I'm currently working on a VSTS application, but every time I try to log in using my Visual Studio account, it keeps showing the authorization dialog again. I have to re-authorize my app every time, which keeps generating authorizations on my Visual Studio profile, where the app is registered.
I'm using the OwinOauthProvider for Visual Studio.
https://github.com/TerribleDev/OwinOAuthProviders/tree/master/src/Owin.Security.Providers.VisualStudio
Is there any way to configure the provider to authorize just once and use that authorization for subsequent logins? Or any other suggestions for creating single sign-on from my app and connecting to the VSTS APIs?
UPDATE:
Additional links on the issue:
https://github.com/TerribleDev/OwinOAuthProviders/issues/135
https://visualstudio.uservoice.com/forums/330519-team-services/suggestions/9261621-bypass-oauth-grant-step-for-previously-authorized
(vote for it if you're experiencing the same)
There is an access token and a refresh token. The access token expires after an hour, but the refresh token expires after one year.
So, you can refresh the access token using the refresh token instead of making the user authorize again.
Based on this thread (VSTS API Refresh Token Expires), Christopher said that:
"We obviously must honor the user's right to revoke a previously granted authorization"
Update:
I analyzed the whole workflow, and this is by design: when you request the VSTS external login, the accept page is required, and you can’t control it in your code or in any other way.
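The refresh described in the answer above, as an added example that is not part of the original thread or of the OwinOAuthProviders code: a per-user token cache that reuses the access token until shortly before it expires, refreshes it with the refresh token, and falls back to the authorization page only when the grant has expired or been revoked. The endpoint and form fields are assumed from Microsoft's documented VSTS OAuth 2.0 refresh request; `TokenCache`, `ReauthorizationRequired` and the injected `post` transport are hypothetical names.

```python
import time
from urllib.parse import urlencode

# Token endpoint and form fields of the VSTS refresh call (assumed from Microsoft's docs).
TOKEN_URL = "https://app.vssps.visualstudio.com/oauth2/token"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


class ReauthorizationRequired(Exception):
    """Refresh token expired or revoked: the user must go through the accept page again."""


def build_refresh_body(app_secret, refresh_token, callback_url):
    """Form body that trades a refresh token for a new access token."""
    return urlencode({
        "client_assertion_type": JWT_BEARER,
        "client_assertion": app_secret,
        "grant_type": "refresh_token",
        "assertion": refresh_token,
        "redirect_uri": callback_url,
    })


class TokenCache:
    """Holds one user's tokens and refreshes the access token shortly before expiry."""

    def __init__(self, access_token, refresh_token, expires_at, post, skew=60):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.expires_at = expires_at  # epoch seconds
        self.post = post              # hypothetical transport: post(url, body) -> (status, dict)
        self.skew = skew              # refresh this many seconds early

    def get(self, app_secret, callback_url, now=None):
        now = time.time() if now is None else now
        if now < self.expires_at - self.skew:
            return self.access_token  # still valid: no network call, no prompt
        body = build_refresh_body(app_secret, self.refresh_token, callback_url)
        status, data = self.post(TOKEN_URL, body)
        if status != 200 or "access_token" not in data:
            # Grant is gone: drop stored secrets and send the user back to authorization.
            self.access_token = self.refresh_token = None
            raise ReauthorizationRequired(data.get("error", "refresh failed"))
        self.access_token = data["access_token"]
        # Persist the refresh token returned with the response; keep the old one if absent.
        self.refresh_token = data.get("refresh_token", self.refresh_token)
        self.expires_at = now + int(data["expires_in"])
        return self.access_token
```

The refresh token and app secret belong in server-side storage only; the `post` callable is where a real HTTPS client with certificate validation would be plugged in.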
Related
I am unable to log in to my Visual Studio 2019 and I get the warning message "We need to refresh the credentials for this account".
Based on input from "Visual Studio 2017 - How to fix error: We could not refresh the credentials for the account", I have deleted the folder "C:\Users\{username}\AppData\Local\.IdentityService", but it did not resolve the issue.
I have checked the logs and I see the message below:
AcquireTokenException: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access
I am using the Microsoft Authenticator app to authenticate the request, but the refresh error keeps popping up even though I successfully authenticate myself.
Note: I have Zscaler as a firewall. I have even tried switching off Zscaler, but no luck.
I created a virtual assistant with the ITSM skill attached with Token Authentication enabled and the bot runs well when using direct line through a browser.
Next, I added it into Teams and after a bit of troubleshooting, I got it working. I authenticated and could interact with the VA and the Skill. The next day, however, I was unable to get the bot to prompt for authentication, and by then my token authentication had expired. Next, to verify I have a fix for this issue, I found that if I completely cleared my MS Teams cache and my browser directories via the URL below, my authentication request prompted this time and I was again able to log in and the bot worked correctly. So my question is: what causes the token in Teams to not be able to reprompt, can this be fixed, and/or is the right way to do authentication in Teams to use a single sign-on solution, and if so, how does one do that in Teams with a Virtual Assistant from the Bot Framework?
https://commsverse.blog/2018/09/28/clear-the-microsoft-teams-client-cache/
I received this error when trying to authorize my app with my own account:
Your project is trying to access scopes that need to go through the verification process.
{invalid=https://www.googleapis.com/auth/contacts}
If you need to use one of these scopes, submit a verification request. Learn More
When I use a different account, the error message is different:
This app hasn’t been verified to access:
{invalid=https://www.googleapis.com/auth/contacts}
Are you the developer? If this project needs these scopes, sign in to an account with access to edit your project and try again.
If not, contact the developer for help.
As per the announcement on May 11, 2017, publicly available applications with access to certain user data must pass review. If you see an access error for your app, submit a request using our OAuth Developer Verification form.
For personal-use apps and those you are testing, join the Google group Risky Access Permissions By Unreviewed Apps, which allows you to approve data access for personal and testing accounts. See the Google API Services User Data Policy for more information.
UPDATE: Corrected broken link to form.
I've integrated Spring Security OAuth in my Java backend so that my mobile Android application (using the Facebook Login SDK) can benefit from Facebook Login. In the current flow, the app uses the Facebook Login SDK to fetch an access token from Android, and then passes it to the Java/Spring backend. Then, another OAuth access token (specific to our backend) is issued and sent back to the application.
I wish I could automate the testing, in other words be able to generate fresh Facebook access tokens, and then test the whole flow through to accessing resources on my backend. My entry point is a Facebook access token.
I've failed to generate on-the-fly access tokens, then looked into never-expiring tokens that I could hard-wire in my tests.
However, I've failed to generate never-expiring tokens: at best, changing a short-lived token to a long-lived token returns a token valid for 2 months only.
I've also tried https://www.facebook.com/dialog/oauth?client_id=xxxxxxxxxxxxxxx&redirect_uri=http://www.xxxx.com&granted_scopes=email,public_profile , but this only works when my cookies are available (only works from my web browser).
Also tried getting a device code, but I was stuck at the point where I had to "simulate" the user submitting the code into the web form.
Is there a known way to automate the testing?
As #The1Fitz explained, "you cannot get a never expiring token anymore. You will need to make do with the maximum 2 month expiry date."
So I have CRM Online and SharePoint Online as document storage. I have the list component installed and everything is working there. I have a plugin I have built which generates emails and, as part of the process, grabs documents from various SharePoint folders and attaches them to the email before sending.
To do this in a SharePoint online environment, I have to go out, grab a SAML token from MS's login STS service, pass the token to SharePoint, receive a couple of authentication cookies back, and pass those cookies along with any requests I make to SharePoint. All of this is working. The bad news is I have to have a username and password hardcoded in (or prompt the user). Is there any way from inside CRM Online to grab the current user's credentials and pass that to get the SAML token? I mean there has to be since CRM does it when you create the document libraries when you turn on Document Management, right?
I can't use the SharePoint DLLs inside CRM Online plugins; it is security restricted. I cannot access the CredentialCache; security restricted. Hell, I even looked at trying to intercept the cookies somehow with JavaScript, but it looks like they are HttpOnly and pretty much inaccessible.
Tried putting in a Microsoft ticket and got some low level guy who immediately passed the buck and called it unsupported.
You can't get the user's password in CRM. If you are developing a plugin, the plugin can run in the user context and the code will execute based on the logged-in user. Therefore you don't need to pass any creds for adding a document in CRM.
Check out this URL; it helps you understand how impersonation works in CRM.
https://msdn.microsoft.com/en-us/library/gg309416.aspx
Hope this helps.