oauth2 get a list of scopes from access token - oauth

Is it possible to get a list of scopes from an access token?
e.g.
$token = 'ab12..'
$scopes = tokenToScopes($token)
// --> $scopes = ['address', 'subscriptions',...]

That can depend upon the access token. If it's a JWT you can just decode it; you can test it by using jwt.io. A lot of auth servers also have a tokeninfo endpoint which will give you information on your token. This will depend upon the auth server you are using.
{
"nbf": 1514888070,
"exp": 1514891670,
"iss": "http://localhost:5000",
"aud": [
"http://localhost:5000/resources",
"testapi"
],
"client_id": "testclient",
"sub": "21248582",
"auth_time": 1514882023,
"idp": "Google",
"supporter": "21248582",
"name": "Xxxxx",
"application_id": "14055160",
"scope": [
"openid",
"profile",
"email",
"testapi"
],
"amr": [
"external"
]
}
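An added example (not from the question or answer above) of the decode-the-JWT approach in Python: it base64url-decodes the payload without signature verification, as jwt.io does, and normalises the scope encodings that different issuers use (`scope` as an array as in the token above, `scope` as a space-delimited string, or Azure AD's `scp`). The `make_unsigned_test_jwt` helper is a constructed test fixture, not something a real issuer would produce.

```python
import base64
import json
import time
from typing import List, Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return a JWT's claims WITHOUT verifying the signature (what jwt.io shows).

    Good enough for inspection. A resource server that makes authorization
    decisions must verify the signature with the issuer's keys, or ask the
    issuer's tokeninfo/introspection endpoint, before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_to_scopes(token: str, now: Optional[int] = None) -> List[str]:
    """Extract scopes, normalising the encodings seen in the wild:
    'scope' as a JSON array (as in the token shown above), 'scope' as a
    space-delimited string (RFC 8693 / RFC 9068), or Azure AD's 'scp' claim.
    An expired token yields no scopes at all."""
    claims = decode_jwt_payload(token)
    now = int(time.time()) if now is None else now
    if "exp" in claims and int(claims["exp"]) <= now:
        return []
    raw = claims.get("scope", claims.get("scp", []))
    return raw.split() if isinstance(raw, str) else [str(s) for s in raw]


def make_unsigned_test_jwt(claims: dict) -> str:
    """Constructed test helper: builds an alg='none' token with an empty
    signature. Real verifiers must reject 'none'; this exists only so the
    parsing above can be exercised offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```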

Related

How to get permissions list by APi

I'm trying to get the whole Graph API permissions list by an API call or by downloading either an XML or JSON file.
I tried to check the call made from the Azure portal when the list is loaded, but nothing.
Does someone know how we can get this info from Microsoft?
API permissions can be listed by using the following query in the Microsoft Graph API (Microsoft Graph Explorer).
The Directory.Read.All permission needs to be granted admin consent; then authenticate a Microsoft Graph API client to access the /v1.0/oauth2PermissionGrants endpoint.
Then make a GET request to
https://graph.microsoft.com/v1.0/oauth2PermissionGrants
Result: Represents delegated permissions which have been granted for client applications to access APIs on behalf of signed-in users.
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#oauth2PermissionGrants",
"@odata.nextLink": "https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$skiptoken=xxxx",
"value": [
{
"clientId": "xxx",
"consentType": "Principal",
"id": "YBLh22Q2xxxxxxZPqphjW",
"principalId": "xxxx",
"resourceId": "xxxxxx",
"scope": "UserProfile.Read "
},
{
"clientId": "xxxx",
"consentType": "Principal",
"id": "xxxx",
"principalId": "xxxx6efe7a",
"resourceId": "xxxxx",
"scope": "UserProfile.Read "
},
{
"clientId": "xxxx",
"consentType": "Principal",
"id": "YBLh2xxxxxmX",
"principalId": "xxxxxxx",
"resourceId": "xxxx",
"scope": "UserProfile.Read "
},
{
"clientId": "xxxxx",
"consentType": "Principal",
"id": "YBLh22Q2xxxxxxN2iXWD",
"principalId": "xxxxx",
"resourceId": "xxxx",
"scope": "UserProfile.Read"
},
{
"clientId": "xxxxx",
"consentType": "Principal",
"id": "YBLh22Q2xExxxxbjbxXaqHKDW",
"principalId": "xxxx",
"resourceId": "xxxxx",
"scope": "UserProfile.Read"
},
{
"clientId": "xxxxxxx",
"consentType": "Principal",
"id": "xxxxxxxx",
"principalId": "xxx",
"resourceId": "bbf1c2f4xxxxxxxx",
"scope": "user_impersonation "
},
{
"clientId": "xxxx-60ae65bca24f",
"consentType": "Principal",
"id": "xxxx_AXxTLAO2AAHbv56",
"principalId": "941ea60dxxxxxx-d800076efe7a",
"resourceId": "bbf1c2f4xxxxx",
"scope": "user_impersonation "
},
{
"clientId": "xxxx9-60ae65bca24f",
"consentType": "Principal",
"id": "xxx",
"principalId": "xxx",
"resourceId": "bbf1c2f4-xxxxx",
"scope": "user_impersonation"
},
{
"clientId": "dbe11260-3664-40c4-ae39-60ae65bca24f",
"consentType": "Principal",
"id": "xxxx",
"principalId": "d1de0f56-d471-4580-b8db-c576aa1ca0d6",
"resourceId": "bbf1c2f4-52df-4d28-8dea-e8de231ed902",
"scope": "user_impersonation"
}
]
}
Reference: List oAuth2PermissionGrants (delegated permission grants) - Microsoft Graph v1.0 | Microsoft Learn
Thanks for the answers, but it's not exactly what I was seeking.
In fact, I want to get the list we can find here: Graph API permissions,
but through an automatic way (API, JSON or XML file, and not by parsing an HTML page :). Ideally with extra info, if it exists, to let my users filter them easily.
AFAIK there is no such list available by an API call or by downloading an XML or JSON file right now; if you want this API, you can raise a feature request here.
Check the documentation of all permissions and IDs. You can easily copy and paste the table.
Another option is to use the /servicePrincipals endpoint and filter for the Microsoft Graph app. It will return a list of application and delegated permissions, including description and other details.
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId+eq+'00000003-0000-0000-c000-000000000000'&$select=appRoles,oauth2PermissionScopes
Result
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals(appRoles,oauth2PermissionScopes)",
"value": [
{
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"description": "Allows the app to read all available Teams Templates, without a signed-user.",
"displayName": "Read all available Teams Templates",
"id": "6323133e-1f6e-46d4-9372-ac33a0870636",
"isEnabled": true,
"origin": "Application",
"value": "TeamTemplates.Read.All"
},
...
],
"oauth2PermissionScopes": [
{
"adminConsentDescription": "Allows the app to read the available Teams templates, on behalf of the signed-in user.",
"adminConsentDisplayName": "Read available Teams templates",
"id": "cd87405c-5792-4f15-92f7-debc0db6d1d6",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Read available Teams templates, on your behalf.",
"userConsentDisplayName": "Read available Teams templates",
"value": "TeamTemplates.Read"
},
...
]
}
]
}
The appRoles property represents application permissions.
The oauth2PermissionScopes property represents delegated permissions.
The endpoint requires the Application.Read.All, Application.ReadWrite.All, Directory.Read.All or Directory.ReadWrite.All permissions.
I've compared data returned by the query above with the list in the documentation and it matches.
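An added example (not code from either answer) covering both approaches above: following `@odata.nextLink` when walking /oauth2PermissionGrants (the first answer's response is paginated), and flattening the servicePrincipal's `appRoles` and `oauth2PermissionScopes` into one filterable row per permission as the second answer suggests. The HTTP call is injected as `get_json` so the logic runs offline; `SAMPLE_PAGES` is constructed, not real tenant data.

```python
from typing import Callable, Dict, Iterator, List

GRAPH = "https://graph.microsoft.com/v1.0"
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known appId of Microsoft Graph
SP_QUERY = (f"{GRAPH}/servicePrincipals?$filter=appId+eq+'{MS_GRAPH_APP_ID}'"
            "&$select=appRoles,oauth2PermissionScopes")


def graph_pages(get_json: Callable[[str], dict], url: str) -> Iterator[dict]:
    """Yield every item of a Graph collection, following @odata.nextLink to the
    last page. get_json would be requests.get(url, headers={'Authorization':
    'Bearer ...'}).json() in production; injected here so the paging runs offline."""
    while url:
        page = get_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def granted_scopes(get_json: Callable[[str], dict]) -> Dict[str, List[str]]:
    """Map each clientId in /oauth2PermissionGrants to the delegated scopes granted
    to it. 'scope' is a space-delimited string, often with a trailing blank."""
    out: Dict[str, List[str]] = {}
    for grant in graph_pages(get_json, f"{GRAPH}/oauth2PermissionGrants"):
        out.setdefault(grant["clientId"], []).extend(grant["scope"].split())
    return out


def flatten_permissions(service_principal: dict) -> List[dict]:
    """One row per permission: appRoles are application permissions (always admin
    consent); oauth2PermissionScopes are delegated (admin consent iff type == 'Admin')."""
    rows = []
    for role in service_principal.get("appRoles", []):
        rows.append({"value": role["value"], "kind": "application", "id": role["id"],
                     "description": role.get("description", ""),
                     "enabled": role.get("isEnabled", False), "admin_consent": True})
    for scope in service_principal.get("oauth2PermissionScopes", []):
        rows.append({"value": scope["value"], "kind": "delegated", "id": scope["id"],
                     "description": scope.get("adminConsentDescription", ""),
                     "enabled": scope.get("isEnabled", False),
                     "admin_consent": scope.get("type") == "Admin"})
    return sorted(rows, key=lambda r: r["value"])


# Constructed two-page sample modelled on the grants response quoted above (not real data).
SAMPLE_PAGES = {
    f"{GRAPH}/oauth2PermissionGrants": {
        "value": [{"clientId": "client-a", "scope": "UserProfile.Read "}],
        "@odata.nextLink": f"{GRAPH}/oauth2PermissionGrants?$skiptoken=p2"},
    f"{GRAPH}/oauth2PermissionGrants?$skiptoken=p2": {
        "value": [{"clientId": "client-a", "scope": "user_impersonation"},
                  {"clientId": "client-b", "scope": "UserProfile.Read"}]},
}
```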

Getting user country from googleapis login

I am planning to implement Google sign-in on my website. Currently the information I can get from the following endpoint:
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=
is
{
"iss": "accounts.google.com",
"azp": "313174994260-fba5atonf6j2bei2.apps.googleusercontent.com",
"aud": "313174994260-fba5atonf6j2bei2.apps.googleusercontent.com",
"sub": "116071052965",
"email": "email@gmail.com",
"email_verified": "true",
"at_hash": "abhO2Chk4tDEd",
"name": "Joe Doe",
"picture": "https://lh3.googleusercontent.com/-5_-NHC44/AA/ju8H1MKQF8vMu541xDO8Q/s96-c/photo.jpg",
"given_name": "Joe",
"family_name": "Doe",
"locale": "en-GB",
"iat": "1612148807",
"exp": "1612152407",
"jti": "f338940edea1998fc4b2606c1fd9c43333941a63",
"alg": "RS256",
"kid": "03b2d22c2fecf873ed19e5b8cf704afb7e2ed4be",
"typ": "JWT"
}
How can I get the user country?

OneDrive permissions - get full data using Microsoft Graph API

When setting the permission / access link in OneDrive, there are quite a few options:
But when accessing the file permissions using the Microsoft Graph API
https://graph.microsoft.com/v1.0/users/{user_id}/drive/items/{item_id}/permissions
I do not get the set expiration date, set password or block download;
the response looks like this:
{
"id": "permission_id",
"roles": [
"write"
],
"link": {
"scope": "anonymous",
"type": "edit",
"webUrl": "webUrl"
}
}
How can I get all the data? Should I use a different API?
Seems like the beta version of the Graph API supports this:
https://graph.microsoft.com/beta/users/{user_id}/drive/items/{item_id}/permissions/{permission_id}
will give the following response:
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#users('user_id')/drive/items('item_id')/permissions/$entity",
"expirationDateTime": "2020-04-26T21:00:00Z",
"hasPassword": true,
"id": "permission_id",
"roles": [
"read"
],
"link": {
"preventsDownload": true,
"scope": "anonymous",
"type": "view",
"webUrl": "webUrl"
}
}
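An added example (not part of the answer) that puts the beta-only fields to use from a defender's side: given the `value` array of the beta permissions resource, it flags anonymous sharing links that have no expiration, no password, allow anonymous editing or do not prevent download. Because the v1.0 response omits these fields, a v1.0 permission would be flagged as unprotected; query beta to get the real values. `SAMPLE_PERMISSIONS` is constructed from the two responses quoted above.

```python
from typing import List


def audit_sharing_links(permissions: List[dict]) -> List[dict]:
    """Flag anonymous sharing links lacking the protections the beta permission
    resource exposes: expirationDateTime, hasPassword and link.preventsDownload."""
    findings = []
    for perm in permissions:
        link = perm.get("link") or {}
        if link.get("scope") != "anonymous":
            continue  # 'organization'/'users' links still require sign-in; not audited here
        issues = []
        if not perm.get("expirationDateTime"):
            issues.append("no expiration")
        if not perm.get("hasPassword", False):
            issues.append("no password")
        if link.get("type") == "edit" or "write" in perm.get("roles", []):
            issues.append("anonymous edit")
        elif not link.get("preventsDownload", False):
            issues.append("download allowed")
        if issues:
            findings.append({"id": perm.get("id"), "issues": issues})
    return findings


# Constructed sample modelled on the two responses quoted above (not real data).
SAMPLE_PERMISSIONS = [
    {"id": "perm-edit", "roles": ["write"],
     "link": {"scope": "anonymous", "type": "edit", "webUrl": "webUrl"}},
    {"id": "perm-view", "roles": ["read"], "expirationDateTime": "2020-04-26T21:00:00Z",
     "hasPassword": True,
     "link": {"preventsDownload": True, "scope": "anonymous", "type": "view", "webUrl": "webUrl"}},
    {"id": "perm-org", "roles": ["read"],
     "link": {"scope": "organization", "type": "view", "webUrl": "webUrl"}},
]
```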

Tokens returned by MSAL.JS contain none of the optional claims

The setup is as follows:
A SPA web app that connects to a backend API. It's supposed to log in the user, request an access_token for the API and use it on all requests. Call it the Application.
A backend API that is supposed to receive access_tokens and authorise users based on the groups claim contained in them. Call it the API.
Configuration on the side of Azure AD:
The Application has redirect uris configured and is given an API permission to the API (the API.User scope).
The Backend exposes the API.User scope and authorises The Application as an Authorized client app.
Now, to get the groups claim I've added it to the token configuration in both apps. Since it didn't work, I went and added some more optional claims to see if any of them are returned. They're not. The relevant parts of the manifest look like this:
"groupMembershipClaims": "All",
"oauth2AllowIdTokenImplicitFlow": true,
"oauth2AllowImplicitFlow": true,
"optionalClaims": {
"idToken": [
{
"name": "email",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "groups",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "nickname",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "given_name",
"source": null,
"essential": false,
"additionalProperties": []
}
],
"accessToken": [
{
"name": "email",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "groups",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "nickname",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "given_name",
"source": null,
"essential": false,
"additionalProperties": []
}
],
"saml2Token": [
{
"name": "groups",
"source": null,
"essential": false,
"additionalProperties": []
}
]
}
Both app registrations are configured the same (with respect to the above values).
The frontend code retrieving the token:
this.msalInstance = new Msal.UserAgentApplication(
{
auth: {
clientId: <the Application's client id>
}
}
);
this.msalInstance.handleRedirectCallback((error, response) => {
console.warn("In handleRedirectCallback");
console.warn(JSON.stringify(error));
console.warn(JSON.stringify(response));
});
if (this.msalInstance.getAccount()) {
const request = {
scopes: ['api://<the API client id>/API.User']
}
this.msalInstance.acquireTokenSilent(request)
.then(response => {
console.warn("In acquireTokenSilent then");
console.warn(JSON.stringify(response));
})
.catch(err => {
if (err.name === 'InteractionRequiredAuthError') {
return this.msalInstance.acquireTokenRedirect(request);
}
});
}
else {
const request = {
scopes: ['user.read', 'email', 'openid', 'profile']
};
this.msalInstance.loginRedirect(request);
}
I am clearly doing something wrong, as all access_tokens and id_tokens have the same layout completely independent of any changes I make to the app registrations or the request.scopes. I see that the MSAL request has a claimsRequest field, but it's undocumented and I don't know what should be put there. The MSDN docs make it sound as if all I needed to do was configure the app registration and the claims would be appended to the retrieved tokens, but it's clearly not the case.
Is there something else I have to configure to get the groups claim?
EDIT:
Example id_token layout that I'm getting:
{
"aud": "api://<the Application client id>",
"iss": "https://login.microsoftonline.com/<the Tenant id>/",
"iat": 1585052362,
"nbf": 1585052362,
"exp": 1585056262,
"aio": <Azure AD opaque string>,
"given_name": "<My first name>",
"hasgroups": "true",
"name": "<My account name>",
"nonce": <some guid>,
"oid": "<my account OID>",
"preferred_username": "<my email>",
"sub": <...>,
"tid": "<the tenant id>",
"uti": <Azure AD opaque string>,
"ver": "2.0"
}
Example access_token I'm getting:
{
"aud": "api://<the Application client id>",
"iss": "https://sts.windows.net/<the Tenant id>/",
"iat": 1585052365,
"nbf": 1585052365,
"exp": 1585056265,
"acr": "1",
"aio": <Azure AD opaque string>,
"appid": "<the Application client id>",
"appidacr": "0",
"family_name": <my last name>,
"given_name": <my first name>,
"hasgroups": "true",
"ipaddr": <my ip addr>,
"name": <my account name>,
"oid": <my account oid>,
"onprem_sid": <not sure what this is, but some identifier>,
"scp": "API.User",
"sub": <...>,
"tid": <the tenant ID>,
"unique_name": <my email>,
"upn": <my email>,
"uti": <Azure AD opaque string>,
"ver": "1.0"
}
Since you commented that you are getting the hasgroups claim, it means the groups were not included in the token, most likely because of size restrictions.
The claim is documented here: https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens.
Relevant quote from there:
If present, always true, denoting the user is in at least one group. Used in place of the groups claim for JWTs in implicit grant flows if the full groups claim would extend the URI fragment beyond the URL length limits (currently 6 or more groups)
So 5 is the maximum in implicit flow.
The 200 maximum is for e.g. authorization code flow.
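An added example (not from the question or answer) of how the backend API should handle the situation described above: after the token's signature has been verified, it uses the `groups` claim when present and falls back to a Microsoft Graph lookup when the token only carries `hasgroups` (implicit flow, 6 or more groups) or the `_claim_names`/`_claim_sources` overage markers that other flows use. The Graph call is injected as `fetch_groups` so the logic runs offline; the lookup table in the test is constructed.

```python
from typing import Callable, List


def resolve_groups(claims: dict, fetch_groups: Callable[[str], List[str]]) -> List[str]:
    """Return the caller's group object IDs from an already signature-verified
    Azure AD access token.

    When the token carries 'hasgroups': true (implicit flow) or a '_claim_names'
    entry for 'groups' (other flows) instead of a 'groups' array, the API must
    look the groups up itself, e.g. via Graph's /users/{oid}/getMemberGroups.
    fetch_groups(oid) stands in for that call and is injected by the caller.
    """
    groups = claims.get("groups")
    if isinstance(groups, list):
        return [str(g) for g in groups]
    # The question's token shows hasgroups as the string "true"; docs show a boolean.
    overage = (str(claims.get("hasgroups", "")).lower() == "true"
               or "groups" in claims.get("_claim_names", {}))
    if overage:
        oid = claims.get("oid")
        if not oid:
            raise ValueError("overage token without 'oid'; cannot resolve groups")
        return fetch_groups(oid)
    return []  # no groups claim and no overage marker: treat as member of no groups


def is_authorised(claims: dict, required_group: str,
                  fetch_groups: Callable[[str], List[str]]) -> bool:
    """Authorise only when the verified token's effective groups include required_group."""
    return required_group in resolve_groups(claims, fetch_groups)
```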

Google Calendar Api not asking for Oauth Screen

I have recently used the Google Calendar API.
I have created a project and generated credentials.
For localhost I used the following credential:
{
"installed": {
"client_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
"project_id": "xxxxxx-00000",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_secret": "xxxxxxxxxxxx",
"redirect_uris": [ "urn:ietf:wg:oauth:2.0:oob", "http://localhost" ]
}}
It was asking for OAuth and working fine as well.
But when I wanted to make requests from a web server I changed the credential, and it was:
{
"web": {
"client_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
"project_id": "xxxxxxxx-99999",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_secret": "xxxxxxxxxxxxxxxxxxxxxxx",
"redirect_uris": [ "http://demo.mydemo.com" ],
"javascript_origins": [ "http://demo.mydemo.com" ]
}}
But it is neither redirecting for OAuth (authentication) nor asking for permission, and not even throwing any error/exception.
