Okay, so we are building an iPhone app to hit a Sharepoint 2013 site that is hosted on Office 365. If I were building this in C#, which I've already done, I would have the luxury of just using TokenHelper.cs to get me most of the way there. Unfortunately, as far as I know, there is no TokenHelper for Objective-C yet.
So here's the deal, we can already successfully get the OAuth authentication/authorization page to come up and we successfully get an Authorization Code back.
After this point we were stumped for a bit because we knew that we were missing the realm id in the POST for obtaining our Access and Refresh tokens. I finally figured out how TokenHelper does this and we've duplicated that. (This was an additional call to /_vti_bin/client.svc where you expect to get a 401 so that you can pull the realm id out of the header)
We now have a realm id that, from what I've read in documentation and TokenHelper and seen in Fiddler, needs to then get used in the following 2 ways: within the URL construction for the POST as well as for the resource value in the header for that POST.
So the POST url looks like this:
accounts.accesscontrol.windows.net/{realm id}/tokens/oauth/2
Our resource value looks like this:
resource=00000003-0000-0ff1-ce00-000000000000%2f{realm url}%40{realm id}
This at least connects fine and accepts our POST. Unfortunately, we are getting the following message back:
ACS50012: Authentication failed. ACS90011: The realm '' is not a configured realm of the current service namespace.
This message makes me think that there may be a configuration issue, but I really can't be sure.
Has anyone else tried performing OAuth against a 365 site yet within Objective-C and had success?
I can post code as well, but I was trying to shy away from that initially.
I recently came across the same problem and have a feeling it may be the same issue you are seeing.
The correct POST request for OAuth is as follows:
POST https://accounts.accesscontrol.windows.net/<REALM_GUID>/tokens/OAuth/2
x-www-form-urlencoded params:
grant_type:authorization_code
client_id:<CLIENT_ID>#<REALM_GUID>
client_secret:<CLIENT_SECRET>
code:<AUTH_CODE>
redirect_uri:<REDIRECT_URI>
resource:00000003-0000-0ff1-ce00-000000000000/<SHAREPOINT_AUTHORITY>#<REALM_GUID>
The major gotcha for me was that the value of the "client_id" required the realm id appended to the client id. Not including the realm id will throw an "ACS90011: The realm '' is not a configured realm of the current service namespace."
HTH
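As an added example (not code from either post), here is the realm discovery and token request described above in Python: the realm is parsed from the WWW-Authenticate header of the 401 that the question mentions, and both client_id and resource are suffixed with it. The separator defaults to '@', which is what TokenHelper uses and what the question's %40 encodes, while the answer writes '#', so the `sep` parameter exists to match whatever your tenant accepts; the header value, GUIDs, client id, secret and URLs are constructed placeholders.

```python
import re
from urllib.parse import urlencode, urlparse

ACS_HOST = "https://accounts.accesscontrol.windows.net"
# SharePoint's well-known principal id, as used in the resource value above.
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"

def realm_from_www_authenticate(header_value):
    """Pull the realm GUID out of the WWW-Authenticate header that
    /_vti_bin/client.svc returns with its 401 (the TokenHelper trick)."""
    m = re.search(r'realm="([0-9a-f-]{36})"', header_value, re.IGNORECASE)
    if not m:
        raise ValueError("WWW-Authenticate header carries no realm")
    return m.group(1)

def build_acs_token_request(realm, client_id, client_secret, code,
                            redirect_uri, site_url, sep="@"):
    """Return (url, form) for the ACS authorization-code token POST.
    Both client_id and resource carry the realm; TokenHelper joins them
    with '@' (what %40 in the question encodes), hence the default `sep`."""
    authority = urlparse(site_url).netloc  # host[:port] of the SharePoint site
    url = f"{ACS_HOST}/{realm}/tokens/OAuth/2"
    form = {
        "grant_type": "authorization_code",
        "client_id": f"{client_id}{sep}{realm}",
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "resource": f"{SHAREPOINT_PRINCIPAL}/{authority}{sep}{realm}",
    }
    return url, form

def encode_form(form):
    """application/x-www-form-urlencoded body; '@' becomes %40 on the wire."""
    return urlencode(form)

# Constructed sample header; the GUIDs are placeholders, not a real tenant's realm.
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer realm="11111111-2222-3333-4444-555555555555",'
    'client_id="00000003-0000-0ff1-ce00-000000000000",'
    'trusted_issuers="00000001-0000-0000-c000-000000000000@*"'
)

if __name__ == "__main__":
    realm = realm_from_www_authenticate(SAMPLE_WWW_AUTHENTICATE)
    url, form = build_acs_token_request(realm, "my-client-id", "my-secret", "auth-code",
                                        "https://app.example/callback",
                                        "https://contoso.sharepoint.com")
    print(url)
    print(encode_form(form))
```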
We have a basic use case to connect to a web server and get an ack back, but we are having issues with authentication.
Scenario : Feature sample
Given url <>
And header Content-Type= 'application/json;'
And header AuthScheme='KEBEROS' #hasn't helped though
When request <>
And method POST
Then status 200
Error in logs:
'You were not able to be authenticated using SPNEGO'
I have tried a few options to add VM arguments for KRB5, but it didn't seem to help.
Let me know if anyone else faced this and how you handled this in config. We are checking the option to have a custom class for HTTP, but wanted to check if any property can be defined correctly above or in config.
As long as you can figure out the right cookies and headers, you should be able to get it to work.
Also refer to this answer: https://stackoverflow.com/a/51150286/143475 - yes, it is possible you need to depend on some .NET code to get you the token, but there are various ways to do this.
Note that for the sake of testing, you could consider standing up a service only for testing in your intranet - that will give you the right "magic" header that is needed.
And note that Karate can do browser-automation, so if it means you need to perform a sign-in using a browser and get the cookies, consider that: https://github.com/intuit/karate/tree/master/karate-core
I am very new to MS Graph and Office 365 and have made good progress. I am an O365 Global Admin for my organisation (a school) and have app development experience. There is a lot of scope for using MS-Access databases in our context for "globally" managing the O365 content, e.g. contacts, distribution lists and planner tasks. We want to manage these from an on-premises MS-Access database or two, ideally with an admin person authenticating the MS Graph activity.
So, to test, I created a new db and have managed to get it to consume the following endpoint using VBA but with no user authentication for now.
https://graph.microsoft.com/v1.0/groups
However, when I try
https://graph.microsoft.com/v1.0/planner/plans/with my plan id here
I get 401 - Unauthorized: Access is denied due to invalid credentials.
So, clearly my Application registration is wrong or my authentication or both! I have spent hours searching for examples and help and because of the evolving nature of the ecosystem I am finding it pretty hard to work out what I should do now (as opposed to a year or two ago).
The authorisation that generates the access_token that works to allow me access to the groups is:
POST
https://login.microsoftonline.com/{my tenant id here}/oauth2/token
grant_type=client_credentials
client_id={my client id}
client_secret={my url encoded secret}
resource=https://graph.microsoft.com
but using that same access_token for the planner tasks throws the 401 error.
My app permissions look like this:
I presume this is because of the difference between the Application and Delegated types but have not fully grasped it all yet. And, I suspect I am using the wrong authentication flow anyway. :-(
So, my questions are:
1. Do my permissions look right?
2. Is my authentication flow correct? Should I be using these instead? ie have I been working from old information?
https://login.microsoftonline.com/{my tenant id here}/oauth2/v2.0/authorize
https://login.microsoftonline.com/{my tenant id here}/oauth2/v2.0/token
As you can tell I have become somewhat confused. If anyone can point me in the right overall direction given what I am attempting that would be so helpful.
Thanks so much,
Murray
1. Do my permissions look right?
Yeah, undoubtedly, your Azure portal permissions seem alright. You need dedicated permission for that and also need to grant admin consent, which you have done perfectly, as shown in the screenshot.
2. Is my authentication flow correct?
As you are using the Client Credentials Grant Flow, the request format seems alright. But I doubt this flow is suitable for the API you are trying to call, because this API requires dedicated permission.
3. Should I be using these instead?
Since this API needs dedicated permission, you could use the authorization code grant flow.
Follow the steps below to get your token using the Authorization Code grant flow.
Get Authorization Code:
https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/v2.0/authorize?client_id={ClientId}&response_type=code&redirect_uri={redirectURI}&response_mode=query&scope=https://graph.microsoft.com/.default
Request Token oauth2/V2.0/token with your code:
Request URL: https://login.microsoftonline.com/common/oauth2/V2.0/token Or https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/V2.0/token
Method: POST
Request Body Format
client_id:Your_Client_Id
scope:https://graph.microsoft.com/.default
redirect_uri:Your_Portal_Redirect_URI
grant_type:authorization_code
client_secret:Your_Client_Secret
code: Paste Code Here
Decode Token:
You could decode your token on https://jwt.io/ and make sure you have required permission on your azure portal.
4. Have I been working from old information?
No, the information has no issue as far as I have gone through.
Note: For further details on implementing the Authorization Code grant flow, you could take a look at the official docs.
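Added example, not from the answer or from Microsoft: a small Python inspector for the "Decode Token" step above, which shows why the client_credentials token worked for /groups but not for Planner. Azure AD issues application permissions in the 'roles' claim and delegated permissions in 'scp'; the sample claims, app ids and scope names are constructed placeholders, the signature is not verified (inspection only, like jwt.io), and which scope Planner needs is left to the caller.

```python
import base64
import json

def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    """base64url-encode a JSON object without padding (JWT segment form)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def decode_jwt_payload(token):
    """Return the claims of a compact JWT WITHOUT checking the signature.
    Inspection only (what jwt.io shows); accepting a token is the resource
    server's job via signature/issuer/audience validation, not this code's."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def permission_kind(claims):
    """Azure AD puts application permissions in 'roles' and delegated
    permissions in 'scp'. A client_credentials token never has 'scp',
    which is why it can reach /groups yet get a 401 from Planner."""
    if "scp" in claims:
        return "delegated", claims["scp"].split()
    if "roles" in claims:
        return "application", list(claims["roles"])
    return "none", []

def has_delegated_scope(claims, required):
    """True only for a delegated token carrying at least one of `required`."""
    kind, perms = permission_kind(claims)
    return kind == "delegated" and any(p in perms for p in required)

def sample_token(claims):
    """Constructed sample for the demo: real tokens are signed by the issuer;
    the dummy signature here is never checked by this code."""
    return f"{_b64url_encode({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url_encode(claims)}.dummy"

# Constructed claims mirroring the two flows in the question (ids are placeholders).
APP_ONLY_CLAIMS = {"aud": "https://graph.microsoft.com", "appid": "my-app-id", "roles": ["Group.Read.All"]}
DELEGATED_CLAIMS = {"aud": "https://graph.microsoft.com", "appid": "my-app-id", "scp": "Group.Read.All User.Read"}

if __name__ == "__main__":
    for claims in (APP_ONLY_CLAIMS, DELEGATED_CLAIMS):
        print(permission_kind(decode_jwt_payload(sample_token(claims))))
```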
So this type of error is being reported on a lot of community boards over the course of the last year with no acceptable answer we could find. We have just started our journey integrating with Google Home and created a Home Automation Action and we are getting a similar error …
{
insertId: "10wvnj2fyb1thy"
logName: "projects/bitdog-home-f69bd/logs/actions.googleapis.com%2Factions"
receiveTimestamp: "2018-12-06T13:28:13.939975519Z"
resource: {
labels: {
action_id: "SMART_HOME_SYNC"
project_id: "bitdog-home-f69bd"
version_id: ""
}
type: "assistant_action"
}
severity: "ERROR"
textPayload: "SYNC: Request ID 742344561631232315 failed with code: OPEN_AUTH_FAILURE"
timestamp: "2018-12-06T13:28:13.931998358Z"
}
This shows on Google Home app as "Couldn't update the setting, check your connection"
The OAuth service logs show a successful account linking and a successful refresh_token request. Google does not attempt a SYNC call to the Action handler from what we can tell.
We have other systems using the OAuth server and they are working well and we are little lost on how to proceed to debug this issue. We created a support ticket today but I don't feel confident that we will get meaningful help.
We have also tried using the Google Home app on Android and iOS. We have tried changing the default browser from Chrome to Firefox. Nothing has changed the outcome. We also made sure that our access_token was in JWT format to see if google was sensitive to token size or format and nothing worked. We even made sure that the Google Home app user matched the user logged into the browser.
Help!
I did get it working. It was already working with an Amazon Echo Skill but it seems that Google's implementation (OpenAuth) is a bit more strict. I changed my access_token from a proprietary encrypted token format to a legit signed JWT token. I also removed expires_in from the response and it started working, not sure if it was the access_token JWT token format or removal of expires_in. I'm happy I can move on. If I get a chance, I will test to see which change made it work and comment here again.
Thank you.
To anyone with this problem:
I had to take multiple steps to resolve this issue, which are not clearly outlined in any documentation.
As per Google support:
Please adjust your account linking implementation from implicit to auth code flow then perform test again.
On the documentation for OAuth account linking, it says there are two methods of authentication: implicit and auth code. Apparently, only the auth code flow works for smart home.
I am using the Actions on Google Node.js library. While poking through the documentation, I found that:
[The SYNC request fulfillment] should return a valid response or a Promise that resolves to valid response.
The problem is that I was doing a database operation (which took time), so I couldn't simply return a value when it was ready; I had to return a Promise instead, then fulfill that promise later.
Hopefully this is helpful to anyone stuck on this recurring issue! Basically, check your auth flow and make sure SYNC is returning a valid JS object on time.
I was facing the same issue for the last 2 weeks and was wondering, when I saw it, that it is a 3-step problem:
Check your SYNC intent is properly parsed
Incorrect Response Structure (Verify here-Smart Home SYNC Data Validator)
Device Response time-out should be less than 5 sec.
You can check Link
My problem started when I connected my Sonoff Bridge.
So I got it working by removing my 'Sonoff Bridge' and connecting it to Google Home. (All my lights are now working.) Added the Bridge again to Sonoff and am using IFTTT to connect to my Bridge.
The last couple of days I implemented the autodiscovery/auth flow for UCWA against Skype for Business Online and AzureAD. When I'm done and have the URL to the application directory (+ the OAuth2 credentials), I save those into our internal system. So later on I want to create online meetings with this data. The URL to the applications directory looks like this: https://webpoolam42e10.infra.lync.com/ucwa/oauth/v1/applications/101331226048/onlineMeetings/myOnlineMeetings
If I do this within the first minutes of retrieving the data it works just fine. But later on it seems, that the application directory is gone. I'm getting this response:
body":"{\"code\":\"NotFound\",\"
subcode\":\"ApplicationNotFound\",\"message\":\"An error occurred. Please retry. If the problem persists, contact your support team.\"}
Status Code is 404.
Later on I even tend to get 401 errors, which mean unauthorized.
I suspect the application server going away and only being temporarily available. I've got a refresh token and a valid access token, so this won't be a problem. I've got no clue what is going on there and wasn't able to find help in the docs. So maybe one of you has any advice - I'd be really thankful!
Side-Info:
I'm doing all this in PHP and I only have user-interaction at the initial authentication. I save the refresh token and all other things I need, so that my server-side application can use the authorization in long term.
Reporting here part of my reply to another question:
Keeping a UCWA App always online:
If you need to achieve that, you need to understand and correctly implement the concepts explained in the Me Dashboard documentation, especially in the Reporting activity section:
call reportMyActivity every 4 minutes max.
maintain an active P-GET with the Events Channel
handle possible timeouts on the Events Channel
handle possible DELETE events (on the Events Channel) that the server can send for the application, after which you'll have to regenerate your app (see Application dashboard)
Reporting the app's activity and keeping a valid open P-GET on the Events Channel are both very important!
I'm implementing the Socrata API to be able to parse publicly-available data from the City of Chicago open data set. I am really just concerned about the data itself, so I did not initially think that I would need to implement OAuth2 through an app exposed via ngrok to be able to GET the data.
My initial attempt was to take the GET requests mentioned in their documentation and try to get responses through Postman.
Here's an example of such an attempt:
I also added my Socrata App Token as a param in the querystring, but the same message was shown.
So I tell myself, ok, maybe they deprecated GET requests without making the client go through OAuth2. If they didn't deprecate these GET requests, I would prefer not to have to deal with OAuth2, but I began implementing the authentication process and everything went successfully until I got to the following instructions found here:
I have every single value that needs to be included in that POST request except for 'authorization_type'. Where does this come from? I tried leaving 'authorization_type' in as a string, but received a response similar to the 'Invalid username or password' message in the top image in this question.
Are you only accessing public datasets from Chicago's data portal? From your screenshot it looks like you're trying to access the Building Permits dataset, which is public.
Authentication is only required for modifying datasets or accessing private data, so chances are very good you don't even need to authenticate. Just include an application token with your request for throttling purposes.
Glad to help you figure out your OAuth workflow, but it sounds like it might be unnecessary.