I need to get an access token for my server to user without a user having to authenticate.
I do this for DropBox and want to do it for OneDrive.
I have a service that needs to save files in its own OneDrive acct and then also copy some files to users' accts.
For the user we will authenticate with either the Token or Code flow. However, for the server I just want to have access token. In DropBox you get the access token on the App Settings page, but I can't figure out how to do it for Graph
Assuming you're talking about OneDrive Business, it sounds like you want to get an app-only token. Such a token will require a tenant administrator to consent, but after that it can access the service without any user.
If you're talking about OneDrive Personal the scenario isn't possible - all tokens are required to have app and user claims, and therefore require to sign in.
Related
This is my app's api permissions
api permissions
This is my postman settings
postman settings
I can get token successfully using an AD admin account
I can get all users successfully
user list
I can create calendar event successfully using this AD admin' user id
enter image description here
I can not create calendar event using another user id
enter image description here
First, this is the document api for introducing the api permission, you can see Permission type with Delegated and Application.
The second, this is the section for introducing the request example, you can see that there are 2 types /me and /users/{id | userPrincipalName}.
The difference between the 2 kinds of api permission is that, using Delegated permission means we need to make users sign in first to generate the access token and call the api, while Application permission not. So when we use Delegated api permission, we can use api request like /me because the token contained the user information so graph api knows who is me and me is authorized to access this api. So we can also use users/user_principle_name_of_the_signed_in_user here. But it doesn't mean we can use another user principle name here, because other users aren't authorized in the access token.
How can we put any user of your tenant into the request and call the api successfully? We need to use Application permission here. When you add api permission, you may notice it and please add application api permission. Then we need to use client credential flow to generate access token with application permission. Then you may try yor failed request with the new token.
Application permission means you are calling the graph api on behalf the application, so it doesn't require users to sign in, but using delegated permission is much more safe since it will generate access token with limited scope(the api permission you defined in the token generating request), but client credential flow uses /.defalut as the scope, this means all the application api permission in the azure ad application will be added to the generated token, you can't control which application permission is allowed and which is not allowed in one token.
I have integrated microsoft teams in my project where a user can give us access to create meetings on teams on his/her behalf. But now I want to give the user a option to disconnect his/her account i.e. we will no longer be able to create meetings on user's behalf.
I am facing few problems in this flow:
I am unable to find an API where I can send request on user's behalf
to invalidate a access/refresh token.
If I remove the token stored at my end and then user again tries to connect their Microsoft account with our website it no longer asks for user's consent(which is basic requirement for OAuth) to give access to our app(if user is logged in Microsoft account on the browser he/she do not see the consent page and account is directly connected with our website and we get the refresh/access token).
Can someone help me on this?
At the end all what I want is when user tries again to connect his/her Microsoft account with our app he/she see the consent page(every time he tries to connect account) and then user clicks the allow button which will give us access and refresh token.
If the user has granted access to the application, Azure AD will issue an access token and a refresh token for the resource.
The lifetime of the access token is usually about 1 hour. During its lifetime, even if the application is deleted, it is still available, but you will not be able to use the refresh token to obtain the access token again.
1)To invalidate access token on users behalf, Refer this DOC.
2)For fetching the access token using the refresh token please refer this DOC.
Hope this helpful.
An alternative solution for prompting the user to the consent page is just simply appending the prompt="consent" in the OAuth2 URI prameters:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=xxx&redirect_uri=xxx&scope=xxx&state=xxx&access_type=offline&prompt=consent
_____↑↑↑↑↑↑
Here you can find the documentation about the parameters.
I have an backend API in an Azure Website that I like to protect using Azure AD.
As I understand it I'll first do an App Registration, use information registration as part of the sign in to get a token back to the client.
I can then send that token to the API and validate the token in the backend API to verify it.
But don't that token give access to all resources in the subscription? How to I restrict the App Registration to only be allowed to access that specific API? And not also another API in the subscription?
I also like to have a set of users that are allowed to access the API. If I'll just allow everyone to log in using the App Registration, everyone that's in my AD will receive a token back?
Can I somehow use a Enterprise Application to restrict access to the API only and only allow a set of users?
Or is there another way of doing this?
But don't that token give access to all resources in the subscription? How to I restrict the App Registration to only be allowed to access that specific API? And not also another API in the subscription?
A token only gives access to the API identified by the audience (aud) claim in the token.
Nothing more.
So if your client app asks for an access token to your API, that token is only valid on that API.
I also like to have a set of users that are allowed to access the API. If I'll just allow everyone to log in using the App Registration, everyone that's in my AD will receive a token back?
Can I somehow use a Enterprise Application to restrict access to the API only and only allow a set of users?
Yes.
You can find the enterprise app (service principal) for the API, enable Require user assignment, and then assign the users/groups you want to have access to the API from Users/Groups tab of the enterprise app.
Access token acquisition will then fail for users who are not assigned.
If you are using the same app registration for both the client and API, then you have to remember that you should acquire an access token regardless to call the API.
Don't use the id token.
Also in that case, a user who is not assigned to the app will fail login.
Situation description:
I need to dynamically download reviews from an Facebook page to display them on my site. For testing purposes I'm using a page access token generated from the user (page admin) access token (using Graph API Explorer). Unfortunately this token is short lived.
As stated in the Graph API documentation (https://developers.facebook.com/docs/facebook-login/access-tokens) to obtain long lived page access token I need to use long lived user access token. To obtain long lived user access token I need to post a request using short lived user access token and my FB app credentials.
To automate the whole process for the admin of my site I want to obtain his user access token and then process it in the way to obtain a long lived page access token (I created an app specifically for this use).
My question is: how can I make a call that asks a user for permission to 'manage_pages' and returns short lived user access token? I don't want it to have anything to do with my site registration and login process, I'm not using Oauth, I'm not logging users via Facebook. I want user to type his FB credentials, grant my app his 'manage_pages' permission and that's it. I'd like it to be as similar to 'Get Access Token' feature in Graph API Explorer (https://developers.facebook.com/tools/explorer).
For a desktop application, how can I get the access token by participating directly in the OAuth flows.
I don't want the user to go through browser and provide me the access token.
Secondly, how can I know what are the users the application is authorized by
and how the application can know if it is authorized by somebody and what is the access token for the same ?
"how can I get the access token by participating directly in the OAuth flows."
By storing a refresh token in your server
Secondly, how can I know what are the users the application is authorized by
The user can only authorize your app with your app's involvement. So you simply need to store a each authed user in a list
and how the application can know if it is authorized by somebody and what is the access token for the same ?
By attempting to do an auth with force-approval = false; If he is authed, you'll get an access token. If he isn't, he'll be prompted for auth.