Graph Web application authentication single sign on - microsoft-graph-api

I saw some information about single sign on in combination with the azure ad. Does that mean I can create a web application that's using the graph api (Calendar , Contact) and using the single sign on for a pleasant user experience. I'm aware of the fact that the user should autorize the application to access his/her private data.
I have already looked on
https://azure.microsoft.com/en-us/documentation/articles/active-directory-sso-integrate-saas-apps/
https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-appssoaccess-whatis/

Yes, you can register an application with Azure AD and use it to leverage the user's identity in the Microsoft cloud (for work and school accounts and for personal accounts) to support single sign-on. In addition that same application can then be authorized to access their data (mail, calendar, files, contacts, etc.) via the Microsoft Graph API.

Related

Restrict Microsoft Graph Service Account / Client Credentials

I'm developing an application on Microsoft Graph that runs as a daemon, and needs access to many accounts. As a result, I'm using a service account, also known as client credentials (using this method).
I can request the proper scope (calendars.readwrite) however as far as I can see, I cannot restrict to which calendars I have access. In my case, I only need access to the meetingroom calendars, and I'm afraid that organisations will not allow my application if I can also read and write from/to the CEO's calendar.
Is there any way (either while creating the app, or during/after giving admin consent) to restrict my app to only a subset of calendars? Or should I approach this problem differently and (e.g.) not use a service account in the first place?

Microsoft Graph API auhetication for service apps

We are developing a web application using Microsoft Graph, where the signed in user can, Export all the calendar events to a third party calendar Application. After this initial export, we need to keep the exported data in sync with calendar changes via service app (a scheduled task running on server). This need to be a multi tenant application, as people from different organizations should be able to use this service.
Right now we did the authentication using OAuth 2.0 and OpenID Connect as described in this sample. Later we understood that the access token we get using this method cannot be used in the service app without user interaction. Considering our scenario what is the best way to achieve this?
I have read about App-only authorization method to do this. If we use this authentication method, the app need to be consented by a tenant administrator and the these applications are quite powerful in terms of what data they can access in the Office 365 organization. Considering we are developing a product used by different organizations, will it be feasible to use this method?
To use the client credentials OAuth2.0 flow (aka "App-only" or service account access depending on who's documentation you're reading) the admin for each tenancy will need to specify which scopes your daemon process can have for users in their tenancy. The end users can't give these scoping rights to your code themselves (as far as I know at least).
One thing to watch out for is that currently Graph API doesn't allow you to mess about with calendars that are attached to Office 365 Groups if you're using the client credentials flow. This is a pain for us, so we've raised it as an issue that needs fixing in the Office 365 feedback system. if that's an issue for you or anyone else, please throw a few votes at it so that it gets more attention at Microsoft. :-)

Single sign-on flow using ASP.NET MVC + Active Directory

I'm looking into creating a single-sign-on portal built in ASP.NET MVC. This single sign on portal should give users the option to sign in with their individual account (which should be verified against AD) or their Facebook/Twitter account. What I'm still in the dark about is if the application/authentication flow I came up with is actually feasible. This is how it should work:
User logs into the SSOP with his AD account (using a custom form where he enters these credentials). The SSOP verifies these credentials against AD and logs the user into the SSOP accordingly. The SSOP then offers the user to start any of the applications he has access to (based on his group memberships in AD). These applications are built by various third parties and are not all .NET based. Clicking one of these applications in the SSOP should log the user into this application using the credentials authenticated against AD that were used to enter the SSOP. I currently do not know how this should be done, e.g. by using claims or some sort of auth token? Obviously the receiving application should support whatever option we choose, which means we're looking for a best practice of some sorts.
The social login part of the SSOP should work somewhere along the following lines: The user logs in using his social account. The first time he does, he also has to enter his AD account credentials so we can link his social account to a specific AD account. Every subsequent time the user logs in with his social account the SSOP should log in the linked AD user. That way the SSOP always uses a valid AD account to authenticate to the applications it offers the user. This also makes it easier to administrate the user base since these are all stored in AD. The social login links and any other SSOP specific data is stored in a custom data store (MS SQL db).
I've been looking into the ThinkTecture IdentityServer, but have yet to figure out how it can be used in this scenario or if this scenario is even feasible.
So, the question basically is: is this authentication flow even possible or remotely best practice? If so, where to begin? And if not, what is?

Transparent LiveConnect OAuth 2.0 authentication possible?

I am currently working on an application that allows users to upload/download files. My company wants to have user files stored in their One Drive and not on our server. The only problem with this is that we want to avoid double authentication in order to access their OneDrive account.
For example we have n users associated with an organization. This organization has a single OneDrive account that all of the users will share (legal?). Once a user authenticates to our application, the idea is to have our application sign them in without user interaction by using the Live API so that they may access their organizations files.
Do we have to authenticate every time we wish to use this service or just once?
It's not a big deal for us to do this once for every organization when setting up their account but a requirement is to avoid double authentication. We want the OneDrive storage to be transparent to the user.
Does this violate any of Microsoft's Terms and Conditions?
Thanks! Any input is appreciated as I've never worked on a cloud based application before. If OneDrive isn't a viable solution are there any other recommended services my company could look at?
Consumer OneDrive isn't intended for business use and sharing a single OneDrive account for multiple people isn't recommended either. You should look into OneDrive for business for your scenario: https://onedrive.live.com/about/en-us/business/.
OneDrive for Business uses the SharePoint developer APIs: http://blogs.msdn.com/b/sharepointdev/archive/2013/08/13/access-skydrive-pro-using-the-sharepoint-2013-apis.aspx
I found that the Box API does not support a grant type of passworrd. Neither does OneDrive or DropBox. Without this grant type it is impossible to sent a username and password to log a user in.

Is it possible to allow only some users to access to Google Big Query API?

I have created a project with Google Big Query.
I have one table with data. A service performs insert every hour in the table. The service uses a service account with a p12 file to authenticate without user interaction.
I have developped also a desktop application which authenticate via the browser (OAuth2Authenticator). It works well but eveyone who have a google account can login and accept to use my application, and I don't want that !
Is it possible to specify a list of authorized google accounts for a google big query project ?
Thanks,
Luc.
Yes, you can control who has access to your BigQuery datasets, as well as who is a member of the Google Developer Project that your BigQuery datasets are attached to.
If you are creating a Desktop application, the best way to provide authorization to BigQuery for specific users of a restricted dataset is to use an "installed application" Oauth2 flow. Are you currently using this flow?

Resources