I am currently using EWS in my application to access Exchange data. I want to add functionality for Office365 using rest api.
With EWS, Authorization was quite simple, just add Authorization tag in header with username and password base64 encoded, I bealive it is called basic Authorization.
But with office 365 the process gets 2 extra steps
On the image above you see that 2 steps are in between my application and office365.
Every office account that will use my application, must do
some configuration steps at Microsoft azure. to get secret key, client it and tenant id.
I would like to avoid that, ideally user needs only to enter his credentials thus I can access all of his data in office 365 programmatically.
Every office account that will use my application, must do some configuration steps at Microsoft azure. to get secret key, client it and tenant id.
If I understand your question correctly, you want to avoid all the steps to configure the client_id, secret key for your app user?
If your app is a browser-based web app, the "Application" block on your diagram actually consists of web server and user/browser. In this case, only the web server needs to pull the configurations from the Azure, client_id, secrect, etc... This being said, the user/web browser only needs to enter his credential, and with implicit consent, you app will have access the the user's data. Such workflow can be described below,
In this case, you app user/browser does not need to pull the configurations from Azure. Only the web server does.
If your app is a native app, when you make a request to the auth endpoint, you app needs to include the client_id and redirect URI in the request. This is shown on the first step below.
In this case, your app user can use the same client_id and redirect URI, you don't need to "force" them to create their own's, so that they only need to input their username and password.
You can find more info on Azure AD authentication from https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/
Related
I have a SaaS application using Vue.JS as frontend and Django Rest Framework as backend. I use JWT tokens for authorizing between frontend and backend.
Now I want to add support for our customers to be able to sign in with their Microsoft accounts. So if the signed in user matches a user in our database, it is logged in to our application.
I've set up Azure B2C and can successfully log in and acquire a token in the Vue.JS application using msal library.
Then I send the token to backend server for verification. I use azure_ad_verify_token to verify the token, but I get an InvalidAuthorizationToken exception.
It seems to be working when the user is added to my organization's AD directory. But I would like to verify the token for any Microsoft user, then match it to users in our database. It would be too much work to manually add our customer's users to our AD directory. If it would be possible to add another organization/domain I guess that would be ok.
There's a lot of documentation regarding this but I always end up in examples for separate applications. Just to clearify flow I try to achieve.
The user clicks on login with microsoft
The user is redirected to Microsofts login page, approves my application for their organization
On requests sent to our backend, the token should be verified against Azure Active Directory using authorization class.
If the user's email exists in our database, the request is successful
I am working on building an app for a client inside the Dittofi Design Studio. I am on the basic package, so I cannot see by computer code.
I have built a collection of CRUD endpoints & actions & generated the code. Next & I want to make sure that some of my endpoints are only accessible by someone who correctly authenticates against them. Is there a setting for this inside the studio? How would this work for mobile apps authenticating against the endpoints?
Yes you can inside the studio.
If you look at the wrench in the bottom left, you should be able to create an "Authentication Profiles". You'd have to have users model/db table with username and password fields.
You would then have to have some sort of /sign-up, /login, and /logout endpoints (which would call the login web user and logout web user actions) for your authentication flow.
Finally, on the endpoint you want to lock down, if you look under its settings panel below the name, label and content type settings, you should be able to see how you can attach an authentication profile to the endpoint, i.e lock it down by making sure that only authenticated users can access the endpoint.
For mobile apps authentication agains the endpoints, I would generate a JSON web token (JWT) on the Dittofi end and have a secret key that's shared between the mobile apps and Dittofi to validate the token. That way the mobile app can send any requests to the Dittofi endpoints with that token. On the Dittofi end, I would have some token validation logic to validate that token.
This would require writing some custom Golang code to both generate the JWT and validate it using that secret key. That secret key can be stored in a Global variable (which can be though of as environment variables) accessible using that wrench in the bottom left corner of the Design studio.
Let me know if you'd like me to share the Go code that can generate the token and some example code that can validate your token using a secret key.
Here's the scenario
3rd Party App, with a back end. Customer uses the app.
Back end needs to access user's exchange information, assumedly via EWS
Back end is running in our datacenter/cloud, not customers.
Cannot require local administrator involvement
Want to avoid storing username/password in our back end.
Want to support both Office365 and on-premise.
I believe this is currently impossible, but wanted to verify:
Impersonation would be a great way, but requires Administrator
Token based authentication is not used for this. It is for a mail app to use for SSO to the backend, not for the backend to access Exchange.
OAUTH would be ideal, but is a) for Office365 only currently b) requires a portion of the back end to be hosted by Azure c) The Azure install has to be linked to the Office365 install and is for the local administrator only.
Is my analysis correct? Any options I've missed?
You're mostly correct. OAuth is currently for Office 365 only, so that would rule out on-premise. However, with OAuth you do not have to host your back-end in Azure. You would need an Azure tenant to register your application, but the app itself is not required to be hosted in Azure. If you use EWS, then even with OAuth you will need some admin involvement, because EWS requires a permission scope that requires the app to be registered in the target tenant, users can't consent using a registration from another tenant.
If you use the REST APIs, which are in preview, you wouldn't need an admin's involvement, users could consent for themselves. That would get you almost where you want to be (assuming the REST APIs provide the data that you're after), but wouldn't support on-premise.
So to add to this mostly correct answer from Jason:
using pure rest, you need only create a "multitenant" application and users can self-consent.
You can also use an OAuth token to authenticate to EWS - but only if the delegate Full Access To Mailbox is selected. This also doesn't require admin consent but is a big scope (but necessary because EWS doesn't understand scopes)
I'm trying to write a C# console app that will register an application in Azure Active Directory. It should work just as the web application project creation wizard in VS 2013 when you Change Authentication and select Organizational Accounts in Azure.
Following the fiddler trace, I can see that it authenticates the user using wsfederation and an oauth2 token and then uses the graph.windows.net graph api to configuration the AAD directoryObjects service principal and application.
I have tried to use the sample Graph API app, but it requires the app be registered first so that I have the clientId (application id) and password (key) to send in the Acquire Token request using the Windows Azure AD Authentication Library for .NET.
I've tried using a bunch of the different Azure APIs but they all have my chicken and egg problem, I want to use an unregistered client application to register an application in AAD. I need to avoid Configuring Application Authentication and Authorization for the Graph API so that the user has no manual steps.
Does anyone know how Visual Studio does it, using just the user login with browser prompt or if there is a standard application id and password that can be used to access the graph API, like there is the standard login URL, https://login.windows.net/common? Some C# samples would be greatly appreciated.
This post does the Application creation, but requires a clientId and password, which I don't think I have.
You can't register a new application using the Graph API from an unregistered client. The only reason the VS2013 flow works is because VS2013 is already registered in a special way within Azure AD -- it's a first party application and has unique permissions. In my Fiddler trace, VS2013 uses a client ID of 872cd9fa-d31f-45e0-9eab-6e460a02d1f1. Technically you can use this client ID and the redirect URI of VS2013 to initiate sign-on with Azure AD. This still involves user interaction (the user has to authenticate via browser pop-up) so it doesn't meet your requirement for "no manual steps," but it's somewhat helpful for understanding the protocol flows and how registration works.
The bottom line is that if you want to call the Graph API without user interaction (client credential flow), the client needs to be registered with the proper application permissions.
I have an application with users/password (not developed by us) that calls a web service to inform us when a new user is created. This web service should enable us to create automatically a user through the google Directory API service to create an account on the Google Apps For Education.
How can I do that without using OAuth but using only login/password for the admin user of the Google Apps account ?
I know to update CSV file to create/update accounts in Google Apps but would need to create the accounts on Google without doing manual upload and batch.
Thanks for your answer.
The old ClientLogin authentication method for Google APIs is deprecated and is not supported by the Admin SDK Directory API.
You should use OAuth 2.0. Once you have the OAuth 2.0 refresh token for your script, you don't need to reauthenticate the user each time, just grab a new access token if the current one expires.
You may also be able to take advantage of existing applications that already perform the OAuth work for you like GAM.
I just did this exact same thing in a GAfE domain. I needed to create 60,000 accounts quickly, and have them placed in specific organizational units (schools). I'm now putting together a series on how to make sense out of Google Apps for Education using the API explorer and OAuth 2.0.
Basically, you'll need to forget passing user/pass credentials using the API. You'll need to create an OAuth 2.0 ID (web application), and enter a redirect URI (the callback page that will process the request after authorization has been granted). At this point, you'll need to compile a URL string with the following information:
Base URL for the authorization request
data scope
client ID
response type
redirect URI
See the example below:
https://accounts.google.com/o/oauth2/auth?scope=https://www.googleapis.com/auth/admin.directory.user&client_id=your_client_ID_copied_and_pasted_from_the_API_console&response_type=code&redirect_uri=https://www.example.com/callback.php
Once authorization has been granted, you'll be passed a code in the URL that you'll need to exchange for an ACCESS TOKEN using a POST request to https:// accounts.google.com/o/oauth2/token. The response will include the access token that you can then use in your POST request to the directory.users.insert API.