Short version: Can my application authenticate itself with OAuth 2.0 without using a service account?
Long version: The issue I'm having with service accounts is that they can't be granted the same permissions as the original account that created them. Specifically, my company doesn't grant external accounts write permissions for security reasons. A service account is technically an application specific account, outside of the domain of the account that created it, and has more restricted access than an end-user account.
Is it possible for an application to authenticate itself as a user account?
Service account is allowed to impersonate a user to get an access token.
See https://developers.google.com/accounts/docs/OAuth2ServiceAccount#formingclaimset Additional claims section.
https://code.google.com/p/google-apps-manager/wiki/GAM3OAuthServiceAccountSetup has description for how to configure it.
Related
The use case is quiet simple, I want to read and write to calendars on a daemon (backend workflow) from personal Microsoft account or azure AD account.
Then I registered an Enterprise application in Azure Active Directory admin center with:
the account type « Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) ».
permissions on read write on calendars + read on user
a generated client secret
a redirect uri
For all accounts from the same Azure Active Directory, the authentication with the client secret and the impersonation of the targeted email works well.
But for personal Microsoft accounts it is not. If I understood correctly I need to use the client credentials flow to grant the user. Then the user need to go on the admin consent url as explained: https://login.microsoftonline.com/common/adminconsent?client_id=<client_id>&state=12345&redirect_uri=<redirect_uri>.
But when logging in with a personal account it results in a redirection to the specified redirect uri with the error:
AADSTS500200: User account '{EmailHidden}' is a personal Microsoft account.
Personal Microsoft accounts are not supported for this application unless explicitly invited to an organization.
Try signing out and signing back in with an organizational account.
Research
I tried some solution of the error AADSTS500200 with this article: https://github.com/MicrosoftDocs/SupportArticles-docs/blob/main/support/azure/active-directory/error-code-AADSTS50020-user-account-identity-provider-does-not-exist.md (note that the error number is missing a last zero). But I still receive the same error or an other error Needs admin approval when the personal account is invited.
Needs admin approval (french only)
Question
Is it possible to read data on personal Microsoft account ? How to achieve this ? Is there any other way ?
It is not possible to use Microsoft personal accounts with the client credentials flow.
The solution is to use the authorization-code flow and use the scope offline_access during the authorization request and the token request. So that the refresh_token that can be used to regenerate new refresh_tokens.
In our application we use EWS and basic authentication.
An user can get access to own mailbox only or to all mailboxes in his organization if he has admin credentials. Now we are trying to replace basic authentication with OAuth2 authentication.
We registered the application on Azure portal, added the permission "EWS.AccessAsUser.All".
For an admin account everything works well. Our application can get access to any mailbox in admin's organization.
The problem is in that we cannot get an authorization code for a standard user account.
"TestApp needs permission to access resources in your organization that only an admin can grant" is shown.
So the question is: is there a way to get access to user's mailbox using EWS, OAuth2 and user's credentials?
With oAuth you need to grant consent for your application in a Tenant eg
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent once you have granted tenant wide consent any user should be able to use the application unless you apply restrictions. If your application is being used by other companies then you need to have a Multi Tenant application registration and the client will need to consent to its use in their tenant before they can use it.
I have a web application that is leveraging Keycloak for IdM.
I am using the Resource Owner Password Credentials or Direct Grant flow for authentication which uses REST API calls to /auth/realms/{realm}/protocol/openid-connect/token instead of browser redirects to get the user a JWT.
I would like to implement a similar workflow for signing users up.
Looking at the Keycloak documentation it appears the Keycloak Admin API exposes an endpoint for this at /auth/admin/realms/{realm}/users.
To allow clients to interact with the Keycloak Admin API you have to create a client service account and associate it with a keycloak role with sufficient privilege to manage realm users.
The expected approach for this seems to be to apply the manage-users realm specific role to the client service account. This is more permissions than I would like to grant to the client.
Is there a way to grant a client service account just the ability to create new users and not the full set of permissions that comes with manage-users?
I can manage sharing access by user to his personal Office365 account via OAuth2. This article does not contain information how to revoke the access. I believe there is should be REST API to revoke shared access.
Can I have help or missed link to Office365 developers API where I could find correspond documentation please?
If you want to revoke access token issued by azure ad , currently , Azure AD doesn’t support revoking the token . However, we can clear the token cache if you doesn’t want users to user the token. You could also read document Configurable token lifetimes in Azure Active Directory to specify the lifetime of a token issued by Azure Active Directory (Azure AD) .
I am trying a POC with WSO2 API manager and Identity server. The application users are registered to the user store on the identity server. An API is exposed on the API manager that will be used by the application. The goal is to authenticate the users accessing the application using the oauth resource owner password credentials. The user credentials are in the user store on the identity server.I created a new tenant for this.
I configured SSO for the API manager by using this documentation. so that the users are authenticated against the identity server user store.
Tried to generate a token to access the API exposed on the API manager. I was able to retrieve the token client credentials grant type but not for the resource owner password grant type.
Appreciate any help here.
I do not think, you need SSO here. SSO is needed with APIM and WSO2IS, if users need to login to the API store/publisher/APIM management console. I hope you are talking about end users.. Then end users are may not need to login to the APIM. They just need to login your custom applications and application would call the APIs in the APIM.
But, say user need to login to custom applications using SSO, then you can configure SSO between WSO2IS and custom applications. Please refer here. Once user login to the application, application can exchange a end user's SAML2 Assertion with access token by using APIM. Then application can access the APIs in APIM using access token behalf of the user. You can refer this for more details
Also, if you are just trying to use OAuth just for authentication, You may need to use openid-connect. (just to login to custom application)