I'm trying to use the Microsoft Graph API to write calendar events within my company.
First of all let me give you a little bit of context.
I'm building a node API that uses Microsoft Graph to write calendar events, so I configured my application inside the Azure Active Directory with the following application permission
I granted administrator consent as you can see from the picture.
I was also able to get the access token using msal-node
const graphToken = async () => {
const azureConfig = {
auth: {
clientId: process.env.CLIENT_ID,
authority: `https://login.microsoftonline.com/${process.env.TENANT_ID}`,
clientSecret: process.env.CLIENT_SECRET,
},
}
const tokenRequest = {
scopes: [process.env.GRAPH_ENDPOINT + '/.default'],
}
const cca = new msal.ConfidentialClientApplication(azureConfig)
const authRespose = await cca.acquireTokenByClientCredential(tokenRequest)
if (authRespose) {
return authRespose.accessToken
}
return null
}
The only thing that sounds me a little odd, is the scope set to [process.env.GRAPH_ENDPOINT + '/.default'] I tried to change it ex. [process.env.GRAPH_ENDPOINT + '/Calendar.ReadWrite'] but it fires an excepion.
The next thing I'm able to do is retrive all calendars a user have right to write to, using the following Graph endpoint:
https://graph.microsoft.com/v1.0/users/user#example.com/calendars
Now the issue, when I try to do a POST request to write a calendar event for example
POST https://graph.microsoft.com/v1.0/users/{userId}/calendars/{calendarId}/events
{
"subject": "Test",
"body": {
"contentType": "HTML",
"content": "Test"
},
"start": {
"dateTime": "2022-11-09T16:00:00",
"timeZone": "Europe/Rome"
},
"end": {
"dateTime": "2022-11-09T17:00:00",
"timeZone": "Europe/Rome"
}
}
Note that calendarId is one of the id's from the previous call
(Not the default calendar of userId)
I got a 403 Forbidden with the following response
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again."
}
}
I also decoded my token to see if I get some info on the root cause of the 403 error, I found this:
...
"roles": [
"Calendars.Read",
"User.Read.All",
"Calendars.ReadWrite"
],
...
It seems correct to me.
I don't get if it is a scope issue, an authentication issue or something I'm missing, can someone pinpoint me in the right direction?
Thanks in advance
Basically it was my fault.
I messed up with calendar permissions and my test user had a reviewer permission instead of an author one on the calendar I had to write to
once I was able to identify this issue and change the permission the call response was what expected.
I leave this answer as a reference for anyone that encounter this issue
Thanks anyway
Related
I am new to development in teams and botkit. There is a bot that is up and running on Teams.
I want to share a file generated by the bot to the user(send a file from bot to the user) on teams. I have read the Microsoft-teams document. According to which first step is to send a Message requesting permission to upload which I am able to complete successfully. Below is the code, I have used to show the card to the user to ask for permission.
controller.hears('download', ['message_received', 'direct_message', 'direct_mention'], function (bot, message) {
var reply = { text:"" ,attachments: [] }
var ticketObj = {
"contentType": "application/vnd.microsoft.teams.card.file.consent",
"name": "result.txt",
"content": {
"description": "Text recognized from image",
"sizeInBytes": 4348,
"acceptContext": {
"resultId": "1a1e318d-8496-471b-9612-720ee4b1b592"
},
"declineContext": {
"resultId": "1a1e318d-8496-471b-9612-720ee4b1b592"
}
}
}
reply.attachments.push(ticketObj)
bot.reply(message, reply)
})
According to the Microsoft-teams document, when the user will click on accept button, the bot will receive an Invoke activity with a location URL.
But, when I click on the accept, nothing goes to my bot. It shows the error message: "This card action is not supported".
How to provide support for this card action?
Adding answer from comment section for more visibility:
Issue is resolved now. The issue was of uploading the manifest.json.
To send and receive files in the bot, set the supportsFiles property
in the manifest to true. This property is described in the bots
section of the Manifest reference.
The definition looks like this, "supportsFiles": true. If the bot does
not enable supportsFiles, the features listed in this section do not
work.
https://learn.microsoft.com/en-us/microsoftteams/platform/bots/how-to/bots-filesv4#configure-the-bot-to-support-files
Sample Link:
https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/javascript_nodejs/56.teams-file-upload
I am working on a Microsoft Graph API app where i want to delete email messages from the inbox.
I do that by first getting the emails, putting the id from each email in an array and for each id in that array making a delete request to remove it from the inbox.
When I try and run my code i get the error
Error: Server responded to *request link* with status code 403:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "*request id*",
"date": "2020-06-03T09:12:06"
}
}
}
When making the delete request I pass in the same Access Token that i use to make the get request for getting the email data.
Here is my code:
// This is only the code for the delete request, passing the Access Token works aswell as passing the IDList array. It loops trough all the id's and tries to make a request. But the request fails
removeEmail(IDList, AccessToken);
function removeEmail(idList, accessToken) {
idList.forEach(ID => {
var deleteEmails = request('DELETE', `https://graph.microsoft.com/v1.0/me/messages/${ID}`, {
headers: {
'Authorization': `Bearer ${accessToken}`
}
});
deletedEmails = JSON.parse(deleteEmails.getBody('utf8'));
console.log(deleteEmails);
});
}
How can this be fixed so that it removes the messages from the inbox without any problems?
Thanks in advance!
What permissions have you added to your Microsoft Graph API app?
Deleting an email requires Mail.ReadWrite - https://learn.microsoft.com/en-us/graph/api/message-delete?view=graph-rest-1.0&tabs=http
On the other hand, getting a list of messages works with the following permissions - Mail.ReadBasic, Mail.Read, Mail.ReadWrite - https://learn.microsoft.com/en-us/graph/api/user-list-messages?view=graph-rest-1.0&tabs=http#permissions
To be able to both read and delete email messages, you need Mail.ReadWrite added to your app.
I have two image files uploaded to firebase storage:
capsule house.jpg was uploaded through the UI (clicking the Upload file button).
upload_64e8fd... was uploading from my backend server (node.js) using this:
const bucket = fbAdmin.storage().bucket('gs://assertivesolutions2.appspot.com');
const result = await bucket.upload(files.image.path);
capsule house.jps is recognized as a jpeg and a link to it is supplied in the right hand margin. If I click on it, I see my image in a new tab. You can see for yourself:
https://firebasestorage.googleapis.com/v0/b/assertivesolutions2.appspot.com/o/capsule%20house.jpg?alt=media&token=f5e0ccc4-7916-4245-b813-dbdf1838556f
upload_64e8fd... is not recognized as any kind of image file and no link it provided.
The result returned on the backend is a huge json object with the following fields:
"selfLink": "https://www.googleapis.com/storage/v1/b/assertivesolutions2.appspot.com/o/upload_64e8fd09f787acfe2728ae73158e20ab"
"mediaLink": "https://storage.googleapis.com/download/storage/v1/b/assertivesolutions2.appspot.com/o/upload_64e8fd09f787acfe2728ae73158e20ab?generation=1590547279565389&alt=media"
The first one sends me to a page that says this:
{
"error": {
"code": 401,
"message": "Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object.",
"errors": [
{
"message": "Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object.",
"domain": "global",
"reason": "required",
"locationType": "header",
"location": "Authorization"
}
]
}
}
The second one gives me something similar:
Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object.
The rules for my storage bucket are as follows:
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if true;
}
}
}
I'm allowing all reads and writes.
So why does it say I don't have access to see my image when it's uploaded through my backend server?
I'd also like to know why it doesn't recognize it as a jpeg when it's uploaded through my backend server, but it does when uploaded through the UI, but I'd like to focus on the access issue for this question.
Thanks.
By default, the files are uploaded as private, unless you change your bucket settings, as mentioned here. The below code is an example of how to change the visibility of your documents.
/**
* {#inheritdoc}
*/
public function setVisibility($path, $visibility)
{
$object = $this->getObject($path);
if ($visibility === AdapterInterface::VISIBILITY_PRIVATE) {
$object->acl()->delete('allUsers');
} elseif ($visibility === AdapterInterface::VISIBILITY_PUBLIC) {
$object->acl()->add('allUsers', Acl::ROLE_READER);
}
$normalised = $this->normaliseObject($object);
$normalised['visibility'] = $visibility;
return $normalised;
}
You can check how to set that via console, following the tutorial in the official documentation: Making data public
Besides that, as indicated in the comment by #FrankvanPuffelen, you won't have a generated URL for the file to be accessed. You can find more information about it here.
Let me know if the information helped you!
The other answer helped me! I have no idea why the Console had me make those security rules if they won't apply...
Based on nodejs docs (and probably other languages) there is a simple way to make the file public during upload:
const result = await bucket.upload(files.image.path, {public: true});
This same option works for bucket.file().save() and similar APIs.
The requirement:
I have to develop the following feature: user clicks a button on my site and then a Google's dialog is popping-up asking for permissions on his calendar for my application. If the user accepts that - my server application (let's say NodeJS) should be able to read his events any time (not only for 30 days).
Here is what I've tried:
I was following these tutorials (both NodeJS and Browser) https://developers.google.com/calendar/quickstart/nodejs
NodeJS tutorial gives me permissions on my account (while I need the users to give permissions on their accounts).
Browser tutorial pop-ups the dialog and asks for permissions. If user accepts the request, then it ends up with permission on the calendar only for 1 hour (so even if I can use the token from my server it doesn't solve the problem). To check it just try to print the Promise's result from handleAuthClick by modifying it a bit
gapi.auth2.getAuthInstance().signIn().then(res => {console.log(res)});
Look at the expires_in (or expires_at) in the printed result:
{
"El": "117770076845340691060",
"Zi": {
"token_type": "Bearer",
"access_token": "ya29.Glb...zr8Yx",
"scope": "https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/userinfo.email openid email profile",
"login_hint": "AJDLj...WlQ",
"expires_in": 3600,
"id_token": "eyJhvGciO...sHxw6HcA",
"session_state": {
"extraQueryParams": {
"authuser": "1"
}
},
"first_issued_at": 1528384733411,
"expires_at": 1528388333411,
"idpId": "google"
},
"w3": {
"Eea": "117770076845340691060",
"ig": "Bryan Gray",
"ofa": "Bryan",
"wea": "Gray",
"Paa": "https://lh3.googleusercontent.com/-zQ8KN1XZtJI/AAAAAAAAAAI/AAAAAAAAAAA/AB...e/s96-c/photo.jpg",
"U3": "alex#khealth.ai"
}
}
Access tokens are only usable for an hour you need a refresh token which will allow you to request a new access token when ever you need one. To do that you need to request offline access.
gapi.signin2.render('glogin', {
'class': 'g-signin',
redirect_uri: 'postmessage',
onsuccess: signInCallback,
cookiepolicy: 'single_host_origin',
accesstype: 'offline',
theme: 'dark'
});
Code from this sample Google oauth2
My Push notification code for toast notification is not running when run through scheduler in azure. my code is
function EWSReminder() {
push.wns.sendToastText01("https://sin.notify.windows.com/? token=Ysdfdhjkdjksj%2fAScjFHiwrUbS6y%2bvumj9sKUqhklsdfjgfdslcvl;dklslkskdlsdl;9XD58CMJebd04EknQY0Hgaxed6%uirutiuritubW%2fRcpdvapAYlMcnWLE360%3d", {
text1: "Sample toast from sample insert"
}, {
success: function(pushResponse) {
console.log("Sent push:", pushResponse);
}
);
}
I get this error
Error in script '/scheduler/EWSReminder.js'. Error: The options.client_id and options.client_secret must be specified as strings or the WNS_CLIENT_ID and WNS_CLIENT_ID environment variables must be set.
[external code]
at EWSReminder (</scheduler/EWSReminder.js>:2:16)
at </scheduler/EWSReminder.js>:1:13
[external code]
I can't figure out what the problem is pls help. I have applied code of all the microsoft samples available all have the same code, but none is working for me.
You need to set Client Secret and Package SID in Azure Portal (Push tab in your Mobile Service). These credentials can be obtained through Windows Store Developer Portal.
Even I too have the same issue and I have put the values in the portal which I took from the Windows Store Developer Portal.
The below code works for me but the above code doesn't as shown by Yesh.
var pushWNS = require('wns');
pushWNS.sendToastText01(uri, { text1: Name }, { client_id: 'xxx', client_secret: 'xxx' },
function (error, response)
{
if (!error)
{
// success code
}
else
{
// error handling
}
});
and also I wanted to know the difference between both the codes mentioned by me and Yesh