I would like to send an email on behalf of a user using Postman (Office 365). I have the email id and password of that account. After doing some research, I have found that I need to login, using a browser, to get the authorization code and then I can perform the next steps from Postman (getting the access token and using the Microsoft Graph Explorer) to send the email.
I would like to get the authorization code using Postman (not browser). I tried and got the following error (which is what should come the way I have requested the API)-
In short, I want to send email from Graph API using a REST client like Postman (right from authorization to sending email). Is this possible?
(I have already read these documents but did not help me get there-
https://developer.microsoft.com/en-us/graph/docs/concepts/rest
Accessing Microsoft Graph API without using login page
Automatically Log-In To Office 365
)
Yes, it is very possible, in fact, you can use all of the Microsoft Graph API from Postman or any other program which can make HTTP requests.
All you need to do is to get access token to use in your requests to the Graph API, and there at least 4 ways which allow you to do so without user interaction. But the process requires some preparation since you need to create an OAuth App in order to be able to use the Graph API.
Since I had to do the same myself and it wasn't easy to collect all the bits of information necessary, I've written a full guide on this subject including Postman examples:
Getting Access Token for Microsoft Graph Using OAuth REST API
In large you need to do the following steps:
Register OAuth App
Configuring App Permission
Use one of the following flows, depending on the information you have:
Flow 1: Get Access Token from Client Credentials (Client credentials Grant)
Flow 2 – Get Access Token From Client & User Credentials (Resource Owner Credentials Grant)
Flow 3 – Get Access Token From Refresh Token (Refresh Token Grant)
Flow 4 – Get Access Token From Another Access Token (On-Behalf-Of Grant)
Use the access token in requests to Microsoft Graph API
All of those steps are explained in the article.
Related
We have REST Web API written in .NET CORE, which are used on REACT SPA, we are using OKTA with PKCE.
For our API(s) we have end to end test cases written using postman/newman, the API(s) depend on JWT access token for finding user details.
How can I get access token from OKTA for PKCE flow without user interaction?
I followed this for getting access token but even this one throws a browser window for username/password.
https://developer.okta.com/docs/guides/implement-oauth-for-okta/request-access-token/
Is there a way I can pass username and password in the payload and get access token back?
In essence I am after a flow which lets me fetch access token using resource owner username and password on PKCE flow.
It seems with SPA configuration it isn't possible as per OAuth specifications.
Had to create a native app with PKCE and used "Get Access Token with Resource Owner Password Credentials" API in the postman collection available on OKTA
This page claims that you can access the Places Graph functionality without having a logged-in user:
You make your calls using a Client Token (from the client), and an App Access Token (from the server).
The documentation regarding Client Tokens says:
The client token is an identifier that you can embed into native mobile binaries or desktop apps to identify your app. The client token isn't meant to be a secret identifier because it's embedded in apps.
This sounds like exactly what I want--I am trying to build a website that allows users to search for Facebook places. I need to be able to build the list using an AJAX request from the client side.
I can't for the life of me find any documentation on using the Client Token to make such a request.
Please note that I cannot use an App Token because this will be deployed to a website, and Facebook specifically says not to use App Tokens in that context.
I've tried using the Client Token directly as the access_token, but then I get Invalid OAuth access token.
How can I use the Client Token to make a Places Graph API call directly to Facebook's API from the client's browser?
Note: I realize that I could send the request to my own server, then relay that request from my server to Facebook, but that is not an optimal solution for me.
In case anyone is still struggling with this like I was. You just need to use the appId and client token joined with a pipe. So "appId|clientToken".
I would like to get basic user information from Facebook after the user has logged in.
I've looked at the documentation in How to: Work with authentication and under the "How to: Retrieve authenticated user information" section, it shows how to do it from the .NET backend code by using an HttpClient to make the call with the AccessToken:
var fbRequestUrl = "https://graph.facebook.com/me/feed?access_token="
+ credentials.AccessToken;
Since the mobile client has the accessToken that we get from MobileServices, can the client make the call directly to a Facebook endpoint, or does the client SDK provide us with any built-in functionality?
I've been following the Xamarin.Forms Sport project and the way they get the user information from Google is by hard-coding the Google endpoint and making a call to get the user info.
Note: Xamarin.Forms Sport uses Mobile Services, not Mobile App, so not sure if that makes any difference.
It sounds like you're doing the server-directed login: where you are making a call to your backend to do the login dance with Facebook. In this, your client application is making a GET call to .auth/login/facebook, which opens up a browser or the Web Authentication Broker where you enter your credentials. The end result is you will receive a Zumo access token (different from Facebook access token).
You cannot use the Zumo access token to access Facebook APIs by itself. In the "How To:" you linked, we show you how to use GetAppServiceIdentityAsync from the backend to get the Facebook access token. This is possible because you have stored your Facebook client ID via portal, which is available to the backend.
The advantage of doing auth like this was that you don't have to deploy your Facebook Client Id with your mobile apps. If you wanted to access the Facebook APIs from the client, though, you'll need to get the Facebook token to the client.
Few ways I can suggest:
Call .auth/me from your client. The response will give you a JSON object you can parse that should include the FB token associated with your Zumo token.
Write a custom API with [Authorize] attribute set that will perform GetAppServiceIdentityAsync and respond with the value of the facebook access token. You can then parse the response from your client. This is basically what .auth/me does, but you can write it to give back only your FB access token.
Use the Facebook .NET SDK http://facebooksdk.net/ to do client-directed login. You will get a Facebook token on your client, and then you can use our LoginAsync(Facebook, access_token) method to get a Zumo token so that your client can access both Facebook and your Mobile App backend. The disadvantage, as I mentioned before, is that you'll have to deploy your FB Client ID with your app.
I am hoping to work on a REST API that would interface with a mobile client. I am think of implementing the following flow and hope you guys can set me off in the right direction:
User accesses the mobile app and then will signup with facebook (app)
Once the user successfully authenticates himself, the generated token is passed to the server (via an API endpoint)
The server will accept this token and will attempt to query the facebook server using this token and process the returned information
Is this possible? And am I heading in the right direction ?
Not only this is possible, but this is the approach which Facebook recommends. This is called "token debugging" in FB parlance.
The token will need to be checked and validated by your server, by calling the token debug Facebook api.
If you don't validate the token on the server, your app could be subject to various attacks, e.g. another developer could use a token generated on another app to gain entry.
The correct approach is:
testing that the user is the one to whom the token belongs to
that your app is the same for which the token was generated
that the token itself is valid.
You can manually inspect a token, in order to test your code with an online tool: https://developers.facebook.com/tools/debug/
Let's say I have an AngularJS application that consumes the REST API of a Django application.
The Django application has got a built-in OAuth2 provider that can be called to retrieve an access token and use the protected endpoints of the API. This provider is using django-oauth-toolkit.
Let's assume there is a registered client with "password" grant type, so that the end users only need to provide their credentials in the front-end in order to get an access token from the back-end.
At some point we want to add some support for social networks login and we decide to use python-social-auth (PSA) to that end. Here is the workflow I want to achieve:
The user logs in on Facebook from the front-end (via the Facebook SDK) and we get an access token back from the OAuth2 provider of Facebook.
We send the Facebook token to an endpoint of our REST API. This endpoint uses the Facebook token and django-social-auth to authenticate the user in our Django application (basically matching a Facebook account to a standard account within the app).
If the authentication succeeds, the API endpoint requests an access token from the OAuth2 provider for this newly authenticated user.
The Django access token is sent back to the front-end and can be used to access the REST API in exactly the same way that a regular user (i.e. logged in with his credentials) would do.
Now my problem is: how do I achieve step 3? I first thought I would register a separate OAuth2 client with Client Credentials Grant but then the generated token is not user-specific so it does not make sense. Another option is to use the TokenAuthentication from DRF but that would add too much complexity to my project. I already have an OAuth server and I don't want to set up a second token provider to circumvent my problem, unless this is the only solution.
I think my understanding of PSA and django-oauth-toolkit is not deep enough to find the best way of reaching my goal, but there must be a way. Help!
I managed to get something working using urllib2. I can't speak towards whether or not this is good practice, but I can successfully generate an OAuth2 token within a view.
Normally when I'd generate an access token with cURL, it'd look like this:
curl -X POST -d "grant_type=password&username=<user_name>&password=<password>" -u"<client_id>:<client_secret>" http://localhost:8000/o/token/
So we're tasked with making urllib2 accomplish this. After playing around for some bit, it is fairly straightforward.
import urllib, urlib2, base64, json
# Housekeeping
token_url = 'http://localhost:8000/auth/token/'
data = urllib.urlencode({'grant_type':'password', 'username':<username>, 'password':<password>})
authentication = base64.b64encode('%s:%s' % (<client_id>, <client_secret>))
# Down to Business
request = urllib2.Request(token_url, data)
request.add_header("Authorization", "Basic %s" % authentication)
access_credentials = urllib2.urlopen(request)
json_credentials = json.load(access_credentials)
I reiterate, I do not know if this is in bad practice and I have not looked into whether or not this causes any issues with Django. AFAIK this will do this trick (as it did for me).