I try to request all Office Planner Plans and Tasks of all users via Microsoft Graph API. This is a Console Application and should run as Azure WebJob. I'm struggling with the Access Token.
With an user Token I receive 403 (Forbidden) on https://graph.microsoft.com/beta/users/{userid}/plans.
AuthenticationContext authenticationContext = new AuthenticationContext($"https://login.microsoftonline.com/{TenantName}", false);
var authTask = authenticationContext.AcquireTokenAsync("https://graph.microsoft.com", _config.ClientIdUser, new UserPasswordCredential(_config.Username, _config.Password));
uthTask.Wait();
AuthenticationResult userAuthnResult = authTask.Result;
var token = userAuthnResult.AccessToken;
With an app only Access Token I can't request the Graph API. I read somewhere that I have to use an app+user token but how can I request such a Token?
You can only request an app+user token in the first place from an interactive application where the user can consent and provide their credentials in a Microsoft-owned user experience. As part of that OAUTH flow you can then request a refresh token which you can store securely and pass to your webjob to run the later task.
Related
Code snippets for Building OAuth 2.0 credentials :
Credential credential = new GoogleCredential.Builder().setTransport(httpTransport)
.setJsonFactory(jsonFactory)
.setClientSecrets(myAppClientID, myAppSecret)
.build();
credential.setRefreshToken(userRefreshToken);
I am using Java Library in order to get the Google Analytics Data.
I do have Client ID, Secret and Refresh Token. I am accessing Google Analytics API though this credentials information,
My question is, Will Google OAuth 2.0 take care of Access Token Automatically? Or Do i need to handle it manually with some mechanism? If i am not passing access token to this code.
From the Credential API doc:
Thread-safe OAuth 2.0 helper for accessing protected resources using
an access token, as well as optionally refreshing the access token
when it expires using a refresh token.
So if you don't specify an access token, it will be automatically fetched using the refresh token. But since you already have an access token, I would say it's good to set it - it will save the first network call to the /token endpoint.
I am developing a python app where I'd like to access my AdWords account using the installed app flow, and would like to use the best practice mentioned in the Distributed Apps section on that page. My AdWords API usage boils down to:
Initiate an Oauth2 flow, and retrieve a refresh token and access token when a user logs in to my website, and gives me permission to access their AdWords account
Use the retrieved refresh token and access token to access some basic AdWords information from the user, and save these tokens for later usage
Retrieve the access token saved in step #2, to periodically make AdWords api calls on behalf of the user
If the access token has expired, use the refresh token saved in step #2 to mint a new access token.
Step #1 is easy, and well documented here:
flow = OAuth2WebServerFlow(client_id='your_client_id',
client_secret='your_client_secret',
scope='https://www.googleapis.com/auth/calendar',
redirect_uri='http://example.com/auth_return')
auth_uri = flow.step1_get_authorize_url()
credentials = flow.step2_exchange(code)
Step #2 is also well documented here:
oauth2_client = oauth2.GoogleRefreshTokenClient(
client_id, client_secret, refresh_token)
adwords_client = adwords.AdWordsClient(
developer_token, oauth2_client, user_agent,
client_customer_id=client_customer_id)
But I can't figure out how to authenticate using just the access token. The googleads.adwords.AdWordsClient class is essential here, because that's my way of interacting with the AdWords API. But I can't seem to figure out how to instantiate that class without a GoogleRefreshTokenClient object. And instantiating the GoogleRefreshTokenClient object requires a refresh token and not an access token. I don't want to instantiate an GoogleRefreshTokenClient object every time I need to make an AdWords API call, because that will force me to generate a new access token every time, making me violate Google Terms of Service.
I would like to access a user's one drive to upload a document or retrieve a document using Graph API.
I've seen multiple examples over the net which requires using the standard login page for the user to login. You need to get the authorization code from the login page and then use it to get a token, which finally can be used to access a resource like drive.
Am looking for a way to do this without going through the login page. I can have my own login page where I can request user to login.
In short, I want to access drive resource of Graph API using a REST client like Postman (right from authorization to accessing the resource). Is this possible?
Yes, it is possible if you have the right information - all you need to do is to get a delegated access token.
Explanation:
When dealing with access to resources, Microsoft Graph has two levels of access token requirements:
Most methods support Application only tokens, meaning once an OAuth app has consent it can access the resource whenever it wants.
But for some methods, it is not enough (they are too sensitive for an automated process) and require a Delegated token, meaning token which contains both a valid Client and User. You can see in each method documentation which token it requires.
Normally delegated access tokens are the result of the two major OAuth flows which require user interaction (Authorization Code Grant and Implicit Grant) but you can also get them from two other flows: Resource Owner Credentials Grant and On-Behalf-Of Grant, which are both supported by Microsoft.
For a full guide on how to setup everything you need in order to use those flows (including Postman examples) you can look at my article:
Getting Access Token for Microsoft Graph Using OAuth REST API
Yes this is possible. Essentially you grant access application access to Graph API instead of a user.
The documentation for such access is here:
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
You'll still need to a request a bearer token to send with all your REST requests, but the bearer token will be for the application itself and not a user.
I set this up for one of my applications using the Graph SDK for .NET, so if you need specific examples for Graph SDK for .NET let me know.
Although this is possible, it's strongly recommended not to do this for individual user access. The Microsoft Graph only supports OAUTH 2.0 as its authZ protocol, and we recommend that you use the flows within OAUTH where the trusted authority be the one to directly handle login credentials. Allowing application code to provide the forms UI for login credentials would open up the attack vector where your app would have direct access to the user's O365 password, which is not a secure approach.
I've found the documentation is not helpful, especially in terms of trying to acces the Graph API in the application context. But, I managed to get the access token in the context of the application here:
private static async Task<string> AcquireToken()
{
var tenant = "yourtenant.onmicrosoft.com";
var resource = "https://graph.microsoft.com/";
var instance = "https://login.microsoftonline.com/";
var clientID = "YourappID";
var secret = "YourAppSecret";
var authority = $"{instance}{tenant}";
var authContext = new AuthenticationContext(authority);
var credentials = new ClientCredential(clientID, secret);
var authResult = await authContext.AcquireTokenAsync(resource, credentials);
return authResult.AccessToken;
}
Yes, It is possible to access onedrive shared folder with the help of shared url without userlogin.
first you need to get an access token, to hit any microsoft graph API you need access token. follow the link to get access token without user login access token
Encode shared url.
string sharingUrl = "https://onedrive.live.com/redir?resid=1231244193912!12&authKey=1201919!12921!1";
string base64Value = System.Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(sharingUrl));
string encodedUrl = "u!" + base64Value.TrimEnd('=').Replace('/','_').Replace('+','-');
Discovering an endpoint https://learn.microsoft.com/en-us/onedrive/developer/rest-api/concepts/direct-endpoint-differences?view=odsp-graph-online#discovering-an-endpoint
-for OneDrive personal accounts https://api.onedrive.com/v1.0/shares/{shareIdOrUrl}/driveItem?$expand=children
OneDrive for Business and SharePoint
https://graph.microsoft.com/v1.0/shares/{shareIdOrUrl}/driveItem?$expand=children
I am developing an app for salesforce. For authentication I am using the web server flow.
In salesforce OAuth implementation the session id is the same as access token. When I get the new access token (through refresh token method), what's the proper method to pass it to the client. Should I explicitly set the session ID to the new access token?
Assuming you included the web or full scopes when requesting the OAuth 2.0 access token then it can be used interchangeably with a Session Id.
You put the access token into a sid cookie are redirect to the correct instance/pod.
Better yet, you can use the frontdoor.jsp to setup the required cookies. See Using frontdoor.jsp to login to Salesforce UI and Communities
The client can handle this by having some logic for handling a request to the Salesforce API which fails with an Unauthorized response. When an Unauthorized response is received the client can ask your web server for a new access token / session id.
Alternatively you'd have to use WebSockets or some push technology to push the new access token to the client when the web server refreshes the token.
I am using Oauth to access Google Cloud Storage via their JSON API.
All is fine, I authenticate and get an access token which has an expiration of 3600.
What is the correct way to refresh this?
It is my understanding that in other types of oAuth flows (i.e. Web Server), the initial authorization request returns a refresh token as well as an access token, and that the refresh token is used to ask for another access token when the current access token has expired.
But is appears that there is no refresh token when doing server-to-server oAuth with a Google "Service Account"?
Found the answer.
https://developers.google.com/accounts/docs/OAuth2ServiceAccount#expiration
Access tokens issued by the Google OAuth 2.0 Authorization Server
expire one hour after they are issued. When an access token expires,
then the application should generate another JWT, sign it, and request
another access token.