The secrets.example.js file at the following location has an ACCESS_TOKEN property. Where do I get it from?
https://github.com/microsoftgraph/msgraph-sdk-javascript/blob/dev/samples/browser/secrets.example.js
You'll need to obtain an access token by first registering an application, specifying the scopes you need, and then obtaining consent from a user or tenant admin. We recommend using an authentication library like MSAL (Microsoft Authentication Library).
If you're just prototyping, you can grab an access token from Graph Explorer to run the sample.
Here is some additional information about auth tokens and Graph
Related
I am using the Microsoft Graph API and the Microsoft Dataverse Web API in a single application. Because of this, I have to get two different access tokens, one for each, by adding a different value for the resource key. Is it possible to generate a single token that can be used for both?
This might also be achieved through the refresh token: use it to get an access token for the individual endpoints with the same scopes that were authorized when you requested Graph access (scopes).
E.g. if you requested Mail.Read (https://graph.microsoft.com/mail.read), you can go back to the token-issuing endpoint with the refresh_token and scope="https://outlook.office.com/mail.read" and get an access_token for this endpoint.
You can use the On-Behalf-Of grant to exchange the token for a new one, only this time addressed to the resource you need. Please refer to this document.
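The point both answers make is that an Azure AD access token is bound to one resource (its `aud` claim), so an app that talks to Graph and to Dataverse needs one token per resource and can redeem the same refresh token once for each. The broker below is an added example, not code from the question or either answer: it keeps a single refresh token, issues one `refresh_token` grant per resource, caches the result per resource, and keeps the rotated refresh token that the v2.0 endpoint may return. The token endpoint URL is the well-known v2.0 endpoint with `common` standing in for a tenant ID; the client ID, the `contoso.crm.dynamics.com` Dataverse host and `fake_token_endpoint` (which mints unsigned tokens so the example runs offline) are constructed for the demonstration.

```python
import base64
import json
from urllib.parse import urlsplit

# Well-known Azure AD v2.0 token endpoint; "common" is a placeholder for a tenant ID.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Graph tokens may carry this as aud instead


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_payload(token):
    """Read a JWT's payload without verifying it; enough to inspect `aud` for caching."""
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def resource_of(scope):
    """'https://graph.microsoft.com/Mail.Read' -> 'https://graph.microsoft.com'."""
    parts = urlsplit(scope)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"scope {scope!r} does not name a resource")
    return f"{parts.scheme}://{parts.netloc}"


class TokenBroker:
    """Holds one refresh token and hands out one access token per resource."""

    def __init__(self, client_id, refresh_token, post_form):
        self.client_id = client_id
        self.refresh_token = refresh_token
        self.post_form = post_form   # callable(url, form_dict) -> parsed JSON reply
        self._cache = {}             # resource -> access token

    def token_for(self, *scopes):
        # One refresh call can only target one resource, so all scopes must share it.
        resources = {resource_of(s) for s in scopes}
        if len(resources) != 1:
            raise ValueError(f"scopes span several resources: {sorted(resources)}")
        resource = resources.pop()
        if resource in self._cache:
            return self._cache[resource]
        reply = self.post_form(TOKEN_ENDPOINT, {
            "client_id": self.client_id,
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "scope": " ".join(scopes),
        })
        if "error" in reply:
            raise RuntimeError(f"{reply['error']}: {reply.get('error_description', '')}")
        # The v2.0 endpoint may rotate the refresh token; always keep the newest one.
        self.refresh_token = reply.get("refresh_token", self.refresh_token)
        token = reply["access_token"]
        aud = jwt_payload(token).get("aud")
        if aud != resource and not (resource == GRAPH and aud == GRAPH_APP_ID):
            raise RuntimeError(f"token audience {aud!r} is not {resource!r}")
        self._cache[resource] = token
        return token


def fake_token_endpoint(url, form):
    """Constructed stand-in for login.microsoftonline.com: mints an unsigned token
    whose `aud` is the resource named by the scopes and rotates the refresh token.
    A real deployment POSTs `form` to `url` with an HTTP client instead."""
    assert url == TOKEN_ENDPOINT and form["grant_type"] == "refresh_token"
    resource = resource_of(form["scope"].split()[0])
    header = b64url(b'{"alg":"none","typ":"JWT"}')
    body = b64url(json.dumps({"aud": resource, "scp": form["scope"]}).encode())
    return {
        "token_type": "Bearer",
        "access_token": f"{header}.{body}.",
        "refresh_token": form["refresh_token"] + "'",
    }
```

Ask for every scope you need on a resource in one `token_for` call; the cache is keyed by resource, so a later call for a scope that was not in the first request would be served the earlier, narrower token.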
Currently I have this setup:
At login, and in every subsequent request after login, a mobile application that I have built uses Basic Authentication to authenticate the user with a web service that serves the app the information it requests.
On every request the Authorization header is inspected, the username and password are extracted from the header, the password is hashed using a proprietary DLL (so the web service doesn't actually contain the hashing algorithm) and compared to the hashed password associated with the username that is stored in the database.
I have now been asked to include Azure AD SSO in the login options.
After reading much about the topic, this seems to me like the setup:
I'm curious about a few things:
Is this setup correct, more or less?
Does the app send the identity token to the web service? If so, how does the web service validate that token?
Is it correct that the web service can match the Azure identity to the DB user using one of the claims in the security token?
Where do access tokens fit in this picture?
Thanks for the help!
(Side note: I know that Basic Authentication is not the preferred way to go in the first scenario. This was a temporary decision until we developed the token handling code; it only works over HTTPS and this is an internal application - you wouldn't be able to activate the app unless you have a code we give you.)
I have little experience with Azure AD, but I think we could talk about your case.
First, the id token and the access token are both JWT tokens, so in your web service application you need to use a JWT decode library to decrypt the token and get the claims it contains. Here we need to know the difference between an id token and an access token, and I think you'll see that for your web service application, if it is more likely to play the role of an API application, you need to use the access token, because this token also contains user information. Then you need to add code to your program to decode the token and check whether it's a 'valid' token for the request. (Because you've used Azure AD for the login part, you don't need to use your custom login part.)
Next, the sign-in feature provided by Azure AD requires using an account and password in the tenant that the Azure AD belongs to; the user accounts may look like xx#xx.onmicrosoft.com. They aren't required to be kept in sync with the accounts in your database, so it's difficult and needless for you to compare the user name obtained from the decoded token with those in your database, because when your web service receives the token (id or access token), that means someone has passed authentication with Azure AD. The token contains user information including role, expiry time etc. You need to check whether the token has expired and whether it has the correct scope. (Let's look at a common situation: Microsoft provides many Graph APIs to call; when accessing these APIs, we need to provide an access token in the request header with the matching scope, e.g. https://graph.microsoft.com/v1.0/me requires a delegated API permission of User.Read.)
To sum up: if your web service just requires the users in your database to sign in before it can be accessed, the id token and the access token are both suitable for you, because they both contain a user name like 'xx#xx.onmicrosoft.com'. What you need to do is decode the token, check whether it has expired, and check whether this user exists in your database (you may set up a mapping between them).
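As an added example (not code from the question or the answer) of what "decode the token and check whether it's valid" looks like in the web service: the function below replaces the Basic-auth lookup with a bearer-token check that pins the signing algorithm, verifies the signature, checks `iss`, `aud`, `exp`/`nbf` and the `scp`/`roles` permission, and then maps the caller to a local user. The mapping uses the `tid` + `oid` claims rather than the user name, because the object ID is immutable while `upn`/`preferred_username` can be renamed. Azure AD signs tokens with RS256 using keys published at the tenant's discovery endpoint; to keep this example runnable offline it uses HS256 with a constructed shared key, and the issuer, audience, scope name, tenant/object IDs and `USERS` table are all placeholders.

```python
import base64
import hashlib
import hmac
import json

# Placeholders for values that come from your app registration.
ISSUER = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0"
AUDIENCE = "api://my-web-service"       # App ID URI (or client ID) of the web service
REQUIRED_PERMISSION = "access_as_user"  # delegated scope the mobile app was granted


class TokenError(Exception):
    """Any reason the request must be answered with 401."""


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims, key):
    """Constructed token for the demo. Azure AD signs with RS256, not a shared key."""
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def validate_token(token, key, now, skew=300):
    """Verify signature and claims; return the claims or raise TokenError.
    In production replace the HS256 check with RS256 against the keys from
    https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys."""
    try:
        h, b, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(b))
        sig = b64url_decode(s)
    except ValueError as e:
        raise TokenError(f"malformed token: {e}")
    # Pin the algorithm; never let the token choose (rejects alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    if claims.get("iss") != ISSUER:
        raise TokenError("issued by another tenant or endpoint")
    if claims.get("aud") != AUDIENCE:
        raise TokenError("token was issued for a different API")
    if now > claims.get("exp", 0) + skew:
        raise TokenError("expired")
    if now < claims.get("nbf", 0) - skew:
        raise TokenError("not yet valid")
    scopes = set(claims.get("scp", "").split())   # delegated (user) tokens
    roles = set(claims.get("roles", []))          # app-only tokens
    if not scopes and not roles:
        raise TokenError("neither scp nor roles present")
    if REQUIRED_PERMISSION not in scopes | roles:
        raise TokenError(f"missing permission {REQUIRED_PERMISSION}")
    return claims


# Constructed stand-in for the service's user table, keyed by (tid, oid).
USERS = {("11111111-2222-3333-4444-555555555555",
          "aaaaaaaa-0000-0000-0000-000000000001"): "alice"}


def authenticate(authorization_header, key, now):
    """Replaces the Basic-auth lookup: header -> validated claims -> local user."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise TokenError("expected a Bearer token")
    claims = validate_token(token, key, now)
    user = USERS.get((claims.get("tid"), claims.get("oid")))
    if user is None:
        raise TokenError("signed in with Azure AD but not provisioned in this service")
    return user
```

Provision the (tenant ID, object ID) pair when a user is first linked to a DB account; after that the user name in the token is informational only.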
I am trying to get an access token to upload large files as described in the docs.
I am using the client credentials grant flow to get an access token per the documentation. I got an access token using that flow.
I tried to use that access token with this URI:
/v1.0/users/{userId}/drive/items/{itemId}/createUploadSession
but it gives me an error: "AccessDenied Either scp or roles claim need to be present in the token".
I have granted admin permission for the app. I have tried this flow both in Postman and in code, but both give the same error.
Well, as Marc pointed out, Sites.ReadWrite.All was the only permission I needed; it was just that the permission had not been accepted by the admin, so the roles were not visible in my access token. Now I am able to call the Graph API using that access token.
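The error in this thread is worth checking for before calling Graph at all: a delegated token carries its permissions in `scp`, an app-only (client credentials) token carries them in `roles`, and until an admin consents to the application permissions the token carries neither. The following is an added example, not code from the question or answer: it builds the client-credentials request body (which must ask for the resource's `/.default` scope) and classifies a token by which claim it carries, so a token that would be rejected with "Either scp or roles claim need to be present" is caught locally with a pointer to the missing consent. `unsigned_token` only exists to construct sample tokens for the demo; the client ID and secret are placeholders.

```python
import base64
import json
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com"


def client_credentials_form(client_id, client_secret):
    """Form body POSTed to https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token.
    App-only requests ask for the resource's /.default scope; the `roles` that end
    up in the token are whatever application permissions an admin has consented to."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": f"{GRAPH}/.default",
    })


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_payload(token):
    """Decode the payload without verification (fine for inspecting your own token)."""
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def unsigned_token(claims):
    """Constructed, unsigned token for the demo; never accept such tokens server-side."""
    header = b64url(b'{"alg":"none","typ":"JWT"}')
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def permission_kind(token):
    """('delegated', scopes) for a user token, ('app', roles) for an app-only token,
    (None, set()) when the token carries neither claim."""
    claims = jwt_payload(token)
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    if "roles" in claims:
        return "app", set(claims["roles"])
    return None, set()


def check_can_call(token, required):
    """Raise PermissionError with the likely fix instead of letting Graph answer 403."""
    kind, perms = permission_kind(token)
    if kind is None:
        raise PermissionError("token has neither scp nor roles: admin consent for the "
                              "app's application permissions has not been granted yet")
    if required not in perms:
        raise PermissionError(f"{kind} token lacks {required}; it carries {sorted(perms)}")
    return kind
```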
I have created a new ASP.NET Core 2 web application. I'm using individual user accounts and added my Microsoft account for external authentication. All of this works as expected.
Now I want to use Microsoft Graph to read my .live profile and eventually read my mailbox and things like that.
I created an authentication provider and I'm able to get an access token back, but when I try to use the access token I get an Authorization_IdentityNotFound error, although my clientId and secret are correctly entered.
I think it's caused by the fact that I'm not using the proper parameters to request the access token. I think I'm missing the authorization response code that is normally returned when I sign into my .live account.
Does anyone know how to retrieve that response code, or have a working example in ASP.NET Core 2? The only sample I can find is in .NET Core 1.1 and things have changed rather drastically since then.
You're confusing a few different systems here.
In order to access the Microsoft Graph API you'll need to pass an access token in the Authorization header of your call. This is used to provide Microsoft Graph both with your identification and with where your data is stored (your tenant).
The actual access token isn't issued by Microsoft Graph; it is issued by your tenant. For work/school accounts this is the Azure Active Directory tenant where your account lives. For personal accounts this is the Outlook.com tenant.
Prior to receiving an access token, you first retrieve an authorization code. This is returned to the redirect_url you passed to login.microsoftonline.com after you've entered your credentials. Your app then takes this authorization code and exchanges it for an access token that you'll use to call Microsoft Graph.
If you're looking for an authentication library to handle this process, you should use MSAL.NET. You can find instructions for using this library in the microsoft-authentication-library-for-dotnet repository on GitHub.
Once you have a token, you can either call Microsoft Graph directly or you can leverage the Microsoft Graph Client Library for .NET.
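The two-step exchange the answer describes (authorize request returns a code to your redirect URI, the code is then exchanged at the token endpoint) is shown below as an added example; it is not code from the question, the answer or MSAL.NET, and uses Python rather than ASP.NET Core so that it runs stand-alone. It adds the two checks a web app should make around that exchange: a `state` value that is generated per login and verified when the code comes back, and a PKCE `code_verifier`/`code_challenge` pair so an intercepted code cannot be redeemed without the verifier. The authorize and token URLs are the well-known v2.0 endpoints with `common` standing in for a tenant; the client ID, secret and `https://localhost:5001/signin-oidc` redirect URI are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Well-known Azure AD v2.0 endpoints; "common" is a placeholder for a tenant ID.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token"


def new_verifier():
    """PKCE verifier: 86 URL-safe characters, inside RFC 7636's 43..128 range."""
    return secrets.token_urlsafe(64)


def code_challenge(verifier):
    """S256 challenge: base64url(sha256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorize_url(client_id, redirect_uri, scopes, state, verifier):
    """Step 1: where to send the browser. Store `state` and `verifier` in the session."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(callback_url, expected_state):
    """Step 2: parse the redirect back from login.microsoftonline.com. The code is
    only accepted when `state` matches the value stored in the user's session."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"{query['error'][0]}: {query.get('error_description', [''])[0]}")
    if query.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: possible CSRF or a stale login attempt")
    if "code" not in query:
        raise RuntimeError("callback carried no authorization code")
    return query["code"][0]


def token_request_form(client_id, client_secret, redirect_uri, code, verifier, scopes):
    """Step 3: form body POSTed to TOKEN_ENDPOINT to exchange the code for tokens."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,     # confidential web app; omit for public clients
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,       # must match the authorize request exactly
        "code_verifier": verifier,
        "scope": " ".join(scopes),
    }
```

Request `offline_access` alongside the Graph scopes if the app needs a refresh token; the access token in the reply goes in the `Authorization: Bearer` header of each Graph call.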
I need to generate or make a URL link with an inline token that I can send to the user's email for a one-time login.
I found how to get an access_token for a user to redirect to my endpoint (How do I obtain an OAuth token from WSO2 using the Consumer Key/Secret?), but I don't understand what to do next. I found how to validate a token and refresh it, but nothing about logging on by token.
I need something like https://my_wso2is/auth_token?token=37133621-f099-33c4-b686-c017ed229fc0
You can use OIDC in order to get the user authenticated and then allow access to your application. You can find more information in [1] about how WSO2 IS works with OIDC, using one of the sample applications, named Playground.
[1] https://docs.wso2.com/display/IS500/OpenID+Connect+with+the+WSO2+Identity+Server+and+WSO2+OAuth2+Playground