I have recently implemented Microsoft OAuth2 to retrieve data from the Graph API (and more). Now I wan't to integrate with some of the social functions in the Yammer API but I can't find any info whether this is possible.
It seems unnecessary for me to have to force the user to auth against two different OAuth endpoints when judging from Yammer Embed, the Microsoft SSO is enough to authenticate in (Microsoft-owned!) Yammer as well.
Maybe I'm just not understanding OAuth enough, but it does mean that I will have to authenticate first against MS OAuth2, then to Yammer OAuth2.
EDIT: Just after I posted this, I found the "Yammer impersonation" page which I missed earlier: https://developer.yammer.com/docs/impersonation
It is very short on details, is this a viable way to avoid the user actively having to sign in to Yammer?
We have a paid Microsoft service including most applications, btw.
Further EDIT: I mainly want to use the API to get some statistics on nr of likes on a post etc., not really any personal info at this point.
If you register your app with AzureAD you can require scopes for the Graph API and the Yammer API at the same time. There will be then only one OAuth flow and one consent screen.
Related
I'm having difficulties finding documentation for auth0 and microsoft graph integration. My end goal is to have a SPA that can login with a microsoft profile to auth0 (connected to azure ad). Then I want my app to get a token for microsoft graph and do some api calls.
As I've understood it so far, auth0 does not allow you to get the access token to different identity providers in a front end application, but rather that they should use a proxy to get this token. My flow therefore is:
I login with a SPA auth0 app (using a microsoft identity)
This is then used to authenticate to a backend server using a api registration in auth0
The backend has its seperate machine-to-machine app in auth0
Backend api uses this seperate app to get access token to auth0 management api
Current user is fetched (based on the logged in user from front end app login) from management api,
Here i find an access token under the azure identity (if I do the same in the front end, the access tokens are omitted)
Token does not work to call graph, I am unsure of where to send it next.
I am aware that the above is probably completely wrong, that's why I am here :)
My questions are:
1) Is it even possible to get an access token for microsoft graph starting from a login to auth0 in the way I want it to. If not, can it be done from a backend?
2) Does anyone have a link that discusses this, ideally with some code samples.
To answer your first question:
1) Is it even possible to get an access token for microsoft graph starting from a login to auth0 in the way I want it to. If not, can it be done from a backend?
I have had the chance to authenticate apps using the microsoft identity library called MSAl whose documentation is found here. It gives a pretty detailed way to authenticate directly from your SPA.
I have also used the microsoft javascript sdk as it comes inbuilt with token caching and refreshing so that I do not need to build that for myself.
In relation to this,
Does anyone have a link that discusses this, ideally with some code samples.
You can find the samples well described in the samples section of the SDK
I hope this helps.
I have really hard time trying to understand mostly how should I implement my authorization flow. I think I have the authentication flow mostly correctly implemented using the technologies I've listed in the title. Here's what I want to achieve:
Basically I have a mobile app built using React-Native and I have made a restful API for this mobile app to use. I am currently at the point that I have implemented authentication using ADFS 4.0. My mobile app directly uses the ADFS endpoints to authenticate the user and I am able to receive the id_token and access token correctly from there. But here comes the part that I have no clue what to do next. Before I used openID, I had my own authentication and just an OAuth2 flow in my Spring REST Api and everytime I made a request from the mobile app to the API, I provided the access token in the headers, and used it to verify from the authorization server that the user is indeed authenticated and also received some crucial information about the user to use in my API. But now since I use OpenID-Connect and ADFS 4.0 for the authentication, I have the cruicial information I need in my API in the id_token. The question is, what exactly should i send to my API now from the mobile app, the id_token, access token or both? Given the access token to the userinfo endpoint at the ADFS returns the subject of the owner of the token. Like is there any way I could receive the users info using the subject or what exactly should I do. I've tried to research this subject a lot, but I am still very confused..
Send the access token to the API in the Bearer header. In the API, validate the token and, if required, do user info lookup. A Spring example of mine here if it helps.
Happy to answer any follow on questions ..
Im having a bit of trouble figuring out how to get an OAuth access token for a Yahoo user who has created an account with Google or Facebook Sign-in. I've followed the OAuth flow described in the documentation, however this seems to only apply to users who have created a Yahoo account directly.
Has anyone else had trouble getting an access token for a user who has used Google or Facebook to sign into Yahoo?
I've looked at the OAuth + OpenID flow but I'm having trouble at the point where I should perform discovery. How would one receive an request_token for yahoo with a user who signs in via a Google OpenID?
Anyone else experienced this issue?
The only way I can see this happening is if Yahoo at some point allows Facebook and Google authentication in the OAuth authorization step. That would at least be the simplest way forward for an API consumer application.
The OAuth + OpenID flow will not help you I am afraid, it only works for Yahoo OpenIDs. I guess it could at least theoretically work for Google OpenIDs (if Yahoo implemented that), but Facebook is not even an OpenID provider.
I think Yahoo's stance on this is sound. They provide API access to users that they themselves have provisioned. I don't think you will find many API providers out there who will have a different strategy.
I would like to use OpenID to unify logins across projects that my group is working on. One of the projects may need to be an OAuth provider in the future so that users can sync data with other sites as well. Is it possible to setup an OAuth Provider that uses OpenID for authentication?
Yes.
Not sure which version of OAuth your are talking about here. But basically it would entail making the OAuth authorization step into an OpenID process which when successfully completed, resumes the OAuth process.
NB: OAuth is primarily for authorization of third party applications, OpenID is for user authentication. There is nothing impossible about mashing up the two, they are in essence dealing with different problem domains.
Basic Authentication(OpenID) or OAuth both require your permission, but there is an important difference. With Basic Authentication, you provide your username and password for the app to access application, and the application has to store and send this information over the Internet each time you use the app. OAuth attempts to provide a standard way for developers to offer their services via an API without forcing their users to expose their passwords (and other credentials).
It doesn’t mean to say we cannot use the two together. OAuth talks about getting users to grant access while OpenID talks about making sure the users are really who they say they are. They should work great together.
Here is an example(OpenID+OAuth Hybrid protocol) lets aware you, how to use hybrid protocol.
Twitter, Facebook are working on now OAuth only while
Google, Yahoo work on OpenID as well as OAuth.
The oAuth protocol comes in two flavors, 3-legged and 2-legged protocols. The 3-legged one is about delegating user access rights to an application and is the one that gets the most attention on the web. The 2-legged version is used to authenticate an application against a service provider (Twitter in my case) with no specific user involved.
In my application I need read only access to publicly available information, but at higher rate than the one available to unauthenticated request. There is no need for me to authenticate as a specific Twitter user.
Does Twitter support the 2-legged version of oAuth?
Boaz
PS. The whitelisting alternative is an overkill for me and I rather not wait for the approval process.
You can get an access token for a single user following these instructions: http://dev.twitter.com/pages/oauth_single_token