I am following the tutorial to accomplish SSO with chat bot in Teams, SBS bots with SSO: https://learn.microsoft.com/en-us/microsoftteams/platform/sbs-bots-with-sso?tutorial-step=5
At "Test in Web chat" section in Azure, I authenticated and then got the access permission window request displayed:
I accepted the request and got the token.
It seems this permissions consent window will be displayed only once and never again.
As I am testing this feature I would like to reset these permissions to visualise the flow again without needing to create/use a new account every time to sign in in Teams.
Is it possible to reset the permissions granted? So the permissions request window can be displayed again.
Related
I am building a chatbot using FreshDesk that will connect to Google Calendar, so I
go to Google Console API and create a project
add the google calendar API service to the project
get the credentials (OAuth client ID)
Configure the OAuth consent screen, adding sensitive scope (edit, view, delete)
develop my own program which will provide the API to book room using google calendar API.
It still fine here, everything works fine in my local computer. Until I tried to deploy to the server on AWS.
The problem I encountered:
According to the sample code from Google calendar API document (https://developers.google.com/calendar/api/quickstart/dotnet)
When I trigger the API at the first time in my local computer through Postman, Chrome will pop-up automatically and display the consent screen and a file
"Google.Apis.Auth.OAuth2.Responses.TokenResponse-user" will be generated after I clicked confirm in the screen.
But the consent screen did not pop out after I deploy to AWS server. I need to copy the Google.Apis.Auth.OAuth2.Responses.TokenResponse-user in my local computer to the AWS server. Is it a proper way to do that? And the file will somehow disappear.. then all of my API is broken without this auth file.. What is the best way to deploy my program to production?
Your going to have a few issues here. First off GoogleWebAuthorizationBroker.AuthorizeAsync is designed for installed applications. It opens the consent screen on the machine its running on. So if its running on AWS then its going to try to open the consent screen on AWS which means you the user can not see the consent screen. The way around this is to run your code once then FileDatastore will store your credentials in the Google.Apis.Auth.OAuth2.Responses.TokenResponse-user file on your machine.
credential = GoogleWebAuthorizationBroker.AuthorizeAsync(
GoogleClientSecrets.Load(stream).Secrets,
Scopes,
"user",
CancellationToken.None,
new FileDataStore(credPath, true)).Result;
your code will then read from Google.Apis.Auth.OAuth2.Responses.TokenResponse-user and load the refresh token when ever it needs to.
The issues you are going to have is that there will be no way for your code to request that you authorize it again if the Refresh token expires. Refresh toekns can expire but its rare after the application has been set to prodcution in Google cloud console.
service account
You may want to consider using a service account if you use a service account you will need a google workspace account to set up domain wide delegation and the service account will only be able to access a calendar on the workspace domain.
The nice thing about service accounts is that they are pre authorized though domain wide delegation which means you wont need to workie about the refresh token, verifying the app, or the consent screen.
I am using office 365 credentials to login to windows 10 machine. I have written a desktop winform application in c# where I just want to get email address and ad group assigned to that login user.
I don't want to relaunch login from desktop app. Just want to use existing user info to get email address and user groups. I am only able to get local groups assigned to that user but required AD groups too.
You must throw login challenge from your desktop app at least once to get the auth token to be able to query graph api (details in the next para) and keep the token cache so that it does not prompt the user again next time onwards. There is no other way I am aware of. You need to create a native client app in AD (or if you want to reuse some existing one, that will do too) and grant Graph API user.read permission to it. Here is an end-to-end guide for that. https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-windows-desktop (well, the example is for WPF, but Winforms would be very similar except the XAML part). If you follow this example, the login screen which will show for the first time will automatically have O365 Windows logged-in user populated (because of .WithPrompt(Prompt.SelectAccount) part in the bootstrapping) if that gives a bit of relief to you app users.
Once you get the access token, you need to query Graph API for that. Here is the programmatic way (C# based on your tag in the question) to get the user details for a logged in user (me) and to get the user groups for the user (me).
We have set up an application in AAD.
The application has been granted access to read/write all messages/mails and "read users profiles" and a global admin have pushed the "Grant permissions" button in the portal.
Still We get Access denied error when trying to access
https://graph.microsoft.com/v1.0/users/{myId}/MailFolders/Inbox/ChildFolders
for my userid (myId). The URL works fine in graph explorer when I'm logged in as my own user.
Also, decoding the JWT at jwt.io shows the application id, name and "aud" (https://graph.microsoft.com) - but no roles/scopes.
What have we done wrong?
Ok so I submitted a ticket to Microsoft Support. I haven't received any response yet, but now it all works just fine. I have no idea why, but when I was submitting the ticket this morning a warning was shown that an outage in Azure AD was recently fixed so maybe that is why things didn't work yesterday.
These are delegated permissions... so you will need a user with the same rights and use the credentials of the user in your authorization flow for your app.
The effective rights are the intersection of the user rights and and the rigths of the app.
"Effective permissions are the permissions that your app will have when making requests to an API.
For delegated permissions, the effective permissions of your app will be the least privileged intersection of the delegated permissions the app has been granted (through consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user."
The user also needs permission to use the app in AAD.
If it is not a delegated permission, maybe there is the need for some global admin to grant the consent for all users. "Topic Admins" can only "request" the permissions for the app and the global admin can consent for all users.
I'm trying to use Microsoft AD Azure to log into my web app. I'm using OWIN and have managed to get to the login page - type in the credentials (including an Azure admin credentials) and I get this lovely message:
AADSTS90093: This application requires application permissions to another application. Consent for application permissions can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.
I'm not sure what else I can do as it's a very specific error but I've already given it full admin.
Edit - Solved! Although it might be a bit different than for others as it's a bit of a rare case. I was pointing at the wrong version of AD where only the CEO of the business had global admin permissions. Once I had pointed it to a different version of AD (the dev AD - not the corporate AD) everything worked.
Your application requires Admin consent. Try the Grant Permissions button in Azure new portal. Wait a few minutes for it to take effect.
picture
Based on the error message, your app have assigned the application permission to the app which requires the Azure Active Directory admin to give the consent.
You can check the permission like figure below and remove all unnecessary permissions if your app doesn't use.
You can also refer the code sample here to integrate Azure AD with web app.
In addition, if we are developing a single tenant app and register the app from Azure classic portal or new portal, there is no need to grant the permission from the web app. The permission already be granted when we register the app.
Please let me know if it helps.
Using facebook C# SDK for a native app to be used in kiosk mode.
Scenario:
User logs in to facebook.
App request permission.
User deny permission.
Unable to programatically log user out of facebook since no access token has been granted.
(see: https://developers.facebook.com/docs/authentication/)
What is the best approach in the above scenario where the next user of the app should start from scratch?