I am working on an outlook addin to set signature. I'm trying to obtain the access token using the code below, I need to use the token to access Microsoft graph api to access logged in user content:
Office.initialize = function (reason) {
Office.actions.associate("onMessageComposeHandler", getToken());
};
function getToken(){
try{
let accessToken = Office.auth.getAccessToken().then((res)=>{
console.log(res)
})
}catch(error){
console.log(error)
}
}
I have been trying different ways as indicated in the documentation and other solutions either it displays an error that another request has been made and currently it is displaying this error, any ideas on how to solve this issue will be highly appreciated:
OSF.DDA.ErrorĀ {name: 'Error occurred in the authentication request from Office.', message: 'An unexpected error occurred in the client.', code: 13006}
I have enabled the SSO as outlined Enable single sign-on (SSO) in an Office Add-in. The addin is already configured in a microsoft test tenant. I'm still getting the same error, I have also tried to change the code as in the documentation:
async function getToken(){
try{
let accessToken = await
OfficeRuntime.auth.getAccessToken({allowSignInPrompt:true})
console.log(accessToken)
}catch(error){
console.log(error)
}
}
You need to enable SSO in the add-in, see Enable single sign-on (SSO) in an Office Add-in for more information. Be aware, you need to grant administrator consent to the add-in. This procedure is only needed when you're developing the add-in. When your production add-in is deployed to AppSource or the Microsoft 365 admin center, users will individually trust it or an admin will consent for the organization at installation.
Related
Currently, I'm developing an app service using Microsoft M365 authentication. The problem comes when the user has already logged out, but the token provided by Microsoft is still valid, and can still be used to access my backend API. I've tried to revoke it using Microsoft graph
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
await graphClient.Me
.InvalidateAllRefreshTokens()
.Request()
.PostAsync();
But another problem is that all my sessions are revoked too, so is there any way to implement a blacklist to store the token? I can only use MSSQL Server to store data.
I was trying to add outlook calendar api (create event) to my web app but stuck on an error of unauthorization. So I guess it might be the reason that I did not add permission?
This is my ajax function:
function addEvent(){
var newEvent = {};
newEvent.subject = document.getElementById('event-name').value;
newEvent.body = document.getElementById('event-des').value;
newEvent.start = document.getElementById('start-time').value;
newEvent.end = document.getElementById('end-time').value;
newEvent.location = document.getElementById('location').value;
console.log(JSON.stringify(newEvent));
const xhttp = new XMLHttpRequest();
xhttp.open("POST", "https://graph.microsoft.com/v1.0/me/events", true);
xhttp.setRequestHeader("Content-type","application/json");
res.setHeader('prefer', 'outlook.timezone="Pacific Standard Time"');
xhttp.send(JSON.stringify(newEvent));
}
But I got an error of unauthorized to make post request to https://graph.microsoft.com/v1.0/me/events. Can any one point out what I am missing here? I am very new to this, any help would be appreciated.
Learn how to authenticate and work with permissions to securely access data through Microsoft Graph. Explore the documentation below to learn about app registration, authentication libraries, authorization, and other parts of the Microsoft identity platform that support Microsoft Graph development in the Microsoft Graph auth overview section for more information.
I try to use google provider to log in to my angular nativescript app. My web app works properly, for mobile added SHA-1 to firebase console.
I have two problems:
After try to log in with google provider firebaseWebApi.auth().onAuthStateChanged not fired (login function returns User properly).
When Sign-in with google provider is not possible I try to simply log in with firebaseWebApi.auth().signInWithEmailAndPassword(), but I have an error message: "Logging in the user failed. com.google.firebase.auth.FirebaseAuthRecentLoginRequiredException: This operation is sensitive and requires recent authentication. Log in again before retrying this request."
It's weird because without trying to log in with google provider, signInWithEmailAndPassword works properly.
public async startLoginGoogle(): Promise<firebase.auth.UserCredential> {
const user = await firebase.login({
type: firebase.LoginType.GOOGLE
});
// user with getIdTokenResult() is available here
return user.getIdTokenResult();
}
firebaseWebApi.auth().onAuthStateChanged((user: firebase.User) => {
// nothing
subject.next(user);
});
Any idea?
I am trying to implement server-to-server integration with Dynamics CRM Online 2016 and BizTalk 2013 R2. I am using the WebHttpBinding to call the CRM web API, which requires a bearer token supplied as an http header:
Authorization: Bearer [base64string]
I have written a client message inspector which calls Azure AD using ADAL to acquire an access token. This is secured with a client assertion certificate, which is assigned to the registered app in our AD tenant:
var token = context.AcquireTokenAsync(this.ResourceUri, assertionCert).Result;
ResourceUri is https://[myorganisation].crm4.dynamics.com
assertionCert is a ClientAssertionCertificate created using the app registration application ID and an x509 certificate in the machine certificate store that is registered to the app as a KeyCredential
This 'works' in that it returns a token and I can decode this token to inspect the claims - there are a fair number of them, I have no way of telling whether this is the set of claims that CRM requires.
The AD app registration is configured with delegated permissions to the CRM instance.
I have set the application ID in the CRM local user to that of the app registration.
Upon calling the webAPI and supplying this token, CRM responds with 401 unauthorized.
I have repeated the same process in a powershell script and in PostMan, all of which appear to show the same behaviour.
What else am I supposed to do to make CRM accept my access token?
edit #1: Tried hardcoding the authority URI to https://login.windows.net/[my-tenant-id]/oauth2/token rather than what comes out of dynamically acquiring the authority through AuthenticationParameters - this is the same value except ending with /authorization instead of /token. This makes zero difference.
edit #2: An administrator I am working with pointed out to me that the application user I am expecting to use had no user roles assigned - this has been amended to have a role which should allow API access, but this also made no difference.
edit #3: Set oauth2AllowImplicitFlow to true in the manifest for the app registration. This doesn't make any difference.
edit #4: Made some progress by creating a new app registration, this time as a Native app rather than a web app. I managed to get a token using a client secret, and this was accepted - BUT when assigning a certificate to the app, and presenting a ClientAssertionCertificate as before, I get the response from the authority:
Error validating credentials. AADSTS50012: Client is public so a client_assertion' should not be presented.
WHY? What does 'Client is public' mean? Just work!
Hrrrmph!
Turns out that the original situation I had tried and failed with, now works.
Web application registration with delegated permissions to CRM Online
Install a client certificate on the client machine, and register this same certificate to the app using New-AzureADApplicationKeyCredential
Link the app registration to a CRM Application User created for this purpose (they are fundamentally different to interactive users) - n.b. this screen is not easy to find
Call AcquireTokenAsync() from ADAL
Just works
I am at a loss to explain why this didn't work the first time I tried it, as CRM doesn't supply any information as to why token validation failed.
Where I work we use Google Apps for Work. For the last 9 months we've been using the Gmail API (~2,000 requests per day) to pull in new emails for our support email accounts.
This is how we originally set it up:
Go to https://console.developers.google.com/project/
Click on the project (or create a new one)
Click on API's & Auth
Click on Credentials
Click on Create new Client ID
Click on Service account
Download a JWT (json) for the account.
Follow the node.js quickstart guide with an installed/native type token for the same account, and authorize it through the console. The JWT tokens did not work unless we did this step, once for each account.
We did this for each of our individual support email accounts to avoid having to turn on domain wide delegation for any of them in the admin console. We were then able to authenticate with the tokens using the officially supported npm library googleapis, similar to this:
var google = require('googleapis');
var jwtClient = new google.auth.JWT(
token.client_email,
null,
token.private_key,
['https://www.googleapis.com/auth/gmail.readonly'],
'supportemail#mycompany.com'
);
jwtClient.authorize(function(err, tokens) {
if (err) {
return cb(err);
}
var gmail = google.gmail('v1');
var requestOptions = {
auth: jwtClient,
userId: 'me',
id: messageId,
format: 'raw'
};
gmail.users.messages.get(requestOptions, function(err, response) {
if (err) {
return cb(err);
}
// do stuff with the response
});
});
Like I said, we used this for a long time and never had any issues. Yesterday around 10am MST every one of the accounts stopped being able to authenticate at the same time, with jwtClient.authorize() suddenly returning the error [Error: unauthorized_client].
I tried doing the same thing with a new token on a new service account (the web interface to get the token has changed quite a bit in the last 9 months), and it returns the same error.
The version of googleapis that we were using was 0.9.7, but we can't get JWT authentication to work on the newest version either.
We opened a ticket with the Google APIs support team, but the support person we spoke with had never read the Gmail API specs before and was ultimately unable to help us, so he redirected us here in order to get in touch with the API engineering support team.
We have noticed that authentication works if we enable the scope for domain wide delegation in the admin console, but we would prefer not to do that. We don't need to impersonate the accounts and would prefer to use an individual JWT for each account.
It turns out that the auth flow we were using was never supported, and probably was broken due to a bugfix on Google's part.
In the question comments #Brandon Jewett-Hall and #Steve Bazyl recommended that we use the installed app auth flow instead, as it allows for indefinite refreshing of access tokens and is supported.
More information about the different auth flows can be found in the Google API docs.