I am writing a simple web app (Javascript) that includes a form, once the form has been submitted I want to save the data on my oneDrive as a new file. That's all! But for some reason, I cannot accomplish this simple task.
So I want to use oneDrive as my database. but all I can find on the Microsoft Graph API are require a login popup which does not make sense here for me in this case cause the user have nothing to do with that. just want the details will be submitted into my personal oneDrive.
I am using client_credentials flow to generate access token but I keep getting errors like 'Unable to retrieve tenant service info.' or 'Current authenticated context is not valid for this request'
when I try to access the drive API.
I gave all the possible permissions to this app, I am using my personal free Microsoft account
so What am I missing here?
Another issue that I will be happy to know more about is that in my Azure app registration after I register this app and I go to the owner's tab I see this message - 'This app does not belong to any directory, so owners can’t be added to it.' is that might be the problem? how and do I even need to assign this app to a certain directory to use the API for my personal drive?
Also when I am vising the Users section on my Azure portal I see this message - 'You don't have access to this data.'
How is that possible if I do not belong to any organization and I created this azure account??
Thank you in advance, any information here will be helpful cause I am kinda lost.
I am using client_credentials flow to generate access token but I keep
getting errors like 'Unable to retrieve tenant service info.' or
'Current authenticated context is not valid for this request' when I
try to access the drive API.
For this you could use the Code Flow authentication
In this, you will not be needing any tenant information - just the client credentials and access token to access the OneDrive API
https://learn.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/msa-oauth?view=odsp-graph-online#code-flow
This app does not belong to any directory, so owners can’t be added to
it
If the app had been registered in the converged app portal - you are likely to encounter this. You can you portal access this link and login with your personal account\live account.
Related
I'm hosting a static page/site on GCP App Engine (written in standard js/html/css), on a company domain ;
I know in localhost testing I can't get the user info in any way (which is fine, I'll hardcode dummy data).
But after using gcloud app deploy and running it on the engine, is there a way to obtain user info somehow? Name, email etc. Ideally just through the app somehow - or even by calling a google cloud function or something.
Nb. I have activated IAP so when hosted, the user does go through google auth on this site (all domain users are allowed in).
If you have turned on IAP, then to get the information you want, you have to look at the headers
From Google Documentation
....IAP also passes the user's identity to your backend service in the following HTTP headers.
X-Goog-Authenticated-User-Email : The user's email address
X-Goog-Authenticated-User-Id : A persistent, unique identifier for the user
Tip: Do a dump of the headers in your code to see what else you might find useful.
I got the error when trying to get an access key for one of our APIs.
"AADSTS65001: The user or administrator has not consented to use the application with ID '{GUID}'
First, I was trying to prompt=consent during login, thinking that I had new consents that weren't prompted during login. And I got the following error.
"AADSTS65005: The application '{GUID}' asked for permissions to access a resource that has been removed or is no longer available. Contact the app vendor."
I removed prompt=consent and started fiddling with the permissions in Azure, and now I was stuck on the same error.
I changed everything as it was, but I still get the error. However, this only happens to my user. Everyone else can still log in without problems.
So my problem is actually in two parts:
The first error when trying to get an access token for the API.
Somehow I need to prompt the user with consent, but I am using adal.js which uses a silent retrieval of the keys using an invisible iframe. I want the support to be when the user logs into the web app.
Is this possible?
My user can't log in to our web app anymore. Everyone else can. Did anyone encounter this before?
The product is a SPA Web App written in React, and we use adal.js (adal-vanilla) as a library for authentication to Azure AD.
Update
I finally got some stuff working. Not all the way, but at least it's a start.
The problem with this is that users registered on other tenants (this is a multi-tenant app) don't get consent to use the API. These users get the error. However, I registered a user on the same tenant, and everything worked as intended.
Problem two was solved by removing all the permissions, adding them one by one, and testing in between. Somehow this worked after two-three tries.
The problem is that users from other tenants don't get a consent prompt to access the API.
Somehow the issue got fixed, I'm not 100% sure how or why but here are the steps I performed to fix it if someone finds themselves in a similar situation:
Ensure that all permissions are correct (APIs are added as delegated permissions to the client)
All services (web app & apis) are multitenant
Update manifest with:
"availableToOtherTenants": true,
"knownClientApplications": [
"{client app application id}"
],
(availableToOtherTenants was false for the API even though it was marked as multitenant in the settings)
The consent might be possible to fix with prompt=admin_consent.
As for the second problem, you can add your web app as a known client application of the API. This will allow simultaneous consent when the user authenticates to the web app.
To do that, find the API app registration in Azure Portal's Azure AD blade. Then open its manifest (there is a Manifest button on the app blade). In there should be a "knownClientApplications" property. Add the client id of the web app in the array and save the manifest.
E.g.:
"knownClientApplications": [
"bda6ffff-ffff-ffff-ffff-ffff8bf8c57f"
],
I am new to GMail JS API and I was trying to read gmail emails using Javascript according to the quickstart tutorial given explained on below link
https://developers.google.com/gmail/api/quickstart/js
I have followed all the instructions given on the page but I am getting below
error
did I miss something???
Please help me resolve this error
Thanks in advance!!!
You may refer with this thread. Make sure that you are authenticated to the API properly.
To do this, there are two ways:
use OAuth - the Server redirects the user to google's servers, where they can login, grant permission to your app, and pass a token back to
you
Service Accounts. These are a little bit more complicated:
First, you'll have to setup an app (done)
second, you'll have to setup a service account. This is how your app authenticates to google. you've done that, and the certificate
you've got contains the private key to authenticate
third, the user needs to grant your application access to act on behalf of them. This is the point you haven't done yet.
Also, as stated here, certain scopes simply aren't supported for the oauth2 for devices flow.
Additional references:
Invalid scope error when trying to access gmail api
You may refer with this thread.
As per the announcement on May 11, 2017, publicly available applications with access to certain user data must pass review. If you see an access error for your app, submit a request using our OAuth Developer Verification form.
For personal-use apps and those you are testing, join the Google group Risky Access Permissions By Unreviewed Apps, which allows you to approve data access for personal and testing accounts. See the Google API Services User Data Policy for more information.
This blog about how to fix this error might be also helpful.
OAuth invalid scope
I'm newbie to Facebook Graph API and Facebook JavaScript SDK but I'd like to know some things:
Is there any way to put my Access Token in a Open Source application without actually showing it? I'm using GitHub and for security purposes I'd like to make it private.
Can I show my user information without asking the users to Authenticate themselves?
Where in Facebook Developers App can I allow more "scopes" to share publicly? For example, user_photos, user_posts, user_likes, user_status, etc...
These "scopes" that Facebook allows by default are actually the information I'm getting from the user while I'm Authenticating them right?
Just to clarify what I'm trying to do, I want to share things about my Facebook Account through the Facebook Graph API in the gh-pages branch on GitHub, but I don't like the idea of having to authenticate every single user that has access to the page.
I'd like to make my user information public, but don't want to show my access token, because it's Open Source and it can get dangerous eventually.
If you'd like to see my repository and have a better understanding of the project. You can access https://github.com/iszwnc/rye
If I recap:
you don't want to share your app access token (good!),
you don't want your users to authenticate.
Basically, you can't hide your token and let your users query Facebook directly. You need some server-side code on a machine that would be the only one reaching Facebook. Your server would play the role of an interface between Facebook and your users. So you will have to:
do the API calls from a server using server-side code (i.e. Node.js),
save the information you want in a database. This is optional but better to avoid the same information to be retrieved multiple times, thus avoiding your future 100 users to (voluntarily or not) reach your app API limit.
let the users query your server using some client-side code (i.e. AngularJS) in order to retrieve what you and only you know (remember, you own the token).
About Github, don't share your token on it. People can generate their own token if they want to run your app. Here are several suggestions:
Add your token to an environment variable which you can set just before launching the app (don't forget to mention that in your README),
Add your token to a file:
Create a credentials.js file that contains an empty token:
// Please use your own token
var APP_TOKEN = '';
Commit the file to Github,
Have a .gitignore file that contains the credentials.js,
var APP_TOKEN = 'now-you-can-put-your-token-here';
Good luck with your project, it looks exciting :-)
I would like to access a user's Outlook emails with my javascript app.
Google makes this very easy using Oauth and it's restful Gmail API.
I have tried researching similar options for Outlook, but I can't seem to find a good way to authenticate a user with Oauth 2.0, then access their message inbox.
Are there any Microsoft technology experts that can point me to some resources to get started here?
I am restricted to using only client-side code as this is for a phonegap mobile application. I would like to continue using oauth-io but I realize that may not be an option.
I was having a hard time tracking down the process for getting the emails as well. Anyway, first things first, you'd need to register your app for OAuth here. This page describes some more details on the registration and also how to access the needed API.
Although you can do the calls via Javascript, there are some security issues because you'd eventually need to send your client secret. It might be safer to do some parts in the server side.
First step is getting the user to login and retrieving the access token.
https://login.live.com/oauth20_authorize.srf?client_id=[CLIENT_ID]&scope=wl.imap wl.offline_access&response_type=code&redirect_uri=[REDIRECT_URI]
On the server side, exchange the access code for an access token:
https://login.live.com/oauth20_token.srf?client_id=[CLIENT_ID]&client_secret=[CLIENT_SECRET]&code=[ACCES_CODE]&grant_type=authorization_code&redirect_uri=[REDIRECT_URI]
Get user's email and other account info (Python sample codes):
https://apis.live.net/v5.0/me?access_token=[AUTH_TOKEN]
Retrieve emails via IMAP using the email address from emails>preferences in previous reply (see more details here). It would look something like this in Python:
import imaplib
mail = imaplib.IMAP4_SSL('imap-mail.outlook.com')
username = [username]
access_token = [access_token]
auth_string = 'user=%s\1auth=Bearer %s\1\1' % (username, access_token)
mail.authenticate('XOAUTH2', lambda x: auth_string)
mail.list()
You can look at existing IMAP libraries to retrieve the actual emails from there. Here's one for python.