I'm trying to get my head around oAuth2/IdentityServer4.
Using the sample application at
https://github.com/IdentityServer/IdentityServer4.Samples/tree/dev/Quickstarts/3_ImplicitFlowAuthentication
The following code in the MVC application:
#foreach (var claim in User.Claims)
{
<dt>#claim.Type</dt>
<dd>#claim.Value</dd>
}
Returns what appears to be identity token claims
nbf
1467173142
exp
1467173442
iss
http://localhost:5000
aud
mvc
nonce
636027699106782287.MDI0YzI5MTQtYmQxNy00MDllLWJmYzQtZjBhYzI2MGNjYmE3MDFmNzg1YmUtM2Y5ZC00YjBiLWEzOGItN2Q3ODRiODJlYjFl
iat
1467173142
c_hash
H2i5QeJKlHM5-s8vUTYlOw
sid
42b58d38e2b7c6cc653492742a08840b
sub
818727
auth_time
1467170555
idp
idsvr
name
Alice Smith
given_name
Alice
family_name
Smith
website
http://alice.com
amr
pwd
The following code in the API project
var claims = User.Claims.Select(c => new { c.Type, c.Value });
return new JsonResult(claims);
Returns what appears to be access token claims
{
"Type": "nbf",
"Value": "1467173142"
},
{
"Type": "exp",
"Value": "1467176742"
},
{
"Type": "iss",
"Value": "http://localhost:5000"
},
{
"Type": "aud",
"Value": "http://localhost:5000/resources"
},
{
"Type": "client_id",
"Value": "mvc"
},
{
"Type": "scope",
"Value": "openid"
},
{
"Type": "scope",
"Value": "profile"
},
{
"Type": "scope",
"Value": "api1"
},
{
"Type": "sub",
"Value": "818727"
},
{
"Type": "auth_time",
"Value": "1467170555"
},
{
"Type": "idp",
"Value": "idsvr"
}
Notice the code is essentially the same (return claims in the user identity principle) and lack of name/email but the inclusion of scope claims in the API example.
The token flow is essentially IdentityServer4 => MVC Project => API Project. Obviously the MVC project has both the identityToken and access token but it's not load the access token int User.Claims.
My goal is to have the scope claims available in User in the MVC project so that I can setup policies to work the Authorize attribute section off my MVC methods.
Startup for the API project is here: https://github.com/IdentityServer/IdentityServer4.Samples/blob/dev/Quickstarts/3_ImplicitFlowAuthentication/src/Api/Startup.cs
Startup for the MVC project is here:
https://github.com/IdentityServer/IdentityServer4.Samples/blob/dev/Quickstarts/3_ImplicitFlowAuthentication/src/Api/Startup.cs
Thanks,
dave
The question is kind of invalid, but I'll leave it here with reasons why and a solution to save others time.
Firstly, there are two tokens for two different purposes.
The Access Token: Describes the client, which is the software that uses the API. Any claims in here are granting the client access to API endpoints.
The Identity Token: This describes the User, or the human that uses the software that uses the API.
The original question was asking how to view Client related scopes in an Identity token, which obviously isn't valid.
However, you can include Identity scopes in an Identity token.
To do this, set Type to ScopeType.Resource and set IncludeAllClaimsForUser to true, as follows
new Scope()
{
Name = "ManageUsers",
IncludeAllClaimsForUser = true,
Type = ScopeType.Resource
},
Related
I'm working on a Microsoft Teams tab and am planning to use some of the new RSC endpoints to retrieve members of the Team/group the app has been added to.
I have followed all steps from the RSC docs looked at the RSC sample code but still have an issue making Graph API calls to the beta rsc endpoints.
I have listed the RSC permission in the Teams manifest:
"webApplicationInfo": {
"id": "{AD_APP_CLIENT_ID}",
"resource": "https://notapplicable"
},
"showLoadingIndicator": true,
"authorization": {
"permissions": {
"orgWide": [],
"resourceSpecific": [
{
"name": "Member.Read.Group",
"type": "Application"
},
{
"name": "TeamSettings.Read.Group",
"type": "Application"
},
{
"name": "ChatSettings.Read.Chat",
"type": "Application"
},
{
"name": "ChatMember.Read.Chat",
"type": "Application"
},
{
"name": "ChannelSettings.Read.Group",
"type": "Application"
},
{
"name": "TeamMember.Read.Group",
"type": "Application"
}
]
}
}
Query Graph API like so:
GET https://graph.microsoft.com/beta/teams/{{group_id}}/channels/{{channel_id}}
Authorization: Bearer {{access_token}}
content-type: application/json
Where access_token is retrieved like so:
POST https://login.microsoftonline.com/{{ad_tenant_id}}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id={{ad_app_client_id}}&client_secret={{ad_app_client_secret}}&scope=https://graph.microsoft.com/.default
When I make the GET request to a group+channel which is in the same AAD as where the AAD Application is registered it works fine and information is returned. However, when I run the exact same code on a group+channel which is in a different AD it returns 403 Forbidden.
{
"error": {
"code": "Forbidden",
"message": "Missing role permissions on the request. API requires one of 'TeamMember.Read.All, TeamMember.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, TeamMember.Read.Group, Member.Read.Group'. Roles on the request 'Group.Selected'. Resource specific consent grants on the request ''.",
"innerError": {
"date": "2022-04-06T14:13:26",
"request-id": "ce212ed2-48dc-4a8e-a7ea-4172d0cfd4c4",
"client-request-id": "ce212ed2-48dc-4a8e-a7ea-4172d0cfd4c4"
}
}
}
The response mentions "Resource specific consent grants on the request ''." which seems to suggest it's either missing a header or another access token.
As mentioned before, this exact same code works perfectly fine when I use a group_id and channel_id from within the same AD tenant.
What other steps need to be done to get RSC calls working?
I have a use case where I need to show following information in my personal application.
List of channels in teams where bot is installed.
List of users in teams where bot is installed.
I was exploring connector client for the same and came up with following code:-
const credentials = new MicrosoftAppCredentials(appId, appPassword);
const connectorClient = new ConnectorClient(credentials, {
baseUri: serviceUrl
});
const token = await credentials.getToken();
axios.defaults.headers.common.Authorization = `Bearer ${ token }`;
# To get channels
const response = await axios.get(
'https://smba.trafficmanager.net/in/v3/teams/{teamId}/conversations'
);
# To get members
const users = await connectorClient.conversations.getConversationPagedMembers(teamId);
This works perfect as long as I have the teamId.
But the issue I am facing here is with respect to finding teamId in personal scope. I install my bot application as follows by choosing the Add option.
As far as I understand, the above installs the bot in the personal scope of the user. Now, in this scenario the team id information is not present in conversationUpdate event at all. Please note that this is the first time I am installing the bot in the team, so the data should be available as per Microsoft documentation, but the only information available in channel object is tenant.
{
"membersAdded": [
{
"id": "28:f5d48856-5b42-41a0-8c3a-c5f944b679b0"
}
],
"type": "conversationUpdate",
"timestamp": "2017-02-23T19:38:35.312Z",
"localTimestamp": "2017-02-23T12:38:35.312-07:00",
"id": "f:5f85c2ad",
"channelId": "msteams",
"serviceUrl": "https://smba.trafficmanager.net/amer-client-ss.msg/",
"from": {
"id": "29:1I9Is_Sx0OIy2rQ7Xz1lcaPKlO9eqmBRTBuW6XzkFtcjqxTjPaCMij8BVMdBcL9L_RwWNJyAHFQb0TRzXgyQvA"
},
"conversation": {
"isGroup": true,
"conversationType": "channel",
"id": "19:efa9296d959346209fea44151c742e73#thread.skype"
},
"recipient": {
"id": "28:f5d48856-5b42-41a0-8c3a-c5f944b679b0",
"name": "SongsuggesterBot"
},
"channelData": {
// for me this object is empty
"team": {
"id": "19:efa9296d959346209fea44151c742e73#thread.skype"
},
"eventType": "teamMemberAdded",
"tenant": {
"id": "72f988bf-86f1-41af-91ab-2d7cd011db47"
}
}
}
Next, I also tried to install the bot in the team scope by using Add To Teams option. In this case it prompts me to select a channel to install, in which I choose general.
Now, I do get the team object inside channelData in onConversationUpdate and this flow works perfectly fine.
{
"membersAdded": [
{
"id": "28:64564f44-dd7c-441a-b427-efcd662f21b5"
}
],
"type": "conversationUpdate",
"timestamp": "2021-10-14T13:22:01.6072361Z",
"id": "f:4ebc9a41-5140-7621-33f5-31d97275ce00",
"channelId": "msteams",
"serviceUrl": "https://smba.trafficmanager.net/in/",
"from": {
"id": "29:17ZGff4Pvqz_zSNqEexg-86uBFcB6vnOBZzCwu4_puGdDsrYWCW_DdlB15PrcjC--nLlqD5CwtLMJyzXPY5OSsg",
"aadObjectId": "eac26e98-104a-4785-87aa-bcf77ea1d7c1"
},
"conversation": {
"isGroup": true,
"conversationType": "channel",
"tenantId": "c8fef0de-e240-4456-b523-3285ecc62087",
"id": "19:y7qDBfGH2jE_Ze6G8mJS_CiWiqCaRFfH77jFZvJ1xgU1#thread.tacv2"
},
"recipient": {
"id": "28:64564f44-dd7c-441a-b427-efcd662f21b5",
"name": "Trick"
},
"channelData": {
"team": {
"aadGroupId": "5bc77aa9-9487-49ae-958f-b37b2191e64d",
"name": "test 5",
"id": "19:y7qDBfGH2jE_Ze6G8mJS_CiWiqCaRFfH77jFZvJ1xgU1#thread.tacv2"
},
"eventType": "teamMemberAdded",
"tenant": {
"id": "c8fef0de-e240-4456-b523-3285ecc62087"
}
}
}
So what I am trying to understand here is that, why is the information not coming in case the bot is installed in personal scope?
I am asking this mainly because without personal scope added for bot(i.e if I keep scope only as team), the application does not show for user, inside Apps. But if I allow the scope to be extended to personal the user might select that while installing the application and my teamId information will not be available to fetch the data, that I need.
This brings to my next question, which is, is there any way in which the default add button on the add app screen installs the bot in such a way that I get team object inside channelData, in conversationUpdate in every scenario, i.e whether I choose add or add to team?
Is this how it is supposed to behave or am I missing something. Would love to hear some thoughts on this. Thanks in advance.
It might be that you're over thinking this - here's a more simple view:
if you install a bot into a Team, you'll get a Team Id (and any related channel where it is installed).
if you have "personal" scope set up for the bot, then the user also has the option to install the bot into "personal" scope. As this implies, they are NOT installing the bot INTO an actual Team - that's why you're not receiving a Team Id. It's not broken - it's entirely correct.
If you don't WANT your bot to be able to be installed in personal scope, simply remove that option in your manifest (the "personal" scope) - you have the ability to choose because it depends what you're wanting the user to be able to do with your bot. Some bots only make sense inside a Team, others only in Personal Scope, others only in Group Chat or in a Meeting - you can allow your bot to installed in any/all of these are relevant.
When using a legacy token in slack I want to determine which user account owns this application. The information is not directly in the bot.info:
{
"ok": true,
"bot": {
"id": "foobar",
"deleted": false,
"name": "Slack API Tester",
"updated": 123456789,
"app_id": "A123"
}
}
Could I use the bot.id or bot.app_id objects to find who owns this application? If so which api call would I use.
To determine which user owns any token (incl. legacy token) just call the auth.test endpoint with that token. You will get the user ID and name of the token owner.
Example response from documentation:
{
"ok": true,
"url": "https://subarachnoid.slack.com/",
"team": "Subarachnoid Workspace",
"user": "grace",
"team_id": "T12345678",
"user_id": "W12345678"
}
If you need more info about the user you can call users.info for that user with his ID. Since you are using a legacy token you will have the necessary permissions.
I have a web app registered on Azure with the goal of being able to read and write the calendars of other users. To do so, I set these permissions for this app on Azure.
However, when I try to, for example, create a new event for a given user, I get an error message. Here's what I'm using:
Endpoint
https://graph.microsoft.com/v1.0/users/${requester}/calendar/events
HTTP Header
Content-Type application/json
Request Body
{
"subject": "${subject}",
"body": {
"contentType": "HTML",
"content": "${remarks}"
},
"start": {
"dateTime": "${startTime}",
"timeZone": "${timezone}"
},
"end": {
"dateTime": "${endTime}",
"timeZone": "${timezone}"
},
"location": {
"displayName": "${spaceName}",
"locationEmailAddress": "${spaceEmail}"
},
"attendees": [
{
"emailAddress": {
"address": "${spaceEmail}",
"name": "${spaceName}"
},
"type": "resource"
}
]
}
Error message
{
"error": {
"code": "ErrorItemNotFound",
"message": "The specified object was not found in the store.",
"innerError": {
"request-id": "XXXXXXXXXXXXXXXX",
"date": "2018-07-11T09:16:19"
}
}
}
Is there something I'm missing? Thanks in advance for any help!
Solution update
I managed to solve the problem by following the steps described in this link:
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
From your screenshot it's visible that you used application permission (although it'd be nice to include this information in your question):
Depending on kind of the permission you have given, you need to use proper flow to obtain access token (on behalf of a user or as a service. For application permissions you have to use flow for service, not on behalf of a user.
You can also check your token using jwt.io and make sure it's payload contains appropriate role. If it doesn't, it's very likely you used incorrect flow.
Regarding the expiration time of it, you may have found the information about refresh token (for example here). Keep in mind that it applies only to rights granted on behalf of a user. For access without a user you should make sure that you know when your token is going to expire and request a new one accordingly.
I've found the following documentation on how to send email using Office 365 rest API.
This is the example given on the doucmentation:
POST https://outlook.office.com/api/v2.0/me/sendmail
{
"Message": {
"Subject": "Meet for lunch?",
"Body": {
"ContentType": "Text",
"Content": "The new cafeteria is open."
},
"ToRecipients": [
{
"EmailAddress": {
"Address": "garthf#a830edad9050849NDA1.onmicrosoft.com"
}
}
],
"Attachments": [
{
"#odata.type": "#Microsoft.OutlookServices.FileAttachment",
"Name": "menu.txt",
"ContentBytes": "bWFjIGFuZCBjaGVlc2UgdG9kYXk="
}
]
},
"SaveToSentItems": "false"
}
This works fine if the user authorizes the application to act on it's behalf. However, I am using client crednetial to build a daemon application that acts on behalf of all users in the given tenant hence "POST https://outlook.office.com/api/v2.0/me/sendmail" couldn't work because its is referencing the "me" and can't tell which user is sending the email.
I would appericiate if you can help with sample example. FYI: I am using Java but your answer doesn't have to be in Java.
Replace the /me bit of the URL with /users/<userid>. You can not use /me for any API call with a token from client credentials.