I want to login Sharepoint Online with Claim Based Authentication(Office 365 Authentication) from ios application.
I used the SOAP Method as the following.
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://login.microsoftonline.com/extSTS.srf</a:To>
<o:Security s:mustUnderstand="1"
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:UsernameToken>
<o:Username>$username</o:Username>
<o:Password>$password</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<a:EndpointReference>
<a:Address>$endpoint</a:Address>
</a:EndpointReference>
</wsp:AppliesTo>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
</t:RequestSecurityToken>
</s:Body>
</s:Envelope>
At Endpoint Address,will need to set sharepoint root site URL.
The problem is that when the login user cannot authenticate to root site
but can authenticate to site collection only, this user cannot login to
office 365.
How can I work around for this?
If the other way to login method with Office 365 authentication(claim based authentication),
please advice me.
You may want to checkout the iOS SDK for the Office 365 APIs. Here is a link to a sample application on GitHub that shows how to authenticate to Office 365 and get the access token. Once you have a valid token, you can make a REST call to SharePoint Online passing the token in Authorization Bearer header.
https://github.com/OfficeDev/Office-365-SDK-for-iOS
Related
I need to create an organizational feed to host nuget packages shared among projects on our Azure DevOps environment.
After several unsuccesful attempts and research, I discovered that the only way to create an organizational feed is, by design from Microsoft mouth, the Azure DevOps API.
Source for the claim : This question on VS dev community
and The MS docs on project-scoped feeds
Basically, I just need to be able to perform a POST here :
https://feeds.dev.azure.com/{organization}/_apis/packaging/feeds?api-version=5.1-preview.1
with the body :
{
"name": "{myfeedname}",
"hideDeletedPackageVersions": true,
"upstreamEnabled": true
}
And of course, a Bearer token to authenticate myself. That's the point where I'm confused.
What is the simplest way to obtain one ? I'm logged in through my company Microsoft AD account on my computer browser on Azure DevOps. I don't see any Bearer token that I can "steal" to use in PostMan in my browser dev tools.
The API docs described some relevant info, but I'm confused on how to use it in Postman :
Security oauth2
Type: oauth2
Flow: accessCode
Authorization URL: https://app.vssps.visualstudio.com/oauth2/authorize&response_type=Assertion
Token URL: https://app.vssps.visualstudio.com/oauth2/token?client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
Scopes Name Description
vso.packaging_write Grants the ability to
create and read feeds and packages.
Here is the interface in Postman for OAuth2:
Ican see how the info in the docs relates to the fields 1 - 2 - 3 - 4, but then, what callback url should I use ? What credentials ? my Microsoft email + password from AD ?
I tried this, and all I seem to get is this from Postman :
{"$id":"1","innerException":null,"message":"A potentially dangerous Request.Path value was detected from the client (&).","typeName":"System.Web.HttpException, System.Web","typeKey":"HttpException","errorCode":0,"eventId":0}
TLDR
How do I properly proceed to get a token with Postman, or other tool to manually execute my one-time request to Azure DevOps REST API ?
notes :
Following info here : Unable to get Authorization code for Devops using Postman oAuth2.0
, leading here : https://github.com/Microsoft/azure-devops-auth-samples/tree/master/OAuthWebSample , I understand that I have to register and run a whole web application. Am I understanding this correctly ? I there a simpler way ?
I understand that I have to register and run a whole web application. Am I understanding this correctly ? I there a simpler way ?
Yes, you are right. You have to register whole web application.
As the interface in Postman for OAuth2, we need provide the CallbackUrl, ClientID, ClientSecret and so on. Then, we check the document Requesting an OAuth 2.0 token, we could to know the Callback URL is:
The client application callback URL redirected to after auth, and that
should be registered with the API provider.
So, we have to register an OAuth client app in Azure DevOps (https://app.vsaex.visualstudio.com/app/register), then we could get the following information, like:
You could check the document Authorize access to VSTS REST APIs with OAuth 2.0 for some more details.
AFAIK, there is currently no simpler way to get a bearer token to send requests to the Azure DevOps API.
Hope this helps.
I am testing Get Chat Microsoft Graph API (which is still in Beta) and it seems to work successfully when it is called from Graph Explorer (which uses an user token), instead when I call this API from Postman with an application token, I get 401 Unauthorized with an Unknown Error as response.
https://graph.microsoft.com/beta/users/<user-id>/chats/<conversation-id>
My App Registration on Azure has these permissions:
And the decoded application token contains:
"aud": "https://graph.microsoft.com",
"roles": ["User.Read.All", "Chat.Read.All" ]
The same token it works for the Get User API
https://graph.microsoft.com/beta/users/<user-id>
Basically, it seems to have problems only the GET Chat API when called with an application token, although the documentation says it is supported. Am I missing something in the App Registration configuration?
EDIT
As I have already explained in the comments, this question doesn't help me, since:
audit is correct
permissions are present in the token and are granted by the admin in the App registration
scope is correct
Should I check something else?
Have you seen this message on the (English) documentation page?
Before calling this API with application permissions, you must request access. For details, see Protected APIs in Microsoft Teams.
It seems like Microsoft has implemented an extra layer of security for apps accessing "Teams" endpoints.
I'm using the Microsoft Office 365 REST API to read calendar items from Office 365 and Outlook.com accounts.
It work's well.
Now, I need to read the same from Office 365 Deutschland accounts. That doesn't work.
I already found out the following:
Use another endpoint for login
International: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Deutschland: https://login.microsoftonline.de/common/oauth2/authorize
Use another endpoint for the REST API
International: https://outlook.office.com/api/v2.0/me/calendar/events
Deutschland: https://outlook.office.de/api/v2.0/me/calendar/events
Need another ClientID/ClientSecret
International: https://apps.dev.microsoft.com
Deutschland: https://portal.microsoftazure.de
Use different oauth2 scope
International: offline_access https://outlook.office.com/Calendars.Read
Deutschland: offline_access openid https://outlook.office.de/Calendars.Read
With all that, I can get an OAuth2 access token. But when I call
https://outlook.office.de/api/v2.0/me
or
https://outlook.office.de/api/v2.0/me/calendarview?startDateTime=2018-01-01T01:00:00&endDateTime=2018-10-31T23:00:00
with that token, I only get the following error:
Request Headers:
cache-control:"no-cache"
postman-token:"b765d2d1-9ffc-4016-8216-38678af4f245"
authorization:"Bearer AQA*** snip for security***gAA"
user-agent:"PostmanRuntime/7.1.5"
accept:"*/*"
host:"outlook.office.de"
cookie:"ClientId=DFDA316304974E36A43D11CF7BB6D8A3; OIDC=1; OpenIdConnect.nonce.v3.y7kDkk7dHuGjDZ9PZ_xiLj0CjfuLbQt629j5MuTcNp8=636667242602536754.c00ff4a6-e523-4dff-b1ce-24d1d024ce67"
accept-encoding:"gzip, deflate"
Response Headers:
server:"Microsoft-IIS/10.0"
request-id:"e59f5e5e-0980-4914-9087-064270bdd233"
x-calculatedfetarget:"LEJPR01CU002.internal.outlook.com"
x-backendhttpstatus:
0:"401"
1:"401"
x-feproxyinfo:"LEJPR01CA0057.DEUPRD01.PROD.OUTLOOK.DE"
x-calculatedbetarget:"FRXPR01MB0456.DEUPRD01.PROD.OUTLOOK.DE"
x-rum-validated:"1"
x-ms-diagnostics:"2000010;reason="ErrorCode: 'PP_E_RPS_INVALIDCONFIG'. Message: 'Invalid configuration. Check event log for actions.%0d%0a Internal error: Config directory does not exist; config directory must exist and be an absolute path:C:\Program Files\Microsoft Passport RPS\LiveIdConfig.'";error_category="invalid_msa_ticket""
x-besku:"Gen8"
x-diaginfo:"FRXPR01MB0456"
x-beserver:"FRXPR01MB0456"
x-feserver:
0:"LEJPR01CA0057"
1:"FRAPR01CA0084"
x-powered-by:"ASP.NET"
www-authenticate:"Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0003-0000-c000-000000000000#*,00000002-0000-0ff1-ce00-100000000002#84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.microsoftonline.de/common/oauth2/authorize", error="invalid_token",Basic Realm="",Basic Realm="",Basic Realm="""
date:"Mon, 09 Jul 2018 09:46:28 GMT"
content-length:"0"
Response Body:
What am I doing wrong?
What does PP_E_RPS_INVALIDCONFIG mean?
Where can I create the directory C:\Program Files\Microsoft Passport RPS\LiveIdConfig?
The problem was the token. It was visually fine, but inside it was not.
With Office 365 Deutschland, you have to use the Azure Active Directory authentication endpoint V1.0 (no version number in the endpoint url means V1.0). For International, you should use the V2.0 endpoint.
The V2 enpoint wants the resource hint in the scope: https://outlook.office.com/Calendars.Read.
The V1 endpoint ignores the scope (and the resource hint in it) and wants an additional OAuth2 uri parameter called resource. The errors did't pointed me in the right direction.
But it was documented (badly) at this point.
resource
recommended
The App ID URI of the target web API (secured resource).
To find the App ID URI, in the Azure Portal, click Azure Active Directory,
click Application registrations, open the application's Settings page, then click Properties.
It may also be an external resource like https://graph.microsoft.com.
This is required in one of either the authorization or token requests.
To ensure fewer authentication prompts place it in the authorization request to ensure
consent is received from the user.
I think it should say required with V1.0.
Here my working authorization endpoint call:
https://login.microsoftonline.de/common/oauth2/authorize?response_type=code&client_id=c9000000-0000-0000-0000-000000000007&redirect_uri=http://localhost:11184/&state=1P3S9RvgQyfd3xLXmbhPcYD12aNHYkBF&scope=offline_access%20Calendars.Read&resource=https://outlook.office.de
By the way: If you use the resource parameter with the V2.0 endpoint, it gives you the error:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=6262047e-0000-0000-0000-000000000007&redirect_uri=http://localhost:11184/&state=2pSIj7o7dJJ0bGIv0p1ZfRjK6DV2duwM&scope=offline_access%20https://outlook.office.com/Calendars.Read&resource=https://outlook.office.com
AADSTS90100: The 'resource' request parameter is not supported.
Cut my life into pieces, this is my last resort.
Seriously, I can't find this info anywhere! I thought Graph supported Outlook.com. I saw this question which referenced the Outlook Api vs the Graph Api, but how do I authorize an Outlook.com account for this?
I'm sending the user to https://login.microsoftonline.com/common/oauth2/authorize with the parameters:
response_type = code
client_id = <my client id>
redirect_uri = <my redirect_uri>
state = <csrf>
resource = https://outlook.office.com/
to sign in. It takes them to the Office 365 sign in, and when you type #outlook.com, it tries to redirect you, only to go back to the 365 login page and do it all over.
I can authorize Office 365 just fine, but not Outlook.com. I can provide more info if needed, I just figure I'm hitting the wrong endpoint or something.
Currently we have two versions of the authentication endpoint. The version less endpoint (https://login.microsoftonline.com/common/oauth2/authorize) only supports work and school accounts (Office365) the v2.0 auth endpoint (https://login.microsoftonline.com/common/oauth2/v2.0/authorize) supports both work and school and personal accounts.
To use a personal account (hotmail.com, outlook.com, live.com) with Microsoft Graph, you start by registering you app in apps.dev.microsoft.com, then follow the instructions in this article:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-v2-scopes/. Try that and let me know how it goes.
I am trying to authorize my app using the dropbox oauth 2.0 but getting Cross origin issue. I made a GET request to https://www.dropbox.com/1/oauth2/authorize
with response_type: 'code' and client_id but keep getting the cross origin issue.
When using this "https://www.dropbox.com/1/oauth2/authorizeclient_id=CLIENT_ID&response_type=code" directly in the browser, I am redirected to the dropbox authorization page as expected.
Am I missing anything in my code?
The /authorize page (https://www.dropbox.com/1/oauth2/authorize...) is only a web page that users should be interacting with in their browser. It isn't an API endpoint so you shouldn't be attempting to call it programmatically.
If you're implementing the OAuth 2 app authorization flow, this blog post may be useful:
https://blogs.dropbox.com/developers/2013/07/using-oauth-2-0-with-the-core-api/