UCWA - different results for different applications - skype-for-business

I'm playing with the interactive web SDK at https://ucwa.skype.com/websdk. I'm signed in successfully with an Azure AD login. With the F12 tool I can see that I have a valid OAuth token.
Now I take this token and try to get a person object via a GET request like this: _https://webpoolam30e08.infra.lync.com/ucwa/oauth/v1/applications/113782897528/me
This is the result:
{
"uri": "sip:xxx@yyy.de",
"name": "john doe",
"_links": {
"self": {
"href": "/ucwa/oauth/v1/applications/111364079681/me"
}
},
"rel": "me"
}
What I expect is more information about me, like this:
{
"uri": "sip:xxx@yyy.de",
"name": "john doe",
"emailAddresses": [
"xxx"
],
"company": "my company name",
"workPhoneNumber": "tel:+123456789",
"endpointUri": "sip:xxx;opaque=user:epid:4JNzkgeuabct-CSuIgYV8gAA;gruu",
"_links": {
"self": {
"href": "/ucwa/oauth/v1/applications/113782897528/me"
},
"note": {
"href": "/ucwa/oauth/v1/applications/113782897528/me/note"
},
"presence": {
"href": "/ucwa/oauth/v1/applications/113782897528/me/presence"
},
"location": {
"href": "/ucwa/oauth/v1/applications/113782897528/me/location"
},
"reportMyActivity": {
"href": "/ucwa/oauth/v1/applications/113782897528/me/reportMyActivity"
},
"photo": {
"href": "/ucwa/oauth/v1/applications/113782897528/photos/xxxx"
}
},
"rel": "me"
}
I found out that the result depends on the application id. If I open the Office 365 web portal (_https://outlook.office.com/owa) and search for a valid application id with the F12 tool, then I get the expected result. Even with the OAuth token that I got from the interactive web SDK example. So this cannot be a security or permission issue??
I granted access to all permissions in the Azure management portal.
Also very strange is that I get different status codes with the same OAuth token for these two very similar requests:
_https://webpoolam30e08.infra.lync.com/ucwa/oauth/v1/applications/113782897528/me/presence
-> 200 OK
_https://webpoolam30e08.infra.lync.com/ucwa/oauth/v1/applications/112861033140/me/presence
-> 403 Forbidden
{
"code": "Forbidden",
"message": "The requested operation isn't allowed."
}
So why is there a difference between both applications, and what is required to get the same results? Is anything missing in the Azure configuration?
Thanks for the help

UCWA and to a larger extent Skype for Business Online are in a preview phase which may help explain why you are seeing a different result set between the two applications. When logging into the O365 portal as your user you are most likely getting supplemental information from Exchange or the portal is able to receive more information from UCWA using internal APIs (and permissions) not publicly exposed.
If I remember correctly, your request example above is as follows:
/ucwa/oauth/v1/applications/113782897528/me/presence - O365 Portal
/ucwa/oauth/v1/applications/112861033140/me/presence - Non-Portal
What you are seeing is that Presence is not currently enabled (a better term might be the API is not publicly exposed) for UCWA when using Online clients.

Access to presence is available in preview mode through the "Read/write Skype user information (preview)" Delegated Permission. You might not have access to it, but here's a picture of what it looks like in Azure AD if you do:
I created a UCWA-based native app that connects to SfB Online and allows you to set your presence:
https://github.com/tamhinsf/ucwa-sfbo-console
Just follow the README to register your own app and plug in your settings into my code. I output the result of each API call onto the console so you can see what's going on.
I've also made a fork of the Interactive Web SDK Samples you've been using that consolidates the Azure AD settings into a single file. You might want a local copy to more closely inspect and modify the calls:
https://github.com/tamhinsf/skype-web-sdk-samples

Sharing the token like that between applications seems like a security violation. The token is provided for a specific resource and the server likely validates that the token you are providing matches the scopes that the application was created with.
What scenario are you trying to perform by sharing the token?

Related

Google AppScript BigQuery API call authentication

I've previously developed simple GAS projects that read csv files and inserted them into a BigQuery table and I don't recall using any special authentication since both projects were under my account. However, I'm now getting an error when trying to insert.
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"errors": [
{
"message": "Login Required.",
"domain": "global",
"reason": "required",
"location": "Authorization",
"locationType": "header"
}
],
"status": "UNAUTHENTICATED",
"details": [
{
"@type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "CREDENTIALS_MISSING",
"domain": "googleapis.com",
"metadata": {
"method": "google.cloud.bigquery.v2.JobService.GetJob",
"service": "bigquery.googleapis.com"
}
}
]
}
}
One difference is that I am now using a personal google account, whereas before I was using a work account, though I haven't seen anything that mentions this distinction for calling BigQuery from GAS.
I've found some blogs that seem to address how to implement an oauth2 auth, but I'm wondering if something has changed in the past ~8months that now necessitates a more explicit auth for BigQuery calls? This doco doesn't mention anything about authenticating - https://developers.google.com/apps-script/advanced/bigquery.
edit:
This was for a csv load/insert job. I remembered that I was previously doing array inserts, and the auth for that job has not changed so I am able to successfully execute those jobs. No idea why the auth is different for a csv-blob job, but hopefully this will save others some time.
The BigQuery API uses OAuth 2.0 access tokens to authorize requests and grant temporary access to the API. In this case, I recommend using a service account to authenticate to the API. You can follow these steps to create an account.
If you are using the BigQuery client libraries, you can set up the authentication there. If not, you need to follow these steps.
Also, you must have permission to load data into BigQuery. You need the following IAM permissions:
bigquery.tables.create
bigquery.tables.updateData
bigquery.tables.update
bigquery.jobs.create
If your data is in Cloud Storage, you also need the following permissions:
storage.objects.get
storage.objects.list (required if you are using a URI wildcard)

Understand how to also get an access token for down stream api access for web app with OneLogin

I've been at this for days and the documentation just isn't clear to me, maybe I'm just not reading it correctly.
I have a blazor WASM app (https://localhost:5001) that pulls data from an api. The api needs to be authenticated so I want to just pass the access token inside the header.
Inside the OneLogin admin dashboard I've created an OIDC app called "testApp", the Token Endpoint is None (PKCE).
Setting up OIDC authentication on Blazor was super simple. I originally just used the
builder.Services.AddOidcAuthentication(options =>
{
builder.Configuration.Bind("OneLogin", options.ProviderOptions);
})
However I quickly realized I had no way to add an audience. So I followed this guide ..
auth0 oidc for blazor
and this github for the actual code I modified to create a custom provideroptions that has an audience string
github repo
And I also had no issues setting it up. However, where I get stuck is how seemingly complicated OneLogin's side of the setup is.
Reading their docs onelogin api auth docs, there are no modern examples of setting it up past the postman import. Downloading the import file offers a fairly organized set of apis however I can't figure out what needs to go where.
First I created an Api Auth Server
{
"description": "API",
"configuration": {
"access_token_expiration_minutes": 20,
"refresh_token_expiration_minutes": 20,
"resource_identifier": "https://localhost:5005",
"audiences": [
"https://localhost:5005/worker",
"https://localhost:5005/user"
]
},
"name": "API"
}
then I created a scope
{ "value": "custom:scope",
"description": "A custom scope" }
then I added api auth server client. I went to the admin panel and grabbed the app id from the url. https://{domain}.onelogin.com/apps/{appId}/edit/#configuration
and added an api auth server
which gave me this back from the postman api
[
{
"name": "TestApp",
"app_id": 1111111,
"scopes": [
{
"id": 172,
"description": "A custom scope",
"value": "custom:scope"
}
],
"api_auth_id": 1246001
}]
So from this point it looks like I have everything I need? Except I still can't get it to create an access token. I go back to my application and use the modified service and add my audience to my appsettings.json
"OneLogin": {
"Authority": "https://{domain}.onelogin.com/oidc/2/",
"ClientId": "{clientId from onelogin}",
"ResponseType": "code",
"DefaultScopes": "openid profile groups",
"Audience": "https://localhost:5005"
Except it still doesn't add the extra audience to the access token causing my api calls to fail when I add the access token inside the header. If anyone can figure out where I've gone wrong I'd be incredibly grateful.
Woot. Figured it out myself. I had everything right, but I had the audience wrong. In their docs they discuss having multiple audiences like example.com/blah and example.com/bleh, but having the audience as just example.com and then having different scopes per web service actually works fine.
So when I create example2.com and add it to the audiences, both my APIs will be accessible.

Login with Auth0 was successful but still a 401 'access denied' is returned?

I managed to get Auth0 somewhat working for my Vue.js app. The Quickstart Guide was straight forward.
So what happened is that I managed to use the login functionality and was prompted with the Auth0 Login dialog. I used my google account to do a quick-login. That also worked. My google account was now visible as a new user in my Auth0 Dashboard.
However after the login I was returned to my Vue.js app but the authorization was not successful it seems.
The network tab tells me the following:
{"error":"access_denied","error_description":"Unauthorized"}
I was wondering if I have to give the user some roles or permissions before he is considered as 'authorized'? My impression was that this will be true by default and only restricted if I start defining roles in the Auth0 Dashboard.
Please enlighten me!
PS: I am using the non-implicit login dialog provided by Auth0 while I am working on a SPA. I read that might cause trouble?
PS 2:
And the Raw Data of the 'Failed Exchange' Log:
{
"date": "2020-08-24T10:43:52.005Z",
"type": "feacft",
"description": "Unauthorized",
"connection_id": "",
"client_id": "<Client_ID>",
"client_name": null,
"ip": "85.197.56.111",
"user_agent": "Chrome 83.0.4103 / Linux 0.0.0",
"details": {
"code": "*************T8a"
},
"hostname": "alemanni-game.eu.auth0.com",
"user_id": "",
"user_name": "",
"log_id": "90020200824104353383000015217913666506642073534760747026",
"_id": "90020200824104353383000015217913666506642073534760747026",
"isMobile": false
}
I had this issue and was finally able to find out its cause. I came across this question while I was searching for a solution to this problem, but it hadn't been answered. As I was able to solve the problem, I decided to answer this question.
In my case, the problem was that the token endpoint was returning a 401 status code with an unauthorized/access denied error, and this seems to be the problem in your case too.
The problem was the incorrect value of "Token Endpoint Authentication Method" in the application settings.
In the case of single page applications, its value should be "None" but it was incorrectly set to "POST".
It seems that we cannot change its value, so I just created a new application and selected "Single Page Web Applications" as the application type. This solved the issue.

Is there any way to get a set of resources detailed information from Keycloak server by using Keycloak rest endpoints

We have a REST endpoint to get the resource information from the Keycloak server:
http://{host}:{port}/auth/realms/{realm}/authz/protection/resource_set/{resource_id}
From this endpoint I can get only one resource's information.
{
"name": "/TestResource",
"type": "customer",
"ownerManagedAccess": false,
"displayName": "testresource",
"_id": "****resource id****",
"icon_uri": "testIconUri",
"uris": [
"/uri2",
"/uri1"
],
"resource_scopes": [
{
"name": "GET"
}
]
}
But in my case I have more than 25 resources to be loaded into my application's menu.
If I go with the above endpoint, I need to call the same service more than 25 times, so I need some other way to get a set of resources' information using a single endpoint.
I expect a solution for this,
thank you in advance.
I found the solution.
We can get all the authorization-related details using
http://{host}:{port}/auth/admin/realms/{realmname}/clients/{clientId}/authz/resource-server/settings
provided by Keycloak.
We have to use admin credentials.
{clientId} is not the client name given by you; it is generated by Keycloak for each client.

authenticate to Google Compute Engine instance using CLI

I've set up a Google Compute Engine Instance and I want to be able to turn it on and off using a script on my home computer. I see that there's an API that lets me do that by sending a POST request like this:
curl --data '' https://www.googleapis.com/compute/v1/projects/my-project/zones/asia-east1-a/instances/my-instance/stop
but the response I get from that is this:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "required",
"message": "Login Required",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Login Required"
}
}
So I'm trying to see how I can give my script authorisation to use the API on the Compute Engine instance without user interaction. How do I do this?
It looks like Google requires OAuth 2.0 authentication, but it seems really complex.
The closest thing I can find in Google's docs is this page, but I can't work out how to turn it into a bunch of curl statements.
This SO thread gets closer, but glancing over the scripts there - it looks like they need user interaction.
I think you need Application Default Credentials. Have you seen this page?
https://developers.google.com/identity/protocols/application-default-credentials