Programmatic access to Azure AD SSO enabled SaaS app data - javascript

I have enabled SSO using Azure Premium AD with Google Apps, i can login to Google apps when I go to browser and click my apps however I need to get data programmatic after I login into O365. Instead of clicking my apps i need to use a programmatic snippets (ex., javascript) query some data from google apps or any configured SaaS based apps.

You can try to use adal for js to authenticate and authorize your users. You can write a initialization functionality in your client application using javascript. When the document is loaded, check whether the user is signed in, if so, call your additional APIs, if not, use adal to login.

Related

MFA Client for Microsoft Graph without AAD Registration

Using a simple C#/WPF application and the SharePointPnPCoreOnline I can call the GetWebLoginClientContext() method which opens up a window for the user to authenticate via MFA to a given SharePoint site. From that point on I can query the SP site based on the users level of access. The convenient thing about this approach is that I don't have to register my WPF application with Azure AD, give it permissions, get a client ID, client secret, yadda yadda yadda.
Is there a library that will similarly allow me to authenticate a user via MFA so that I can access the Graph API based on their permissions without the AAD app registration requirement from a C# client application? How about a JavaScript application?
This is not possible, to access the graph api, (for a work or student account) there must be an app registration to give you permissions to those endpoints. even the "graph explorer" has a registered application.
Even with your sharepointpnpcoreonline, that likely authenticates against an app registration/service principal, its just that its microsoft trusted app registrations, so it's hiding it in the background from you. if you were to check in your azure ad enterprise applications under microsoft applications, there are various service principals for sharepoint online for example.
Long and short of it is that you need to have an app registration/service principal to access graph api endpoints. you don't necessarily need a client secret though, as that depends on your specific application and the authentication flow you choose to use in your app registration.

Google oAuth - validate user in JS, but use in C#

We have a web application that needs to synchronize scheduled events with a user's Google calendar. A Windows service will add/edit/delete Google calendar events for the user.
We are considering...
In our web app we authenticate the user with the Google oAuth2 JS libraries
Collect a token once the user has allowed our app to work with their calendar
Save that token server side, so a Windows service can then update the user's calendar.
Is this workable? Also, how do we renew expired tokens?
This article explains how to do it.
https://developers.google.com/identity/sign-in/web/server-side-flow
TL;DR

Youtube Analytics Offline Access Request when Authenticated as Brand instead of User

Apps Script keeps asking for offline permission with Youtube's API
In Google Apps Script, access to YouTube Reporting API is Forbidden
These are very similar questions however, I am logged in as the owner. The script is in the owner's drive.
My problem
I have been trying to access YouTube Analytics Reports from the Content Owner using GAS(Google Apps Script). There are two accounts a Brand account (holds the data i.e. the video content) and a User account. They both use the same credentials(email & pwd). When authorizing as the user, I get a 403(forbidden). When authorizing as the brand, I am asked to authorize offline access again and again, stopping me from ever being able to make a request.
What I've tried...
Running from Node, using OAUTH Playground tokens, and it works. But I need to stick with GAS.
Using google-script-oauth2: to hard code credentials (similarly to the Node solution) but I couldn't set the refresh token. I got a 401(invalid credentials) - I believe the bearer token was expired
Setting up credentials for and enabling both youtube and youtube analytics APIs
scrapping old credentials and attaching a new project to GAS
removing auth in privacy settings and re-authenticating
toggling a use unsafe scripts option and repeating step 3
switching between contentOwner and channel parameters for the ids param
NOTE: I have two OAUTH2 credentials app script and the web client both are set as Web Applications.
GAS Code
function test(){
YouTubeAnalytics.Reports.query("contentOwner==id", "2017-03-01", "2017-03-31", "likes");
}
Final Thoughts
I believe there is a disconnect between the Brand and the user such that the brand is not given the same access to the OAUTH 2 token. Therefore, it never generates a refresh token. So, the request sees that I am the authorized channel owner but it can't finish the OAUTH flow.
If this is true, why, and how do I fix it? If not, what do you think could be the error?
I just realized the script is in the user account and not the brand account. Would that affect the validation?
Also on the actual channel, the user is listed as the Primary Owner.
I think the problem has to do with Apps Script's limited OAuth scopes. Open the Script Editor and navigate to Resources->Advanced Google Services and you'll see that YouTube's Reporting API is not supported. However, you can get around this by using Service Accounts. They are a pain to set up but once you get them up and running you can explicitly request the scopes required to make authorized calls on the API from GAS.
Here are a few links to get you started:
Using OAuth 2.0 for Server to Server Applications
OAuth 2.0 Scopes for Google APIs
For Using OAuth 2.0 for Server to Server Applications you'll want to scroll down to the section titled Preparing to make an authorized API call. Select the HTTP/REST tab and it should walk you thru the steps you'll need to setup a service account (you'll need to create a JWT - JSON Web Token from your Google console for use in your API calls). You'll also need to retrieve the needed OAuth scope urls for YouTube's Reporting API from the second link provided. Once you're all set up you'll be able to make requests to the API directly from Apps Script using URLFetchApp. Best of luck with your project.
One more thing. Check out Google's API Explorer listing for the YouTube Reporting API. You can get the URL endpoints (and request methods) you'll need to use in your UrlFetchApp calls by playing with the Explorer.
UPDATE 4/28/2017
Also be sure to enable the YouTube Reporting API from your Google API Console.

How to implement Facebook Social Login in Hybrid application?

I was planning to use Facebook Social Login in my Hybrid application ( HTML5/CSS/JS and Cordova) However on going to facebook developer I could not see an option for choosing cordova based app.
So shall I consider www , i.e. Javascript based SDK for implementing facebook social login?
From security point of view, is it good choice to choose JS SDK in hybrid application?
Thanks!
Yes, you can choose www for create app for hybrid platform and you just need to set the App id into application so if someone decompile your app they just get an App Id and nothing else, other all things are saved into your developer facebook account.
So you can create your app with this www without worrying about the security of an app.
Also you can create Facebook login with the simplest use of OpenFB,
You just need to create Facebook API from Facebook Developer Account
And Pass the App ID into javascript file of facebook login function.

Call an office 365 authenticated web api from a sharepoint page javascript

I have a scenario that I think should be fairly simple, yet I'm not finding a solution and wondering if someone can point me in the right direction.
The setup:
1) SharePoint online website (user must be authenticated to see page)
2) .NET MVC Web API service endpoint (user must be authenticated to get data from the service)
Both of these authenticate using the same Azure Active Directory. The Web API has been registered in Azure AD.
The problem:
I would like to put some javascript on a SharePoint Online page (not a Sharepoint Add-in, not an AngularJS SPA) that will make an AJAX call to the Web API using the logged in user's credentials without any kind of user prompt (since this is an ajax call, the user won't see the prompt anyway).
I've tried looking into the ADAL libraries, but all the JavaScript ones I can find require the use of Angular and require the user to authenticate a second time. I've found some documentation using OAuth 2.0, but (from what I can tell) require you to get the client to authorize the Sharepoint Online page to act on their behalf - which the user will not be able to consent to because it's an AJAX call and the consent page is not displayed in the browser (and it's still doing this despite having the app already approved by an administrator in Azure AD).
It seems to me the user shouldn't have to leave the SharePoint page and shouldn't have to enter their credentials a second time. I believe there should be some way that the log-in to SharePoint Online should also be able to be used as the log-in for our in-house app.
If someone could just point me in the correct direction, I would be very much appreciate it. Thanks in advance.
Normally, if we call the resource which protected by Azure AD, we need to authorize the app via OAuth 2.0.
Were you able to put a hidden iframe in the SharePoint online page? If it is possible, then we can use the Azure AD implicit flow get the token through iframe, and we can call the REST which protected by Azure AD via the token return by iframe. To enable the implicit flow, we need to download the application manifest from Azure portal and switch ‘oauth2AllowImplicitFlow’ to true.
And if you were only developing a single tenant which doesn’t require users to consent the app. Here is the HTML code request the token from a Iframe for your reference:
<iframe width="0" height="0" id="oauthHideIframe" src="https://login.microsoftonline.com/{tenantId}/oauth2/authorize?response_type=token&client_id={Client_Id}&redirect_uri={redirect_Url}&resource={your web api app url register on the protal}"> </iframe>
And to pass the token from iframe to the parent window, we can use the window.postmessage which allow the corss-orignal communication.

Categories

Resources