Have an application that uses the Graph API to access calendar data for users using outlook.com and office365. Integration has been live for months and working properly, but recently we've started receiving 400 "Error authenticating with resource" responses when attempting to fetch the users calendars (/me/calendars). Access tokens are not expired and our app requests the correct scopes during signup (User.Read Calendars.ReadWrite offline_access). Would appreciate any help on getting this resolved.
Related
I am planning to integrate Azure Authentication in my Drupal 7 site. I got the Token endpoint URL, Client ID, Client secret from Azure Support team for my site URL. When i tried to connect getting below error "Access token requested for user XXXXX: FAILURE"
Thanks in advance
Girija
This error can occur for a few reasons:
The client application is not registered in the Azure AD or is not added to the user's Azure AD tenant. Ensure that you have registered the application in the correct tenant and ensure that the client id, client secret, and tenant ID in your application registration match what you have in your web.config or app settings.
The error usually can also mean you got an incorrect access token for the resource. Are you using Graph API? I have seen this error before when someone tried to get the access token for Azure AD Graph API but used that access token to access Microsoft Graph API. The same could be going on with your drupal site.
Can you please post the full error message here?
I have an application which is using OneDrive through Microsoft Graph API, I created an App and users will consent through the oauth2 flow (that's working).
Now, after that, I have a refreshToken that I can use to get more accessToken (that's also working).
The problem comes when the user revokes the access of my App from their OneDrive account, the refreshToken is still valid and my code still has access to OneDrive user's data.
Is there a way to know that my app was revoked for this specific user through the Microsoft Graph API?
Just for anyone in the future, Microsoft Graph API do invalidate the refreshToken. For some unknown reason it was taking more than 10 minutes for making the invalidation.
After multiple times of testing this I saw that sometimes it might take 1 minute to invalidate, 5 minutes or even 10.
Because it might help someone I'm going to put the exact errors that I got when this case happened so people can handle it gracefully:
{"error": "invalid_grant", "error_codes": [65001], "error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID 'your_app_id_here' named 'your_app_name_here'. Send an interactive authorization request for this user and resource."}
I have an app that supports saml based sso and oauth based access to cloud storage providers such as google drive, dropbox, and microsoft onedrive. I have an account setup that uses OneLogin as an identity provider, and my app and onedrive acting as service providers. the app requires users to authenticate with their cloud storage provider, so I redirect the user from the app to onedrive during this auth step. since they are using onelogin sso, they are redirected from onedrive to onelogin, they login to onelogin, and are redirected back to onedrive. Here they resume the oauth flow and agree to grant the app certain permissions and send back a code. I use this code to ping onedrive's /token route to exchange it for an access_token and a refresh_token. however we are not receiving the refresh_token, thus requiring the user to frequently have to reauthenticate with onedrive.
does anyone have any insight as to why we are not receiving a refresh_token? I have reached out to onelogin and microsoft as well (no progress/response yet).
I have toyed around with settings in MS azure and onelogin but haven't solved the issue yet.
other details:
in microsoft azure, users are federated using ws-federation
so far, this issue only occurs with users who are using onedrive and an sso provider
i am using the v1 onedrive api
the auth response includes the access_token and other properties, just not the refresh_token
here is a link detailing the oauth flow for onedrive, indicating that i can expect a refresh_token from the https://login.microsoftonline.com/common/oauth2/token route: https://learn.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/aad-oauth (in fact this refresh_token is necessary to finish the flow)
here is another SO post that seems to be having a similar issue, but with godaddy: Refresh token not returned for Office365 accounts purchased through GoDaddy (i have tried messing with the StsRefreshTokensValidFrom attribute but to no avail)
to be clear, the flow is:
from app, attempt to oauth auth with onedrive
get redirected to onelogin
login to onelogin
get redirected to onedrive
grant permission for 3rd party app access
get redirected back to app with access code
exchange code for oauth tokens
fail to receive refresh_token
thanks!
To get a refresh_token, you need to set up the Refresh Token (timeout) field in the Token Timeout Settings of the SSO tab in the Application configured in your OneLogin Administration portal.
I am developing a console app in .net which will send mail using the Azure AD application. I followed all the step from generating the certificates to registered an application in Azure AD. Then provided the application permission (Send mail as any user) using Microsoft graph API and provided it “grant permission” as an admin consent.
In my console app code I uses the below outlook api to send mail as
resourseurl — https://outlook.office.com/api/v1.0/users/{my email account}/sendmail. After providing grant permission to my app I am still facing the 401:unauthorized error.
You gave permissions to Microsoft Graph API, so you need to use it.
https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_sendmail
The URL that you need to use is thus:
POST https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/sendMail
Internally the graph API does call the API you mentioned. But your token is for the graph. Not the outlook API.
You also mentioned the resource URL. The graph API resource URL is https://graph.microsoft.com.
We have an iOS app that uses Google oAuth to ask a users permission for Google calendar using embedded browser. User logs in via the app and grants permission to their calendar(s), the oAuth authorization's refresh token and calendar id's are stored in an encrypted database.
Using this refresh token and calendar id's - their calendar items would then be displayed on a separate web application (without having to request for clients credentials again). This worked great until Google authorization requests in embedded browsers were blocked on April 20 this year. Until this time we used a single oAuth client id and used the client id & secret in both the iOS and the Web app. However, after April 20th, we had to create a separate iOS client key. The issue now is that although within the iOS app we are able to ask for users calendar permissions using this code:
OIDAuthorizationRequest *request = [[OIDAuthorizationRequest alloc] initWithConfiguration:configuration
clientId:GoogleCustomKey
scopes:#[OIDScopeOpenID,
OIDScopeProfile, OIDScopeEmail, #"https://www.googleapis.com/auth/calendar",
#"https://www.googleapis.com/auth/calendar.readonly",
#"https://www.googleapis.com/auth/tasks",
#"https://www.googleapis.com/auth/tasks.readonly"]
redirectURL:[NSURL URLWithString:GoogleRedirectUri]
responseType:OIDResponseTypeCode
additionalParameters:nil];
However now we are no longer able to display the users calendars using the refresh token on the web application. Within the web application, we get "Unauthorized access" error when we debug the web application code. But according to Google's documentation cross client authorization is permitted https://developers.google.com/identity/protocols/CrossClientAuth.
We are not sure what we are missing? Thanks.