I'm trying to build an spFx app, that uses a different user to access lists and libraries than the logged in user. The logged in user won't have the permissions to access the lists directly but only via the app. But I can't find a way to initialize sp for a different user than the currently logged in user.
The standard method just gives me the logged in user:
sp.setup({
spfxContext: this.context
});
The setup method for nodejs looks promising but won't work within an spFx app:
sp.setup({
sp: {
fetchClientFactory: () => {
return new SPFetchClient("{your site url}", "{your client id}", "{your client secret}");
},
},
});
I also calling sharepoint via MSAL:
sp.setup({
sp: {
fetchClientFactory: MsalClientSetup({
auth: {
authority: "https://login.microsoftonline.com/mytentant.onmicrosoft.com",
clientId: "00000000-0000-0000-0000-000000000000",
redirectUri: "https://mytentant.sharepoint.com/sites/dev/SitePages/test.aspx",
},
}, ["https://mytentant.sharepoint.com/.default"]),
},
});
But as soon as I access sp I get this error:
Unhandled Rejection (Error): You must supply absolute urls to
MsalClient.fetch.
Also I don't see any option to provide the client secret in this MSAL logic.
I hope anybody can point me in the right direction. Thanks in advance!
Related
I'm trying to add Google authentication to my Azure Functions app which will be used from a Svelte static web app (SWA). The SWA uses Google Identity (https://accounts.google.com/gsi/client) to both authenticate and then retrieve an access_token. Authentication is performed using a standard Google Identity sign in button. I've tried One Tap prompt as well with the same result.
google.accounts.id.initialize({
client_id: googleClientId,
callback: handleCredentialResponse,
});
google.accounts.id.renderButton(
button,
{ theme: 'outline', size: 'large' }, // customization attributes
);
User authenticates, works fine and I get a JWT id_token containing name email image etcetera. It's a bit annoying the user has to then again go through the whole process of selecting their account, but I guess that's the Google experience. Once I'm ready to do function calls I then proceed to authorize:
function getAccessToken() {
return new Promise((resolve, reject) => {
const client = google.accounts.oauth2.initTokenClient({
client_id: googleClientId,
scope: "openid",
callback: (response) => {
if (response.access_token) {
resolve(access_token);
} else {
reject(response?.error);
}
},
});
client.requestAccessToken();
});
}
This also works fine, I retrieve an access_token. I then proceed to call an Azure Function with this token in the header:
Authorization: Bearer <ACCESS_TOKEN>
This always results in a 401 response. I have tried setting all functions to anonymous to no effect.
I'm wondering if this has to do with scope. In the Google Console it's only possible to add Google specific scopes, which is why I retrieve an access_token for the openid scope.
I've also tried setting credentials to include since there might be cookies the Easy Auth layer would like to read from the web app to authenticate the user. CORS on the Azure Functions app is configured correctly for the host names used by the web app and Access-Control-Allow-Credentials is enabled on the Function App. This has no effect either.
Wow this was badly documented. After reading the Azure Functions and App Service Authentication blog post it seems an 'authentication token' needs to be retrieved from the functions app itself instead of an 'access token' from Google. After Google identification the id_token from the first step needs to be POSTed to https://<functions_app>/.auth/login/google with the following as body:
{
"id_token": "<id_token>"
}
This in turn returns something as follows:
{
"authenticationToken": "<authenticationToken>",
"user": { "userId": "<sid>" }
}
This authenticationToken then needs be be passed in the header to each function call as follows:
X-ZUMO-AUTH: <authenticationToken>
Edit: it seems this was fully documented, somehow I missed this.
I am using the Microsoft graph Javascript client library to get a refresh token for a user. I created an app that connects doctors and patients. I want to create and delete events on the doctors' calendars. I first need their authorization to access their outlook account. Unfortunately, when I make the api call to get the refresh token, I get back an access token and an id token but no refresh token. Can someone please help?
Here's my code
const msalConfig = {
auth: {
clientId: process.env.OUTLOOK_OAUTH_CLIENT_ID,
authority: process.env.OUTLOOK_OAUTH_AUTHORITY,
clientSecret: process.env.OUTLOOK_OAUTH_CLIENT_SECRET
},
system: {
loggerOptions: {
loggerCallback(loglevel, message, containsPii) {
console.log(message);
},
piiLoggingEnabled: false,
logLevel: msal.LogLevel.Verbose,
}
}
};
// Create msal application object
const ouathClient = new msal.ConfidentialClientApplication(msalConfig);
const response = await ouathClient.acquireTokenByCode(tokenRequest);
I am using node js.
This method can also be used to get the refresh token, Please refer this Microsoft documentation.To get refresh token
Client Credentials flow does not support user context thus no refresh token is supported in this case.
If you are using MSAL depending on whether you are using Public client (Mobile, Desktop or Single Page apps) where users sign-in to your app then you may need a refresh token and you should be using flows listed here
If you are using a private client like a serveside daemon then you dont need a refresh token.
I'm trying to connect WorkflowMax to my application and it's throwing the error "You don't have access to connect any WorkflowMax accounts".
Here's the server side code (NodeJS):
const oauth2 = simpleOauthModule.create({
client: {
id: 'client id',
secret: 'secret key',
},
auth: {
tokenHost: 'https://identity.xero.com',
authorizeHost: 'https://login.xero.com',
tokenPath: '/connect/token',
authorizePath: '/identity/connect/authorize',
},
options: {
authorizationMethod: 'body',
}
});
const authorizationUri = oauth2.authorizationCode.authorizeURL({
redirect_uri: 'example.com/_oauth2',
state: Random.id(),
scope: 'openid profile workflowmax'
});
The user account I'm using does have the "Authorise 3rd Party Full Access" permission ticked in the WorkflowMax staff settings. I've waited about a day for the permissions to update and tried it on other accounts.
Is there anything else I need to do to allow WorkflowMax Oauth 2?
Here's an image of what it's throwing:
I can see you have included the correct scopes. If your staff permission is set correctly you should have access to the account. You will need to use your staff account to go through the consent screens. The setting should be an instant update you don't need to wait for it to take effect.
Unfortunately I can't provide any more assistant here. I have replicated this in my environment and worked fine.
This has been baffling me for hours now, so I have been trying to get EasyAuth working using different providers.
I am using this on Azure Functions, so let's say my function address is
https://xxx.azurewebsites.net
If I want to login into the service using a Google account I send my post request along with token received from Google to the following address
https://xxx.azurewebsites.net/.auth/login/google
This gives me a converted token back.
However if I do the same thing with a Microsoft account using the following details
Request Body:
{ "access_token": "token-string-value" }
Endpoint:
https://xxx.azurewebsites.net/.auth/login/microsoftaccount
It gives me the following error instead of a converted token
401 Unauthorized You do not have permission to view this directory or page.
--
I am using Msal JavaScript library to get my authentication token. Also I am testing these in Postman which makes it easy to understand what the problem is before I deal with the code and other stuff.
-- Update 1.0
This does seem like a bug, as even if I try to navigate to the
https://xxx.azurewebsites.net/.auth/login/microsoftaccount
It shows me the following
This URL works for other providers, Google, Facebook and Twitter. For all of them it redirects the user to the provider's login page.
According to the error page and the address bar contents, the client doesn't exist which could be referring to the application created on Azure to allow my website access the API. But everything has been setup correctly.
It would be helpful if someone from Azure We App Services can take a look at this.
I have created the Application and added the application ID and Secret int eh App Services page.
-- Update 2.0
So after hours of investigation, I managed to get the URL working, shockingly it was due to wrong information given on Azure portal. The link in Authorization and Authentication section of App Service is pointing to a new platform to register applications, which is purely for Azure AD based users.
For the external users to be able to login the application need to be registered in the following portal
https://apps.dev.microsoft.com
After registering the application here, and added the details in the App Service blade, the URL to EasyAuth is working.
However this doesn't resolve my issue. I still need a JavaScript library that gives me valid token which I can pass to EasyAuth endpoint.
Strangely the token taken from MSAL is not valid for Microsoft account. It just gives me the same error that my access is unauthorised. This means I probably need to use a different library to get a different token. I'd appreciate it if still someone can help me with this.
Below is a short sample code I am using to retrieve token and pass it to another function n which call EasyAuth endpoint and post the token along.
var applicationConfig = {
clientID: "xxxx-xxx-xxxx-xxxx",
authority: "https://login.microsoftonline.com/9fc1061d-5e26-4fd5-807e-bd969d857223",
graphScopes: ["user.read"],
graphEndpoint: "https://graph.microsoft.com/v1.0/me"
};
var myMSALObj = new Msal.UserAgentApplication(applicationConfig.clientID, applicationConfig.authority, acquireTokenRedirectCallBack,
{ storeAuthStateInCookie: true, cacheLocation: "localStorage" });
function signIn() {
myMSALObj.loginPopup(applicationConfig.graphScopes).then(function (idToken) {
//Login Success
acquireTokenPopupAndCallMSGraph();
}, function (error) {
console.log(error);
});
}
function signOut() {
myMSALObj.logout();
}
function acquireTokenPopupAndCallMSGraph() {
//Call acquireTokenSilent (iframe) to obtain a token for Microsoft Graph
myMSALObj.acquireTokenSilent(applicationConfig.graphScopes).then(function (accessToken) {
// accessToken
}, function (error) {
console.log(error);
});
}
I managed to find what was causing the problem.
So basically only Live Connect SDK generated tokens are valid on
https://xxx.azurewebsites.net/.auth/login/microsoftaccount
We were using MSAL which was generating tokens valid only on Azure Active Directory. I have been in touch with Azure Support, and have asked them to update the documentation. It currently is very confusing as none of these have been explained in the EasyAuth documentations.
We decided to go with Azure AD B2C, as it's more reliable and turns out cheaper for us.
In case anyone would like to use EasyAuth with Microsoft Account, the following is showing how to get access token from Live SDK
WL.Event.subscribe("auth.login", onLogin);
WL.init({
client_id: "xxxxxx",
redirect_uri: "xxxxxx",
scope: "wl.signin",
response_type: "token"
});
WL.ui({
name: "signin",
element: "signin"
});
function onLogin(session) {
if (!session.error) {
var access_token = session.session.access_token;
mobileClient.login('microsoftaccount', { 'access_token': access_token }, false)
.then(function () {
console.log('TODO - could enable/disable functionality etc')
}, function (error) {
console.log(`ERROR: ${error}`);
});
}
else {
console.log(`ERROR: ${session.error_description}`);
}
}
Reference to
< script src="//js.live.net/v5.0/wl.js">
Good day! I’m trying to implement a Passwordless login using auth0 node package. Basically I’m trying to send magic link through email without getting the email value in the browser, so I’m getting the email from an API.
Note: The email that has been pulled from other API is already registered in Auth0
The problem was when I receive the link in my Inbox and click it, I’m getting the Opt-in that I should allow the app to access the profile, which is not the path that I’m expected to see. So here’s my code:
const AuthenticationClient = require('auth0').AuthenticationClient
app.get('/sendmagiclink', function(req, res) {
let auth0 = new AuthenticationClient({
domain: [Auth0 Domain],
clientId: [Auth0 Client ID],
clientSecret: [Auth0 Client Secret]
})
var data = {
email: 'myemail#gmail.com',
send: 'link',
authParams: {
connection: [My Connection]
} // Optional auth params.
};
auth0.passwordless.sendEmail(data, function (err) {
if (err) {
// Handle error.
}
});
})
Also, another problem with my code is the connection name which automatically sets to email rather than the custom connection name I created.
Your thoughts would be greatly appreciated.
I assume you are getting the Consent screen here. Are you using a localhost URL? In that case it's not possible to skip it, but it won't appear when your app is in production, or if you set up a domain in /etc/hosts file. More info here: https://auth0.com/docs/api-auth/user-consent#skipping-consent-for-first-party-clients
The name of the passwordless email connection is usually email.