I am using the OAuth capability in Azure Bot service to access the Microsoft Graph.
I have the need to communicate with the SharePoint Online REST endpoint. Typically, I would request and cache a refresh token from AAD, then use that refresh token to acquire a second access token, specifying the sharepoint.com address as the resource.
When using the OAuth connections in the Azure Bot service, I can get an access token by calling the GetUserToken method of the dialog context. However, I cannot get the refresh token from the bot service.
Q: Is the refresh token exposed as part of the BotBuilder library, or in some other fashion?
You must include the offline_access scope on your OAuth Bot configuration and on bots API permission within your Azure bot registration (Go to AAD - Application Registration (Preview) - API Permission).
Otherwise the bot service will not be able to refresh the token when it expired after 60 minutes by default.
For more information's on scopes see here.
Further explanation:
Without the offline_access scope included in the token request, the refresh token is not submitted and only an access token is provided. With the scope included, a refresh token will be provided to the caller which (in this case the bot service) can use to acquire a fresh token at any point until the refresh token itself expires.
Related
I have an api written in GO that, at the moment, serves an authorization token based on a username and password. (Without MSAL)
I am trying to implement MSAL logins with Microsoft accounts. I have setup my angular frontend to log a user in to an Azure AD app registration. Would it be possible to authenticate that they have successfully logged in to the Azure AD, and serve them one of my tokens (unrelated to msal) from my GO API?
The username that they use to login with MSAL also exists in my backend, the flow would be something like this;
User logs in with MSAL -> my frontend makes a request to golang backend with username -> golang verifies that this username has logged in with MSAL -> backend serves a token for this user
It appears golang integration with MSAL is limited, so not sure how possible this is.
Thanks.
What you can do is acquire an access token for your API in the front-end from Azure AD. For this you will either register the API in Azure AD or use the same app registration. Either way, you should add a scope in the Expose an API page in the registration. Your front-end can then use that scope's id to get the needed token.
Your API can then have an endpoint that validates the access token, and issues the local token. The access token will contain the user's username for example, if you want to map to that. A more robust way would be to map to the user's object id (also in the token) since it is immutable, unlike the user email.
For token validation, you should be able to use a generic JWT validation library. Also remember to check for that scope in the token that you defined to properly authorize the request.
We are integrating the Role Assignments - List API from Microsoft Azure Cloud Management APIs, Link to documentation: https://learn.microsoft.com/en-us/rest/api/authorization/roleassignments/list#errordetail
We have done all of the configs mentioned:
Registered a multi-tenant web app with Azure Active Directory for OAuth using App Registrations option,
Also enabled the https://management.azure.com/user_impersonation scope under Azure Service Management
Same scope is requested by the web app
So far OAuth succeeds but the access token received when used to call an API GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01 it fails with 401 Unauthorized error. I have replaced the subscriptionId with the appropriate value while making actual call.
I looked at the details of access token using https://jwt.io/ and the scp element only seems to have "scp": "User.Read" scope, Missing the user_impersonation. Though the AUTH dialog from Microsoft login service shows clearly the requested user_impersonation grant. The user account I am using for the OAuth has access to the given azure subscription.
What might be the problem?
It's important to add scope with https://management.azure.com/user_impersonation when requesting for an access token.
Test using implicit grant flow in browser:
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?
client_id=<your-app-id>
&response_type=token
&redirect_uri=<your-redirect_uri>
&scope=https://management.azure.com/user_impersonation
&response_mode=fragment
&state=12345
&nonce=678910
Note: If you use client credentials flow, change scope to https://management.azure.com/.default.
I have created an API in Azure API Management to get data from a backend API. The backend API uses oAuth2 with an access token that expires in 10 minutes. With a returned refresh token you can get a new access token, which is again valid for another 10 minutes. And so on.
In the development portal of Azure APIM it is possible to do the authorization, which gives access for 10 minutes. After 10 minutes you have to do the authorization manually again, in order to get another 10 minutes access.
Is there a way in Azure APIM to automatically get a new access token, using the refresh token?
My goal is that the user does the authorization once manually in the development portal and after that the access token has to be refreshed automatically.
Only manually through send-request policy. Could also use caching policies to keep token in cache and don't fetch a new one for every request.
I am implementing OAuth 2.0 in Laravel5 for one of my web services project to protect my api endpoints.
I am using password and refresh token grants.Everything is working fine, but I am wondering what if my refresh token is lost during its transaction from server to device, like if internet is disconnected and device doesn't get any refresh token so how it will generate a new access token to perform actions.
You would have to login again? (user credentials)
Does anyone know how to get the app access token to a One-Drive API app?
I've tried combining {appId}|{appSecret} as the access_token param and as the Authorization header but it doesn't seem to work.
Thanks,
The OneDrive API docs have a good section on getting auth tokens with OAuth. In a nutshell, there are two services involved -- the OneDrive API service and the authentication service. The OneDrive API only accepts OAuth tokens that were issued by the authentication service. The authentication service is what you talk to first to get an auth token.
Depending on your app, you can either use the token flow or the code flow to get an auth token. In the 'token' flow, you navigate the user's browser to the authentication endpoint with your appId. The user may need to log in, consent, etc., and then the authentication endpoint redirects back to your site with an auth token you can use. The 'code' flow is similar to the 'token' flow, except it redirects back with an authentication code that your client app can use (along with its client secret) to obtain an auth token and a refresh token. Once you have a refresh token, you can use that to obtain future auth tokens without the user's involvement (as long as they granted the wl.offline_access scope).