I am developing a web application for Office 365 for business. I authorize it with my admin account. So I have access token for calling REST APIs on behalf of admin user.
Is there a way to call APIs on behalf of another user inside my organization?
Or is there any other way to get the list of another user's files in OneDrive?
You need to get the app only token to access data belonging to other users.
Please follow the steps here to register the app and then follow these to get the required token
Related
We have a problem consenting permissions and obtaining access tokens to call MSGraph API. Our product is like follows:
We have an API that works with MSGraph. Until now, we have been using Aplication permissions to access resources as mail and calendar.
We would like to start using Task To-Do API and it only supports Delegated permissions.
Our API works with multiple tenant and multiple users in each tenant.
We use admin consent to give all necesary permissions and generate a token aftewards to make requests to MSGraph (Aplication permissions endpoints). With these new changes, is there a way to generate a token valid for To-Do API directly from an administrator, or is mandatory that each user signs in to create a personal auth token valid for this API? We would like to avoid the proccess of user sign in as our API is meant to work behind another application we do not develop after administrator has given consent.
Thank you in advance
In your case, you are using client credentials flow and with that you can not have signed in user or delegated permissions as MS Graph Todo APIs only support delegated permissions.
For you to use the To-Do Graph APIs, you have to can incorporate user signin. If this not possible in your scenario, then you can upvote this feature request - Allow Graph API calls to work with both todo tasks and plannerTasks using application permissions
I'm planning on building a G suite integration with my existing SaaS site.
I want Gsuite admins to allow access for their organisation. So I only want "domain install" possible.
After this has been done users can be imported from Google into our application. Users should be able to use SSO to login but I don't want each user having to pass the consent screen.
I also want the app to have readonly access to the calendar of the user.
What is confusing for me: do I need to create a regular web app integration or a Service account integration? I don't really need offline access but I want to avoid all users having to grant access individually.
Here it says: The user sees the OAuth Consent screen only once; if you’re using a service account to allow a domain admin accept terms on behalf of the domain users, then the end users must never see the OAuth consent screen.
So does that mean only service accounts allow this?
Yes, using a service account you can install and authorize one app for all your domain user impersonating the admin account. In such a way, your users won't have to authorize the app individually.
You will have to enable domain wide delegation in order to impersonate the admin account when using a service account.
Reference
Service Account
Is there any way of authenticating a user via the Office 365 REST API, without registering an application first?
For example, the documentation of Microsoft Graph has numerous authentication scenarios, including how an application can
Get access on behalf of a user
but there is no such scenario for a user calling the REST API with some credentials (e.g., username and password) and gets authentication tokens as a response, so that they can subsequently use the rich functionality provided.
The Azure Active Directory Authentication Libraries (ADAL) provide user-level authentication functionality, but they do not expose the REST API.
There is no way to call the Microsoft Graph without registering an app first. All calls to the graph are authenticated using a OAuth2 flow (of which there are several) and all require an app to be registered.
For your question, I think we can use background daemons or services to get authorize the user.We can use the following steps:
Get access without a user.
We can refer to this document to learning more information.
2.Authorize the user
When we get the user's profile by using the access token in the step one, then we can authorize him by checking him is exist in our system.
I want to pull periodic reports via Google Seller API. Is there a way, to login into Seller account without having to go via regular OAuth redirection ?
It would make no sense to try to use a service account to access AdEx, which is owned by a user account. You need to obtain a refresh token for the user account, store it somewhere, then use it to obtain an access token whenever you need to access the API. This answer gives the steps to follow How do I authorise an app (web or installed) without user intervention? (canonical ?)
So I am creating an application for my google apps domain. It will have its very own google apps account associated with it, from which it can store/retrieve/manipulate data.
The application should use this google account alone and the user should have no indication that it is using a google account. Is there a way to programmatically authenticate my entire application and not prompt the user authenticate/authorize?
I think you are looking for two legged OAUTH.
You can generate a OAUTH token and secret in the control panel of Google Apps and assign the authorized scopes to this token/secret pair. For instance, you can authorize access to the calendar of all users in your Google Apps domain using the token/secret.
You can then programmatically access the calendars of all users.
Because this token/secret is authorized by the Google Apps domain administrator, individual users do not need to grant access anymore. That is why this is called two legged Oauth, whereas three legged Oauth requires user interaction to obtain a token/secret for an individual user.
This question on SO might interest you too.