Microsoft Graph API error "Required scp claim values are not provided" - microsoft-graph-api

Given I'm logged in with MSSSO account;
And the Read the organization's roster permission is set;
When I call /education/me/classes endpoint;
Then I get the 403 response with the code AccessDenied and the message Required scp claim values are not provided.
What does the error mean? How do I fix it?
{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/22d54f2b-1771-400c-8839-1b661d1d5270/",
"iat": 1517909669,
"nbf": 1517909669,
"exp": 1517913569,
"acr": "1",
"aio": "Y2NgYLj3Um+jDePa8FgXu/w7Jkl3lHo0ZbNPdx498+y09QQTG3UA",
"amr": [
"pwd"
],
"app_displayname": "My company ",
"appid": "5a993391-9e90-45e8-9823-e6ba00f810f3",
"appidacr": "1",
"family_name": "user",
"given_name": "user",
"ipaddr": "91.244.25.19",
"name": "user",
"oid": "bb0571c2-e60d-4425-8c37-5cd7fabe5083",
"platf": "5",
"puid": "10033FFF9E13F0A0",
"scp": "Contacts.Read Directory.AccessAsUser.All Directory.Read.All email Files.Read Files.Read.All Group.Read.All Mail.Read.Shared Mail.Send offline_access openid People.Read profile User.Read User.Read.All User.ReadBasic.All",
"sub": "rq0gSA1ps5tiFGaN1n84WZEeqqBU5pKhv-cMJQRwpSw",
"tid": "22d54f2b-1771-400c-8839-1b661d1d5270",
"unique_name": "user#company.com",
"upn": "user#company.com",
"uti": "ARRvKJOO6UutMlcwAPgYAA",
"ver": "1.0"
}

Related

When getting a team using v1.0 API, beta resources are also being returned

I send a GET for a team at least one resource the resources is in beta. The resource teamDiscoverySettings shouldn't be returned when the request is made to v1.0 API
I sent a GET https://graph.microsoft.com/v1.0/teams/{{teamID}} and the server responds with:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#teams/$entity",
"id": "...",
"displayName": "...",
"description": "...",
"internalId": "...",
"webUrl": "...",
"isArchived": false,
"discoverySettings": {
"showInTeamsSearchAndSuggestions": false
},
"memberSettings": {
"allowCreateUpdateChannels": true,
"allowDeleteChannels": true,
"allowAddRemoveApps": true,
Shouldn't the beta resources only be returned withing the beta version of the APIs?

Loopback Error 401 (Unauthorized) while accessing APIs

I am facing an issue in loopback, 401 (Unauthorized). Initially all APIs are working perfectly.
Now I set ACL for some of the models. After that I got an error 401 (Unauthorized) while accessing APIs
Sample Code
Eg: One of my model.json file
"acls": [
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$unauthenticated",
"permission": "DENY"
}
I got the accesstoken after login. I think the access token is not getting in in my API headers.
you can also define ACS level. you DENY for all unauthorized user but also set permission for authorized user like.
"acls": [
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "admin",
"permission": "ALLOW"
},
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$unauthenticated",
"permission": "ALLOW"
}
]
principalId is define in my ROLE collection if you did't define any princepalId you can also use this.
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$authenticated",
"permission": "ALLOW"
}

Microsoft Graph API keeps returning 401 Unauthorized

Please do not report as duplicate because all other topics have not solved my issue, thanks.
I'm using Microsoft Graph API to list and create calendar events, however, I can't seem to make the findMeetingTimes endpoint work.
This is my authorization URL:
https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize
?client_id=xxxxx
&response_type=code
&redirect_uri=xxxxx
&response_mode=form_post
&scope=openid profile User.ReadWrite User.ReadBasic.All Sites.ReadWrite.All Contacts.ReadWrite People.Read Notes.ReadWrite.All Tasks.ReadWrite Mail.ReadWrite Files.ReadWrite.All Calendars.ReadWrite
&state=12345
Then I request an access token using the same scopes:
$request = json_decode($guzzle->post('https://login.microsoftonline.com/common/oauth2/v2.0/token', [
'headers' => ['Content-Type' => 'application/x-www-form-urlencoded'],
'form_params' => [
'client_id' => 'xxxxx',
'scope' => 'openid profile User.ReadWrite User.ReadBasic.All Sites.ReadWrite.All Contacts.ReadWrite People.Read Notes.ReadWrite.All Tasks.ReadWrite Mail.ReadWrite Files.ReadWrite.All Calendars.ReadWrite',
'code' => $auth_code,
'grant_type' => 'authorization_code',
'redirect_uri' => 'xxxxx',
'client_secret' => 'xxxxx'
],
])->getBody()->getContents());
After that I'm trying the findMeetingTimes endpoint using:
$request = json_decode($guzzle->post('https://graph.microsoft.com/v1.0/me/findMeetingTimes', [
'headers' => [
'Authorization' => 'Bearer ' . $accessToken,
'Content-Type' => 'application/json',
],
'body' => '{
"attendees": [
{
"type": "required",
"emailAddress": {
"name": "My Name",
"address": "myemail#hotmail.com"
}
}
],
"timeConstraint": {
"activityDomain":"work",
"timeslots": [
{
"start": {
"dateTime": "2019-04-02T09:00:00",
"timeZone": "Pacific Standard Time"
},
"end": {
"dateTime": "2019-04-03T17:00:00",
"timeZone": "Pacific Standard Time"
}
}
]
}
}',
])->getBody()->getContents());
However, it keeps returning:
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
Does anyone know what I'm missing? Note that I'm not using a Microsoft work/school account, just my regular one. (Does it matter?)
Its not possible to call this endpoint with personal accounts, this is metioned very cleary in the documentation

Rails google analytics insufficientPermissions

I use gem 'omniauth-google-oauth2' and want get infromation from google analytics, my omniauth file have:
provider :google_oauth2, ENV['google_key'], ENV['google_secret'], {scope: 'https://www.googleapis.com/auth/analytics, https://www.googleapis.com/auth/analytics', access_type: 'offline', select_account: true}
but I have error:
{"errors"=>[{"domain"=>"global", "reason"=>"insufficientPermissions", "message"=>"Insufficient Permission"}], "code"=>403, "message"=>"Insufficient Permission"}: { "error": { "errors": [ { "domain": "global", "reason": "insufficientPermissions", "message": "Insufficient Permission" } ], "code": 403, "message": "Insufficient Permission" } }
I enabled google analytics in developer console. Who can help me?

Creating a new user from Twitter using auth0 get nil email

I am using auth0 for my rails application,I tried to sign in with social connection using auth0, this works fine with google and facebook but when I tried with twitter I am getting blank email for user and not able to sign in with the user having blank email.
Here is the response which I am getting
{
"name": "XXXX",
"picture": "XXXX",
"lang": "en",
"screen_name": "XXXX",
"clientID": "XXXXXX",
"user_id": "XXXXX",
"nickname": "XXXX",
"identities": [
{
"access_token": "XXXX",
"access_token_secret": "XXXX",
"provider": "twitter",
"user_id": XXXX,
"connection": "twitter",
"isSocial": true
}
],
"created_at": "2015-04-07T06:00:51.515Z"
}
How do I get user email for twitter using auth0
Not possible. Twitter API doesn't give email address of the user.
Is there a way to get an user's email ID after verifying his/her Twitter identity using OAuth?

Resources