I have seen other posts that are very similar, but I don't find a real answer. Some say "it is coming", those are old.
I am authenticating with the Admin credentials to our O365 and trying to pull calendar information. The Scope has Calendars.ReadWrite (which falls under App-Only and Delegate as far as scopes), but it always returns a 403. ErrorAccessDenied, "Access is denied. Check credentials and try again"
The Graph doc for calendar views shows it can send in users/{id} in the request, and the id's came back when I listed all the users. Of course if I use mine, it works.
If there really is an App-Only scope vs a Delegate scope for this same scope name, how do you specify that?
Is there something I have to specify in O365 for my admin user so it has rights? I can delete or create any user with that account in O365, so it appears it should have what it needs.
Thanks
So, App-Only has a slightly different flow.
First, instead of authenticating the user at "https://login.microsoftonline.com/common/oauth2/v2.0/authorize", you authenticate them at "https://login.microsoftonline.com/common/adminconsent".
Second, you pass in the same parameters minus "scope". Scope is determined by your Application Permissions defined in you application that you registered at apps.dev.microsoft.com.
Third, when you receive your callback you will not have a "code" to use to go and retrieve your Access and Refresh tokens. Instead, you will receive a "tenant" property and an "admin_consent" property. "admin_consent" will tell you whether you have the rights or not.
Fourth, when requesting your access token, you will not supply the "scope" or "code" parameters, but you will provide a "resource" parameter, with the value "https://graph.microsoft.com".
Lastly, the URL you contact to get the token will change from "https://login.microsoftonline.com/common/oauth2/v2.0/token" to "https://login.microsoftonline.com/{tenant}/oauth2/token", where {tenant} will be the value returned.
Please note that in the URL that "v2.0" is missing. That isn't a typo. If you do not remove that from the path you will get errors about an invalid or missing "scope" parameter.
Once it successfully returns your Access and Refresh token, the flow seems to follow normal delegated access.
Here are a couple of links that Microsoft gave me, with their guidance to help figure this out.
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes#using-the-admin-consent-endpoint
https://developer.microsoft.com/en-us/graph/docs/authorization/app_only
(Big Thanks to Jeff at Microsoft)
Latest doc is here: https://learn.microsoft.com/en-us/graph/auth-v2-service
I followed it and I was able to read/write other's calendar with permission Calendars.ReadWrite.
Related
I'm having some issues with the List joinedTeams graph api endpoint.
I was expecting that me/joinedTeams would give the same result as users/my-user-id/joinedTeams, however the first one only returns one team and the second returns multiple (haven't checked if it's complete).
So the question is, did I find a bug in the Graph API or is there something else going on?
I'm using delegated permissions
I've checked the token at jwt.ms, the aud is 00000003-0000-0000-c000-000000000000 and it includes the following scopes:
Directory.Read.All
Group.Read.All
Member.Read.Hidden
Team.ReadBasic.All
User.Read
Update: It seems I can no longer reproduce the issue, so I'm concluding that there was some short issue with syncing between the Azure AD and the responding Graph API server.
My idea is the same as #Ergec, you need to make sure you are using the same user id.
I just tested these two APIs with graph-explorer and they did return the same result to me.
I suggest you first request the /me endpoint to get the id, then paste it to the /users endpoint, making sure they use the same id.
1.
2.
I want to use microsoft graph API in my application without user. For I got access token by tenant id (a8ef7dd1-217d-430f-9ba0-4dd465b9098d) using this url
https://login.microsoftonline.com/a8ef7dd1-217d-430f-9ba0-4dd465b9098d/oauth2/v2.0/token
I see correct result after this request.
Afte that I try to get user using this url
https://graph.microsoft.com/v1.0/users
It also works fine for me.
Example response: {"#odata.context":"https://graph.microsoft.com/v1.0/$metadata#users","value":[{"businessPhones":[],"displayName":"IOTA CLM","givenName":"IOTA","jobTitle":null,"mail":null,"mobilePhone":null,"officeLocation":null,"preferredLanguage":null,"surname":"CLM","userPrincipalName":"clm-iota_outlook.com#EXT##clmiotaoutlook.onmicrosoft.com","id":"50ecbaed-9cee-411f-abb6-5e53e2a1051a"}]}
But if I try to get mailFolders using next get request
https://graph.microsoft.com/v1.0/users/50ecbaed-9cee-411f-abb6-5e53e2a1051a/mailFolders
I see 404 error :
"code": "ResourceNotFound",
"message": "Resource could not be discovered."
What I missed?
Are you sure that that user has a mailbox?
Make sure you have the correct permissions? To access mail, you require Mail.Read application permissions that have been admin consented. https://learn.microsoft.com/en-us/graph/api/user-list-messages?view=graph-rest-1.0
You can admin consent where you've registered the application in the portal in the "Permissions" tab of the application. https://aad.portal.azure.com
I've had the same error.
You probably didn't assign a license while adding users at https://admin.microsoft.com
If you go to the Microsoft site, you will find that you need to license Exchange Online to use the Exchange Online feature.
https://learn.microsoft.com/en-us/exchange/exchange-online
Check it out!
I gave my application the following scopes:
SCOPES = [ "Calendars.Read", "User.Read.All" ]
I got an access token. With this token I am able to get the users and I get two users back which is correct.
When I then ask for the calendar of myself (admin):
https://graph.microsoft.com/v1.0/users/stijn#temponia.onmicrosoft.com/calendarview?startDateTime=#{start_date.to_s}&endDateTime=#{end_date.to_s}
This also works perfectly. However when I do this for the other user:
https://graph.microsoft.com/v1.0/users/frank#temponia.onmicrosoft.com/calendarview?startDateTime=#{start_date.to_s}&endDateTime=#{end_date.to_s}
I get this error message:
Access is denied. Check credentials and try again.
According to the documentation: https://graph.microsoft.io/en-us/docs/authorization/permission_scopes
Calendars.Read: Read calendars in all mailboxes: Allows the app to read events of all calendars without a signed-in user.
The scope I got back together with the access token was this: "calendars.read user.read.all" so it got accepted.
What am I missing here?
We are working to support the scenario you are requesting (Accessing other users' calendars) but the feature hasn't shipped yet. Stay tuned ...
UPDATE: Please take a look at using client credential flow. The blog post https://blogs.msdn.microsoft.com/exchangedev/2015/01/21/building-daemon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow/ explains how to do this for Outlook API endpoint. But you should be able to follow the instructions for Microsoft Graph as well.
The app will require an admin to consent, and then can access calendar of any user in the organization, as long as their mailbox is in Office 365.
I am trying to get fetch user's profile using Google OAuth2 api. After user authentication, on the consent page, I am always asked for "Have Offline Access"
The URL in browser looks like :-
https://accounts.google.com/o/oauth2/auth?scope=email&response_type=code&redirect_uri=https://localhost/google_oauth2_login&state=YbzrDo&client_id=asdfasdf-60qhnqf6asdfasdfasdfcopo3plhoj.apps.googleusercontent.com&hl=en-US&from_login=1&as=604c0f3asdfasdf
As visible in the URL above, I have passed scope parameter as 'email'
Google Auth API page says:-
"This scope requests that your app be given access to:
the user's Google account email address. You access the email address
by calling people.get, which returns the emails array (or by calling
people.getOpenIdConnect, which returns the email property in
OIDC-compliant format). the name of the Google Apps domain, if any,
that the user belongs to. The domain name is returned as the domain
property from people.get (or hd property from getOpenIdConnect). This
email scope is equivalent to and replaces the
https://www.googleapis.com/auth/userinfo.email scope."
Why I am asked for Offline Access every time?
I had the same problem, and after googling for a long while, I found this link:
"This app would like to: Have offline access" when access_type=online
it suggests to remove 'localhost' in the redirect_uri, and it works for me.
Because you are redirecting back to http(s)://localhost:/. This makes sense because any app that requests redirection to localhost is obviously running locally.
Redirect it to a public web address and it will not bother you.
if you are using node js module 'everyauth' , you can override the googles default value by
.authQueryParam({ access_type:'online', approval_prompt:'auto' })
There are two parameters which can cause this prompt:
access_type (if it is 'offline', get refresh token)
approval_prompt (if it is 'force')
A reference about this can be found here.
Try to change the approval_prompt parameter to 'auto' or add it to your request and check the access_type parameter to 'online' or add it to your request.
Looks like you have registered your client as a "Native Application" instead of a "Web Application". Native apps get a refresh token by default which is a long lived token, for which the Resource Owner gets a notification and a consent screen because of its inherent security implications. Change your client type to "Web Application" assuming that's what it is...
The scenario is I want to post some details on a facebook page created by me from my other app. So want to know how can we give access to app through access token means how can we get the access token for this?
Thank You
Regards
Yes, take a look at the following URL and the "Page Access Tokens" section for information on how to do obtain a token.
API - Obtain Page Token
Note, however, that there is a known issue when trying to use the links api point, if you intend to define your own link in the post.
Bug report
You'll probably want to use the feed API point instead. I've not actually managed to get this working yet though, and I'm awaiting feedback from FB themselves. I'll update you if/when I hear something useful back.
Good luck.
You can get the access_token for you page by enabling the manage_pages permission, and then calling the API endpoint: /me/accounts to get the access_token for all the pages you manage.
You can then use this access token to post to your page using the Graph API call: /{page_id}/feed