I'm writing an application in C# that aims to query the Google Domain Shared Contacts API to retrieve (and eventually update/add/delete) all domain shared contact records. As this is not currently supported via the .NET client libraries, I have written a procedure to retrieve an oauth 2.0 token to include in my request to https://www.google.com/m8/feeds/contacts/example.com/full. I believe I have the oauth 2.0 token request procedure correct, but I am getting a 403 Forbidden error when calling the above mentioned URL with that token. However, if I go into the OAuth 2.0 playground and create a token through there and use that token instead in my C# app, the call succeeds and I get contact records returned.
My question is - does the Domain Shared Contacts API support being called with the credentials of a service account?
The solution to this issue was to include the email address of the "overarching" domain administrator account as the user being managed ('sub' property of claimset when creating Jason Web Token or 'User' property of ServiceAccountCredential initialization). As the domain administrator has access to all domain data, the call to retrieve all domain shared contacts now succeeds.
Related
I created an application that's calling Oracle RESTful Webservices and i want to secure them with Oauth 2.0. I followed this tutorial 'Accessing the RESTful Services from a Third Party Application'
But when I try to get the access token, I get the error below: https://server:port/i/oauthdemo/gallery.html#error=access_denied&state=STATE
This document mentions that this error happens if the user denies the request. How can i approve the request? Is there any extra configuration that I need to make?
Is there a way to authenticate the Microsoft or google OAuth token in active directory without using an authentication server?
Here is the scenario:
A client app gets an Microsoft access_token from some external service.
Client app will make a call to some secured web API and pass that access_token along with the request header
If the access_token passed by client is valid then API will provide response to the client.
Is there a way to validate that access_token on API side?
My normal understanding about OAuth 2.0 is there needs to be an authentication server to which both the client and API would talk to as shown in the figure below:
But if the token is provided by some external service, Can we use it to validate our web API. Are there any ways to implement such authentication?
You can learn more about AAD Signing Keys and handling Key Rollover using this page: Signing key rollover in Azure Active Directory
Validation of the token, once you have the signing key, can be done using existing libraries like OWIN. You can also try following instructions like this (although it seems the document isn't 100% complete yet): Manually validating a JWT access token in a web API
This library is also available, but I think OWIN is supposed to have replaced it in general.
Also check out this blog post, which has a pretty great deep dive into token validation.
We are having issues with obtaining access tokens for Sharepoint/Exchange resources for a non-multi-tenan Office365 deployment.
This tenant has an O365-D-vnext (dedicated, not multi-tenants) environment which seems to use a different resource end points for sharepoint and exchange, and possibly the management APIs as well.
We use the 'client credential flow' (app-only) to authenticate the global admin for this tenant. The authentication went through, and we got back an auth token (which we discard as it’s not applicable in app-only authentication flow) and tenant-id (we verified the tenant id with the customer). We then tried to get tokens for 3 different APIs using
login.microsoftonline.com//oauth2/token
Here is where we are at with this:
1) We were able to get token for
https://graph.windows.net
and access the active directory groups (we should be able to fetch the users as well)
2) We were able to obtain an access token for exchange resource endpoint
https://outlook.office365.com/
but when we tried to use it, we got 404 for users that we know have mailboxes. We are not sure if outlook.office365.com works for O365-D-vnext (dedicated, not multi-tenants) environment.
3) We were able to get token for
https://{tenant}-my.sharepoint.com"
but when we tried to use the token to access user’s Onedrive, it returned this error: {“error":"invalid_client","error_description":"Invalid audience Uri 'https://{tenant}-my.sharepoint.com/'} . We were told by our customer that this endpoint would not work for their non-multi-tenants environment.
We subsequently tried a couple of other vanity URIs that the users of this customer use to access their sharepoint onedrive documents. But we were NOT able to get token for the URIs provided by our customers. We received the following error when using these URIs provided:
{"error":"invalid_resource","error_description":"AADSTS50001: The application named https://<tenant-my-site>.com was not found in the tenant named https://<tenant>-my.sharepoint.com/. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: … ”error_codes":[50001] …}
Any ideas on how to get access tokens for this type of deployments?
I'm developing a site for a non-profit. I'm building it as an express app hosted on heroku that needs access to the non-profits facebook group events.
I'm able to grab all the group's events in the graph api explorer. But I'm very confused as to what api token I need.
What facebook api token do I need to provide my webapp so it can access a random group's events listing?
Probably the app access token from the application requesting the information. The access token can be created by linking your application ID and your application secret together like so:
APP_ID | APP_SECRET
No spaces between though, just provided them for clarity.
PHP example:
$app_access_token=$app_id."|".$app_secret;
Then just append the access token to your request and it should work.
You want to use an app token. Easiest method is to create an app, then submit a get request with your app_id concatenated with your app secret.
Like so curl https://graph.facebook.com/v2.1/endpoint?key=value&access_token=app_id|app_secret note that https is required. https://developers.facebook.com/docs/facebook-login/access-tokens/#apptokens
Note this only works for endpoints that don't need user credentials e.g. public groups https://developers.facebook.com/docs/graph-api/reference/v2.1/group/ However group/events does need a user access token https://developers.facebook.com/docs/graph-api/reference/v2.1/group/events
I am trying to use the Google Contacts API and the Python / GDATA client handlers to access Contacts via OAuth 2.0 for users in the domain. I'm ultimately wanting to create a web service to add contacts for users, but the first step is getting this test working.
I can access my own Contacts just fine if I use the default URI. However, when I pass in the email address to construct the URI for another user, I can't seem to access the other user's Contacts. Here is the code that I'm using:
client.GetContacts(uri=client.GetFeedUri(contact_list=userEmail))
A 403 error is returned when I execute this.
gdata.client.RequestError: Server responded with: 403
Your client does not have permission to get URL /m8/feeds/contacts/<userEmail>/full from this server.
Mostly just trying to understand if what I'm attempting here is even possible. In the Email Settings API, for example, you can get authenticated to the domain and pass in a user's email to list their labels, add filters, etc. So, I would anticipate that the Contacts API would work the same, though handled slightly differently, i.e. modifying the URI, instead of just passing in an argument to the client handler. Please let me know if I am wrong in that presumption.
For authorization, I'm getting the details using flow_from_clientsecrets, then getting the token to authorize the ContactsClient for the domain. Again, I can access my own contacts fine, so authorization seems OK, but I can't access other users' contacts.
client = token.authorize(ContactsClient(domain=domain))
Seems like I'm missing something with respect to accessing other users. Is anybody able to assist me over this hump? Here are some things that I've checked / confirmed:
Contacts API is enabled for the project
Scopes have been authorized for the Client ID in the control panel > Manage 3rd party access
I am a Super Admin in the domain.
Thanks for your time!
I figured out the answer here from another post with exceptional detail:
Domain-Wide Access to Google GDATA APIs
You need to use "Service Account" authentication. For some reason, I was thinking that would only work with the newer discovery-based APIs. But, service account access also works for GDATA APIs. I can access all the Contacts for users in the domain now.