I have a web application and I want to give the ability for the user to connect his Outlook account with my web application.
Which will give the ability to create a meeting in his calendar once he adds it in the system.
I've create an Azure AD application, the user can login and generate an access token which I can create the meeting using Graph API.
and refresh token isn't working from backend service.
But my problem is that I need a permanent token so the user doesn't have to login again,
same as the outlook calendar app in slack.
Is there a specific configuration that I need to make this happen?
Thanks
Related
I want to develop a custom ASP.NET Web API which can be used to send out emails as a user using the Microsoft Graph API. I think this will be a Multi-tenant application. Below are few ideas I have and some questions:
I have a working ASP.NET MVC web application where different users can login using their unique credentials provided by us.
I have an "Email Setup" section in my web app. Every user will navigate to this section one-time and be redirected to the "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={{client_id}}&response_type=code&redirect_uri={{redirect_uri}}&response_mode=query&scope=offline_access%20user.read%20mail.read&state=12345"
On the consent screen user will sign in using their Microsoft Office 365 credentials and provide consent to my app.
On providing consent, user will be redirected back to my web app and I will get Access token for the code returned and store the access token in a SQL database.
User navigates to a page to send email, fills in the To, Subject, Body, Attachments etc. and clicks on the "Send" button.
On send button, my ASP.NET web app will call our custom Web API to send the email. The API will have an endpoint that knows the user and will get appropriate access token from the SQL database to send email on that user's behalf.
Questions:
Do I need to register an Azure App with type "Multi-tenant" since I want to support users from different tenants?
What kind of scopes/permissions will be required in order to "Send Email" as the user?
Do I need Delegated/Application permissions on the Azure side?
How can I ensure that the email that is sent, also gets saved to that user's "Sent Items" folder on Outlook?
According to the sending email graph api, we can see it provides the Application api permission, that means you can create an azure ad application and assign the Mail.Send permission to this api and using client credential flow to generate access token to call this api, so it's not necessary to creating a multi-tenant azure ad application via this way.
And certainly, if you insist on auth code flow to generate access token to using delegate permission to call the api, you should creating a multi-tenant application so that users from different tenant can generate access token through this azure ad application.
I can login to Outlook 365 in my web with MS Graph without user action. I'm using simple-oauth2 module and oauth2.ownerPassword.getToken method to generate tokens with username/password from my database.
I'd like embed Outlook.com in my web for each user (with their credentials).
Is there any way to do this?
Why would you do that?
If your application already lets the user login with Azure Ad account, you could use the on-behalf-of flow. Then your web application can request a token for another resource by sending the access token of the user for the current application.
If they aren’t logged in to Azure ad already you could have a look at the client credentials flow. Then your application will just get a token with access to all mailboxes.
I want to send emails using Microsoft Graphs API from a backend service developed in node.js, that has no interactions with the user.
If I understand it correctly from this paragraph, if I use the Get access without user procedure, the administrator will have to give me some rights and then I will have those rights on every user account in the organization. This is not my goal, I only want to have those rights for one specific account, for which I have the login and password.
Is there a way to log in with an office365 account without user interaction?
Thanks :)
No. You need to have the user authenticate in order to obtain the initial access token and refresh token (to refresh your permission to access the account).
I am creating a Node JS (Express) web app that will display a user's Google Calendar events, once they have logged in.
There will be multiple users, with data such as name and email address stored in a database.
Once a user has logged in, how can I retrieve a user's Google Calendar events associated to them without requiring any additional user input?
I have implemented Google's quick start sample here https://developers.google.com/google-apps/calendar/quickstart/nodejs
However this provides only access to a single authenticated user (authenticated via a terminal authentication process), with no opportunity to request a calendar of another user.
-
Question
How can I authenticate multiple users via a signup page (rather than using the nodeJS terminal) and access these google calendar events later via the data stored in a database? (Server side, with no interaction required )
Thanks
You can try to use Domain Wide Delegation in the Service Account. It is stated here that:
If you have a Google Apps domain—if you use Google Apps for Work, for
example—an administrator of the Google Apps domain can authorize an
application to access user data on behalf of users in the Google Apps
domain. For example, an application that uses the Google Calendar API
to add events to the calendars of all users in a Google Apps domain
would use a service account to access the Google Calendar API on
behalf of users. Authorizing a service account to access data on
behalf of users in a domain is sometimes referred to as "delegating
domain-wide authority" to a service account.
Just remember that you need a service account here to enable the domain wide authority. For more information, just read this link. It also discussed here on how to create service account.
I've developed a feature on my web-site that allow to log-in using Azure.
So users in my web-site can sign-in using:
Azure (OAuth2). We're using a multi-tenant app. We're just using the application to log in users. So we don't really use the Access-Token to make requests. We just use the access-token to obtain the user email (decoding it with JWT).
Their own email-password they can set on my site.
This creates a problem:
Imagine an person that starts working in a company. The IT team give him an email that belongs to their azure account (with their account domain). This team also have an account on my site (configured with the same domains they use on Azure). So this user will try to log in my site using his credentials. We'll create his profile on their company account (due to the email domain). He sets his password. Sometimes he use Azure to log-in and sometimes he use his email-password to log-in.
The next month and, this person get fired. The IT team delete him from Azure. Although, the IT team forget about deleting him also on my site. So this user has permissions to sign-in with his email-password credentials and still be able to see private information (he can even delete private files).
I would like to know if there is a way to sync my app with every Directory that is using it. So I would be able to receive user action notifications (like user deletions). It would be great to receive a call to an endpoint with information about users important actions. This way we'll be able to delete the user also from our platform. So the company can forget about deleting an user on my site without having the stolen-information problem.
PS: I've seen you have a logout sync using SAML, but I wonder if we would be able to receive other kind of notifications, because we don't want to log-out the user when this logs-out from Azure.
If you have permission from the ex-user tenant administrator to access their directory, you can check if the user is listed or not by using Microsoft Graph API
I've been talking with microsoft support and there is no way of having microsoft calling our endpoint to receive some notifications.
So the only solution is ask for admin permission or, having the refresh_token from Oauth2, check the user still appears on Graph (https://graph.microsoft.com/v1.0/me).