I'm developing an Outlook add-in that consists of a React front-end and a dotnet core back-end service. I retrieve an an access token using the Office.js lib.
Office.context.mailbox.getCallbackTokenAsync({isRest: true}, async (result:Office.AsyncResult<string>) => {
});
The access token is sent to the back-end service and used to retrieve Graph access and refresh tokens.
My question, should I also be using the Office.js access token as an Authorization header in requests from the add-in front-end to the back-end? Would it provide any additional level of security or can I discard it once I've retrieved the Graph tokens?
The token you're getting back is only usable with Microsoft Graph, and only for that user's mailbox. If you decode the token using https://jwt.ms you can see exactly which scopes are assigned (it's very limited).
If you want to leverage the user's identity for your own backend, there are a couple of options.
Authenticate a user with an SSO token in an Outlook add-in (preview)
Authenticate a user with an identity token for Exchange
There is an overview of authentication available at Authentication options in Outlook add-ins.
Related
I have a .Net core web Api calling google drive api. The google drive api should authenticate the api call with Okta and authorize. How can this be achieved?
Should i setup the auth application in Okta dashboard and generate client id and authentication token?
Which before calling google api will be used to get bearer token from Okta and shared with the google api?
Will be registered with google admin console and generate the tokens?
The domain of the api will be google.api.com ... so no where it is going to Okta for authentication
What you do with your Okta site will be after you have gained access to the google api on behalf of your users. a bearer token from Okta will not grant you access to a google api you need to go though googles authorization server to get that.
In order to access the Google Drive api and access private user data. The owner of that data will need to authorize your access.
To do this we use something called Oauth2. The issue you will have is begin that you say you are using a web api to call Google you will need to create a web application on the side where your users can authorize your application to access their data. You will need to register your application with google on Google Developer console. Create a web client credentials. Then when the user has authorized your application to access their data you will will need to store the refresh token in your system associated with the user.
Then your web api will be able to access the users data by loading the refresh token and requesting a new access token.
There is currently only one sample web-applications-asp.net-core-3 for .net core web applications it doesn't show how to store the refresh token you will need to work that out.
I do have a video on setting up asp .net core with the google people api it might give you a starting point How to get a Google users profile information, with C#. as well as one on how to create a How to create Google Oauth2 web application credentials in 2021.
I've been following Microsoft's documentation where a client can call a middle tier API using an access token which in turn uses the same access token as an assertion to obtain an access token from Microsoft Graph (the downstream API) to be able to call Graph API's.
My question is, does that access token from the client have to come from Microsoft? If not (for instance, our access tokens come from an on premises Identity Server), how does Microsoft verify the authenticity of the access token from the client?
The access token needs to come from Azure AD. https://learn.microsoft.com/en-us/graph/auth-v2-user
Have a look at the definition of OBO flow
For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from the Microsoft identity platform, on behalf of the user.
I.e. the original token must have come from AAD to be used for exchange for another token.
I am working on an ASP.NET Core 2.0 API. Currently this API supports a Service to Service workflow where the client console application obtains an access token from Azure AD using their console application's Azure AD app registration AppId/AppKey values.
To support this, my API uses...
// Add Azure AD OAUTH2.0 Authentication Services
services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddAzureAdBearer(options => Configuration.Bind("AzureAd", options));
in Startup.cs ConfigureServices method and...
app.UseAuthentication();
in the Startup.cs Configure method. And finally the ...
[Authorize]
attribute along with the...
using Microsoft.AspNetCore.Authorization;
using statement in my controllers.
This is all working fine right now.
However, I now have a need to allow an admin web app to access my API. This admin web app will use Azure AD to authenticate the user login and obtain an Identity Token. I want my API to also be able to accept this Identity Token to;
Allow access to the API, and
Allow my API to identify the user and make decisions in the API
based upon the user identity's claims.
Can ASP.NET Core 2.0 support both access token and identity token without breaking what I currently have working with the service to service workflow?
That should work fine - your above breakdown needs some minor tweaks though:
THE CONSOLE APP
Gets a simple access token based on an API key - the access token is NOT user specific and represents the application identity.
THE ADMIN WEB APP
Users login and get an id_token AND an access_token. The id_token is just used by the web app as proof of authentication and never sent anywhere.
The access_token is user specific and can be used to call the API and get personalized data.
THE API
The job of the API is to receive access tokens and authorize based on claims from the token. For the console app the claims will only contain the application identity via a 'client id' claim. For the web app you will also be able to identify the user - most commonly via a 'sub' claim (there may be other user claims such as email).
We've implemented Authentication in a .Net Core 2.0 app using Microsoft Graph to authenticate against Azure AD.
That works fine and we were aiming to use Microsoft Graph for accessing Office 365 data.
Unfortunately, on deeper review, we've found that Tasks are currently unsupported via Microsoft Graph and must be instead accessed via the Outlook REST API.
Important: APIs under the /beta version in Microsoft Graph are in preview and are subject to change. Use of these APIs in production applications is not supported.
I tried passing the Bearer Token retrieved via Microsoft Graph in the Outlook REST API headers but I get back an invalid token error.
I'm hoping that I'm simply doing something wrong and this is a valid approach.
Since MS Graph is the "unified" replacement for the Outlook REST API and others, can a Microsoft Graph token be used to access the Outlook REST API?
Yes, this is correct behavior. Tokens are only valid for a particular "audience", which is indicated by the aud claim inside the token.
If you obtained a token for the Microsoft Graph API, then the aud parameter would be set to https://graph.microsoft.com. This doesn't match the Office 365 API endpoint (https://outlook.office.com or https://outlook.office365.com), so the token validation fails. You have two options here.
Use the tasks APIs in Graph even though they are in beta.
Make sure that you obtain a refresh token when you request your Graph token (by including the offline_access scope in your auth/token requests). Then use that refresh token to obtain a second token with the proper audience.
You can use the refresh token to request an Office 365 API-compatible token by qualifying your scopes in the refresh request. For example, if you requested a Graph token with Tasks.Read, you would qualify Tasks.Read in your refresh request as https://outlook.office.com/Tasks.Read.
Just want to share how you can exchange Graph RefreshToken to a Outlook AccessToken using postman. (You can do this in whatever code language you wish)
First lets show how you use a RefreshToken to get a new Graph AccessToken:
Then use the Graph RefreshToken to get the new Outlook AccessToken:
Hope this might help some other people :)
I have created a new asp.net core 2 web application. I'm using individual user accounts and added my Microsoft account for external authentication. All of this works like expected.
Now I want to use Microsoft Graph to read my .live profile and eventually read my mailbox and things like that.
I created an authentication provider and I'm able to get an access token back but why I try to use the access token, I'm getting an Authorization_IdentityNotFound error although my clientId and secret is correctly entered.
I think it's caused by the fact that I'm not using the proper parameters to request the access token. I think I'm missing the authorization response code that is normally returned when I sign into my .live account.
Does anyone know how to retrieve that response code or has a working example in asp.net core2. The only sample I can find is in .net core 1.1 and things have changed rather drastically since then.
You're confusing a few different systems here.
In order to access Microsoft Graph API you'll need to pass an Access Token in the authorization header of your call. This is used to both provide Microsoft Graph with your identification as well where you're data is stored (you're tenant).
The actual Access Token isn't issued by Microsoft Graph, it is issued by your tenant. For work/school accounts this is the Azure Active Directory tenant where your account lives. For personal account this is the Outlook.com tenant.
Prior to receiving an Access Token, you first retrieve an Authorization Code. This is returned to the redirect_url you passed to login.microsoftonline.com after you've entered your credentials. Your app then takes this Authorization Code and exchanges it for an Access Token that you'll use to call Microsoft Graph.
If you're looking for a authentication library to handle this process, you should use MSAL.NET. You can find instructions for using this library in the microsoft-authentication-library-for-dotnet repository on GitHub.
Once you have a token, you can either call Microsoft Graph directly or you can leverage the Microsoft Graph Client Library for .NET.