Trying to post events to user calendars for our organization. Getting a 401 error.
Azure admins created an app/user, and gave permissions
Delegated Graph Permissions: Calendars.ReadWrite
App graph permissions: Calendars.ReadWrite
I can connect to the OAuth token generation end point, and retrieve a token. Using that token, I can't send my JSON payload and create a series of calendar events, I get a 401. The JSON is known good - I can copy/paste it into the graph explorer tool and get correct results.
I've examined a generated token using jwt.ms and I'm not seeing anything related to permissions, calendars, etc.
Our Azure logins use empIDnumber#example.com and I've been told that is what our userPrincipalName is
I've tried changing the URL end point with no change-
/v1.0/users/empIDnumber#example.com/calendar/events
and
/v1.0/users/empIDnumber#examplecom.onmicrosoft.com/calendar/events
Where should I look next?
Solved.
Slight typo in the content of the JSON I was sending, was only able to find it by doing the POST using postman. Java was throwing an exception, not showing the returned string as well as the exception message, but postman showed the returned JSON with content regarding malformed date/time.
Still got 401 exceptions though, so The Fix Part II was to add an Accept-Encoding property set to application/json to my http client request options array.
Still no claims showing up in my tokens, but that is a non-issue apparently.
Related
I am testing Get Chat Microsoft Graph API (which is still in Beta) and it seems to work successfully when it is called from Graph Explorer (which uses an user token), instead when I call this API from Postman with an application token, I get 401 Unauthorized with an Unknown Error as response.
https://graph.microsoft.com/beta/users/<user-id>/chats/<conversation-id>
My App Registration on Azure has these permissions:
And the decoded application token contains:
"aud": "https://graph.microsoft.com",
"roles": ["User.Read.All", "Chat.Read.All" ]
The same token it works for the Get User API
https://graph.microsoft.com/beta/users/<user-id>
Basically, it seems to have problems only the GET Chat API when called with an application token, although the documentation says it is supported. Am I missing something in the App Registration configuration?
EDIT
As I have already explained in the comments, this question doesn't help me, since:
audit is correct
permissions are present in the token and are granted by the admin in the App registration
scope is correct
Should I check something else?
Have you seen this message on the (English) documentation page?
Before calling this API with application permissions, you must request access. For details, see Protected APIs in Microsoft Teams.
It seems like Microsoft has implemented an extra layer of security for apps accessing "Teams" endpoints.
we use the following HTTP GET request to get group's info:
https://graph.microsoft.com/v1.0/groups/{groupId}?$select=visibility,unseencount
Until today (18 Sep 2018) it worked, but today it stopped working. Now Postman returns 403 Forbidden: ErrorAccessDenied (message: Access is denied. Check credentials and try again).
When unseencount is removed from url data is returned successfully with the same bearer token:
https://graph.microsoft.com/v1.0/groups/{groupId}?$select=visibility
Also in our app which uses Sharepoint SPFx and HttpClient it currently returns 400 Bad request for the same url.
I am not seeing that. Have you tried this out in the Graph Explorer signed in as your user (eliminates some mistakes possibly you not seeing in Postman etc.)? http://aka.ms/ge
Is it consistent for all groups? What about ones that the user belongs to?
You will need Group.Read.All to access this property. Ensure that's coming back in your access token.
https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/group_get
I know same question has been asked many times but even after following each and every post as well trying various suggestions, I am still facing invalid_request error.
I am able to get code successfully from Google API and when I am trying to access accessToken , I am getting this error and HTTP code being sent from Google API is 400.
I have already tried and compared my data with oauthplayground and seems everything is same
Following data is being sent from my Application to Google API
https://accounts.google.com/o/oauth2/auth?
scope=openid+profile+email
&response_type=code
&redirect_uri=http%3A%2F%2Fsavealifetoday.org%2Fblood_donors%2FoAuthCallBackAction%3Fservice_provider_name%3D
&approval_prompt=force
&client_id=193214746340-ea0nq5alpst82n2fno13s9j21pn4f4pf.apps.googleusercontent.com
Access Token URL
https://accounts.google.com/o/oauth2/token?
scope=openid+profile+email
&client_secret=***********
&grant_type=authorization_code
&redirect_uri=http%3A%2F%2Fsavealifetoday.org%2Fblood_donors%2FoAuthCallBackAction%3Fservice_provider_name%3D
&code=4%2F8veoAnihzkao58oWvZaRShn5nhYg.0to7Or-lHPwRXE-sT2ZLcbTblHXFhgI
&client_id=193214746340-ea0nq5alpst82n2fno13s9j21pn4f4pf.apps.googleusercontent.com
But When Application is trying to fetch data over the network, I am getting exception
SEVERE: Error while fetching access token for Google..
OAuthProblemException{error='invalid_request', description='null', uri='null', state='null', scope='null', redirectUri='null', responseStatus=0, parameters={}}
I am using URLConnectionClient to establish network connection
Go through the OAuth flow using the OAuth playground https://developers.google.com/oauthplayground/.
Then compare what is being sent with your own.
Note that it needs to be an HTTP POST. The code you posted looks like a GET.
Also, your redirect URL looks a little odd. Is that exactly the same URL that you registered in the API console? This is isn't your current error, but will probably become your next one ;-)
It seems that you forgot to send 'state' parameter here (it is mandatory!):
https://accounts.google.com/o/oauth2/auth?
scope=openid+profile+email
&response_type=code
&redirect_uri=http%3A%2F%2Fsavealifetoday.org%2Fblood_donors%2FoAuthCallBackAction%3Fservice_provider_name%3D
&approval_prompt=force
&client_id=193214746340-ea0nq5alpst82n2fno13s9j21pn4f4pf.apps.googleusercontent.com
In Java code you can generate it in a way like this:
String state = new BigInteger(130, new SecureRandom()).toString(32);
So you request should look like this:
https://accounts.google.com/o/oauth2/auth?
scope=openid+profile+email
&response_type=code
&redirect_uri=http%3A%2F%2Fsavealifetoday.org%2Fblood_donors%2FoAuthCallBackAction%3Fservice_provider_name%3D
&approval_prompt=force
&client_id=193214746340-ea0nq5alpst82n2fno13s9j21pn4f4pf.apps.googleusercontent.com
&state= {insert_here_generated_state}
And also I don't know if it is necessary to send a 'scope' parameter in "Access Token URL".
Hello kind people of the internet,
We can successfully use the Google Oauth 2.0 Playground to make a simple sql POST insert to a FusionTable, but when attempt the same basic HTTPS POST operation in anything else (from back end system, another browser session, Postman chrome tool, hurl.it, etc, etc), we always get a 403 error:
"message": "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup.",
I'm puzzled why the error is returned when doing an HTTPS post from other systems (other than OAuth playground)?...as at the time I'm supplying an active Access token (cut-n-pasted Access token from OAuth playground).
The successful-working-good Request block in OAuth 2.0 Playground is below (but the Access token is of course now expired):
POST /fusiontables/v1/query?sql=INSERT INTO 1CqwRGEEn4L0gN66JwGvCR5yOI8miNMVijcp4XlE (Name, Age) VALUES ('Forrest', 57) HTTP/1.1
Host: www.googleapis.com
Content-type: application/json
Authorization: Bearer ya29.AHES6ZRr9CkHptvLaYlba_u6wceIh29urI8FjFp8xMP08AcBm2qpHg
Here's the direct URL that is generated by several different REST based tools I'm attempting to use to simulate the HTTPS request to do a POST sql insert to FusionTables (which again: always generates a 403 error even with an active Access token):
https://www.googleapis.com/fusiontables/v1/query?sql=INSERT%20INTO%201CqwRGEEn4L0gN66JwGvCR5yOI8miNMVijcp4XlE%20(Name,%20Age)%20VALUES%20('Jim',%2057)=&Content-length:=0&Content-type:%20=application/json&Authorization:=%20Bearer%20ya29.AHES6ZRr9CkHptvLaYlba_u6wceIh29urI8FjFp8xMP08AcBm2qpHg
Some other notes:
-In my Google APIs Console, I'm using the "Client ID for web applications".
-I updated the FusionTable properties with the Api console email-address to allow edit capability on the fusiont table used in the above sql (1CqwRGEEn4L0gN66JwGvCR5yOI8miNMVijcp4XlE) Adding the email for edit capability to the FusionTable properties was kindly suggested by Odi for Service accounts on another related post on FusionTables).
Any help in explaining why HTTPS Post works in the OAuth playground for a sql insert to FusionTables, but not anywhere else would surely be appreciated...there must be something I'm missing, as supposedly the OAuth playground was to help illuminate how OAuth works at a detailed level so we could handle in other systems that don't necessarily have a developed OAuth library.
Update 8/23, per the suggested answer...here's a URL syntax that works in POSTMAN and uses both the OAuth API key and an active Access token which was obtained using the OAuth playground (access token is of course fake/expired).
https://www.googleapis.com/fusiontables/v1/query?sql=INSERT%20INTO%201CqwRGEEn4L0gN66JwGvCR5yOI8miNMVijcp4XlE%20(Name,%20Age)%20VALUES%20('Bob',%2031)=&Content-length:=0&Content-type:%20=application/json&key={OAuth API key}&access_token=ya29.AHES6ZST_c2CjdXeIyG8LwkprQMGGfoW45sonX0d1H51234
Try adding your API key to the POST. Even though the message refers to authentication I'm pretty sure it's not OAuth authentication but your API usage that needs to be verified.
Hoping someone can help me out here. I'm using Google Contacts API to fetch a list of contacts. To my understanding, this is done by sending a GET request:
https://www.google.com/m8/feeds/contacts/default/full?alt=json&max-results=9999&oauth_token=OATH_TOKEN_HERE
However, this is wildly insecure as any intruder can gain access to the oauth_token in the URL. To combat this, I'm trying to send this as a POST request with my parameters (alt, max-results, oauth_token) as the data. However, I simply get an error that "Authorization is required". I've tried adding "Authorization: OAuth" to my headers but to no avail (get an error that authorization type is not recognized).
Any advice? I need a secure way to send the oauth token to Google such that my security software won't complain about a security hole in my program ...
Thanks!
To answer your question directly, even though security is irrelevant as you are using HTTPS, you cannot POST to Google to get a list of contacts. Google requires you use Get.
The proper formatting for authorization (Because you can still use a Get and not pass the oauth_token as a query string is to use an HTTP Header formatted:
Authorization: Bearer 1/fFBGRNJru1FQd44AzqT3Zg
Using OAuth 2.0 to Access Google APIs