How to access a shared mailbox using NTLM authentication - imap

I'm trying to access a shared mailbox in Exchange using IMAP, but I don't want to store the password in the app, so I'm giving NTLM authentication a try.
I was able to do the authentication using the SSPI framework API, but now I'm struggling to select the shared inbox.
Using the "basic" authentication I know I could do:
a LOGIN domain/username/mailboxalias username_password //a OK LOGIN completed.
b select inbox //...\r\nb OK [READ-WRITE] SELECT completed."
And that does work fine, but I don't want to store the password in my app, so I'm using NTLM auth (connecting to exchangeserver1.domain.com where the mailboxalias is stored):
a AUTHENTICATE NTLM // +
<type_1_msg> // + <type_2_msg>
<type_3_msg> // a OK [REFERRAL imap://;AUTH=*@exchangeServer2.domain.com/] AUTHENTICATE completed.
b select inbox // b NO [REFERRAL imap://;AUTH=*@exchangeServer2.domain.com/inbox] There is no replica for that mailbox on this server."
c select mailboxalias //c NO There is no replica for that mailbox on this server.
d select mailboxalias/inbox //d NO There is no replica for that mailbox on this server.
e select inbox/mailboxalias //e NO There is no replica for that mailbox on this server.
The current context user mailbox is stored in exchangeserver2 but the shared mailbox is in exchangeserver1, that's why in NTLM you see the REFERRAL piece, but in both scenarios above I'm connecting to exchangeserver1.
I tried several variations of the select command with the 'mailbox alias' and 'inbox' but none worked. I do have access to the mailbox, I'm its owner and I can access it from Outlook (but I believe it uses MAPI) and 'basic authentication'.
After the authentication, how can I select the shared mailbox inbox?
I'm using the following AcquireCredentialsHandle call to generate the NTLM type 1 message:
AcquireCredentialsHandle (null, "NTLM", 2, 0, 0, 0, 0, ref phCredential, ref ptsExpiry)
I even tried changing the first parameter (which would be the username) from null (the current context user) to "domain/username/mailbox" but it didn't work.
Thanks :)

Related

How does an OAuth2 server obtain launch context for smart on FHIR?

I am integrating a Smart on FHIR app that will be launched from within an EHR. When the user clicks a button to launch the app, we set a GUID and the current Patient ID to a database record on our FHIR server. The assumption being that given the 'Launch' scope, the OAuth server will call the appropriate API to retrieve the Patient ID given that the GUID is included in the url params.
The call to auth looks like this:
_clientID = {the unique client ID registered to our auth server}
_redirectURL = {redirect back to auth for eventual token request}
launch={the GUID value generated at start of the session and paired with the Patient ID}
_scopes = "launch patient/*.* openid profile"
state = {some opaque value}
aud = {the base URL for our FHIR server}
string url = $"{authorizeURL}?response_type=code&client_id={_clientID}&" +
$"redirect_uri={_redirectURL}&" +
$"launch={launch}&" +
$"scope={HttpUtility.UrlEncode(_scopes)}&" +
$"state={state}&" +
$"aud=https://xxx-smart.xxxxxxxxx.com";
All of this works and I end up with a json response that includes the id_token, access_token, expires_in, token_type('Bearer'). But, no 'patient'.
My assumption was that the OAuth server would call the scope 'launch/patient' on our FHIR server but no such call is being made. In fact, I created a few endpoints just for the purpose of logging and NONE of them are being called.
Here is an example of one of my FHIR Server test/log endpoints (I created a few with 1 to 4 parameters):
[AllowAnonymous]
[HttpGet("{functionName}/{id}")]
public string GetPatientData3(string functionName, string id)
{
    TelemetryClient telemetry = new();
    telemetry.TrackEvent($"FHIR SVR GetPatientData3 {functionName} {id}");
    string configJson = "0009998888";
    return configJson;
}
How do I set this 'patient' context properly?
How does the OAuth server retrieve this context so I can have that patient ID appear in the json response from the ~/token call?
Further Notes:
The contents of the openid-configuration:
{"token_endpoint":
"https://aadproxy.azurewebsites.net/xxx/oauth2/v2.0/token",
"token_endpoint_auth_methods_supported":
["client_secret_post","private_key_jwt","client_secret_basic"],
"jwks_uri":
"https://login.microsoftonline.com/xxx/discovery/v2.0/keys",
"response_modes_supported": ["query","fragment","form_post"],
"subject_types_supported": ["pairwise"],
"id_token_signing_alg_values_supported": ["RS256"],
"response_types_supported":["code","id_token","code id_token","id_token token"],
"scopes_supported":["openid","profile","email","offline_access"],
"issuer": "https://login.microsoftonline.com/xxx/v2.0",
"request_uri_parameter_supported":false,
"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo",
"authorization_endpoint":
"https://aadproxy.azurewebsites.net/xxx/oauth2/v2.0/authorize",
"device_authorization_endpoint":
"https://login.microsoftonline.com/xxx/oauth2/v2.0/devicecode",
"http_logout_supported":true,
"frontchannel_logout_supported":true,
"end_session_endpoint":
"https://login.microsoftonline.com/xxx/oauth2/v2.0/logout",
"claims_supported":
["sub","iss","cloud_instance_name","cloud_instance_host_name",
"cloud_graph_host_name","msgraph_host","aud","exp","iat",
"auth_time","acr","nonce","preferred_username",
"name","tid","ver","at_hash","c_hash","email"],
"kerberos_endpoint":
"https://login.microsoftonline.com/xxx/kerberos",
"tenant_region_scope":"NA",
"cloud_instance_name":"microsoftonline.com",
"cloud_graph_host_name":"graph.windows.net",
"msgraph_host":"graph.microsoft.com",
"rbac_url":"https://pas.windows.net"}
So, I notice that the 'patient/*.*' and the 'launch' scope among a whole host of others that I have are not supported according to my openid config. The only supported ones are "openid","profile","email", "offline_access".
In Azure AD, 'App Registration' > 'Expose an API' I have a list of at least 15 scopes entered there. In 'API' permissions they are all listed there as well.
One other thing to note, AzureAD does not handle scopes with a forward slash. So, launch/patient has to be entered as launch-patient. We also had to implement a proxy server to capture the ~/oauth2/v2.0/authorize request and modify the scope parameter entries to reflect this before passing on the request to the actual server.
I guess the pertinent question now is: How do the scopes that I have entered manually get supported?

Azure tableclient in console app using interactive authentication

I'm trying to access Azure Table Storage using the TableClient class, but I want to authenticate using AzureAD credentials via the browser popup.
I have tried 2 approaches and am sure I have things configured correctly in Azure, but I just keep getting
This request is not authorized to perform this operation using this
permission.
Here is test code 1 using MSAL
let app = PublicClientApplicationBuilder.Create("---registered app ID---")
            .WithAuthority(AzureCloudInstance.AzurePublic, "---tennant id----" )
            .WithDefaultRedirectUri()
            .Build()
let! ar = app.AcquireTokenInteractive(["https://storage.azure.com/user_impersonation"]).ExecuteAsync()
let tokenCredential =
    { new TokenCredential() with
        member x.GetTokenAsync(_,_) = task {return AccessToken(ar.AccessToken, ar.ExpiresOn)} |> ValueTask<AccessToken>
        member x.GetToken(_,_) = AccessToken(ar.AccessToken, ar.ExpiresOn) }
let tc = new TableClient(Uri("https://--endpoint---.table.core.windows.net/"), "--Table--", tokenCredential)
and test 2 using Azure.Identity
let io = new InteractiveBrowserCredentialOptions(ClientId = "---registered app ID---", RedirectUri = Uri("https://login.microsoftonline.com/common/oauth2/nativeclient"))
let tc = new TableClient(Uri("https://--endpoint---.table.core.windows.net/"), "--Table--", new InteractiveBrowserCredential(io))
I have the app registered in Azure & I have added API permissions for Azure Storage, with Admin consent. My account is a Service Administrator for the tenant so I have full access to the storage account. I have scoured all the docs but just can't see what I'm missing.
To access table data using your Azure AD credentials, your user account should be assigned either Storage Table Data Contributor or Storage Table Data Reader role.
Please assign one of these roles to your user account and re-acquire the token. You should not get the error you are getting then.

MQSeries Docker image: queue manager without authentication

How can I make the queue manager (which exists by default in the docker image) accept any connection without authentication?
I went through all the options in the web console (:9443/ibmmq/console/) and tried anything that I thought might have the effect I wanted, but couldn't find it.
TIA & BR,
Christian
Edit: here's the code I'm using to connect
JmsFactoryFactory ff = JmsFactoryFactory.getInstance(WMQConstants.WMQ_PROVIDER);
JmsConnectionFactory cf = ff.createConnectionFactory();
// Set the properties
cf.setStringProperty(WMQConstants.WMQ_HOST_NAME, HOST);
cf.setIntProperty(WMQConstants.WMQ_PORT, PORT);
cf.setStringProperty(WMQConstants.WMQ_CHANNEL, CHANNEL);
cf.setIntProperty(WMQConstants.WMQ_CONNECTION_MODE, WMQConstants.WMQ_CM_CLIENT);
cf.setStringProperty(WMQConstants.WMQ_QUEUE_MANAGER, QMGR);
cf.setStringProperty(WMQConstants.WMQ_APPLICATIONNAME, "JmsPutGet (JMS)");
//cf.setBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP, true);
//cf.setStringProperty(WMQConstants.USERID, APP_USER);
//cf.setStringProperty(WMQConstants.PASSWORD, APP_PASSWORD);
// Create JMS objects
context = cf.createContext();
----------edit------------
Error log after
removing "connection authentication" for the QM
setting the channel auth. record (under extended) to "As Queue Manager"
AMQ9557E: Queue Manager User ID initialization failed for '[my OS user]'.
EXPLANATION:
The call to initialize the User ID '[my OS user]' failed with CompCode 2 and
Reason 2035. If an MQCSP block was used, the User ID in the MQCSP block was ''.
ACTION:
Correct the error and try again.
If you are trying to disable the MQ Connection Authentication feature so that userid & passwords are not authenticated then you can do this by executing the following MQSC commands in runmqsc against the Queue Manager.
ALTER QMGR CONNAUTH(' ')
REFRESH SECURITY(*) TYPE(CONNAUTH)
Alternatively in the MQ web Console:
Select your queue manager in the Queue Manager widget
Click properties
Go to the Extended section and scroll down
Set the "Connection Authentication" attribute to a blank value
Click save and then close
Select your queue manager in the Queue Manager widget
Click the ... and select Refresh security from the drop down
"Select connection authentication"
Add widget: "Channel authentication records"
In this widget, select the entry for your channel, click properties under "Extended" set client connections to "As Queue Manager"
If required:
Select your QM in the "Queue Manager" widget, open properties (...), "refresh security...", "Connection authentication".
Make sure the default user name (in the standard docker installation, that's "app") is set in the channel properties under MCA (as sugg. by @JoshMc)
Run the following MQSC commands to disable channel authentication in IBM MQ server:
ALTER QMGR CHLAUTH(DISABLED)
ALTER QMGR CONNAUTH(' ')
REFRESH SECURITY TYPE(CONNAUTH)

How to apply SSO with an existing login screen and a trusted second website

We use IdentityServer3 (IdSvr3) for authorization/authentication. We want to offer the ability for our end user (or resource owner: RO) to log in (log through) to a second trusted website (site B) without logging in to site B as well, after they have already logged in to an initial website (site A). Site B administers a different set of resources for the RO. It is important that the RO is not redirected to the IdSvr3 login/consent screen. A possible approach I found so far is: inside site A an access token is created by calling RequestResourceOwnerPasswordAsync (passing username and password plus scope = "openid ..."). This access token is sent to site B, with which the RO can be authenticated. Site B retrieves the user info by calling the connect/userinfo endpoint. I want to know if this is a correct approach/flow. We assume that the RO will always enter site A first, not site B.
Thanks in advance for taking your time to think with me about this.
What you can do here is send an authorize request to identity server for the Site B scope and request an id_token or reference token. Make sure that while sending the authorize request to idsrv you are using prompt=none; this way you will get the access_token without showing a consent to the user again if the user is already logged in to site A.
The example below does the same from a JS file. In Site A you can refer to this script file and execute the script using an IIFE.
function getIdentityServerURL() {
    var url = global.appSettings.identityServerURL
        + "/connect/authorize?client_id=siteB&response_type=id_token token&redirect_uri="
        + global.appSettings.siteBUrl + "/Main/SsoCallback&scope=siteBscope openid email roles&prompt=none&nonce="
        + genNonce();
    return encodeURI(url);
}
The code above will redirect you to SsoCallback page where you can create a virtual iframe and post the token back to site B after reducing the result from authorize request. Refer to code below.
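<script type="text/javascript">
    // Drop the leading '#' so the first key does not keep it.
    var identityresult = window.location.hash.substr(1).split('&').reduce(function (result, item) {
        var parts = item.split('=');
        result[parts[0]] = parts[1];
        return result;
    }, {});
    // '*' places no restriction on which origin receives the tokens.
    window.parent.postMessage(identityresult, '*');
</script>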
Your script can listen to the postMessage event. Hope this helps.
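The callback and listener described in the answer above, as an added example that is not part of the original answer: the callback posts to one named origin instead of '*', and the parent page uses a message only if it comes from site B's origin, carries no error and has a matching nonce. SITE_B_ORIGIN, the sso_nonce storage key and the sample values are assumptions.

```javascript
// Added example; SITE_B_ORIGIN and all sample values are assumptions.
const SITE_B_ORIGIN = 'https://siteb.example'; // origin serving /Main/SsoCallback

// Parse an implicit-flow fragment ("#k=v&k2=v2"); URLSearchParams also
// percent-decodes the values, which a manual split on '&' and '=' does not.
function parseAuthorizeFragment(hash) {
  const out = {};
  for (const [k, v] of new URLSearchParams(hash.replace(/^#/, ''))) out[k] = v;
  return out;
}

// Callback page: hand the result to the embedding page at one named origin.
function postResultToParent(parentWindow, hash, parentOrigin) {
  parentWindow.postMessage(parseAuthorizeFragment(hash), parentOrigin);
}

// Read JWT claims WITHOUT verifying the signature; the token must still be
// validated against the identity server's signing keys before it is trusted.
function readJwtClaims(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  let b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(atob(b64));
}

// Parent page: decide whether a "message" event ({ origin, data }) is usable.
function acceptSsoMessage(event, expectedNonce) {
  if (event.origin !== SITE_B_ORIGIN) return { ok: false, reason: 'untrusted origin' };
  const data = event.data || {};
  // With prompt=none the server returns an error (for example login_required)
  // instead of showing its login page when there is no active session.
  if (data.error) return { ok: false, reason: data.error };
  if (!data.id_token || !data.access_token) return { ok: false, reason: 'missing token' };
  let claims;
  try {
    claims = readJwtClaims(data.id_token);
  } catch (e) {
    return { ok: false, reason: 'malformed id_token' };
  }
  if (!expectedNonce || claims.nonce !== expectedNonce) return { ok: false, reason: 'nonce mismatch' };
  return { ok: true, accessToken: data.access_token, subject: claims.sub };
}

// Browser wiring; skipped when the file is run outside a browser.
if (typeof window !== 'undefined') {
  window.addEventListener('message', function (event) {
    // 'sso_nonce' is a hypothetical key under which genNonce()'s value was saved.
    const result = acceptSsoMessage(event, sessionStorage.getItem('sso_nonce'));
    console.log(result.ok ? 'SSO token accepted' : 'SSO rejected: ' + result.reason);
  });
}
```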

Gmail API returns 403 error code and "Delegation denied for <user email>"

Gmail API fails for one domain when retrieving messages with this error:
com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 OK
{
"code" : 403,
"errors" : [ {
"domain" : "global",
"message" : "Delegation denied for <user email>",
"reason" : "forbidden"
} ],
"message" : "Delegation denied for <user email>"
}
I am using OAuth 2.0 and Google Apps Domain-Wide delegation of authority to access the user data. The domain has granted data access rights to the application.
Seems like best thing to do is to just always have userId="me" in your requests. That tells the API to just use the authenticated user's mailbox--no need to rely on email addresses.
I had the same issue before, the solution is super tricky, you need to impersonate the person you need to access gmail content first, then use userId='me' to run the query. It works for me.
here is some sample code:
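from google.oauth2 import service_account
from googleapiclient.discovery import build

SERVICE_ACCOUNT_FILE = 'service-account.json'  # placeholder path to the service account key
SCOPES = ['https://www.googleapis.com/auth/gmail.readonly']  # placeholder scope list

users = []  # coming from directory service
for user in users:
    credentials = service_account.Credentials.from_service_account_file(
        SERVICE_ACCOUNT_FILE, scopes=SCOPES)
    #### IMPORTANT: impersonate the user whose mailbox is being read ####
    credentials_delegated = credentials.with_subject(user['primaryEmail'])
    gmail_service = build('gmail', 'v1', credentials=credentials_delegated)
    # 'me' resolves to the impersonated user
    results = gmail_service.users().labels().list(userId='me').execute()
    labels = results.get('labels', [])
    for label in labels:
        print(label['name'])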
Our users had migrated into a domain and their account had aliases attached to it. We needed to default the SendAs address to one of the imported aliases and want a way to automate it. The Gmail API looked like the solution, but our privileged user with roles to make changes to the accounts was not working - we kept seeing the "Delegation denied for " 403 error.
Here is a PHP example of how we were able to list their SendAs settings.
<?PHP
//
// Description:
// List the user's SendAs addresses.
//
// Documentation:
// https://developers.google.com/gmail/api/v1/reference/users/settings/sendAs
// https://developers.google.com/gmail/api/v1/reference/users/settings/sendAs/list
//
// Local Path:
// /path/to/api/vendor/google/apiclient-services/src/Google/Service/Gmail.php
// /path/to/api/vendor/google/apiclient-services/src/Google/Service/Gmail/Resource/UsersSettingsSendAs.php
//
// Version:
// Google_Client::LIBVER == 2.1.1
//
require_once $API_PATH . '/path/to/google-api-php-client/vendor/autoload.php';
date_default_timezone_set('America/Los_Angeles');
// this is the service account json file used to make api calls within our domain
$serviceAccount = '/path/to/service-account-with-domain-wide-delagation.json';
putenv('GOOGLE_APPLICATION_CREDENTIALS=' . $serviceAccount );
$userKey = 'someuser@my.domain';
// In the Admin Directory API, we may do things like create accounts with
// an account having roles to make changes. With the Gmail API, we cannot
// use those accounts to make changes. Instead, we impersonate
// the user to manage their account.
$impersonateUser = $userKey;
// these are the scope(s) used.
define('SCOPES', implode(' ', array( Google_Service_Gmail::GMAIL_SETTINGS_BASIC ) ) );
$client = new Google_Client();
$client->useApplicationDefaultCredentials(); // loads whats in that json service account file.
$client->setScopes(SCOPES); // adds the scopes
$client->setSubject($impersonateUser); // account authorized to perform operation
$gmailObj = new Google_Service_Gmail($client);
$res = $gmailObj->users_settings_sendAs->listUsersSettingsSendAs($userKey);
print_r($res);
?>
I wanted to access the emails of a fresh email id/account, but what happened was that the recently created '.credentials' folder containing a JSON was associated with the previous email id/account which I tried earlier. The access token and other parameters present in the JSON are not associated with the new email id/account. So, in order to make it run you just have to delete the '.credentials' folder and run the program again. Now, the program opens the browser and asks you to give permissions.
To delete the folder containing files in python
import shutil
shutil.rmtree("path of the folder to be deleted")
you may add this at the end of the program
Recently I started exploring the Gmail API and I am following the same approach as Guo mentioned. However, it is going to take a lot of time and too many calls when we the number of users or more. After domain-wide delegation my expectation was that the admin id would be able to access the delegated inboxes, but it seems like we need to create a service for each user.
