I got the error when trying to get an access key for one of our APIs.
"AADSTS65001: The user or administrator has not consented to use the application with ID '{GUID}'
First, I was trying to prompt=consent during login, thinking that I had new consents that weren't prompted during login. And I got the following error.
"AADSTS65005: The application '{GUID}' asked for permissions to access a resource that has been removed or is no longer available. Contact the app vendor."
I removed prompt=consent and started fiddling with the permissions in Azure, and now I was stuck on the same error.
I changed everything as it was, but I still get the error. However, this only happens to my user. Everyone else can still log in without problems.
So my problem is actually in two parts:
The first error when trying to get an access token for the API.
Somehow I need to prompt the user with consent, but I am using adal.js which uses a silent retrieval of the keys using an invisible iframe. I want the support to be when the user logs into the web app.
Is this possible?
My user can't log in to our web app anymore. Everyone else can. Did anyone encounter this before?
The product is a SPA Web App written in React, and we use adal.js (adal-vanilla) as a library for authentication to Azure AD.
Update
I finally got some stuff working. Not all the way, but at least it's a start.
The problem with this is that users registered on other tenants (this is a multi-tenant app) don't get consent to use the API. These users get the error. However, I registered a user on the same tenant, and everything worked as intended.
Problem two was solved by removing all the permissions, adding them one by one, and testing in between. Somehow this worked after two-three tries.
The problem is that users from other tenants don't get a consent prompt to access the API.
Somehow the issue got fixed, I'm not 100% sure how or why but here are the steps I performed to fix it if someone finds themselves in a similar situation:
Ensure that all permissions are correct (APIs are added as delegated permissions to the client)
All services (web app & apis) are multitenant
Update manifest with:
"availableToOtherTenants": true,
"knownClientApplications": [
"{client app application id}"
],
(availableToOtherTenants was false for the API even though it was marked as multitenant in the settings)
The consent might be possible to fix with prompt=admin_consent.
As for the second problem, you can add your web app as a known client application of the API. This will allow simultaneous consent when the user authenticates to the web app.
To do that, find the API app registration in Azure Portal's Azure AD blade. Then open its manifest (there is a Manifest button on the app blade). In there should be a "knownClientApplications" property. Add the client id of the web app in the array and save the manifest.
E.g.:
"knownClientApplications": [
"bda6ffff-ffff-ffff-ffff-ffff8bf8c57f"
],
Related
I am writing a simple web app (Javascript) that includes a form, once the form has been submitted I want to save the data on my oneDrive as a new file. That's all! But for some reason, I cannot accomplish this simple task.
So I want to use oneDrive as my database. but all I can find on the Microsoft Graph API are require a login popup which does not make sense here for me in this case cause the user have nothing to do with that. just want the details will be submitted into my personal oneDrive.
I am using client_credentials flow to generate access token but I keep getting errors like 'Unable to retrieve tenant service info.' or 'Current authenticated context is not valid for this request'
when I try to access the drive API.
I gave all the possible permissions to this app, I am using my personal free Microsoft account
so What am I missing here?
Another issue that I will be happy to know more about is that in my Azure app registration after I register this app and I go to the owner's tab I see this message - 'This app does not belong to any directory, so owners can’t be added to it.' is that might be the problem? how and do I even need to assign this app to a certain directory to use the API for my personal drive?
Also when I am vising the Users section on my Azure portal I see this message - 'You don't have access to this data.'
How is that possible if I do not belong to any organization and I created this azure account??
Thank you in advance, any information here will be helpful cause I am kinda lost.
I am using client_credentials flow to generate access token but I keep
getting errors like 'Unable to retrieve tenant service info.' or
'Current authenticated context is not valid for this request' when I
try to access the drive API.
For this you could use the Code Flow authentication
In this, you will not be needing any tenant information - just the client credentials and access token to access the OneDrive API
https://learn.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/msa-oauth?view=odsp-graph-online#code-flow
This app does not belong to any directory, so owners can’t be added to
it
If the app had been registered in the converged app portal - you are likely to encounter this. You can you portal access this link and login with your personal account\live account.
I'm currently working on an application for myself in which I need access to my own photos/albums on Google Photos. I have gotten by using the oauth 2.0 token generated in the playground, but I'd like to get a more permanent solution that does not require me manually regenerating the token. Is this possible with Google Cloud? The app is meant to run in daemon, so this makes any option with consent pages unusable. The scopes I'm using are:
https://www.googleapis.com/auth/photoslibrary.sharing
https://www.googleapis.com/auth/photoslibrary.readonly.appcreateddata
https://www.googleapis.com/auth/photoslibrary.readonly
I have tried using the https://accounts.google.com/o/oauth2/token and https://accounts.google.com/o/oauth2/auth endpoints to generate one programatically, but the only minor success I had was /auth sending me to a consent screen. I've also looked at using the refresh token given by Google Oauth playground with no luck there either.
Just looking to see if there is anything that I am missing.. This is my first post on stackoverflow, so please let me know if you need any more information.
I was unable to make it an internal app as it was for personal use and not for an organization.
Solved this by first using the google api package to create my own access/refresh token for my oauth client, then calling the https://oauth2.googleapis.com/token endpoint each time to generate a valid access token. I hope this can be helpful to someone else!
According to the setup documentation, as long as your app is marked as internal, you should not need to verify the app and can use it without the consent screen.
I have created an app that generates user api keys using a discourse site. They are returned as an encrypted payload as a parameter within the return url.
Initially I was using WebView which worked fine but wouldn't allow users to login using Google due to security risks and this is a very important part of the app. I need to be able to read the payload parameter and store that in the app for making API calls.
I have tried multiple NativeScript plugins including AdvancedWebView, AwesomeWebView and investigated many others that don't seem to reach my requirements.
Is what i'm asking possible in NativeScript-Vue? If not how would I do it?
A few web-based applications I maintain have been using JavaScript on the page to fetch posts from Instagram* through their API, only authenticating with a client_id. With the Instagram API changes recently (applications are sandboxed until approved) this no longer works.
Is this kind of application allowed by Instagram? Or is it considered a security risk to expose the client_id in the Javascript that performs the request? If it matters, the application is for internal use by a few employees only.
* Specifically, the 10 last posts from a fixed user.
All instagram API endpoints now require a valid access_token rather than client_id. The search endpoint is an example of one that didn't previously require an access_token. You can find this in the Change logs
All API endpoints require a valid access_token
All API endpoints require a specific permission scope granted by the user
You can authorise your own account and grab the last 20 posts, but for any more than that you will need to submit your app for review
Try to create a new app.. My app was deleted instead of going to sandbox mode.
As you need 10 last posts, this should work on sandbox mode.
Content Display for Personal Website. If you are a developer and you want to showcase Instagram content on a website, then you do not need to submit your app for review. By using a client in sandbox mode, you will still be able to access the last 20 media of any sandbox user that grants you permission.
I'm newbie to Facebook Graph API and Facebook JavaScript SDK but I'd like to know some things:
Is there any way to put my Access Token in a Open Source application without actually showing it? I'm using GitHub and for security purposes I'd like to make it private.
Can I show my user information without asking the users to Authenticate themselves?
Where in Facebook Developers App can I allow more "scopes" to share publicly? For example, user_photos, user_posts, user_likes, user_status, etc...
These "scopes" that Facebook allows by default are actually the information I'm getting from the user while I'm Authenticating them right?
Just to clarify what I'm trying to do, I want to share things about my Facebook Account through the Facebook Graph API in the gh-pages branch on GitHub, but I don't like the idea of having to authenticate every single user that has access to the page.
I'd like to make my user information public, but don't want to show my access token, because it's Open Source and it can get dangerous eventually.
If you'd like to see my repository and have a better understanding of the project. You can access https://github.com/iszwnc/rye
If I recap:
you don't want to share your app access token (good!),
you don't want your users to authenticate.
Basically, you can't hide your token and let your users query Facebook directly. You need some server-side code on a machine that would be the only one reaching Facebook. Your server would play the role of an interface between Facebook and your users. So you will have to:
do the API calls from a server using server-side code (i.e. Node.js),
save the information you want in a database. This is optional but better to avoid the same information to be retrieved multiple times, thus avoiding your future 100 users to (voluntarily or not) reach your app API limit.
let the users query your server using some client-side code (i.e. AngularJS) in order to retrieve what you and only you know (remember, you own the token).
About Github, don't share your token on it. People can generate their own token if they want to run your app. Here are several suggestions:
Add your token to an environment variable which you can set just before launching the app (don't forget to mention that in your README),
Add your token to a file:
Create a credentials.js file that contains an empty token:
// Please use your own token
var APP_TOKEN = '';
Commit the file to Github,
Have a .gitignore file that contains the credentials.js,
var APP_TOKEN = 'now-you-can-put-your-token-here';
Good luck with your project, it looks exciting :-)