Ran into a roadblock when trying to implement people search (using names or whatever else) from an app-only authenticated bot. Is there a way for the bot to query the graph without it having an identity? I can do this:
GET "https://microsoft.graph.com/beta/users/" + userPrincipalName + "#hooli.com"
But I can't do this:
GET "https://microsoft.graph.com/beta/me/people/?$search=" + "\"" + query + "\""
It makes sense, the bot isn't a user object. I just wanted to see if you had any suggestions for this scenario. (The idea is for this bot to be published to SharePoint, and eventually to SfB when that becomes a real option.)
Very cool that you are connecting to Microsoft Graph with a bot scenario! Couple of things here. Firstly the /me construct requires that a user is signed in, as /me is an alias for the currently signed-in user. App-only will not work with this request, as you have discovered. You've also discovered that you can do a more rudimentary search only through the users entity. You can do something a bit smarter here by using a startswith search together with an "or" conjunctive clause (see below). However $search is not currently supported for the users entity.
GET https://graph.microsoft.com/v1.0/users?$filter=startswith(displayName,'xxx') or startswith(mail, 'xxx') or startswith(userPrincipalName, 'xxx')
Secondly the people entity is a search that is done from the point of view of the signed-in user. It can't currently be done by app-only (people is only supported under me). Will need to get others to provide some info on whether a generic people search will be supported through this API. Also people is still in preview.
Please let us know if the suggested workaround (using startswith) is adequate for now, and can be replaced later once there is a more powerful $search support.
One other thing - if the user is interacting with the bot (say through a web site or a mobile client) - could the user be signed in already, and the bot use the on behalf of flow to call into MS Graph from your bot as the user?
Hope this helps,
Related
I am using the Survey Monkey api to get the url's of surveys I have created which allows me to display surveys from within my application. To do this I have to send my key and authorization with the request.
What concerns me is that Survey Monkey has an api 'create_flow' that allows surveys to be created. Using fiddler I can see my requests including the key and authorization token. As far as I can see, this means that anyone could use this information to access the api and create a new survey on my account, which I do not want.
Is there any way to stop someone from creating new surveys using the API and the auth token? I'm not really bothered about people getting access to the survey details or Uri's as all they can do is post junk survey results that only I will see, but I absolutely don't want anyone else to be able to create a survey that will be presented to all my users with potential malicious text.
It is not possible to make an account read-only.
So if I'm understanding correctly, you're shipping an application which contains your api_key and access token?
This is very much not recommended - the access token is equivalent to your account password, it gives full access to your account.
If you want a way to dynamically list your surveys, the best way to do it is create a proxy web app / API you host yourself. When someone hits that address, it uses the access token / api key you've stored on your box and grabs the list of surveys and then returns it to your app. This is the only safe way to do this.
Using MVC4, I would like to get the recent Tweets (3) of user's without having to request access from them, because that is a pain for the user. This is also because a user may be viewing another user and I would also like to display their Tweets.
This was fairly simple with Twitter API v1:
$.ajax({
url: 'https://api.twitter.com/1/statuses/user_timeline.json?count=3&screen_name=' + twitterUser,
...
});
..but its deprecated and will stop working in about two months from now.
I'm new to Oauth and have struggled to find any good material on how to get a user's Tweets, but I believe the process is a lot more complicated now with the Twitter API v1.1? Ideally, I'd like to achieve everthing in the front end, but think that I now need to do some authentication server side and will have to use MVC?
In order to get any user's Tweets, I was thinking that I could create a Twitter account for my application and use that to get anyone's Tweets, as long as they are not protected.
Does anyone know of any good libraries that I can use to achieve this, or is the out of the box MVC4 Oauth stuff alone enough to do the job?
Any suggestions of where to start, and especially examples would be greatly appreciated.
To use API 1.1, you have to have a Twitter account and a Twitter application and then use OAUTH to authenticate your rate limited requests using GET statuses/show/:id. The only alternative I know is RSS which both Twitter & Facebook have kiiled, briught back and threatened to kill again:
http://api.twitter.com/1/statuses/user_timeline.rss?screen_name={USERNAME}
I decided to use Linq2Twitter, as this makes use of the V1.1 API.
An MVCDemo example of Linq2Twitter stores the authorised credentials in a SessionStateCredentials object, but I can store the object in cache and persist the authorisation for all users, meaning they won't have to authorise anything. Provided that a user's Tweets aren't protected, the Tweet's for any user should be retrievable this way.
I've gotten a good number of OAuth logins working on my site now. My implementation is based on the WebSecurity classes with amends to the code to suit my needs (I pulled the WebSecurity source into mine).
However I'm now facing a new set of problems. In my application I have opted to make the user email address the login identifier of choice. It's naturally unique and suits this use case.
However, the OAuth "standards" strikes again.
Some providers will return your email address as "username" (Google) some will return the display name (Facebook). As it stands I see two options given my particular scenario:
Option 1
Pull even more framework source code into my solution until I can chase down where the OpenIdRelyingParty class is actually interacted with (via the DotNetOpenAuth.AspNet facade) and make addition information requests from the OpenID Providers.
Option 2
When a user first logs in using an OpenID provider I can display a kind of "complete registration" form that requests missing info based on the provider selected.*
Option 2 is the most immediate and probably the quickest to implement but also includes some code smells through having to do something different based on the provider selected.
Option 1 will take longer but will ultimately make things more future proof. I will need to perform richer interactions down the line so this also has an edge in that regard.
The more I get into the code it does seem that the WebSecurity class itself is actually very limiting as it hides lots of useful DotNetOpenAuth functionality in the name of making integration easier.
Andrew (the author of DNOA) has said that the Attribute Exchange stuff happens in the OpenIdRelyingParty class but I cannot see from the DotNetOpenAuth.AspNet source code where this class is used so I'm unsure of what source would need to be pulled into my code in order to enable the functionality I need.
Has anyone completely something similar?
AttributeExchange only applies to the OpenID Providers (Google and Yahoo!) and you can see the extension used in their respective source files.
I recommend against using email address as the username. Email addresses can be recycled (an account can expire or be closed/canceled and the email address can be reassigned to a new user). If this happens, your site based on email addresses would "give away" all the data of the old user to the new user. Massive privacy violation and lawsuit potentially happening there. Far better to use the Claimed Identifier for the OpenID cases, or the service provider-specific user id number in the OAuth cases, as the primary identifier in your user table. Certainly you may capture and display the email address everywhere on the web site where you would display a username so as far as the user knows that's the username -- it's just that internally you use something more precise than that.
I want to use Facebook as an authentication source for my application (a website) users. I do not want my application to have anything but basic and email permissions. Thus, my application must not be able to publish to a user's wall for example. In other words, I want to restrict the allowable set of values for the scope parameter and I want this restriction to occur on the application's configuration pages (on the Facebook site itself).
Normally this would be easy, just specify 'email' for the scope parameter of the OAuth URL/call.
However in this case there is another factor and this is: a hacker may gain access to the app and change the OAuth call to specify more permissions. Then an unsuspecting user will typically (or at least possibly) grant those permissions and the hacker will be able to grab the OAuth token and perform actions on behalf of that user.
I'm not interested in discussing the whys of this issue, just in finding of there is a way to specify that my application can only use a specific set of values for the scope parameter. Ideally this specification of the scope restriction be done in the application configuration page on Facebook itself.
However, I am interested in alternate solutions that involve using SAML, OpenID or some other authentication only mechanism (even if I cannot get the users email address). I'm not interested in using RPX.
Please note: this is a complex question not a simple one. I have searched far and wide for an answer and have just found what amounts to the opposite of this question.
I'm pretty sure it's not possible to restrict the scope at application configuration level.
I'd say the tidiest workaround would be to query the permissions of a user on signup, check that they match the allowed permissions, and subscribe to the (permissions realtime updates)[http://developers.facebook.com/docs/reference/api/realtime/]. Your app will be notified of any changes in permissions granted to users.
This should allow you to block any server side API calls through application logic, or (ban)[https://developers.facebook.com/docs/reference/api/application/#banned] a user which escalates permissions.
I am trying to implement two pieces of functionality to my ASP.NET MVC 3 applications.
I would like the ability for the user to use Twitter to authenticate on my web site. I would also like to be able to store the users name and email in my database upon successful login.
I would like to post to the users twitter feed once a certain event occurs.
Are there any open source libraries that can handle both tasks out there?
Thanks
To enable logging in with Twitter credentials on your site, use the Sign in with Twitter flow. If the user is already authenticated, it's a one click operation. The doc I linked has a flowchart and description of the process, and this answer has a bit more detail.
Once your user has signed in via Twitter, you can easily get the user's screen_name, however there is no facility to obtain the user's email from Twitter.
On the Twitter framework front, I recommend Twitterizer. I like the consistency and ease-of-use of the framework, and coverage of- and parity with- the Twitter APIs. I've personally used it on multiple implementations, and have had no issues that tied back directly to the library.
In order to use Sign in with Twitter, you'll need to use the BuildAuthorizationUri(string requestToken, bool authenticate) method overload of the OAuthUtility class, passing true as the second parameter.
Also, Ricky Smith (the Twitterizer lead dev) is active on SO, and anything tagged with twitterizer seems to get pretty prompt attention (meaning I can't answer them faster than Ricky can. ;)
Finally, posting a status to a user's timeline is pretty trivial with Twitterizer once the OAuth tokens have been obtained (simplified example from the Twitterizer site follows):
var tokens = new OAuthTokens();
tokens.AccessToken = "XXX";
tokens.AccessTokenSecret = "XXX";
tokens.ConsumerKey = "XXX";
tokens.ConsumerSecret = "XXX";
TwitterResponse<TwitterStatus> tweetResponse = TwitterStatus.Update(tokens, "Hello, #Twitterizer");
I would think that either of the following would be able to handle both your tasks:
TweetSharp
RestSharp
Also consider...
Twitterizer
or
TwitterVB