I am completely new to MS Identity services and I am overwhelmed by the many options I have for what I need to do
Here is what I am trying to achieve: I have a OneNote personal account and notes stored in the MS Cloud (OneDrive I guess). I need to be able to run a Python script, get the content of my notes, do some processing and save them back. This will be from the command line on a home Windows10 computer
My question: what type of application should I register in MS AD and what type of authentication flow should I used for the above?
I have tried many things and this is as far as I could get:
-I registered an app with Azure AD (tried both personal and AD app)
-I configured the app as Windows App
-I selected a device authentication flow
I tried this code with both types of app
import requests
import json
from msal import PublicClientApplication
tenant = "5fae6798-ca1a-49d4-a5fb-xxxxxxx" ◄ regular app
client_id = "d03a79d3-1de0-494c-8eb0-xxx" ◄ personal app
#client_id="bbd3d6df-f5f3-4206-8bd5-xxxxxx"
scopes=["Notes.ReadWrite.All","Notes.Read.All","Notes.Read","Notes.Create","Notes.ReadWrite",
"Notes.ReadWrite.CreatedByApp","Notes.Read","Notes.Create","Notes.ReadWrite",
"Notes.ReadWrite.CreatedByApp","Notes.Read.All","Notes.ReadWrite.All"]
endpoint= "https://graph.microsoft.com/v1.0/me"
authority = "https://login.microsoftonline.com/" + tenant
app=PublicClientApplication(client_id=client_id, authority=authority)
flow = app.initiate_device_flow(scopes=scopes)
if "user_code" not in flow:
raise ValueError(
"Fail to create device flow. Err: %s" % json.dumps(flow, indent=4))
print(flow["message"])
result = app.acquire_token_by_device_flow(flow)
endpoint= "https://graph.microsoft.com/v1.0/users/c5af8759-4785-4abf-9434-xxxx/onenote/notebooks"
if "access_token" in result:
# Calling graph using the access token
graph_data = requests.get( # Use token to call downstream service
endpoint,
headers={'Authorization': 'Bearer ' + result['access_token']},).json()
print("Graph API call result: %s" % json.dumps(graph_data, indent=2))
else:
print(result.get("error"))
print(result.get("error_description"))
print(result.get("correlation_id")) # You may need this when reporting a bug
Regular application
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code AH2UHFDXB to authenticate.
Graph API call result: {
"error": {
"code": "30108",
"message": "OneDrive for Business for this user account cannot be retrieved.",
"innerError": {
"request-id": "016910d2-c193-4e3f-9d51-52fce86bfc72",
"date": "2020-05-14T16:45:44"
}
}
}
Personal application output
Fail to create device flow. Err: {
"error": "invalid_request",
"error_description": "AADSTS9002331: Application 'bbd3d6df-f5f3-4206-8bd5-xxxxxxx'(OneNotePersonal) is configured for use by Microsoft Account users only. Please use the /consumers endpoint to serve this request.\r\nTrace ID: 1c4047e6-98a8-4615-9a0c-4b0dc9ba5600\r\nCorrelation ID: a6733520-6df9-422a-a6b4-e8f4e2de1265\r\nTimestamp: 2020-05-14 16:56:27Z",
"error_codes": [
9002331
],
"timestamp": "2020-05-14 16:56:27Z",
"trace_id": "1c4047e6-98a8-4615-9a0c-4b0dc9ba5600",
"correlation_id": "a6733520-6df9-422a-a6b4-e8f4e2de1265",
"interval": 5,
"expires_in": 1800,
"expires_at": 1589477187.9909642,
"_correlation_id": "a6733520-6df9-422a-a6b4-e8f4e2de1265"
}
This was solved this way
That error message suggests you to create your authority string as
authority = "https://login.microsoftonline.com/consumers",
because you were using the client_id of a "personal app". Change that authority, and you can proceed.
Related
I used the following API in postman with integration key, client secret from the Admin API application but no luck.
GET: https://api-123abc.duosecurity.com/auth/v2/check
Furthermore,
I used basic auth for authorization
Integration key for username and created the password via
https://www.freeformatter.com/hmac-generator.html#ad-output (used
integration key for string and client secret from the duo UI)
I used the following headers:
Authorization:Basic
Integration-key:Secret-key
Date:Fri, 20 May 2022 02:26:39 +0000
Content-Type:application/x-www-form-urlencoded
Besides this I used the code
btoa('integration key:secret key')
to generate authentication code but it still gives the following error
{
"code": 40301,
"message": "Access forbidden",
"message_detail": "Wrong integration type for this API.",
"stat": "FAIL"
}
Add Postman PreRequest script
update/replace integration and secret keys in below script
follow docs
const cannon = [
new Date().toUTCString(),
pm.request.method,
pm.request.url.host.join('.'),
'/'+pm.request.url.path.join('/'),
];
if (pm.request.body.urlencoded){
cannon.push(pm.request.body.urlencoded);
}
function hmacSign(cannon, integrationKey, secretKey){
const message = cannon.join("\n");
console.log(message);
var hmac = CryptoJS.HmacSHA1(message, secretKey)
return btoa(`${integrationKey}:${hmac}`)
}
const sign = hmacSign(cannon, "DIWJ8X6AEYOR5OMC6TQ1", "Zh5eGmUq9zpfQnyUIu5OL9iWoMMv5ZNmk3zLJ4Ep")
pm.request.headers.add({
key: "authorization",
value: sign
});
I am building a web app in a low code platform (Mendix). I am connecting the web app with ArcGIS online resources via the ArcGIS JavaScript API v4.19, which all goes pretty smoothely.
The challenge arises when I want to load specific secured ArcGIS online content via the ArcGIS JavaScript API, specifically from some FeatureLayers which are secured. I looked into the documentation and it seems the best way forward would be a so-called 'application login'. For this I want to setup an OAuth application login based on CLient ID and Client Secret. With these two I can get a valid token via AOuth and use that token to access the content by feeding the token to the IdentityManager via the JavaScript API.
This is were it goes wrong currently, I can't seem to figure out where to make it explicit on the ArcGIS online side that this specific secured FeatureLayer can be accessed via this application login, hence currently I am getting errors that the valid token and app id don't have access to the resource, being the end-point of the secured FeatureLayer.
Does anybody know how to associate a secured FeatureLayer in ArcGIS online to a application login?
EDIT 10-6-2021: Added code sample
After succesfully retrieving a valid token on the server side based on client id and client secret I use the client ID (=AppID) and token in the ArcGIS JavaScript API like below:
const token = {
server: "http://www.arcgis.com",
userId: <AppID>,
token:
<valid token retrieved via OAuth generateToken request,
ssl: true,
expires: 7200
};
IdentityManager.registerToken(token);
Only implementing this gives me an error whilst trying to access the secured feature layer:
identity-manager:not-authorized. "You are currently signed in as:
AppID. You do not have access to this resource:
https://server/someid/arcgis/rest/services/somefeatureserver/FeatureServer/0
I also read that sometimes below could be needed so added as well:
const idString = JSON.stringify(IdentityManager.toJSON());
console.debug("idString: " + idString);
IdentityManager.initialize(idString);
This resolves the error but makes a login popup appear again.
The layer is afterwards declared like below:
const layer = new FeatureLayer({
// URL to the service
url: layerObj.layerURLStatic
definitionExpression: queryDefinition,
featureReduction: clusterConfig && { type: "cluster" },
popupTemplate: {
title: "{" + inAttributeTitle + "}",
content: [
{
type: "fields", // FieldsContentElement
fieldInfos
}
],
actions: [
{
title: props.intButtonLabel,
id: btnId,
className: props.intButtonClass + intButtonIconClass,
type: "button"
}
]
},
outFields: ["*"]
});
webMap.add(layer);
Here is a snippet to generate the token and then register it with IdentityManager:
IdentityManager = require('esri/identity/IdentityManager')
function login(user, password){
var serverInfo = {
"server": "https://www.arcgis.com",
"tokenServiceUrl" : "https://www.arcgis.com/sharing/generateToken"
};
var userInfo = {
username : user,
password : password
}
IdentityManager.generateToken(serverInfo, userInfo).then(function (response){
response.server = serverInfo.server;
response.userId = user;
IdentityManager.registerToken(response);
});
}
I'm not sure how you are going to fit this in you app, but the sample should work if you paste it in your developer tools console when the app is running.
Also, it seems to me that userId property is for arcgis online username, not for appId.
As pointed out by Shaked, if you append '?token=[token_value]' int the layer URL you probably don't even need to register the token to query the layer.
I'm trying to call api Purchases.products: get to verify your purchase
it yields such a result
{
"error": {
"errors": [
{
"domain": "androidpublisher",
"reason": "permissionDenied",
"message": "The current user has insufficient permissions to perform the requested operation."
}
],
"code": 401,
"message": "The current user has insufficient permissions to perform the requested operation."
}
}
the project is tied properly
A new service account with owner rights has been created
This service account has been granted rights in the google play console
Documentation here says what you can do
the received token does not work only for purchase checks for any other api it returns the result(Inappproducts: list is work)
The verification url is built right because if you get a token client to server then this api works too - but I need a server to server auth
scopes = ['https://www.googleapis.com/auth/androidpublisher']
authorization = Google::Auth.get_application_default(scopes)
uri = "https://www.googleapis.com/androidpublisher/v3/applications/#{ENV['ANDROID_PACKAGE_NAME']}/purchases/products/#{purchasable.purchase_uuid}/tokens/#{purchase_token}?access_token=#{authorization.fetch_access_token!['access_token']}"
response = RestClient::Request.execute method: :get,
url: uri,
headers: {'Content-Type':'application/json'}
and
file = File.read('config/google_key.json')
values = JSON.parse(file)
oauth = Signet::OAuth2::Client.new(
issuer: values[:client_email]",
audience: "https://www.googleapis.com/oauth2/v4/token",
scope: "https://www.googleapis.com/auth/androidpublisher",
client_id: values[:client_id],
signing_key: OpenSSL::PKey::RSA.new(values[:private_key]),
)
jwt = oauth.to_jwt
url = "https://www.googleapis.com/oauth2/v4/token"
begin
response = RestClient::Request.execute method: :post,
url: url,
headers: {'Content-Type': 'application/json'},
payload: {
grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
assertion: jwt
}
result = JSON.parse response.body
rescue => e
puts e.response.to_str
result = JSON.parse(e.response.to_s)
end
I expect this result
update 1
add tokeninfo
I love google.
after 7 days with my first service account it worked - but 7 days !!!! 7 days !!!! it's just horror
Guys in Google you need 7 days to give access to api!! - this is ridiculous
Okay, you need to do this to get access
create service account in google cloud (admin rights)
create google play console and link project google cloud
add email service account in google play console
after 1 week it will work
In my app (node-bigcommerce-sdk) my customers will need to login as if they were on the bc store. I am able to verify that the provided email and password are correct. I cant find a method to exchange the user_id and my app credentials for a token that can be used in sso (described here)
I used the python sdk before and the part I want to do now in nodejs is the following
bc_client = b.api.BigcommerceApi(client_id, store_hash, access_token)
login_token = sdk.customer_login_token.create(bc_client, customer.id)
so far (not working)
let token = jwt.encode({
"iss": account.clientId,
"iat": 123456789,
"jti": "uid-"+uid,
"operation": "customer_login",
"store_hash": account.storeHash,
"customer_id": uid,
}, account.secret, 'HS512');
let sso_url = `${account.entry_url}/login/token/${token}`
example token received
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJja244ZzN5Z3V4MmY0cG14ZWw0M2dqbmJjOTViZ2FrIiwiaWF0IjoxMjM0NTY3ODksImp0aSI6InVpZC0xIiwib3BlcmF0aW9uIjoiY3VzdG9tZXJfbG9naW4iLCJzdG9yZV9oYXNoIjoiMmJpaHByMnd2eiIsImN1c3RvbWVyX2lkIjoiMSJ9.n4lygAJtfqhcrHnGEWle1far-Ee69xrgym-HWFWWwNWXB1-hBziKC03SK_y8PYjLBL_n43Q6K07YH9ysSV5a4g
${account.entry_url}/login/token/${token} results in an error message on the frontend Invalid login. Please attempt to log in again.
Here is a strange thing I am fighting against.
First of all I am using this simple-linkedinphp lib to perform API calls from my php backend.
I got a user access token from our IOS app which has the following structure:
{"access_token":"lettersAndSymbols","expires_in":5183999}
I store it in a variable called $token.
Then I try to get the user's profile with this token like this:
$linkedin = new \LinkedIn($this->linkedin_config);
$linkedin->setResponseFormat($linkedin::_RESPONSE_JSON);
$linkedin->setTokenAccess(array('oauth_token' => $token["access_token"], 'oauth_token_secret' => ""));
$linkedinUserJson = $linkedin->profile("~");
Then I get the response with error:
array(5) {
["linkedin"]=>
string(358) "{
"errorCode": 0,
"message": "[unauthorized]. The token used in the OAuth request is not valid. sameLettersAndSymbols",
"requestId": "74T6SY6ML6",
"status": 401,
"timestamp": 1376043937705
}
But when I try to open an api url in a browser with the same LettersAndSymbols like https://api.linkedin.com/v1/people/~?oauth2_access_token=LettersAndSymbols, I get the correct response with user object.
How can that be? Am I doing something wrong with the API lib?
I can see a problem in this line
$linkedin->setTokenAccess(array('oauth_token' => $token["access_token"], 'oauth_token_secret' => ""));
your must provide a secret to set the token access.
I found a nice example about Linkedin Integration, wich I like to share with you, I tested and it works just fine.
How to Integrate login with LinkedIn oAuth in PHP