I looked at Google's OpenId Connect discovery document here. It clearly shows that the supported Claims are:
"claims_supported": [
  "aud",
  "email",
  "email_verified",
  "exp",
  "family_name",
  "given_name",
  "iat",
  "iss",
  "locale",
  "name",
  "picture",
  "sub"
]
and the supported Scopes are
"scopes_supported": [
  "openid",
  "email",
  "profile"
]
I would expect that when I send a GET request to the OpenID Connect UserInfo endpoint (which is https://www.googleapis.com/oauth2/v3/userinfo) I would get back all of the supported claims (assuming that when I authenticated I requested all of the supported scopes... which I did when I sent the initial request, as shown below):
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=my-client-id&redirect_uri=http://myapp.com&scope=openid profile email&state=someLongStateIdentifier
Here are the claims I got in the response from the UserInfo endpoint request:
{
  "sub": "...",
  "name": "...",
  "given_name": "...",
  "family_name": "...",
  "picture": "...",
  "email": "...",
  "email_verified": true,
  "locale": "..."
}
Notice how they are a subset of all of the supported claims... Can anyone tell me why I am not getting all of the supported claims in my response?
You won't always get back all of the supported claims. Supported claims means exactly that: they're supported. What determines whether they're returned from the userinfo endpoint or not is whether your user has values for those associated claims. Also, Google could be filtering out claims that aren't directly related to the user... because after all it's the userinfo endpoint.
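An added example (not from the question or the answer above) of how a relying party should consume such a response: every claim from `claims_supported` is optional in practice, so the code reports which ones were absent and only trusts `email` when `email_verified` is true. The discovery fields and the userinfo response below are constructed samples shaped like the ones quoted in the question.

```python
# Constructed sample of the two discovery fields quoted in the question.
DISCOVERY = {
    "claims_supported": ["aud", "email", "email_verified", "exp", "family_name",
                         "given_name", "iat", "iss", "locale", "name", "picture", "sub"],
    "scopes_supported": ["openid", "email", "profile"],
}

# Constructed userinfo response with the same shape as the one in the question.
# aud/exp/iat/iss are absent: they are JWT claims of the ID token, not attributes
# of the user, so the userinfo endpoint has no reason to return them.
USERINFO = {
    "sub": "10769150350006150715113082367",
    "name": "Jane Example",
    "given_name": "Jane",
    "family_name": "Example",
    "picture": "https://example.invalid/photo.jpg",
    "email": "jane@example.com",
    "email_verified": True,
    "locale": "en",
}


def missing_claims(discovery: dict, userinfo: dict) -> list:
    """Supported claims that this particular userinfo response did not carry."""
    return sorted(set(discovery["claims_supported"]) - set(userinfo))


def profile_from_userinfo(userinfo: dict) -> dict:
    """Build an application profile while treating every claim except 'sub' as optional."""
    if "sub" not in userinfo:
        raise ValueError("userinfo response has no 'sub'; cannot identify the user")
    # Use the address for account linking only when the IdP states it is verified.
    verified = userinfo.get("email_verified") is True
    return {
        "subject": userinfo["sub"],  # the stable identifier; never key accounts on email
        "display_name": userinfo.get("name") or userinfo.get("given_name") or userinfo["sub"],
        "verified_email": userinfo.get("email") if verified else None,
        "locale": userinfo.get("locale", "en"),
    }
```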
Related
I have an incoming webhook to which I sent a MessageCard with several ActionCards. I know how to post the data and value back to my server endpoint. I need to get the username of the user who pushed the button to submit the HttpPOST. Here is the ActionCard part of the code. It works. I just need to also know who submitted it, the MS Teams username.
{
  "@type": "ActionCard",
  "name": "Skip",
  "inputs": [{
    "@type": "TextInput",
    "id": "skip",
    "isMultiline": true,
    "title": "Add a skip reason here"
  }],
  "actions": [{
    "@type": "HttpPOST",
    "name": "skip",
    "target": "",
    "body": "{\"action\":\"skip\",\"body\":\"{{skip.value}}\"}"
  }]
}
Currently the UPN is not sent as part of the JSON body/payload; however, it can be retrieved by decoding the JWT token in the Authorization header as part of sender verification.
The service can validate the JWT, then extract the claims and get the UPN as described here:
Security requirements for actionable messages - Outlook Developer | Microsoft Docs.
Also, if you go through the Connector documentation, you'll see that the 'sub' parameter contains the Azure AD object ID. You can then call the Get users Graph API to get the user details from the AAD ID.
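An added example (not code from the answer above or from Microsoft) of the server-side check the answer describes: verify the bearer JWT carried in the Authorization header of the HttpPOST before reading its `sub` claim. Assumption for this demo: tokens are HS256-signed with a shared key so it runs offline; the real tokens are RS256-signed and must be verified against the issuer's published public keys, but the order of checks (signature first, then iss, aud, exp) is the same. The issuer, audience and key below are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_sender_token(auth_header, key, expected_iss, expected_aud, now=None):
    """Check the bearer JWT from an actionable-message POST and return its claims."""
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        raise ValueError("not a bearer JWT")
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # demo assumption; never let the token pick the alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # reject before trusting any claim
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        raise ValueError("wrong issuer or audience")  # aud must be this endpoint's URL
    now = time.time() if now is None else now
    if now >= float(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def sender_object_id(auth_header, key, expected_iss, expected_aud, now=None):
    """'sub' is the Azure AD object ID to pass to the Get user Graph call."""
    return verify_sender_token(auth_header, key, expected_iss, expected_aud, now)["sub"]


def make_demo_token(key: bytes, claims: dict) -> str:
    """Constructed signer so the example runs offline; not how real tokens are minted."""
    h = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    p = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    s = _b64url_encode(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())
    return f"{h}.{p}.{s}"
```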
Here is an example of when I authenticate using directline.
{
  "user": {
    "id": "string",
    "name": "string"
  },
  "trustedOrigins": [
    "string"
  ]
}
1. user.id string Optional. Channel-specific ID of the user to encode within the token. For a Direct Line user, this must begin with dl_. You can create a unique user ID for each conversation, and for better security, you should make this ID unguessable.
2. user.name string Optional. The display-friendly name of the user to encode within the token.
Now, I would expect that the token I receive has the id and the name inside which it does.
Here is an example of the token response:
{
  "bot": "my-bot",
  "site": "ddddddd",
  "conv": "xxxxxxxxx-j",
  "user": "77777777777",
  "username": "{\"first\":\"Christian\",\"last\":\"Matthew\"}",
  "nbf": 1592789668,
  "exp": 1592793268,
  "iss": "https://directline.botframework.com/",
  "aud": "https://directline.botframework.com/"
}
Now, when I use this token to start a conversation, the token works as expected.
The error, or rather the unexpected return, comes when I send an activity to that conversation. The from has the correct userId, but the name isn't there.
Is it there in the bot communication? I would like for the name field to be there. Perhaps it is just not posted in the front-end client message return.
Here is an example of the message that is returned.
message received:
{
  "activities": [
    {
      "type": "message",
      "id": "DtjXwD1VvG7Eu69LR5ZL31-6|0000002",
      "timestamp": "2020-06-22T01:58:16.379228Z",
      "serviceUrl": "https://directline.botframework.com/",
      "channelId": "directline",
      "from": {
        "id": "77777777777"
      },
      "conversation": {
        "id": "DtjXwD1VvG7Eu69LR5ZL31-6"
      },
      "recipient": {
        "id": "xxxxx-xxxxx-bot@2MnpO8SotMQ",
        "name": "xxxxx-xxxxx-bot"
      },
      "text": "xxxxxxx xxxxxxx"
    }
  ]
}
The id is all that comes through. Is the userName or name available inside of the bot service? I need to capture that.
UPDATE: Adding a reference to the Direct Line conversation starter token.
POST https://directline.botframework.com/v3/directline/conversations
Authorization: Bearer SECRET_OR_TOKEN
I have an Outlook add-in with ReadWriteMailbox permissions that calls Office.context.mailbox.getCallbackTokenAsync({isRest: true}) to get what is generally a valid auth token:
{
  "oid": "oid",
  "puid": "puid",
  "smtp": "xxx",
  "upn": "xxx",
  "clientappid": "3382ce5c-ed22-4195-aeca-c5b67384706f",
  "ver": "Exchange.Callback.V2",
  "appid": "00000002-0000-0ff1-ce00-000000000000",
  "deploymentid": "https://outlook.office365.com/",
  "tid": "tid",
  "acr": "1",
  "appidacr": "0",
  "scp": "Mail.ReadWrite Mail.Send Calendars.ReadWrite Contacts.ReadWrite",
  "nbf": 1588259750,
  "exp": 1588260650,
  "iss": "https://outlook.office365.com/",
  "aud": "a_vanity_url",
  "happ": "API"
}
In Outlook for iOS, I am now seeing this exception in a handful of environments:
{
  "readyState": 4,
  "responseText": "omitted_for_redundancy",
  "responseJSON": {
    "error": {
      "code": "InvalidAudienceForResource",
      "message": "The audience claim value is invalid for current resource. Audience claim is 'a_vanity_url', request url is 'https://outlook.office365.com/api/v2.0/me/messages/a_message_id' and resource type is 'Exchange'.",
      "innerError": {
        "requestId": "requestId",
        "date": "2020-04-30T15:15:51"
      }
    }
  },
  "status": 401,
  "statusText": "Unauthorized"
}
The common theme seems to be that it happens whenever an MDM/MAM is configured (usually Intune); it affects all managed devices on the tenant, and it continues to fail until a device is unregistered and its Outlook accounts are removed and re-added.
Is there something I can do differently when I request an auth token to prevent this failure? Or is there a device management setting that Outlook for iOS requires to run add-ins?
Thank you for reporting; it seems like it is not an add-in issue. Can you please raise a support case with Intune by going to Link and navigating to "Troubleshooting + Support"? The corresponding team will address the issue.
The workaround here is just to use the vanity domain returned in the JWT's audience claim as the API URL base instead of the value returned by Office.context.mailbox.restUrl.
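An added example (not code from the answer or from the add-in) of that workaround: read the `aud` claim of the callback token the add-in already holds and use it as the REST base, falling back to `restUrl` when the claim is not a usable host. No signature check is done here because the client is only choosing where to send its own token; Exchange verifies it server-side. Assumption: `aud` is either an absolute https URL or a bare host name; the token and host names below are constructed.

```python
import base64
import json
from urllib.parse import urlsplit


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_payload(token: str) -> dict:
    """Decode the payload segment of the add-in's own callback token (no verification)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def rest_base_url(callback_token: str, rest_url: str) -> str:
    """Prefer the host the token was minted for (its 'aud') over Office.context.mailbox.restUrl."""
    aud = jwt_payload(callback_token).get("aud", "")
    parts = urlsplit(aud)
    if parts.scheme == "https" and parts.netloc:  # absolute URL form of the audience
        return f"https://{parts.netloc}"
    if aud and "/" not in aud and "." in aud:  # bare vanity host name (assumed form)
        return f"https://{aud}"
    return rest_url.rstrip("/")  # anything else: keep using restUrl


def message_url(callback_token: str, rest_url: str, message_id: str) -> str:
    """The same request as in the 401 above, but addressed to the token's audience."""
    return f"{rest_base_url(callback_token, rest_url)}/api/v2.0/me/messages/{message_id}"


def unsigned_demo_token(claims: dict) -> str:
    """Constructed header.payload.signature with a dummy signature, for the example only;
    real callback tokens come from getCallbackTokenAsync({isRest: true})."""
    header = _b64url(b'{"alg":"RS256","typ":"JWT"}')
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"
```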
When using a legacy token in Slack I want to determine which user account owns this application. The information is not directly in bot.info:
{
  "ok": true,
  "bot": {
    "id": "foobar",
    "deleted": false,
    "name": "Slack API Tester",
    "updated": 123456789,
    "app_id": "A123"
  }
}
Could I use the bot.id or bot.app_id objects to find who owns this application? If so, which API call would I use?
To determine which user owns any token (including legacy tokens) just call the auth.test endpoint with that token. You will get the user ID and name of the token owner.
Example response from the documentation:
{
  "ok": true,
  "url": "https://subarachnoid.slack.com/",
  "team": "Subarachnoid Workspace",
  "user": "grace",
  "team_id": "T12345678",
  "user_id": "W12345678"
}
If you need more info about the user you can call users.info for that user with his ID. Since you are using a legacy token you will have the necessary permissions.
I've found the following documentation on how to send email using Office 365 rest API.
This is the example given in the documentation:
POST https://outlook.office.com/api/v2.0/me/sendmail
{
  "Message": {
    "Subject": "Meet for lunch?",
    "Body": {
      "ContentType": "Text",
      "Content": "The new cafeteria is open."
    },
    "ToRecipients": [
      {
        "EmailAddress": {
          "Address": "garthf@a830edad9050849NDA1.onmicrosoft.com"
        }
      }
    ],
    "Attachments": [
      {
        "@odata.type": "#Microsoft.OutlookServices.FileAttachment",
        "Name": "menu.txt",
        "ContentBytes": "bWFjIGFuZCBjaGVlc2UgdG9kYXk="
      }
    ]
  },
  "SaveToSentItems": "false"
}
This works fine if the user authorizes the application to act on their behalf. However, I am using client credentials to build a daemon application that acts on behalf of all users in the given tenant, hence "POST https://outlook.office.com/api/v2.0/me/sendmail" couldn't work, because it is referencing "me" and can't tell which user is sending the email.
I would appreciate it if you could help with a sample example. FYI: I am using Java, but your answer doesn't have to be in Java.
Replace the /me bit of the URL with /users/<userid>. You cannot use /me for any API call with a token from client credentials.
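An added example (not code from the question, the answer, or Microsoft) that assembles the request the answer describes: the mailbox is named explicitly under /users/ by UPN or Azure AD object ID, `/me` is refused because an app-only token has no signed-in user to resolve it to, and attachment bytes are base64-encoded the way the ContentBytes value in the question is. The token and addresses below are constructed; the function builds the request and does not send it.

```python
import base64
import re

OUTLOOK_API = "https://outlook.office.com/api/v2.0"
_GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def sendmail_url(user: str) -> str:
    """Address the mailbox by UPN or object ID; '/me' is meaningless for client credentials."""
    if user.lower() == "me" or not ("@" in user or _GUID.match(user)):
        raise ValueError("user must be a UPN or Azure AD object ID, never 'me'")
    return f"{OUTLOOK_API}/users/{user}/sendmail"


def sendmail_body(subject, text, to, attachments=(), save_to_sent=False):
    """Build the JSON body from the question; attachments are (name, bytes) pairs."""
    return {
        "Message": {
            "Subject": subject,
            "Body": {"ContentType": "Text", "Content": text},
            "ToRecipients": [{"EmailAddress": {"Address": addr}} for addr in to],
            "Attachments": [
                {
                    "@odata.type": "#Microsoft.OutlookServices.FileAttachment",
                    "Name": name,
                    "ContentBytes": base64.b64encode(data).decode(),  # raw bytes, base64'd
                }
                for name, data in attachments
            ],
        },
        "SaveToSentItems": save_to_sent,
    }


def sendmail_request(app_token, user, subject, text, to, attachments=()):
    """Everything the HTTP client needs for the POST (url, headers, body); no network here."""
    return {
        "url": sendmail_url(user),
        "headers": {"Authorization": f"Bearer {app_token}", "Content-Type": "application/json"},
        "json": sendmail_body(subject, text, to, attachments),
    }
```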