How to config Azure AD app for email automation - python-3.x

I am using the below script for sending email using azure AD portal app but getting 403 response error. could someone please help to config azure AD app registered in the portal or any changes in below code to send email automatically.
I have added the below API Permissions at Azure AD App and Redirect URI also to my account.
https://login.microsoftonline.com/common/oauth2/nativeclient
IMAP.AccessAsUser.All, Mail.Read, Mail.Read, Mail.Read.Shared, Mail.ReadBasic, Mail.ReadBasic, Mail.ReadBasic.All, Mail.ReadWrite,
Mail.ReadWrite, Mail.ReadWrite.Shared, Mail.Send, Mail.Send, Mail.Send.Shared, MailboxSettings.Read, MailboxSettings.ReadWrite, Offline_access, POP.AccessAsUser.All, SMTP.Send
User.Read
Is the app with the admin consent able to access all the mailboxes in the organization or we can restrict the access to a particular mailbox (if we can do so, could you please explain how).
import requests
def ebiw_check() -> None:
"""
Checks EBIW Application access.
Returns: None
"""
try:
data = {
'tenant': 'tenant_id',
'client_id': 'client_id',
'client_secret': 'secret_id',
'grant_type': 'client_credentials',
'scope': 'https://graph.microsoft.com/.default'}
# url to fetch the microsoft token
#url = 'https://login.microsoftonline.com/tenant_id/oauth2/v2.0/authorize'
url = "https://login.microsoftonline.com/tenant_id/oauth2/v2.0/token"
response = requests.post(url, headers=data, data=data, timeout=60).json()
print("Token fetched Successfully")
url = 'https://graph.microsoft.com/v1.0/users/sender_mail_id/sendmail'
body = {
"message": {
"subject": "Meet for meeting?",
"body": {
"contentType": "Text",
"content": "The new cafeteria is open."
},
"toRecipients": [
{
"emailAddress": {
"address": "reciver_email_id"
}
}
],
},
"saveToSentItems": "true"
}
header = {
"Authorization": "Bearer " + response["access_token"],
'Content-Type':"application/json"
}
import json
# read mail
#res = requests.get('https://graph.microsoft.com/v1.0/users/email_id/messages', headers=header)
# send mail
import urllib3
urllib3.disable_warnings()
response = requests.post(url, data=json.dumps(body), timeout=20, headers=header, verify=False)
print(response)
except Exception as e:
print(e)
ebiw_check()```

I tried to reproduce the same in my environment and got the same error as below:
Please Note: while using client credentials grant type you need to grant Application permissions and make sure to grant admin consent for the added permissions.
And I have added application permission and granted admin consent.
After granting the Application permissions I got result successfully, and returns 202 Accepted as response code.
Reference: user: sendMail - Microsoft Graph v1.0 | Microsoft Docs

Related

Microsoft OAuth 2.0 Authentication Failure - token_url Bad Request Error

I want to ensure that my OAuth 2.0 authentication credentials. So, I have client_id, client_secret, tenant_id, scope, token_url and auth_url. I am using third party app in order to send a email but, I get error in OAuth 2.0 part as Bad Request Error for token_url.
In this case, when grant_type='client_credentials', how can I fix token_url domains or subdomains?
-> token_url like that https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
If you are dominate the this subject, Could you please mention about OAuth 2.0 process?
I tried to changed grant_type parameter as client_credentials. Default was 'refresh_token'.
In this case, it returned like that error:
(530, b'5.7.57 Client not authenticated to send mail. Error: 535 5.7.3 Authentication unsuccessful [ZR2P278CA0041.CHEP278.PROD.OUTLOOK.COM 2023-02-14T08:10:26.343Z 08DB0DEF6EA5D39B]', 'myemail#myemail.com')
2023-02-14 11:10:26,378 INFO [decorators] [send_email] StatusMessage: An error occurred while sending the email: (530, b'5.7.57 Client not authenticated to send mail. Error: 535 5.7.3 Authentication unsuccessful [ZR2P278CA0041.CHEP278.PROD.OUTLOOK.COM 2023-02-14T08:10:26.343Z 08DB0DEF6EA5D39B]', 'myemail#myemail.com')
2023-02-14 11:10:26,379 INFO [decorators] [send_email] StatusMessage: Done with sending email...
So, what is the main problem in this case?
Thank you for your attention,
I tried to reproduce the same in my environment and got the results as below: 
I created an Azure AD Application and granted admin consent to Mail.Send API permission:
  
Based on your requirement you can make use of Client Credential Flow or Authorization Code Flow.
If you want user interaction then make use of Authorization Code Flow.
If you want to send mail as Application then make use of Client Credential Flow. 
I generated the access token via Client Credential Flow by using parameters like below:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default
grant_type:client_credentials
 
 To send the mail, I used below query:
https://graph.microsoft.com/v1.0/users/FromAddress/sendMail 
{
"message": {
"subject": "Test mail",
"body": {
"contentType": "Text",
"content": "Test"
},
"toRecipients": [
{
"emailAddress": {
"address": "****"
}
}
],
"ccRecipients": [
{
"emailAddress": {
"address": "****"
}
}
]
},
"saveToSentItems": "false"
}
 
 Reference: 
user: sendMail - Microsoft Graph v1.0 | Microsoft Learn

How to resolve Invalid Audience when I trye to verify if a user exists in Azure Active Directory?

Reading the documentation of Microsoft Graph, I found an example to connect to the Azure Active Directory and verify if a previously registered user exists.
The problem is that the example throws this error when I try to do the request:
Graph service exception Error code: InvalidAuthenticationToken
Error message: Access token validation failure. Invalid audience.
My code is practically the same as the documentation shows how to do it. This is the code:
List<String> scopes = new ArrayList<String>();
String clientId = "XXXXXXX";
String clientSecret = "YYYYYYYY";
String tenantId = "ZZZZZZZZZ";
String permissions = "api://" + clientId + "/.default";
scopes.add(permissions);
final ClientSecretCredential clientSecretCredential = new ClientSecretCredentialBuilder()
.clientId(clientId)
.clientSecret(clientSecret)
.tenantId(tenantId)
.build();
final TokenCredentialAuthProvider tokenCredentialAuthProvider =
new TokenCredentialAuthProvider(scopes, clientSecretCredential);
final GraphServiceClient graphClient =
GraphServiceClient
.builder()
.authenticationProvider(tokenCredentialAuthProvider)
.buildClient();
User resultUser = null;
try {
UserCollectionPage ucp = graphClient.users().buildRequest().filter(
"startsWith(mail,'" + email + "')").get();
List<User> result = ucp.getCurrentPage();
User u = result.get(0);
return new ResponseEntity<>(resultUser, HttpStatus.OK);
}
catch (IndexOutOfBoundsException e) {}
The connection to the Azure Active Directory looks fine, because it shows SUCCESS after login connection with the credentials:
2021-12-16 21:38:10.994 INFO 28072 --- [onPool-worker-1]
c.azure.identity.ClientSecretCredential :
Azure Identity => getToken() result for scopes api://570f77fe-098f-42cd-8a22-a29fa1d9c7c0/.default: SUCCESS
Another thing I want to show you, is the decoded token, may it can helps to bring me a solution:
Token:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1yNS1BVWliZkJpaTdOZDFqQmViYXhib1hXMCIsImtpZCI6Ik1yNS1BVWliZkJpaTdOZDFqQmViYXhib1hXMCJ9.eyJhdWQiOiJhcGk6Ly81NzBmNzdmZS0wOThmLTQyY2QtOGEyMi1hMjlmYTFkOWM3YzAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8zOTdlZDAzMS0zOTM1LTQwYjAtOWM2OS0xNGZkMTE2NGRiOGYvIiwiaWF0IjoxNjM5NzA4Mzk5LCJuYmYiOjE2Mzk3MDgzOTksImV4cCI6MTYzOTcxMjI5OSwiYWlvIjoiRTJaZ1lOaTJjRGEveHRHMmZldTAxUTdxVHI1MUFnQT0iLCJhcHBpZCI6IjU3MGY3N2ZlLTA5OGYtNDJjZC04YTIyLWEyOWZhMWQ5YzdjMCIsImFwcGlkYWNyIjoiMSIsImlkcCI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzM5N2VkMDMxLTM5MzUtNDBiMC05YzY5LTE0ZmQxMTY0ZGI4Zi8iLCJvaWQiOiJiMmRlYTQ3NS1lODlhLTRiNjQtOGM5Mi0yMTg4MGM5ODhmMTYiLCJyaCI6IjAuQVNrQU1kQi1PVFU1c0VDY2FSVDlFV1Rial81M0QxZVBDYzFDaWlLaW42SFp4OEFwQUFBLiIsInN1YiI6ImIyZGVhNDc1LWU4OWEtNGI2NC04YzkyLTIxODgwYzk4OGYxNiIsInRpZCI6IjM5N2VkMDMxLTM5MzUtNDBiMC05YzY5LTE0ZmQxMTY0ZGI4ZiIsInV0aSI6IjNRQ1hJZGhMTVVLUnh3NkxwbndoQUEiLCJ2ZXIiOiIxLjAifQ.SU9kpXWs6fP-9T8QlPOJT8rKihPdtd38B8frOiS1I36T5LjewEyTmHgTEKWKgPhGxUHkmYWQxi6itNsn_4H_XUpgvVU2oNxoYsumQIW8rQZUx7hZeqxPrY3hbl_UfJgCtZ3J_0z6Ekk6QmBA-VBFEueq5lzjlARqYgTyQQ-uaNUtyrih4HyOkSkwcC8rs20UAjguunDVAzVucjweB0B2m9ib-uT1hhJlOihOwNtZ-A28QYNihp4r8HkriMaZMqutrdrVhH_--0OpF1O7lFEGEeDQeDozWi4SjboWJcODgsOGsZ7HxHd3Lx5mv8vJ0MvC8z_GIRWpuQqJuZ7eXQeFWg
Decoded token:
{
"typ": "JWT",
"alg": "RS256",
"x5t": "Mr5-AUibfBii7Nd1jBebaxboXW0",
"kid": "Mr5-AUibfBii7Nd1jBebaxboXW0"
}.{
"aud": "api://570f77fe-098f-42cd-8a22-a29fa1d9c7c0",
"iss": "https://sts.windows.net/397ed031-3935-40b0-9c69-14fd1164db8f/",
"iat": 1639708399,
"nbf": 1639708399,
"exp": 1639712299,
"aio": "E2ZgYNi2cDa/xtG2feu01Q7qTr51AgA=",
"appid": "570f77fe-098f-42cd-8a22-a29fa1d9c7c0",
"appidacr": "1",
"idp": "https://sts.windows.net/397ed031-3935-40b0-9c69-14fd1164db8f/",
"oid": "b2dea475-e89a-4b64-8c92-21880c988f16",
"rh": "0.ASkAMdB-OTU5sECcaRT9EWTbj_53D1ePCc1CiiKin6HZx8ApAAA.",
"sub": "b2dea475-e89a-4b64-8c92-21880c988f16",
"tid": "397ed031-3935-40b0-9c69-14fd1164db8f",
"uti": "3QCXIdhLMUKRxw6LpnwhAA",
"ver": "1.0"
}.[Signature]
I get this token with this URL:
https://graph.microsoft.com/v1.0/
Using the following code:
url = new URL(urlHost);
token = tokenCredentialAuthProvider.getAuthorizationTokenAsync(url).get();
Work around on the error InvalidAuthenticationToken
Error message: Access token validation failure. Invalid audience
aud (audience) : this Identifies the intended recipient of the token - its audience.
Your API must validate this value and reject the token if the value doesn't match.
Based on your given details you are using version v1.0
In v1.0 tokens it can be the client ID or the resource URI used in the request, depending on how the client requested the token
To resolve this error, you need to make sure the audience in the token is https://graph.microsoft.com by using scope: https://graph.microsoft.com/.default during your token acquisition call
make sure below permissions are consented under the application whose client ID you are using during token acquisition call.
1)User.ReadWrite.All
2)Directory.ReadWrite.All
To provide consent, you need to navigate to:
1) Azure Portal > Azure Active Directory > App Registration > search the application using client ID > API Permissions > Add Permission
2) Click on the ADD Permission

How to assign roles to the users in Azure Active Directory

I am creating a login module for a web portal. For this I have created a create user api which creates the user in Azure Active Directory. Below is how I am doing this (in Python) using the Graph API:
user_data = {
"accountEnabled": True,
"displayName": "john",
"mailNickname": "john",
"userPrincipalName": "john#demo.onmicrosoft.com",
"passwordProfile": {
"forceChangePasswordNextSignIn": False,
"password": <password>
}
}
jdata = json.dumps(user_data)
conn = http.client.HTTPSConnection('graph.microsoft.com')
conn.request("POST", "/v1.0/users", jdata, headers)
response = conn.getresponse()
This creates the user in active directory and I am also able to login fine. To login, I am using Python's adal library:
context = adal.AuthenticationContext(config_data['AUTHORITY_HOST_URL'] + '/' + config_data['TENANT'], validate_authority = config_data["TENANT"] != 'adfs')
email = email_name + "#" + config_data['TenantName']
token = context.acquire_token_with_username_password(config_data['RESOURCE'], email, raw_data['password'], config_data['RIPE_CONNECT_CLIENT_ID'])
I also need to assign roles to the user I am creating. For ex, I have education portal where when account is created, user also selects if he/she is student, teacher, parent. Based on this, I need to assign these roles to the user so that whenever user logs in, portal knows that this user is student so it will show all the relevant information and will not show other data which is not relevant to student. When a teacher will log in, it will show all the data.
How can I apply role based control system to users in azure active directory. I have gone through some of the documentation which Microsoft has provided on it but it looks like RBAC is only for the user to restrict their usage of any virtual machine/web service on Azure itself.
How can I use RBAC in my scenario. Is there any API available which I can use to further assign roles to users. What are the other alternatives for this.
Can anyone please give me some good suggestions? Please help. Thanks
EDIT:
config_data['RESOURCE']: https://graph.microsoft.com
Below is the response I get in token when authenticating users using adal library:
{
'tokenType': 'Bearer',
'expiresIn': 3599,
'expiresOn': '2020-10-26 13:19:56.881597',
'resource': 'https://graph.microsoft.com',
'accessToken': 'eyJ0eXAiOiJKV1QiLCJub25jZSI6IjU0aG03Z1psNmdqZVNmT1lCcF9jeVliTWtobklKVmdlV1Q2dHF2SnR3cTgiLCJhbGciOiJSUzI1NiIsIng1dCI6ImtnMkxZczJUMENUaklmajRydDZKSXluZW4zOCIsImtpZCI6ImtnMkxZczJUMENUaklmajRydDZKSXluZW4zOCJ9.eyJhdWQiOiJodHRwczovL2dyYXBoLm1pY3Jvc29mdC5jb20iLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC9iYzkwNDExZi03NmI1LTRhYjMtYWZjYS0xM2QxMTI3N2U0NGIvIiwiaWF0IjoxNjAzNjk0Njk3LCJuYmYiOjE2MDM2OTQ2OTcsImV4cCI6MTYwMzY5ODU5NywiYWNjdCI6MCwiYWNyIjoiMSIsImFpbyI6IkFTUUEyLzhSQUFBQVJjSi9xVDNnZGY4M25Oc1dMaGV0Tlh1YTNWTEs3ZFF0NERyUXJQMEZUc009IiwiYW1yIjpbInB3ZCJdLCJhcHBfZGlzcGxheW5hbWUiOiJ1c2VyYWNjZXNzIiwiYXBwaWQiOiJjMDFiNjQ4Mi0yODhkLTQ1MzMtOGM5OC1hN2M1ZTgwNjdjYzgiLCJhcHBpZGFjciI6IjAiLCJpZHR5cCI6InVzZXIiLCJpcGFkZHIiOiIxMDMuMTA4LjUuMzQiLCJuYW1lIjoidGVzdHVzZXIiLCJvaWQiOiIxYmM3OTA4NS0yYTFmLTRmYWQtOGRhOC02NDdmNGI0YjI5MjciLCJwbGF0ZiI6IjE0IiwicHVpZCI6IjEwMDMyMDAwQTg5NURGQUQiLCJyaCI6IjAuQVN3QUgwR1F2TFYyczBxdnloUFJFbmZrUzRKa0c4Q05LRE5GakppbnhlZ0dmTWdzQUhFLiIsInNjcCI6IkFjY2Vzc1Jldmlldy5SZWFkLkFsbCBBY2Nlc3NSZXZpZXcuUmVhZFdyaXRlLkFsbCBBY2Nlc3NSZXZpZXcuUmVhZFdyaXRlLk1lbWJlcnNoaXAgQXBwUm9sZUFzc2lnbm1lbnQuUmVhZFdyaXRlLkFsbCBEaXJlY3RvcnkuQWNjZXNzQXNVc2VyLkFsbCBEaXJlY3RvcnkuUmVhZC5BbGwgRGlyZWN0b3J5LlJlYWRXcml0ZS5BbGwgR3JvdXAuUmVhZC5BbGwgR3JvdXAuUmVhZFdyaXRlLkFsbCBNZW1iZXIuUmVhZC5IaWRkZW4gUGVvcGxlLlJlYWQuQWxsIFBvbGljeS5SZWFkLkFsbCBVc2VyLkV4cG9ydC5BbGwgVXNlci5JbnZpdGUuQWxsIFVzZXIuTWFuYWdlSWRlbnRpdGllcy5BbGwgVXNlci5SZWFkIFVzZXIuUmVhZC5BbGwgVXNlci5SZWFkQmFzaWMuQWxsIFVzZXIuUmVhZFdyaXRlIFVzZXIuUmVhZFdyaXRlLkFsbCBVc2VyQWN0aXZpdHkuUmVhZFdyaXRlLkNyZWF0ZWRCeUFwcCBVc2VyQXV0aGVudGljYXRpb25NZXRob2QuUmVhZCBVc2VyQXV0aGVudGljYXRpb25NZXRob2QuUmVhZC5BbGwgVXNlckF1dGhlbnRpY2F0aW9uTWV0aG9kLlJlYWRXcml0ZSBVc2VyQXV0aGVudGljYXRpb25NZXRob2QuUmVhZFdyaXRlLkFsbCBVc2VyVGltZWxpbmVBY3Rpdml0eS5Xcml0ZS5DcmVhdGVkQnlBcHAiLCJzdWIiOiJld1lCcXVQWTRNN2RJazkyaWdQeUdhanlseTlkeFdNd2FxY0YzOHh1MVUwIiwidGVuYW50X3JlZ2lvbl9zY29wZSI6Ik5BIiwidGlkIjoiYmM5MDQxMWYtNzZiNS00YWIzLWFmY2EtMTNkMTEyNzdlNDRiIiwidW5pcXVlX25hbWUiOiJ0ZXN0dXNlckByaXBlZGVtby5pbmZvIiwidXBuIjoidGVzdHVzZXJAcmlwZWRlbW8uaW5mbyIsInV0aSI6IjJGM0pHNW1FMDBXdlR3N2pzN2lDQUEiLCJ2ZXIiOiIxLjAiLCJ3aWRzIjpbImI3OWZiZjRkLTNlZjktNDY4OS04MTQzLTc2YjE5NGU4NTUwOSJdLCJ4bXNfdGNkdCI6MTUyODQ3NjExOX0.qk3t_nZ0q_koA4D1QZNeBm7DLbuYxiCMNn8TC85dyQz1eY1uIZ1jhj7248z0m4CvELtp27KR8-jssiCzkW1RdUgxShscV6jRbmMPcpbR5YZ5iNZOyQxQHDSAafM0s_mJjQAA8JTwxc4yAhcKOU2R5PcVX6zbeCi28weQDs9q6vke7fCN7UPX6MKQNELBopJnQaXrvc5J9UAhvA1-_FfONnjb3zxRqb55hQuAiKpn2pRzyfD_fHViuPD2UauTZ0-1rwLRPtuMWdPl2aZNGrftfgTCeN6kxUlvunta06cdtyN6XnILCCv7mlYecPPwZi4vd5SC0hIYNIaEgciBa1pwYg',
'refreshToken': '0.ASwAH0GQvLV2s0qvyhPREnfkS4JkG8CNKDNFjJinxegGfMgsAHE.AgABAAAAAAB2UyzwtQEKR7-rWbgdcBZIAQDs_wIA9P-wwH63zoGppq4f4Mz_zC7KfHZm8AYjxC3scz2h4HGhhHlmMNHFwj3IxE-EjTu0fgnzW-0YsRe4ELoB-3kD87Ok7NuF91NlLw2jnsVmfBu3WAbpqPDe_dGbJN6jKORHaXnSZFa32CvXht2wfj-VByzqXCBOIA3N6h61zptbSXvw4kRcobMAnftSgrzmIMwvVZIduEfnzkuSphwla_V0UxQhnAioVQUlJP90-5WRoVjLNqrmLQnaTUrY4ppeKL_u12HJZje1T2TmTHqTIfrGOZz_tvEDGsU06D2AbjTrVCfJget6D4UgKtUuo9L_dGS9PFO6OSMHSzAu32tXrB0pgxz9okm-so1ptpcSh1jtbrZATmYG4olBcEmKD_-meVrgQ7r_XH8GseBPXSSw_Bqvr55GDUbm0qGjDc3qUjHnBAeVZOPJVTKaTOK93UoUtv15DXB23UN-8xQjQ6ynjIUfC_mIJVr4m1K_sDjVAqvsvOX_gM0Zc0OwsUvB3-W_fIbr0CO1Rd38s2XfDOwkuqi8GCab6Jao5DC9rMDxekJmrc1efQvexdnijjGoTm__IGFZF2IUR_ARdJxt6UlPVrIpvAJROO5T7YIEpeR-fo6euq6txYDjiw4ImZCZ5E717lbRQsqiqLshV2TZNmf0rqRPesraBqBi8LfvEei7AdYMor5uMZpcnYPx2xKMnEnCrZBj1PkMc-quDhIoWyRNontHmTa2YbrFWGZBf61g2Y6J_P_5qySljS3JZted2A_jVd45ue2aBzcQVjxuXnKn0EEeoeq_dmxEylWxwoZYL_2hBnlNzgGD5gVXf24uL_RJvuIHat68UOSCt6hf4IwVVLGvNobhqPJO5v5YNvHdmP5P1n0KkEQJLzoyZuY',
'oid': '1bc79085-2a1f-4fad-8da8-647f4b4b2927',
'tenantId': 'bc90411f-76b5-4ab3-afca-13d11277e44b',
'userId': 'testuser#demo.info',
'isUserIdDisplayable': True,
'isMRRT': True,
'_clientId': 'c01b6482-288d-4533-8c98-a7c5e8067cc8',
'_authority': 'https://login.microsoftonline.com/bc90411f-76b5-4ab3-afca-13d11277e44b'
}
Response when using client id as resource:
{
'tokenType': 'Bearer',
'expiresIn': 3599,
'expiresOn': '2020-10-26 13:30:30.990330',
'resource': 'c01b6482-288d-4533-8c98-a7c5e8067cc8',
'accessToken': 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImtnMkxZczJUMENUaklmajRydDZKSXluZW4zOCIsImtpZCI6ImtnMkxZczJUMENUaklmajRydDZKSXluZW4zOCJ9.eyJhdWQiOiJjMDFiNjQ4Mi0yODhkLTQ1MzMtOGM5OC1hN2M1ZTgwNjdjYzgiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC9iYzkwNDExZi03NmI1LTRhYjMtYWZjYS0xM2QxMTI3N2U0NGIvIiwiaWF0IjoxNjAzNjk1MzMxLCJuYmYiOjE2MDM2OTUzMzEsImV4cCI6MTYwMzY5OTIzMSwiYWNyIjoiMSIsImFpbyI6IkUyUmdZTWllNDd1WE15NzlzZXVzTTVjRWZwemJiN2N4MjNOaGw2YklQZmxKVHJxOURDa0EiLCJhbXIiOlsicHdkIl0sImFwcGlkIjoiYzAxYjY0ODItMjg4ZC00NTMzLThjOTgtYTdjNWU4MDY3Y2M4IiwiYXBwaWRhY3IiOiIwIiwiaXBhZGRyIjoiMTAzLjEwOC41LjM0IiwibmFtZSI6InRlc3R1c2VyIiwib2lkIjoiMWJjNzkwODUtMmExZi00ZmFkLThkYTgtNjQ3ZjRiNGIyOTI3IiwicmgiOiIwLkFTd0FIMEdRdkxWMnMwcXZ5aFBSRW5ma1M0SmtHOENOS0RORmpKaW54ZWdHZk1nc0FIRS4iLCJyb2xlcyI6WyJkaXN0cmlidXRvciJdLCJzY3AiOiJBY2Nlc3NSZXZpZXcuUmVhZC5BbGwgQWNjZXNzUmV2aWV3LlJlYWRXcml0ZS5BbGwgQWNjZXNzUmV2aWV3LlJlYWRXcml0ZS5NZW1iZXJzaGlwIEFwcFJvbGVBc3NpZ25tZW50LlJlYWRXcml0ZS5BbGwgRGlyZWN0b3J5LkFjY2Vzc0FzVXNlci5BbGwgRGlyZWN0b3J5LlJlYWQuQWxsIERpcmVjdG9yeS5SZWFkV3JpdGUuQWxsIEdyb3VwLlJlYWQuQWxsIEdyb3VwLlJlYWRXcml0ZS5BbGwgTWVtYmVyLlJlYWQuSGlkZGVuIFBlb3BsZS5SZWFkLkFsbCBQb2xpY3kuUmVhZC5BbGwgVXNlci5FeHBvcnQuQWxsIFVzZXIuSW52aXRlLkFsbCBVc2VyLk1hbmFnZUlkZW50aXRpZXMuQWxsIFVzZXIuUmVhZCBVc2VyLlJlYWQuQWxsIFVzZXIuUmVhZEJhc2ljLkFsbCBVc2VyLlJlYWRXcml0ZSBVc2VyLlJlYWRXcml0ZS5BbGwgVXNlckFjdGl2aXR5LlJlYWRXcml0ZS5DcmVhdGVkQnlBcHAgVXNlckF1dGhlbnRpY2F0aW9uTWV0aG9kLlJlYWQgVXNlckF1dGhlbnRpY2F0aW9uTWV0aG9kLlJlYWQuQWxsIFVzZXJBdXRoZW50aWNhdGlvbk1ldGhvZC5SZWFkV3JpdGUgVXNlckF1dGhlbnRpY2F0aW9uTWV0aG9kLlJlYWRXcml0ZS5BbGwgVXNlclRpbWVsaW5lQWN0aXZpdHkuV3JpdGUuQ3JlYXRlZEJ5QXBwIiwic3ViIjoiXy01cmU1QWY0bjlsdFNETjdQaW5zOFN0QkZSTlR4QUxNaHZLM2QxZi1rNCIsInRpZCI6ImJjOTA0MTFmLTc2YjUtNGFiMy1hZmNhLTEzZDExMjc3ZTQ0YiIsInVuaXF1ZV9uYW1lIjoidGVzdHVzZXJAcmlwZWRlbW8uaW5mbyIsInVwbiI6InRlc3R1c2VyQHJpcGVkZW1vLmluZm8iLCJ1dGkiOiJsNUNBb2dlQm5VV0pzQnktVlBQTkFBIiwidmVyIjoiMS4wIn0.BkjC5-glOieUjsx3QoRs0LuWUbKlX__G9EIDHL3Uxmc1NnTFsAPgi1NdtZuimiP9r6Th976XaHzub_Z6cq_yzRVzQNEon41GGI_mrc3ejjCJnRjgxSTOhQlqiW99E58x6PATPzB2rjwpNj_BOkkAR8qWul-nUxYf071h0RLNqftUigLL85LpkLFSWgBmqp1o7m84Y5lmxPNBsMYoNw7z94lDlR79j-SjwbxhvFO-zaR2qXMw4U2yWHmjxhYx-VJ1goC_esgasutI5PUCndYewzH9pnG9uNTwDFaLpJS_FudQrPSKvr2mVFGqwpuEIfmbybj-Vd2ETPCIu8kZ-b__3g',
'refreshToken': '0.ASwAH0GQvLV2s0qvyhPREnfkS4JkG8CNKDNFjJinxegGfMgsAHE.AgABAAAAAAB2UyzwtQEKR7-rWbgdcBZIAQDs_wIA9P8SUM1Gw4jhn-3gCk4lIUZOSxhqfoeqN6nY7DXdcjtUqsWRbzeB09CdUPwJqkwr42WqsFgQhxRc3NMxt_ZSwut2ZvrapmKCTjXzp3mXzzk3PQulqUQCa0eIgtNhrmjQoQ57L-TkprJnzIrTh2mYQMWDsSJB82jva-5EPi0dmuqvwfmBuWAjJqh1RinAmBZOtl4B5GUqTDvblJMINqV6nNJRESGU51alKLyailCumYDzWlN-ljEdY3O6Y53EwvQBfLbKIckCChXs__Tn0q4UDfmiJpVPdG1K452Jm2IhgCYsp8Uy-pPd2l1ZNObH9Vr5cadkSoAJP9v4I4g7BGokV9J9GiysR7mENhxh_oe3Yao7Mhosmid7Nveplv3BkZxbmilWp_1-11tUrGWEIjz6O1j0i9_0o6UW54SYA5Wj4hFXQ6yQX0x2QBTj7xGJBzsiJ4F3gxuZ_wCZUqyqwkxvqAg8SkK1QUpPQpOlMrfoE-db5jJ4sL1WcQ71ZSD3cfJgLRtajCPIJsutQ-It8FE6rG9Qj8k_srKB6oSKQL62J_X7bUVGLdZRjDVNhWaowam_oz4oNm7z1YELAepOJvpV__PEETAFxpl_zl2WnizKAYsSDMg8U1NZJ11Ihvyh3B_yYUKjPA46iqcWgp0WeUc93L-ZYgIdFy3j1Ie3N7p-hYXCxSdMs0UUnQUcUwgbXnwCfPEwcDdQH0WqwKBAILRml0rR-PAcSY6hUV5g51mQ3mHpfGvTtkIbDEMj2LmwGR872-JOB4gxGn4wv48AuxOrtu-GydcwucY_ev9bKs72XdwXC0vi2KGoVqv5ElJdAqjquf2doxaegCAwFe4APYeQ-AdkyR30CpuJedmp5YBESNTNB4yljreHErk9UXKkCYcCQnk',
'oid': '1bc79085-2a1f-4fad-8da8-647f4b4b2927',
'tenantId': 'bc90411f-76b5-4ab3-afca-13d11277e44b',
'userId': 'testuser#demo.info',
'isUserIdDisplayable': True,
'isMRRT': True,
'_clientId': 'c01b6482-288d-4533-8c98-a7c5e8067cc8',
'_authority': 'https://login.microsoftonline.com/bc90411f-76b5-4ab3-afca-13d11277e44b'
}
I think what you are looking for is app roles and appRoleAssignments: https://learn.microsoft.com/en-us/graph/api/serviceprincipal-post-approleassignments?view=graph-rest-1.0&tabs=http.
You can define user roles in your app registration manifest, and then assign them through API calls to the endpoint linked above, or through the Azure AD management UI (Enterprise applications -> your app -> Users and groups).
Documentation for app roles: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
Example defined role from the above docs:
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "Writer",
"id": "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f",
"isEnabled": true,
"description": "Writers Have the ability to create tasks.",
"value": "Writer"
}
],

Obtaining a Google Cloud access token for the Cloud SQL API to import a CSV in a Cloud Function

I'm looking for a python 3 example on how I would get an access token so I could import a csv file from GCS into Cloud SQL from a Google Cloud Function.
It's from a Cloud Function so the expectation is that the service account it runs under or the service account of the Cloud SQL instance would have access if given access, but that's not the case.
Response HTTP Response Body: {
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"errors": [
{
"message": "Login Required.",
"domain": "global",
"reason": "required",
"location": "Authorization",
"locationType": "header"
}
],
"status": "UNAUTHENTICATED"
}
}
Below is the code, am curious if anyone has some sample code on how I can get it to authenticate.
response = requests.post(
url="https://www.googleapis.com/sql/v1beta4/projects/redacted-project/instances/redacted-instance/import",
headers={"Content-Type": "application/json; charset=utf-8"
},
data=json.dumps({
"importContext": {
"fileType": "CSV",
"csvImportOptions": {
"table": "service_data"
},
"uri": "gs://redacted-bucket/log/" + blob.name + "",
"database": "redacted-db"
}
})
)
print('Response HTTP Status Code: {status_code}'.format(status_code=response.status_code))
print('Response HTTP Response Body: {content}'.format(content=response.content))
You should use the google-api-python-client to construct a service for this API instead of trying to make a request directly. This will allow it to pick up the default service account for the Cloud Function:
from googleapiclient.discovery import build
service = build('sql', 'v1beta4')
...
More details here: https://github.com/googleapis/google-api-python-client/blob/master/docs/start.md
1.From your Google Cloud Functions, get auth tokens by querying the metadata server assuming that your cloud function runs under default service account, which is App Engine Default service account and has the role Editor.
import requests
import json
METADATA_URL = 'http://metadata.google.internal/computeMetadata/v1/'
METADATA_HEADERS = {'Metadata-Flavor': 'Google'}
SERVICE_ACCOUNT = 'default'
def import_table(request):
url = '{}instance/service-accounts/{}/token'.format(
METADATA_URL, SERVICE_ACCOUNT)
# Request an access token from the metadata server.
r = requests.get(url, headers=METADATA_HEADERS)
r.raise_for_status()
# Extract the access token from the response.
access_token = r.json()["access_token"]
body = json.dumps({'importContext': {'fileType': 'CSV',
'csvImportOptions': {'table': 'your_table'},
'uri': 'gs://temprun/your_dump_file',
'database': 'your_database'}})
response = requests.post(
url="https://www.googleapis.com/sql/v1beta4/projects/your_project/instances/your_sql_instance/import",
headers={"Content-Type": "application/json; charset=utf-8",
"Authorization": "Bearer {}".format(access_token)
},
data=body)
return str(response)
2.Using client libraries google-api-python-client:
def import_table(request):
from googleapiclient.discovery import build
service = build('sqladmin', 'v1beta4')
body = {'importContext': {'fileType': 'CSV',
'csvImportOptions': {'table': 'your_table'},
'uri': 'gs://temprun/your_dump_file',
'database': 'your_database'}}
service.instances().import_(project='your_project', instance='your_instance', body=body).execute()
return "Table was imported"
If successful, the response body contains an instance of Operation.
{'kind': 'sql#operation',
'targetLink': 'https://sqladmin.googleapis.com/sql/v1beta4/projects/your-project/instances/instance',
'status': 'PENDING',
'user': 'youraccount,
'insertTime': '2020-03-18T09:02:55.437Z',
'operationType': 'IMPORT',
'importContext': {'uri': 'gs://yourbucket/dumpfile',
'database': 'yourdatabase',
'kind': 'sql#importContext',
'fileType': 'CSV',
'csvImportOptions': {'table': 'sql-table}},
'name': 'cdcd53d4-96fe-41cf-aee4-12cf6ec6394e',
'targetId': 'instance_name',
'selfLink': 'https://sqladmin.googleapis.com/sql/v1beta4/projects/project/operations/cdcd53d4-96fe-41cf-aee4-12cf6ec6394e',
'targetProject': 'your-project'}
From within Google Cloud Functions you can get auth tokens by querying the metadata server.
There is an easier option, however: use the Cloud SQL Client Library. This will automatically get auth tokens for you.
Both of these options will authenticate with the PROJECT_ID#appspot.gserviceaccount.com service account. You may need to grant that account permissions if you are doing cross-project calls etc.

Authorize a client to browse Office365 Graph API

I am trying to develop a webapp to let a user browse his Active Directory contacts.
I have two accounts: one to register the application (developer account) and the other that would be the general user who have access to Office365 (user account).
I have set up a Javascript client following the Azure AD Graph API documentation.
By now, I am able to prompt the user to login and retrieve an access token, but when I try to make a request, I always get a 401 error.
I am pretty new to Azure, so I don't really understand if the problem is in my application configuration or in my code.
I am able to browse the Graph API explorer with my user account, so I don't think he's missing the authorization to access it.
I am really confused.
I try to add all the steps I am doing, hoping someone could point out the error.
Request 1:
Url: https://login.windows.net/{my tenant id or common (both are working) }/oauth2/authorize
Method: GET
Params:
redirect_uri // my redirect url, the same I registered in my application. It is just a page that returns the content of the URL
client_id // my client id
response_type // code
state // a random generated string, not required, but reccomanded
resource // https://graph.windows.net
Response 1:
code // A long string
state // The string I sent in the request
session_state // Another string
Request 2:
Url: https://login.windows.net/{my tenant id or common (both are working) }/oauth2/token
Method: POST
Params:
redirect_uri // it won't be necessary, but in some post they reccomand to add it
client_id // my client id
client_secret // my client secret
code // the code retrieved from Request 1
grant_type // authorization_code
state // a random generated string
resource // https://graph.windows.net
Response 2:
token_type // Bearer
access_token // a long token
id_token // exploring it with the JWT tool, shows it has the correct app id
refresh_token // a long code
resource // the same I sent in the request
scope // Directory.Read UserProfile.Read
expires_in
expires_on
a couple of other irrelevant keys
Request 3:
Url: https://graph.windows.net/{the domain the logged account belong to}/contacts
Method: GET
Headers:
Authorization: Bearer {the access token retrieved from request 2}
Params:
api-version = 1.5 // The value suggested in the documentation.
Response 3:
{
"odata.error": {
"code": "Authentication_MissingOrMalformed",
"message": {
"lang": "en",
"value": "Access Token missing or malformed."
},
"values": null
}
}
This is the content of my Access Token:
{
typ: "JWT",
alg: "RS256",
x5t: "foofoofoofoo"
}.
{
aud: "https://graph.windows.net",
iss: "https://sts.windows.net/<SOMEGUID>/",
iat: 1418224761,
nbf: 1418224761,
exp: 1418228661,
ver: "1.0",
tid: "<SOMEGUID>",
amr: [
"pwd"
],
idp: "https://sts.windows.net/<SOMEGUID>/",
email: "myuseremail#contoso.com",
unique_name: "myuseremail#contoso.com",
sub: "barbarbarbar",
altsecid: "<an-id>",
family_name: "Last Name",
given_name: "First Name",
appid: "<MY APP ID>",
appidacr: "1",
scp: "Directory.Read UserProfile.Read",
acr: "1"
}
Answer
So, it looks like user must have the "can consent" authorization to authenticate to his own active directory, and this can be provided just by the administrator.
I posted the same request on the MSDN forum and I got the same answer.
I want sincerely thank #Jason Johnston and #Dan Kershaw since this problem was driving me nut and I would never be able to sort it out without their help.
Unfortunately I can award the bounty to just one of them, so I decided to give it #Jason Johnston for the great patience he had in supporting me in this and another discussion.
I believe if you actually want to browse the Active Directory, and not just read the authenticated user's profile, you need administrator consent for a web app. See http://msdn.microsoft.com/en-us/library/azure/b08d91fa-6a64-4deb-92f4-f5857add9ed8#BKMK_Graph
If you already knew that, then maybe it's a problem with how you've registered your app or the token itself. Make sure you've selected the appropriate permissions per that link in your app registration. If those look right, then you can check the token. There's a handy little token parser here: http://jwt.calebb.net/. Just paste in the value of your token and it will show you the decoded JSON. Look at the scope or scp parameters.
{
"typ": "JWT",
"alg": "RS256",
"x5t": "asdfsadfasdfsa"
}
{
"aud": "https://graph.windows.net/",
"iss": "https://sts.windows.net/<SOMEGUID>",
"iat": 1418158549,
"nbf": 1418158549,
"exp": 1418162449,
"ver": "1.0",
"tid": "<SOMEGUID>",
"amr": [
"pwd"
],
"oid": "<SOMEGUID>",
"upn": "admin#contoso.com",
"unique_name": "admin#contoso.com",
"sub": "askdljalsdfs",
"puid": "1003BFFD88937280",
"family_name": "Administrator",
"given_name": "MOD",
"appid": "<YOUR APP ID>",
"appidacr": "0",
"scp": "Directory.Read user_impersonation UserProfile.Read",
"acr": "1"
}
The token you've pasted is missing the OID and UPN, and that'll probably be why you are seeing this error. I'll have to go back and check how this access token could have been issued without those claims.

Resources