Good day!
I just want to ask about microsoft graph Api permission, there's too many options here but my goal is to have the full access ONLY to specific account and read the mail box such as Subject, Email Body, attachment and Sender Email, the system will read the mails from the back end from the specific account only. (like a basic auth)
I'm trying to make system to my org. I don't have the full control in azure portal, so I create API Permission request.
What option need to include in my api permission request?
enter image description here
I saw the "Mail.Read" Option
but I think the scope of this option is to access ALL other mail account without signing in. correct me if I'm wrong, but then what I really need is for single account only.
Thank you in advance
Access to Graph API is normally done one of two ways:
On behalf of user
As a application (no user)
The permissions required for the access type are different and are documented for each API endpiont under the Permissions sections. The on behalf of user access requires "delegated" type permissions and application access require application permissions.
If you use "on behalf of user access" (i.e. you have a user fronting the authentication or you know the username/password) and the correct permissions for the api endponts you are using then you only have access to the data that that user has access too (even if you have permissions like ".all").
If you use "application access" then normally you need higher permissions and you can normally read all user/org data. In some specific cases you can constrain application access. Email account access happens to be one. Follow the Limit Mailbox access instructions to limit a specific application id to a specific set of mailboxes.
There is a separate Mail.Read permission for both Application and Delegated permissions. Application permissions allows the app to read mail in all mailboxes without a signed-in user where as Delegated permissions allows the app to read email in user mailboxes , check the doc for more info - https://learn.microsoft.com/en-us/graph/permissions-reference
In your case you want to check your mail only , then you need to use Delegated permissions , which doesn't required admin conesent
Hope this helps
Thanks
-- goal is to have the full access ONLY to specific account and read the mail box
Can I understand your requirement as, you may want to have a user who is admin role and only this user can query mail information for all other users?
If so, you must have a sign in popup window to let users sign in, then your application can validate the user to check if the signed in user is in admin role to determine whether allowing this user to query mails.
But you also mentioned "to run in background the signing in process, no pop up window", so I'm afraid that you want to allow anyone using your application to query mail on behalf on this specific user. In this scenario, I'm afraid you can using client credential flow directly with the application permission.
Related
I'm integrating some of our company's internal applications to use our GSuite instance for authenticating our employees when they log in, using GSuite's support for Open ID Connect.
However, our applications uniquely identify the users using our internal "employee ID" to log in, instead of our GSuite email address. I see that it is possible to store/manage an "employee ID" within gsuite, however I'm not sure how I can retrieve this information after the user has successfully authenticated.
Currently, I'm getting back a list of "claims" from the userinfo endpoint, but these claims only include the name and email address of the user. I also need the phone number and employee ID which we've configured on GSuite.
Is it a matter of requesting additional scopes to start off with? Or do I need to make a separate request to retrieve the additional user information?
I see that there is an Admin Directory API but it appears that would be for accessing the information of ALL users within the domain, whereas I'm only interested the extended details of the CURRENT user.
Ultimately, I created a service account with scope https://www.googleapis.com/auth/admin.directory.user.readonly to call GET https://www.googleapis.com/admin/directory/v1/users/<current_user>. I had to delegate domain-wide authority to the service account, as well set it up to impersonate an admin user.
It seems like overkill, since I only need extended details of the current user, for which I already have an OAuth2 access token.
I found this question quite helpful in resolving the issue.
If anyone can provide an answer that makes use of the OAuth2 access token, I'd still appreciate it
We want to use OneDrive API to upload and retrieve files from our own account.
The problem is that OAuth needs user interaction for login and then redirects back.
However we don't want to each user to log in and then gain access to his account. We want to just communicate with our own onedrive account without user to know about that.
(In other words, we're not creating an application that allow our users to edit their own data, but to interact with our data, like a database.)
Is there any way how to do this with OneDrive or we should use different approach?
Try adding admin (user used in OAuth) as ‘Site Collection Administrator’ to access all the file/folders of a User.
I've updated my app to use the new Box V2 API instead of the old Box V1 API.
I have only one question left : After revoking access to an app ( http://developers.box.com/wp-content/uploads/2013/08/Provision-Reject.png ), why is it required to grant access again after giving the password again?
Thanks for your answer in advance!
When a user decides to revoke access to an application, they've basically decided that they don't trust that application to get to their Box content. If they change their mind and want the application again, then the user should know what kinds on things your application can do.
The "grant access" screen is part of the OAuth2 specification, and is used by just about every website these days that lets applications get at user's accounts. Android apps have a similar "grant" screen to say stuff like "This application wants to get at your address book, send emails, and ... only use it if you trust the application to do these things."
I want to use Google APIs with OAuth 2.0 for authentication / authorization.
Is it currently possible to grant access to only people you have in a private circle?
Basically i want to secure a place on the web. To grant google+ users access, I just drag them into a specific circle.
Nothing built in, but you could build this. What you'd need to do was sign-in (with offline access) to your application as the 'admin', and just grant it access to that one circle. The app would have recheck the people.list every so often (using a stored refresh token), and record the latest list of users. Then, when a regular user came to sign-in, you would allow that sign-in the check against the list of stored friends before granting them access to the private area. You could even give the users who didn't have access a "let me in" button, which would share a post prefilled to share with you, so they could ask for access.
You can see how to retrieve the list of people here: https://developers.google.com/+/web/people/#retrieve_a_collection_of_people
If you didn't add friends very often, then you can make the people.list update happen when a user tried to access who wasn't part of the group, to check they hadn't been added.
In Facebook API:
"When a user allows you to access their basic information in an auth dialog, you have access to their user id, name, ...
To get access to any additional information about the user or their friends you need to ask for specific permissions from the user."
So basically Facebook allows for use of the API with restricted permissions by default, and then it specifically asks for all sorts of permissions you might use.
In Twitter when the user is redirected to the twitter popup on "account/verify_credentials" the popup shows:
"This application will be able to:
Read Tweets from your timeline.
See who you follow, and follow new people.
Update your profile.
Post Tweets for you."
It is basically giving me permissions that I don't need right off the bat and it might drive the user away from giving me such permissions (I wouldn't blame them)
Is there a way to get restricted permission (such as user info, and that's about it) thus show less items the user is allowing me to do in the popup ?
Sign into https://dev.twitter.com/apps, select the application, and switch access to read only on the settings tab. This will remove the Update your profile and Post Tweets for you permissions. The first two permissions are always present with Twitter OAuth.