I have an account on intuit with 3 companies. When I want to grant access to my dev app for two companies I am only allowed to access the last one that I got access tokens for. So if I connect Company#1 I can access data fro Company#1 but if i connect Company#2 I can only access Company#2 data but not Company#1. If I request OAuth tokens for Company#1 again I can access Company#1 data but not Company#2 and I need way to access data for both companies.
Thank you.
This is a known issue. Intuit Anywhere currently doesnt support multiple company files for the same user, You need a new Oauth Access token to load the blue dot menu for the company who's context you want to show.
update 11/6
This issue will be resolved in a release during the week of November 26th.
Related
I am attempting to use "v1.0/me/joinedTeams" to get all the joined teams for the currently authenticated user in my asp.net service. This works fine for external accounts that use a Microsoft identity (have a live account) but the same call returns a 400 Bad Request when I attempt to use an external account that uses a mail identity (no live account). The request is the same regardless of external account type. The token generated when authenticating as the mail identity external user looks correct when I inspect it.
I have been able to implement a workaround where I instead use the SharePoint REST service to get the groupId for the team site the user is apart of and then use the Graph call "v1.0/teams/{groupId}" to get that team. However, I need to do this for all the teams the external user has access to which slows things down quiet a bit.
I am aware of what looks like a bug in Graph when trying to make any Graph calls with any external user type, described here: https://github.com/OneDrive/onedrive-api-docs/issues/1039. I have also implemented the workaround for this issue which requires first accessing each site the user has access to by making some arbitrary call using the REST service. Then any subsequent calls using Graph should work. I do this for external accounts with a mail identity before trying to make the joinedTeams call but still run into the 400 response.
These workarounds will suffice in the short term but they increase my execution time significantly, especially when there is a large number of teams the external user is apart of. Any insight on a solution is greatly appreciated.
/me/joinedTeams is not available for personal Microsoft accounts. Se the table on this page
Requesting a sanity check on a question of how to structure Google Oauth in my app.
The app I'm trying to build - call it AppX - will let users create an account with the app (ideally with username/password or with Google login), and then the user will be able to connect their AppX account with several of their Google accounts for the sake of pulling up their various calendars. This is handy when, for example, a user has separate personal and work Google accounts, but they want to be able to see both calendars in AppX.
To accomplish this, I was originally going with the oauth2 token model which can happen purely on the client side. I was then going to send the resulting token back to the server to save onto the user object, and then figure out a way to allow the user to do several of these oauths.
However, this SO question is making me think that with that client-side approach, the UX for refreshing the token is jarring for the user. So I'm thinking I actually need to do this on the server-side using these instructions, which will allow me to store the tokens for multiple oauths and create a more transparent refresh token experience.
Is this server-side approach considered best practice?
I'm developing an application on Microsoft Graph that runs as a daemon, and needs access to many accounts. As a result, I'm using a service account, also known as client credentials (using this method).
I can request the proper scope (calendars.readwrite) however as far as I can see, I cannot restrict to which calendars I have access. In my case, I only need access to the meetingroom calendars, and I'm afraid that organisations will not allow my application if I can also read and write from/to the CEO's calendar.
Is there any way (either while creating the app, or during/after giving admin consent) to restrict my app to only a subset of calendars? Or should I approach this problem differently and (e.g.) not use a service account in the first place?
We are developing a web application using Microsoft Graph, where the signed in user can, Export all the calendar events to a third party calendar Application. After this initial export, we need to keep the exported data in sync with calendar changes via service app (a scheduled task running on server). This need to be a multi tenant application, as people from different organizations should be able to use this service.
Right now we did the authentication using OAuth 2.0 and OpenID Connect as described in this sample. Later we understood that the access token we get using this method cannot be used in the service app without user interaction. Considering our scenario what is the best way to achieve this?
I have read about App-only authorization method to do this. If we use this authentication method, the app need to be consented by a tenant administrator and the these applications are quite powerful in terms of what data they can access in the Office 365 organization. Considering we are developing a product used by different organizations, will it be feasible to use this method?
To use the client credentials OAuth2.0 flow (aka "App-only" or service account access depending on who's documentation you're reading) the admin for each tenancy will need to specify which scopes your daemon process can have for users in their tenancy. The end users can't give these scoping rights to your code themselves (as far as I know at least).
One thing to watch out for is that currently Graph API doesn't allow you to mess about with calendars that are attached to Office 365 Groups if you're using the client credentials flow. This is a pain for us, so we've raised it as an issue that needs fixing in the Office 365 feedback system. if that's an issue for you or anyone else, please throw a few votes at it so that it gets more attention at Microsoft. :-)
I am currently working on an application that allows users to upload/download files. My company wants to have user files stored in their One Drive and not on our server. The only problem with this is that we want to avoid double authentication in order to access their OneDrive account.
For example we have n users associated with an organization. This organization has a single OneDrive account that all of the users will share (legal?). Once a user authenticates to our application, the idea is to have our application sign them in without user interaction by using the Live API so that they may access their organizations files.
Do we have to authenticate every time we wish to use this service or just once?
It's not a big deal for us to do this once for every organization when setting up their account but a requirement is to avoid double authentication. We want the OneDrive storage to be transparent to the user.
Does this violate any of Microsoft's Terms and Conditions?
Thanks! Any input is appreciated as I've never worked on a cloud based application before. If OneDrive isn't a viable solution are there any other recommended services my company could look at?
Consumer OneDrive isn't intended for business use and sharing a single OneDrive account for multiple people isn't recommended either. You should look into OneDrive for business for your scenario: https://onedrive.live.com/about/en-us/business/.
OneDrive for Business uses the SharePoint developer APIs: http://blogs.msdn.com/b/sharepointdev/archive/2013/08/13/access-skydrive-pro-using-the-sharepoint-2013-apis.aspx
I found that the Box API does not support a grant type of passworrd. Neither does OneDrive or DropBox. Without this grant type it is impossible to sent a username and password to log a user in.