How can I use MSAL to access Microsoft Graph using Azure AD with implicit grant?
I've got Azure registered application with oauth2AllowImplicitFlow enabled and I'm trying to call userAgentApplication.acquireTokenSilent but I keep getting an error "User login is required".
I'm calling it from Sharepoint online app, so I'm already logged in to 365 services.
Is there any sample for such scenario?
Here is a sample of how to use MSAL with Azure AD to call the Microsoft Graph (includes Sharepoint, Exchange, and several other workloads). To checkout how to do this, checkout the MS Graph Docs.
The error you're getting is caused by using acquireTokenSilent without a signed in user. MSAL has two primary functions: acquireTokenSilent and acquireToken. The former is a guaranteed silent request (will never show a sign in page to the user), and will fail if it cannot do this successfully. The latter will always show a sign in page to get new tokens for a user.
The pattern recommended is to attempt an acquireTokenSilent function call, and then upon failure attempt an acquireToken. This avoids unnecessary sign ins, but also doesn't get your app in a state where it cannot perform authenticated operations.
Related
I'm working on a Teams Tab that requires access to my own external API, however I'm having difficulty understanding the best way to achieve authentication in the context of a Tab.
My API uses the standard OAuth2.0 workflow for getting an access token, but from the Teams Tab context it's unclear where I can safely store the access token after completing the OAuth flow. Also, I need to safely store the client secret for my API so that it's not visible in the client-side code.
So far I've tried using ADAL.js and the examples in https://github.com/OfficeDev/microsoft-teams-sample-complete-node without any luck.
I'm assuming I need to authenticate my API through the Azure AD but I'm unable to find where I'd register the my API's client id/client secret to be used by the above libraries. Is there a standard pattern used by Teams developers to safely + securely handle this type of authentication?
I created a virtual assistant with the ITSM skill attached with Token Authentication enabled and the bot runs well when using direct line through a browser.
Next, I added it into Teams and after a bit of troubleshooting, I got it working. I authenticatee and could interact with the VA and the Skill. The next day however, I was unable to get the bot to prompt for authentication and by then my token authentication had expired. Next, to verify I have a fix for this issue, I found if I completely cleared my MS Teams cache and my browser directories via the url below, my authentication request prompted this time and I was again able to login and the bot worked correctly. So my question is, what causes the token in teams to not be able to reprompt, can this be fixed and or is the right way to do authentication in Teams to use a Single Sign On solution and if so how does one do that in Teams with a Virtual Assistant from the botframework?
https://commsverse.blog/2018/09/28/clear-the-microsoft-teams-client-cache/
We have an application hosted in GCP which uses GSuite APIs to sync users from GSuite to our application and visa-versa using Service Account. It used to work well until recently some of our customers started facing issues.
We started getting
401 unauthorized. "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
There as been no change in our application and neither in the list of permissions granted. Following are the list of api access granted :-
https://apps-apis.google.com/a/feeds/domain,
https://www.googleapis.com/auth/activity,
https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.directory.orgunit,
https://www.googleapis.com/auth/admin.directory.user,**
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/drive.appdata,
https://www.googleapis.com/auth/drive.file,
https://www.googleapis.com/auth/drive.metadata,
https://www.googleapis.com/auth/drive.metadata.readonly,
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,
https://www.googleapis.com/auth/admin.directory.rolemanagement,
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,
https://www.googleapis.com/auth/admin.directory.device.chromeos,
https://www.googleapis.com/auth/drive.apps.readonly,
https://www.googleapis.com/auth/drive.photos.readonly,
https://www.googleapis.com/auth/drive.scripts
The affected GSuite domains were working perfectly until yesterday. Also there are some domains which still work without any problem.
Can somebody please suggest what could the problem be. Is there any change in the APIs recently? Any help will be much appreciated.
"Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
There are several ways to authenticate to Google.
web based applications
native applications
mobile applications
and service accounts
The clients you create for these types is different as is the code to use them. The message you are seeing above means that the code you are using does not match the type of client you have created.
Make sure your code is designed for use with service accounts and make sure that the credentials file you have downloaded from google developer console is in fact credentials for a service accounts.
Why it worked previously and suddenly stopped i cant tell you this is an error you will always get if your code does not match your credential type.
The last option would be to double check that all of those apis are enabled in the Google developer console for your service account project.
I received this error when trying to authorize my app with my own account:
Your project is trying to access scopes that need to go through the verification process.
{invalid=https://www.googleapis.com/auth/contacts}
If you need to use one of these scopes, submit a verification request. Learn More
When I use a different account, the error message is different:
This app hasn’t been verified to access:
{invalid=https://www.googleapis.com/auth/contacts}
Are you the developer? If this project needs these scopes, sign in to an account with access to edit your project and try again.
If not, contact the developer for help.
As per the announcement on May 11, 2017, publicly available applications with access to certain user data must pass review. If you see an access error for your app, submit a request using our OAuth Developer Verification form.
For personal-use apps and those you are testing, join the Google group Risky Access Permissions By Unreviewed Apps, which allows you to approve data access for personal and testing accounts. See the Google API Services User Data Policy for more information.
UPDATE: Corrected broken link to form.
I'm using the Google's PHP API Client, release 1.1.6.
We have a company Google account which controls our many Google Analytics account as well as our Google Developer apps.
I'm working on an app accessing our Google Analytics, using a Service Account set-up. I'm using the same code provided here:
https://developers.google.com/api-client-library/php/auth/service-accounts#delegatingauthority
$credentials = new Google_Auth_AssertionCredentials(
$client_email,
$scopes,
$private_key,
'notasecret',
'http://oauth.net/grant_type/jwt/1.0/bearer',
$user_to_impersonate,
);
In this case $client_email is the App Service Account client (random-chars#developer.gserviceaccount.com) and $user_to_impersonate is our company's Google Account.
As of a couple days ago this was all working correctly, and I could access all our Google Analytics accounts through the API after the above authentication. As of yesterday, I'm getting this error:
Error refreshing the OAuth2 token, message: '{
"error" : "unauthorized_client",
"error_description" : "Unauthorized client or scope in request."
}'
With the $user_to_impersonate parameter removed the authenticated works without error. However, I've been using the $user_to_impersonate as we have several hundred GA accounts and the Service Account client is not a permitted user on them (and would have a limit of 200 accounts anyway).
I couldn't find any recent updates to the way Google Dev's authentication works, but maybe I'm missing something.
Any ideas?
UPDATE: Apparently this was a temporary error with Google's overall API, and is now fixed:
https://github.com/google/google-api-php-client/issues/891
UPDATE 2: Wasn't a temporary issues after all. The solution, if others need, is listed here. Basically giving your app perpetual access to the given account/scope.
https://github.com/google/google-api-php-client/issues/801#issuecomment-171417538
Google probably changed the handling of service accounts and this doesn't work anymore. It's not related to specific Google API client (PHP) nor specific API (Analytics), but it seems to me as a general change which affects everything.