I want a sample application in c#.net which can create users in Office 365 using Microsoft API .
I wish to do it in code, not using Powershell.
You can use the Microsoft Graph API - Create User:
Register a Native Client App on Azure AD, assign the "Microsoft Graph" > "Read and Write Directory Data" permission.
string authority = "https://login.windows.net/yourdomain.onmicrosoft.com";
string clientId = "{app_client_id}";
Uri redirectUri = new Uri("http://localhost");
string resourceUrl = "https://graph.microsoft.com";
HttpClient client = new HttpClient();
AuthenticationContext authenticationContext = new AuthenticationContext(authority, false);
AuthenticationResult authenticationResult = authenticationContext.AcquireToken(resourceUrl,
clientId, redirectUri, PromptBehavior.Always);
client.DefaultRequestHeaders.Add("Authorization", "Bearer " + authenticationResult.AccessToken);
string content = #"{
'accountEnabled': true,
'displayName': 'testuser',
'mailNickname': 'test',
'passwordProfile': {
'forceChangePasswordNextSignIn': true,
'password': 'pass#wd12345'
},
'userPrincipalName': 'testuser#yourdomain.onmicrosoft.com'
}";
var httpContent = new StringContent(content, Encoding.GetEncoding("utf-8"), "application/json");
var response = client.PostAsync("https://graph.microsoft.com/v1.0/users", httpContent).Result;
Console.WriteLine(response.Content.ReadAsStringAsync().Result);
Related
We are using the generic OpenID Connect middleware to use Google as an external identity provider using IdentityServer3. We don't have MetadataAddress or any special TokenValidationParameters set up (so it should be getting the metadata based on Authority, and then filling in parameters based on that, which should be fine). We are getting the following error highly intermittently. Other questions I've come up with that have this error seem to involve incorrect custom validation and are not intermittent.
Authentication Failed : Microsoft.IdentityModel.Protocols.OpenIdConnectMessage : System.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException : IDX10500 : Signature validation failed.Unable to resolve SecurityKeyIdentifier : 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
)
',
token : '{"alg":"RS256","kid":"74e0db263dbc69ac75d8bf0853a15d05e04be1a2"}.{"iss":"https://accounts.google.com","iat":1484922455,"exp":1484926055, <snip more claims>}'.
at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)in c : \ workspace \ WilsonForDotNet45Release \ src \ System.IdentityModel.Tokens.Jwt \ JwtSecurityTokenHandler.cs : line 943
at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateToken(String securityToken, TokenValidationParameters validationParameters, SecurityToken & validatedToken)in c : \ workspace \ WilsonForDotNet45Release \ src \ System.IdentityModel.Tokens.Jwt \ JwtSecurityTokenHandler.cs : line 671
at Microsoft.IdentityModel.Extensions.SecurityTokenHandlerCollectionExtensions.ValidateToken(SecurityTokenHandlerCollection tokenHandlers, String securityToken, TokenValidationParameters validationParameters, SecurityToken & validatedToken)in c : \ workspace \ WilsonForDotNet45Release \ src \ Microsoft.IdentityModel.Protocol.Extensions \ SecurityTokenHandlerCollectionExtensions.cs : line 71
at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler. < AuthenticateCoreAsync > d__1a.MoveNext()
The kid referred to is presently the 2nd of 3 keys at https://www.googleapis.com/oauth2/v3/certs.
Our Options look like this:
var options = new OpenIdConnectAuthenticationOptions
{
AuthenticationType = "Google",
Caption = "Sign in with Google",
Scope = "openid email profile",
ClientId = clientId,
Authority = "https://accounts.google.com/",
AuthenticationMode = AuthenticationMode.Passive,
RedirectUri = new Uri(baseUri, "identity/signin-google").ToString(),
Notifications = new OpenIdConnectAuthenticationNotifications()
{
AuthenticationFailed = context => HandleException(context),
RedirectToIdentityProvider = context => AddLoginHint(context),
},
SignInAsAuthenticationType = signInAsType
};
app.UseOpenIdConnectAuthentication(options);
Is this a configuration issue or some sort of transient error that needs to be dealt with (and if so how)? The end client is doing one retry (though I don't think it's waiting at all) but that doesn't seem to help.
The problem here seems to have been caused by the fact that the default ConfigurationManager caches results for 5 days, while Google rolls over their keys much more frequently (more like daily). With the default behavior of the OWIN middleware, the first request with an unrecognized key will fail, and then on the next request it will refresh the keys.
The solution is to pass in your own ConfigurationManager with a faster AutomaticRefreshInterval. Most of the settings below are as in OpenIdConnectAuthenticationMiddleware
private static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
{
var baseUri = new Uri("https://localhost:44333");
var googleAuthority = "https://accounts.google.com/";
var metadataAddress = googleAuthority + ".well-known/openid-configuration";
var httpClient = new HttpClient(new WebRequestHandler());
httpClient.Timeout = TimeSpan.FromMinutes(1);
httpClient.MaxResponseContentBufferSize = 1024 * 1024 * 10; // 10 MB
var configMgr = new ConfigurationManager<OpenIdConnectConfiguration>(metadataAddress, httpClient)
{
// Default is 5 days, while Google is updating keys daily
AutomaticRefreshInterval
=
TimeSpan
.FromHours(12)
};
var options = new OpenIdConnectAuthenticationOptions
{
AuthenticationType = "Google",
Caption = "Google",
Scope = "openid email profile",
ClientId = GoogleClientId,
Authority = googleAuthority,
ConfigurationManager = configMgr,
AuthenticationMode = AuthenticationMode.Passive,
RedirectUri =
new Uri(baseUri, "identity/signin-google").ToString(),
SignInAsAuthenticationType = signInAsType
};
app.UseOpenIdConnectAuthentication(options);
}
We need to update users claims after they log in to our website. This is caused by changes in the users licenses done by another part of our system.
However I am not able to comprehend how to update the claims without logout/login.
Rigth now this is our client setup
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
//user validation host
Authority = UrlConstants.BaseAddress,
//Client that the user is validating against
ClientId = guid,//if not convertet to Gui the compare from the server fails
RedirectUri = UrlConstants.RedirectUrl,
PostLogoutRedirectUri = UrlConstants.RedirectUrl,
ResponseType = "code id_token token",
Scope = "openid profile email roles licens umbraco_api umbracoaccess",
UseTokenLifetime = false,
SignInAsAuthenticationType = "Cookies",
Notifications = new OpenIdConnectAuthenticationNotifications
{
SecurityTokenValidated = async n =>
{
_logger.Info("ConfigureAuth", "Token valdidated");
var id = n.AuthenticationTicket.Identity;
var nid = new ClaimsIdentity(
id.AuthenticationType,
Constants.ClaimTypes.GivenName,
Constants.ClaimTypes.Role);
// get userinfo data
var uri = new Uri(n.Options.Authority + "/connect/userinfo");
var userInfoClient = new UserInfoClient(uri,n.ProtocolMessage.AccessToken);
var userInfo = await userInfoClient.GetAsync();
userInfo.Claims.ToList().ForEach(ui => nid.AddClaim(new Claim(ui.Item1, ui.Item2)));
var licens = id.FindAll(LicenseScope.Licens);
nid.AddClaims(licens);
// keep the id_token for logout
nid.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
n.AuthenticationTicket = new AuthenticationTicket(
nid,
n.AuthenticationTicket.Properties);
_logger.Info("ConfigureAuth", "AuthenticationTicket created");
},
RedirectToIdentityProvider = async n =>
{
// if signing out, add the id_token_hint
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
{
var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token").Value;
_logger.Debug("ConfigureAuth", "id_token for logout set on request");
_logger.Debug("ConfigureAuth", "Old PostLogoutRedirectUri: {0}", n.ProtocolMessage.PostLogoutRedirectUri.ToString());
n.ProtocolMessage.IdTokenHint = idTokenHint;
var urlReferrer = HttpContext.Current.Request.UrlReferrer.ToString();
if (!urlReferrer.Contains("localhost"))
{
n.ProtocolMessage.PostLogoutRedirectUri = GetRedirectUrl();
}
else
{
n.ProtocolMessage.PostLogoutRedirectUri = urlReferrer;
}
_logger.Debug("ConfigureAuth", string.Format("Setting PostLogoutRedirectUri to: {0}", n.ProtocolMessage.PostLogoutRedirectUri.ToString()));
}
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest)
{
n.ProtocolMessage.RedirectUri = GetRedirectUrl2();
n.ProtocolMessage.AcrValues = GetCurrentUmbracoId();
_logger.Debug("ConfigureAuth", string.Format("Setting RedirectUri to: {0}", n.ProtocolMessage.RedirectUri.ToString()));
}
},
}
});
We get our custom claims in SecurityTokenValidated
var licens = id.FindAll(LicenseScope.Licens);
nid.AddClaims(licens);
I do not follow how to get this without doing a login? Any help is highly appreciated.
That's a reminder that you should not put claims into tokens that might change during the lifetime of the session.
That said - you can set a new cookie at any point in time.
Reach into the OWIN authentication manager and call the SignIn method. Pass the claims identity that you want to serialize into the cookie.
e.g.
Request.GetOwinContext().Authentication.SignIn(newIdentity);
Using OAuth2.0 to authenticate user with access token however GoogleAuthorizationCodeTokenRequest return new access token but it return null for getRefreshToken token following is my code:
GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow.Builder(HTTP_TRANSPORT, JSON_FACTORY, CLIENT_ID, CLIENT_SECRET, SCOPES)
.setAccessType("offline")
.setApprovalPrompt("force").build();
String authorizeUrl =
flow.newAuthorizationUrl().setRedirectUri(CALLBACK_URI).build();
System.out.println("Paste this url in your browser: \n" + authorizeUrl + '\n');
GoogleAuthorizationCodeTokenRequest tokenRequest =
flow.newTokenRequest(dfaToken);
tokenRequest.setRedirectUri(CALLBACK_URI);
GoogleTokenResponse tokenResponse = tokenRequest.execute();
GoogleCredential credential = new GoogleCredential.Builder()
.setTransport(new NetHttpTransport())
.setJsonFactory(new JacksonFactory())
.setClientSecrets(CLIENT_ID, CLIENT_SECRET)
.build();
credential.setFromTokenResponse(tokenResponse);
System.out.println(credential.getAccessToken());
System.out.println(credential.getRefreshToken());
Is there any configuration we need to set up in our project??
Trying to make a REST call through SharePoint's SP.WebRequestInfo.
I'm getting the error "The remote server returned the following error while establishing a connection - 'Unauthorized'." trying to call https://graph.windows.net/[Client]/users?api-version=2013-11-0.
I've successfully retrieved a access token.
Can you help me out why i'm getting this error?
Here is the code i'm using:
var url = "https://graph.windows.net/xxx/users/?api-version=2013-11-08";
var context = SP.ClientContext.get_current();
var request = new SP.WebRequestInfo();
request.set_url(url);
request.set_method("GET");
request.set_headers({
"Authorization": token.token_type + " " + token.access_token,
"Content-Type": "application/json"
});
var response = SP.WebProxy.invoke(context, request);
context.executeQueryAsync(successHandler, errorHandler);
function successHandler() {
if (response.get_statusCode() == 200) {
var responseBody = JSON.parse(response.get_body());
deferred.resolve(responseBody);
} else {
var httpCode = response.get_statusCode();
var httpText = response.get_body();
deferred.reject(httpCode + ": " + httpText);
}
}
The code for retrieving the token is:
this.getToken = function (clientId, clientSecret) {
var deferred = $q.defer();
var resource = "https://graph.windows.net";
var formData = "grant_type=client_credentials&resource=" + encodeURIComponent(resource) + "&client_id=" + encodeURIComponent(clientId) + "&client_secret=" + encodeURIComponent(clientSecret);
var url = "https://login.windows.net/xxxxxx.onmicrosoft.com/oauth2/token?api-version=1.0";
var context = SP.ClientContext.get_current();
var request = new SP.WebRequestInfo();
request.set_url(url);
request.set_method("POST");
request.set_body(formData);
var response = SP.WebProxy.invoke(context, request);
context.executeQueryAsync(successHandler, errorHandler);
function successHandler() {
if (response.get_statusCode() == 200) {
var token = JSON.parse(response.get_body());
deferred.resolve(token);
} else {
var httpCode = response.get_statusCode();
var httpText = response.get_body();
deferred.reject(httpCode + ": " + httpText);
}
}
function errorHandler() {
deferred.reject(response.get_body());
}
return deferred.promise;
};
Erik, something is strange here - you are using the client credential flow from a JavaScript client - this reveals the secret issued to the client app to the user of the JS app.
The client credential flow also requires the directory admin to grant directory read permission to the client application - not sure if this was already configured - nevertheless it must only be used with a confidential client, not a public client like a JS app.
Azure AD does not yet implement the implicit_grant oauth flow using which a JS client app can acquire an access token on behalf of the user over redirect binding (in the fragment). This is a hugh-pro requirement that we're working on - stay tuned.
I am trying to connect with my shopify shop through the google javascrip. The schema for authentication should be something similar to the one you can find on google documentation for twitter. I'am trying the following code, but I always get the error:{"errors":"[API] Invalid API key or access token (unrecognized login or wrong password)"}
function getInfofromshopify() {
var handle = "01-02-0316_cmt_utensili"
var urljson ="https://mysitename.myshopify.com/admin/products.json?handle="+handle;
var oAuthConfig = UrlFetchApp.addOAuthService("shopify");
oAuthConfig.setAccessTokenUrl("https://mysitename.myshopify.com/admin/oauth/access_token");
oAuthConfig.setRequestTokenUrl("https://mysitename.myshopify.com/admin/oauth/access_token");
oAuthConfig.setAuthorizationUrl("https://mysitename.myshopify.com/admin/oauth/authorize");
oAuthConfig.setConsumerKey(API_KEY);
oAuthConfig.setConsumerSecret(Shared_secret);
var options =
{
"oAuthServiceName" : "shopify",
"oAuthUseToken" : "always"
};
var response = UrlFetchApp.fetch(urljson,options);
var responsestr = response.getContentText();
var result = Utilities.jsonParse(responsestr)
}
This worked for me:
var url = "https://<YOUR_SHOP>.myshopify.com/admin/products.json";
var username = "<YOUR_SHOPIFY_API_KEY>";
var password = "<YOUR_SHOPIFY_API_PASSWORD>";
var response = UrlFetchApp.fetch(url, {"method":"get", "headers": {"Authorization": "Basic " + Utilities.base64Encode(username + ":" + password)}});