Problem: How to authenticate in MS Graph using Azure AAD access token.
Current flow:
My web app has AAD configured with "Log in with AAD"
If I log into AAD my demo app is showing and if I go to https://******.azurewebsites.net/.auth/me
then I get the access_token.
What I tried:
I tried a couple of things, and this was the last: I copied the access_token as code and tried to send it; it didn't work.
I'm searching for a solution to silently use the already logged-in user and call MS Graph.
The reason for the error is that you have used the wrong code. Don't try to send the access token as a code, you should request an authorization code in your browser.
https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client id}
&response_type=code
&redirect_uri={redirect_uri}
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
In addition, redirect_uri is also a required parameter.
For the already logged-in user, you need to follow the steps below for access:
Make sure you have enabled allow access token for the registered app, as below
Write code to acquire an access token for the logged-in user (Reference)
Now you can pass this token in other successive calls to get the result.
I have followed all steps to use client credentials grant flow to authenticate IMAP.
Registered my app on Azure AD (multitenant)
Set App permissions (Screenshot attached)
Set Service Principals
Acquiring token with scope- "https://outlook.office365.com/.default" and doing post- https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token
I do get the token but it throws "NO AUTHENTICATE FAILED" error.
Here's the issue- The app was created and permissions set using TESTDOMAIN1 account. So it works/authenticates without any problems for emails with abc#TESTDOMAIN1.com.
But if I try to access a guest account(account added in Azure using invitation) like xyz#TESTDOMAIN2.com, it generates the token but throws NO AUTHENTICATE FAILED error.
I tried updating the service principal as well to access this emailbox but I got error there too. (Screenshot attached)
Please suggest if I'm missing something here. All I want to do is access any of my users (Azure AD Users or external users) to access my app and be able to use the api and give access to mailbox.
I tried to reproduce the same in my environment and got the below results:
I created an Azure AD application and added permission like below:
I generated the authorization code with below parameters.
GET
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=e626f30a-80ea-4530-81e9-ebxxxxx
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/IMAP.AccessAsUser.All offline_access
&state=12345
I generated access token successfully like below.
https://login.microsoftonline.com/common/oauth2/v2.0/token
grant_type:authorization_code
client_id:e626f30a-80ea-4530-81e9-ebxxxxx
client_secret:client_secret
scope:https://graph.microsoft.com/IMAP.AccessAsUser.All offline_access
redirect_uri:https://jwt.ms
code:code
I am writing a Razor page application that gets the user's data in Azure AD in the form of an HTTP GET call.
However, most of the documentation I found says to use the MS GRAPH library- is there a way to get the access token on behalf of the user with just standard HTTP?
I am not sure how to get the prompt to log into Office365 to show up from my razor pages application.
You could get access token with auth code flow.
Get an authorization code in browser:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id={client-id}
&response_type=code
&redirect_uri={redirect_uri in azure portal}
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
Get access token with the previous code:
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
client_id={client-id}
&scope=https://graph.microsoft.com/.default
&code={code from previous step}
&redirect_uri={redirect_uri in azure portal}
&grant_type=authorization_code
You will obtain the upn (the username of the user) and other claims after decoding the access token. If you have the required permission of MS Graph, you could also get the details of the user with the API.
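The two requests in this answer (the same authorize request the earlier answers show), built with nothing but the standard library, as an added example that is not part of the original answer. The function names and the placeholder tenant, client id and redirect URI are assumptions; the random `state` replaces the literal `12345` so the callback can be tied to the session that started it.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"

def build_authorize_url(tenant, client_id, redirect_uri, scope):
    """Return (url, state); the caller stores state in the user's session."""
    state = secrets.token_urlsafe(32)  # unpredictable per-request value
    query = urlencode({
        "client_id": client_id, "response_type": "code",
        "redirect_uri": redirect_uri, "response_mode": "query",
        "scope": scope, "state": state,
    })
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{query}", state

def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect, rejecting bad state."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    returned = params.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not for this session")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]

def token_request(tenant, client_id, redirect_uri, scope, code, client_secret=None):
    """Return (endpoint, form) for the POST that redeems the code."""
    form = {
        "client_id": client_id, "scope": scope, "code": code,
        "redirect_uri": redirect_uri,  # must equal the value sent to /authorize
        "grant_type": "authorization_code",
    }
    if client_secret is not None:  # confidential (server-side) clients only
        form["client_secret"] = client_secret
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", form

if __name__ == "__main__":
    # Constructed placeholder values, not a real tenant or application.
    url, state = build_authorize_url("example-tenant", "example-client-id",
                                     "https://app.example/cb",
                                     "https://graph.microsoft.com/.default")
    print(url)
```

The form returned by `token_request` is sent as `application/x-www-form-urlencoded`; the code and the resulting tokens should stay out of logs.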
I want to use Microsoft Graph to fetch manager details from my C# based bot.
I am able to fetch my profile by using this query:
await new HttpClient()
.GetWithAuthAsync(token.AccessToken,
"https://graph.microsoft.com/v1.0/me/");
but when I try to fetch the manager, I am not able to get a response:
await new HttpClient()
.GetWithAuthAsync(token.AccessToken,
"https://graph.microsoft.com/v1.0/users/abc#domain.com/manager");
I am unable to understand what is wrong with the query.
Please help.
Please find below access token:
https://9c9ca0db.ngrok.io/api/OAuthCallback?code=AQABAAIAAADX8GCi6Js6SK82TsD2Pb7rgKFM6GqiboAOn6WZitAqMLG2xkiduiMIz1slVYvjSZeevZcHogj8vmYwZH1JfaqgX1CXsBs2l7bCn1lwhZh2bq6B4LlxeJWku8zZI5hiY2mLReHWWiuQtZp4J5JJ_RVvbe6eBfgsamlCYhRPKMAfsuRBri-mQ5nJCYmVkdYOY6aGxblY2mzZL85mwogRECROLc0PsQohR1Sw0rRTon7JvHl8Pc5-GxxFYwtClp66EWnhoy8FV5dFBSOfOS_wNcijwKkA-RXvaZ2yscOnfCOKRaEL2FAUm6MAz7StrJQD0y3a1_-g97IxdtQenMNwhkSNp6wiLQsD0DzFr3zfLuIr_07ttOy07NknTJ9OPjneWQcONKUhQvLAfy-JsW4VwgOznwEcIT8K7ML-QpGXfNB1-igjm0b5x0ucHz76FQfLHxWGW2x9tsyg14NcKfpHlIsEDmHEooIGm0RCjYMuuo6uXfMCDIAMVwzUx4ehKZRXF3oNi--I889Gjfm2DeClhDYkg_ErasBgT2LLB1sLo2bPC8_65EDRQRE7sawDeyVa4sasasZ-OaN-E41dwu6re7tJcfbphpTgS9uMkkhhyic6HIwzg1iRk8sqo0_vQ6uAMtB7LDmSny7vN_3kNWFamR9u-_vOMwSW2sRZkf8S0QxjmuDmVkrH32iKx1dsszmXmtjuUtZoLr400LjNHXEb3MWUjbLWxL3u5xassasyX1LrcXYGLF3bPiZigX_Q3-8bFAHjV3-jvHxgIFd7NLtkR4socHO7Dx99ejDCnQ_sCoyFQVhRUE8iAA&state=H4sIAAAAAAAEAG2Oyw3CMAxAred4QH7EAO_SHKKgsgLhwQR0gTQ0JuHGVpF2SpXDFlZv1cd7tDwAkY0B_7WArc4cPNVJMZ_QTN9XjH6WNcg5JspU47EdSkYW3HIVthNW1MqRfx9JCIslkNTaeYCfKxDiEc56Xh1PRFhVm7un5nVmGpQ0Xz-MgX2l2E_qgomUnK9fS7SvSLXWmhoRYK0JYzMdd2twBvnWWUE3LAAAA0&session_state=e4d12345-4013-4edb-8487-35ef1763f323
The "access token" you've provided is not an Access Token. That is an Authorization Code that you would use to obtain an Access Token. More specifically, that is the redirection URI with query params that include the code you would submit.
You may want to take a look at this primer I wrote on OAuth 2.0 and the v2 Endpoint. It will help with understanding how OAuth works and the various calls required to obtain an access_token.
In order to retrieve profile information, including manager, from another user (a user other than the one who is authenticated) you need one of the following permission scopes:
User.Read.All
User.ReadWrite.All
Directory.Read.All
Directory.ReadWrite.All
Directory.AccessAsUser.All
You'll also need to obtain Admin Consent before you can use these scopes.
Once you have both the correct Scope and Admin Consent, you can request the profile for another user with /v1.0/users/{id}/manager.
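A diagnostic for the two points in this answer, as an added example that is not part of the original answer: it tells a pasted redirect URI carrying a `code` apart from a JWT-format access token, and checks whether a token's claims include one of the scopes listed above. The function names are assumptions, and the claims are read without signature verification, so the result is for troubleshooting only.

```python
import base64
import json
from urllib.parse import urlparse, parse_qs

# Scopes the answer lists for reading another user's profile or manager.
REQUIRED = {"User.Read.All", "User.ReadWrite.All", "Directory.Read.All",
            "Directory.ReadWrite.All", "Directory.AccessAsUser.All"}

def _b64url_json(segment):
    padded = segment + "=" * (-len(segment) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))

def classify(value):
    """Return 'redirect_with_code', 'jwt' or 'unknown' for a pasted value."""
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https") and "code" in parse_qs(parsed.query):
        return "redirect_with_code"
    parts = value.split(".")
    if len(parts) == 3:
        try:
            if isinstance(_b64url_json(parts[1]), dict):
                return "jwt"
        except ValueError:  # bad base64, bad UTF-8 or bad JSON
            pass
    return "unknown"

def granted_scopes(jwt):
    """Delegated scopes ('scp') plus application roles ('roles'), unverified."""
    claims = _b64url_json(jwt.split(".")[1])
    return set(claims.get("scp", "").split()) | set(claims.get("roles", []))

def can_read_other_users(value):
    """True only for a JWT whose claims carry one of the REQUIRED scopes."""
    return classify(value) == "jwt" and bool(granted_scopes(value) & REQUIRED)

if __name__ == "__main__":
    # Constructed, unsigned sample token; not a real credential.
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    sample = ".".join([seg({"alg": "none"}), seg({"scp": "User.Read"}), "sig"])
    print(classify(sample), can_read_other_users(sample))
```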
I need help obtaining an authorization code. Is there any way to get one without accepting anything or any window popping up? I need this for my service as an automated process.
I tried like a thousand ways but nothing works.
Please does anyone know a solution?
As per the docs (http://msdn.microsoft.com/en-us/library/dn659750.aspx), you can use a refresh token if your app has offline access in its scope.
If offline access is set, when you retrieve your authentication token normally, you'll also get a refresh token. When the normal token expires, you can request a new one similarly to the first token, replacing the code query parameter with the refresh_token parameter.
To be clear, the process looks like this as per the docs:
Send your user to your web service
Direct them to the OneDrive authorise page with the correct parameters (make sure offline access is in the scope)
Wait for them to be redirected back to your app with the authorisation code
Exchange the authorisation code with OneDrive (using the oauth20_token.srf endpoint) to receive a set of tokens (one of these will be refresh)
Wait for the access_token you received to expire
Exchange the refresh_token you received for a new access token as per the "Getting a new access token or refresh token" section of the docs
I want to authorize my users with Windows Live. I use the Windows Live Connect 5.0 SDK for this. I am using a WPF WebBrowser control to get a token, but it always prompts for consent.
I let the webbrowser navigate to the following link:
https://oauth.live.com/authorize?client_id=CLIENT_ID&response_type=token&scope=wl.signin%20wl.basic&redirect_uri=https://oauth.live.com/desktop
with the client id as my application id. And I watch for navigation to the redirect URL. I mostly don't need to log in. But each time I need to give consent for the two scopes.
The weird thing is that when I look into the apps I have given consent to, both scopes are checked.
Also when I use another url for silent logging in:
https://oauth.live.com/authorize?client_id=CLIENT_ID&response_type=token&scope=wl.signin%20wl.basic&redirect_uri=https://oauth.live.com/desktop&display=none
I get an error that the user hasn't given consent for wl.signin and wl.basic.
Unlike Facebook's OAuth implementation, checking the checkbox will not remember consent on the WL server, but rather give you a long-lived refresh token which you can exchange for an access token.
Flow:
if you have a refresh token saved - try to get an access token based on the refresh one ( http://msdn.microsoft.com/en-us/library/ff752395.aspx ), otherwise:
show consent dialog
get access and refresh tokens ( http://msdn.microsoft.com/en-us/library/ff750952.aspx )
save the refresh token securely on your server - the refresh token is a close equivalent of an unencrypted user name + password. If you can't store it securely, you have to live with the consent dialog.
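The refresh-first flow from this answer and from the OneDrive answer above, as an added example that is not part of either original answer. `TokenCache` and its `post` parameter are assumptions: `post(endpoint, form)` stands in for the HTTP POST to the token endpoint and returns the parsed JSON response, and the refresh token is assumed to be persisted in protected storage between runs.

```python
import time

class TokenCache:
    """Tokens for one user; falls back to consent only when refresh fails."""

    def __init__(self, post, endpoint, client_id, redirect_uri, skew=60):
        self.post = post          # callable(endpoint, form) -> dict (assumed)
        self.endpoint = endpoint
        self.base = {"client_id": client_id, "redirect_uri": redirect_uri}
        self.skew = skew          # refresh this many seconds before expiry
        self.access_token = None
        self.expires_at = 0.0
        self.refresh_token = None  # load from protected storage in real use

    def _store(self, resp, now):
        self.access_token = resp["access_token"]
        self.expires_at = now + int(resp["expires_in"])
        # The server may rotate the refresh token; always keep the newest.
        self.refresh_token = resp.get("refresh_token", self.refresh_token)

    def redeem_code(self, code, now=None):
        """First sign-in: exchange the authorization code for tokens."""
        now = time.time() if now is None else now
        form = {**self.base, "code": code, "grant_type": "authorization_code"}
        self._store(self.post(self.endpoint, form), now)

    def get_access_token(self, now=None):
        """Return a valid access token, refreshing silently when needed."""
        now = time.time() if now is None else now
        if self.access_token and now < self.expires_at - self.skew:
            return self.access_token
        if not self.refresh_token:
            raise LookupError("no refresh token saved: show the consent dialog")
        form = {**self.base, "refresh_token": self.refresh_token,
                "grant_type": "refresh_token"}
        resp = self.post(self.endpoint, form)
        if "error" in resp:  # e.g. invalid_grant for a revoked refresh token
            self.access_token = self.refresh_token = None
            raise LookupError("refresh rejected: show the consent dialog")
        self._store(resp, now)
        return self.access_token
```

Catching `LookupError` is the single point where the application sends the user back through the authorize step.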