How to allow all Outlook users to Use MS OAuth2 - oauth-2.0

I have created one application where I am using MS OAuth2. But it's allowing only my Azure AD user to use MS auth. I want to make it available for all Outlook users. So what changes do I need to make in the manifest or any other file in Azure?
I am getting the below screen after logging in using any other Outlook account:

It seems you are having trouble with a personal@outlook.com account while logging in to your Azure portal tenant.
Error You Have Encountered:
I have successfully reproduced your problem. See the screenshot below:
Reason Of Error:
The email account you are trying to log in with does not exist on your current tenant.
Resolution:
Go to the tenant where you would like to add your example@outlook.com account to log in to, and follow the steps below:
Azure portal
Azure Active Directory
Users
New Guest User
Put your example@outlook.com email
Invite
See the screenshot below:
Issue Solution and Test:
After the above steps I have successfully logged in with example@outlook.com. See the screenshot below:
Access Code:
Access Token With Code:
Decode Token:
You can decode your token on https://jwt.io/
See the screenshot below:
Note: Once you successfully add your example@outlook.com email account to your tenant, you can get your token by logging in.
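The answer above suggests pasting the token into https://jwt.io/ to read its claims. The following is an added example (not code from the answer or from Microsoft) that decodes the token locally instead, so a live bearer credential never leaves your machine, and then reads the `iss`, `tid` and `idp` claims to tell a tenant member, a guest user and a personal Microsoft account apart. The tenant id `EXAMPLE_TENANT`, the client id in `aud` and the sample claims are constructed placeholders; `MSA_CONSUMER_TENANT` is the well-known consumer tenant id. The code only parses the token; it does not verify the signature, which you must do against the issuer's JWKS (for example with PyJWT) before trusting any claim.

```python
import base64
import json
import time

# Added example, not code from the answer above. It parses a Microsoft identity
# platform token locally instead of pasting it into https://jwt.io/. It only
# DECODES the token: the signature is NOT verified. Verify against the issuer's
# JWKS (e.g. with PyJWT) before trusting any claim.

# Tenant id that appears in the `tid` claim for personal (consumer) Microsoft
# accounts such as outlook.com, as opposed to an Azure AD organisation tenant.
MSA_CONSUMER_TENANT = "9188040d-6c67-4c5b-b112-36a304b66dad"

# Placeholder tenant id for the organisation in this example (not a real tenant).
EXAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"


def _b64url_decode(segment: str) -> bytes:
    """base64url decode, restoring the '=' padding that JWT segments omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_unverified(token: str) -> dict:
    """Split a compact JWS (header.payload.signature) and decode the JSON parts.

    The signature bytes are returned but NOT checked; treat the claims as
    untrusted until you have verified them against the issuer's keys.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "claims": json.loads(_b64url_decode(parts[1])),
        "signature": _b64url_decode(parts[2]),
    }


def describe_account(claims: dict, now=None) -> dict:
    """Explain which tenant issued the token and what kind of account signed in."""
    now = time.time() if now is None else now
    tid = claims.get("tid")
    iss = claims.get("iss", "")
    idp = claims.get("idp")
    if tid == MSA_CONSUMER_TENANT:
        kind = "personal Microsoft account (consumer tenant)"
    elif idp and idp != iss:
        # A guest (B2B) user: the token is issued by our tenant, but the
        # user was authenticated by a different identity provider.
        kind = f"guest in tenant {tid}, authenticated by {idp}"
    else:
        kind = f"member of tenant {tid}"
    return {
        "account": claims.get("preferred_username") or claims.get("upn"),
        "kind": kind,
        "issuer": iss,
        "expired": claims.get("exp", 0) <= now,
    }


def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned sample token for offline demonstration.

    The signature segment is junk ("not-a-signature"); a real token is signed
    by Microsoft with the key named in the header's `kid`.
    """
    header = {"typ": "JWT", "alg": "RS256", "kid": "example-kid"}
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "bm90LWEtc2lnbmF0dXJl"])


# Constructed claims for an outlook.com user invited as a guest into the
# organisation tenant, as in the resolution above.
GUEST_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{EXAMPLE_TENANT}/v2.0",
    "aud": "00000000-0000-0000-0000-000000000000",  # placeholder client id
    "tid": EXAMPLE_TENANT,
    "idp": "live.com",  # identity provider that actually authenticated the user
    "preferred_username": "example@outlook.com",
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
}

if __name__ == "__main__":
    decoded = decode_unverified(make_sample_token(GUEST_CLAIMS))
    print(json.dumps(decoded["header"], indent=2))
    print(json.dumps(describe_account(decoded["claims"], now=1_700_000_100), indent=2))
```

For a guest invited as in the steps above, `tid` is still your organisation's tenant and `idp` is the provider that authenticated the user; a token whose `tid` equals the consumer tenant id is one issued to a personal account directly, which only happens when the app registration accepts personal Microsoft accounts.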

Related

"Error 403: access_denied" when using Google OAuth

I am trying to understand the basic logic for receiving Gmail emails with Google OAuth. I see this document: Authorizing Your App with Gmail.
Now I follow the instructions in Setting Up POP3 Importing with OAuth via Google to set up POP3 with Google OAuth.
I log in to one Google account (Account1) and then, in Google Cloud, create the Google app and OAuth Client ID.
Then I start connecting to a Gmail account (Account2) with the web application (WHMCS). When connecting, it asks me to choose an account that created the app, so I choose Account1. But I get the following error:
Error 403: access_denied
The developer hasn’t given you access to this app.
Thus I am a bit confused. Since Account1 is used to create the app and OAuth Client ID, it should be able to access the app when I choose Account1, but the app will not be able to access the data in Account2. Or does the app in the error message mean Gmail, not the app I created in Google Cloud?
Should I use Account2 to create the app for receiving emails in Account2? If yes, then for each Gmail account, should I create a separate app accordingly?
Update
Now I try to do as follows:
Use Account3 (the admin of Google Workspace) to create the Cloud project, consent window, client ID, etc.
Then when connecting from WHMCS on our domain datanumen.com, it asks me to choose the account, I choose Account3, and then see a new window as below:
I then select the "Allow" button, but then see the following error:
Connection unsuccessful. Please close this window and try again.
Update
I tried several times and found the first time was successful. I forgot to enable POP3 in my Gmail account. After enabling it, everything is fine.
I am a bit confused as to what you are trying to do here.
You created a project on Google Cloud console and created a client ID and client secret for the authorization of your project.
All this does is create a project that will be allowed to use OAuth2 to request authorization from a user to access their data.
If I understand what WHMCS is trying to do, it's going to let you use your client ID and client secret to request access to a user's data.
So when it asks you to authorize a user, this is the user whose data you want access to. That user must be added as a test user over on Google Cloud console for the project that you created.
The project you created on Google Cloud console is still in the testing phase. Each user you want to allow to test your application must be added as a test user. Otherwise only the owner of the project can test the application.
Fixing this issue for me was this simple:
Go to https://console.developers.google.com/
open the project in question.
Click "OAuth consent screen" on the left.
Under "Test users" there is a button called "+ ADD USERS"
Type the email of the account you will be testing with, press enter, then click save.
It should work now.
It seems like they updated this recently because last year I did not have to do this.
Workspace
The issue you may be having is that if you created this project on a Workspace account, then I suspect only Workspace domain users are going to be able to authorize it. It can't be authorized by someone on the standard Google domain. So try with a Workspace domain user. The same may go the other way; I have never tried, tbh. I tend to keep Workspace within its domain.

Read outlook mails through MS 365 graph client without login form

I have to read Outlook emails from an inbox in a Windows console application. I am trying to use the MS Graph client for the same. The problem is I don't want to log in to generate an access token. How should I go about generating an access token without a login form? I will appreciate any help.
I have tried the solution given in this article, but couldn't get it working as I didn't know the redirectUrl and couldn't resolve some references for the given code.
Single user -> Use device code flow
If you want to access the mailbox of a single user, you can use the Device code flow (see the documentation).
This flow allows you to display a code to the user; they go to the device login page and authorize your application. You also get a refresh token, so this access can be used for a long time.
Any user in organization -> Use client credentials
If you want to access any mailbox in the entire organisation, you can check out this answer and replace the required permission with Read mail in all mailboxes.
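The two flows the answer names, as an added example that is not the answer's code or Microsoft's: the device code grant (RFC 8628) for a single user's mailbox, which needs no redirect URI and no login form in the console app, plus the request body for the app-only client credentials grant used for the org-wide case. `CLIENT_ID` and `TENANT` are placeholders for your own app registration. The token endpoint and `sleep` are injected into `poll_for_token` so the polling logic, including the `authorization_pending`, `slow_down` and `expired_token` responses the server can return, can be exercised offline; the real HTTP calls live in `main()`.

```python
import time

# Added example, not the answer's code: the OAuth 2.0 device authorization grant
# (RFC 8628) against the Microsoft identity platform v2.0 endpoints, which lets a
# console app read one user's mailbox through Microsoft Graph without hosting a
# login form or a redirect URI. CLIENT_ID and TENANT are placeholders; put in
# your own app registration's values. The network calls live in main(); the
# request builders and the polling logic are plain functions that run offline.

CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, your app registration
TENANT = "common"  # or your tenant id / verified domain
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0"
# Mail.Read (delegated) for the signed-in user's mailbox; offline_access for a refresh token.
SCOPES = "https://graph.microsoft.com/Mail.Read offline_access"

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
# Error codes after which polling can never succeed; restart the flow instead.
TERMINAL_ERRORS = ("expired_token", "authorization_declined", "bad_verification_code")


def device_code_request() -> dict:
    """Form body for POST {AUTHORITY}/devicecode: asks for a user_code to show the user."""
    return {"client_id": CLIENT_ID, "scope": SCOPES}


def token_request(device_code: str) -> dict:
    """Form body for POST {AUTHORITY}/token while waiting for the user to approve."""
    return {"grant_type": DEVICE_CODE_GRANT, "client_id": CLIENT_ID, "device_code": device_code}


def refresh_request(refresh_token: str) -> dict:
    """Form body to redeem the refresh token later, so the user is not asked again."""
    return {"grant_type": "refresh_token", "client_id": CLIENT_ID,
            "refresh_token": refresh_token, "scope": SCOPES}


def client_credentials_request(client_secret: str) -> dict:
    """Form body for the org-wide case in the answer: app-only token, no user.

    Needs the *application* permission Mail.Read with admin consent (it shows
    up in the token's `roles` claim) and a specific tenant, not "common";
    mailboxes are then read via /users/{id}/messages rather than /me.
    """
    return {"grant_type": "client_credentials", "client_id": CLIENT_ID,
            "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default"}


def poll_for_token(post, device_code: str, interval: int, expires_in: int, sleep=time.sleep) -> dict:
    """Poll the token endpoint until the user approves, honouring RFC 8628 section 3.5.

    `post(body) -> (status_code, json_body)` and `sleep` are injected so the
    logic can be exercised without network access.
    """
    elapsed = 0
    while True:
        status, body = post(token_request(device_code))
        if status == 200 and "access_token" in body:
            return body
        error = body.get("error")
        if error == "authorization_pending":
            pass  # user has not entered the code yet; keep polling
        elif error == "slow_down":
            interval += 5  # server asks us to back off
        elif error in TERMINAL_ERRORS:
            raise RuntimeError(f"device code flow failed: {error}: {body.get('error_description', '')}")
        else:
            raise RuntimeError(f"unexpected token response {status}: {body}")
        elapsed += interval
        if elapsed > expires_in:
            raise TimeoutError("user did not sign in before the device code expired")
        sleep(interval)


def main():
    import requests  # pip install requests; imported here so the helpers above stay offline

    dc = requests.post(f"{AUTHORITY}/devicecode", data=device_code_request()).json()
    print(dc["message"])  # tells the user which URL to open and which code to enter

    def post(body):
        resp = requests.post(f"{AUTHORITY}/token", data=body)
        return resp.status_code, resp.json()

    tokens = poll_for_token(post, dc["device_code"], int(dc["interval"]), int(dc["expires_in"]))
    # Keep tokens["refresh_token"] in a protected secret store (DPAPI, keychain),
    # never in source control; it grants mailbox access until revoked.
    headers = {"Authorization": f"Bearer {tokens['access_token']}"}
    inbox = requests.get(
        "https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages",
        params={"$top": 5, "$select": "subject,from,receivedDateTime"},
        headers=headers,
    ).json()
    for msg in inbox.get("value", []):
        print(msg["receivedDateTime"], msg["subject"])


if __name__ == "__main__":
    main()
```

The refresh token is what makes this usable from a scheduled console job: persist it in a protected store, redeem it with `refresh_request` when the access token expires, and only fall back to a fresh device code prompt when the refresh is rejected.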

Can't get permissions for Microsoft Graph API Drive integration

We are using the Microsoft Graph API for uploading files for business and personal accounts.
After the account logs in, we ask for some permissions, but we don't add the ones needed for OneDrive. After the user explicitly requests to upload a file, we send another request for an access token including all scopes so far + files.readwrite.all. This was working perfectly until (maybe) a month ago. Now it works for business accounts, but not for personal accounts.
Steps that we do:
Redirect the user to login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=...&redirect_uri=https%3A%2F%2Fmywebsite.com%2Fsignin-microsoft&response_type=code%20id_token&scope=openid%20offline_access%20profile%20email%20mail.readwrite%20mail.send%20contacts.readwrite%20calendars.readwrite%20people.read%20user.read%20files.readwrite.all&response_mode=form_post&nonce=636656...&state=CfDJ8MLMcPchE...
The user selects their account (with which they are already signed in)
They get redirected to https://login.live.com/oauth20_authorize.srf with the following screen:
The permissions are not added for our application and we don't get any error.
Here is also the response from the error page:
Error Info
"/pp1600/oauth20_authorize.srf?client_id=9d3c...&scope=openid+offline_access+profile+email+mail.readwrite+mail.send+contacts.readwrite+calendars.readwrite+people.read+user.read+files.readwrite.all&redirect_uri=https%3a%2f%2fmywebsite.com%2fsignin-microsoft&response_type=code+id_token&state=CfD...&response_mode=form_post&nonce=636...&x-client-Ver=5.2.0&display=host&uaid=521...&msproxy=1&issuer=mso&tenant=common&ui_locales=en-US&username=pesho..."
loginserverprotocolhandler(846)
HR=0x80041018
Method string:GET
URL:"/pp1600/oauth20_authorize.srf"
Query string:"code=5"
Server protocol:HTTP/1.1
Update: after a couple of tries I actually managed to grant access to one of my accounts for the OneDrive integration. Not really sure what changed. I was just logging in and out with different Outlook accounts in Outlook and in our app. After that, I tried the same process with a different account and it failed again. Every time I was trying this I was logged in with the same account in both places.
One more thing that I noticed is that before, the consent was for all permissions, and now the consent screen showed a request only for the files permission.

Can you hard code an Azure AD login into an application?

I'm designing an application that uses embedded Power BI reports, which requires an authentication token from an Azure AD account to view the report.
On navigating to the page that holds the report, the user is directed to an Azure AD portal login, and once they enter their credentials they are redirected back to the correct page with a URL that contains the access token. The token is then pulled from the URL and used in displaying the report.
So my question is (seemingly) simple: can I skip navigating to another page and somehow hard code an Azure login into my app?
I'm not sure if this requires any of my code, as it's more of an abstract/general question.
But here is the redirect to the Azure AD login portal:
Response.Redirect(String.Format("https://login.windows.net/common/oauth2/authorize?{0}", queryString));
And here I fetch the code from the resulting URL after the user authenticates:
model.code = Request.Params.GetValues("code")[0];
Yes. AAD supports headless auth. Please see the example here: https://github.com/Azure-Samples/active-directory-dotnet-native-headless.

OAuth2 is not working for accounts other than admin accounts. What part of configuration am i missing?

I created a free domain account on www.mygbiz.com. I used this account to create a client ID and secret and then followed the process of generating access tokens. The OAuth2 mechanism works perfectly fine for this admin account. However, when I add users to this account and add the same users as team members on the Admin console (under the Team tab): https://code.google.com/apis/console/ , and then use those user accounts in my application, the OAuth2 fails for the other accounts and gives the following error:
{"status":"400","schemes":"Bearer","scope":"https://mail.google.com/"}
E.g.
admin account: admin@XYZ.mygbiz.com
This account has been used to generate the client ID and secret. The code works fine for this account. But for the other users on the same domain:
user1: user1@XYZ.mygbiz.com
user2: user2@XYZ.mygbiz.com
the code does not work even after adding them as team members on the API console.
Am I missing some part of the configuration? Can someone please help here?
