First I prepared the repo as described in the contributing guide by cloning it, restoring and building it.
When running yarn start the app starts on localhost. I sign in using a Microsoft account (no work or school account) and eventually I am presented with HTTP 431 (Request Header Fields Too Large).
There is a header Cookie which is 8563 characters long and appears to be an aggregation of several JWTs. It goes like this:
msal.a974dfa0-9f57-49b9-95db-90f04ce2111a.client.info=eyJ1aWQiOiIwMDAwMDAwMC0wMDAw...; msal.a974dfa0-9f57-49b9-95db-90f04ce2111a.login.request|c8591ba7-8643-4dd0-a86c-38240fd5c6e9=http://localhost:3000/; msal.a974dfa0-9f57-49b9-95db-90f04ce2111a.authority|c8591ba7-8643-4dd0-a86c-38240fd5c6e9=https://login.microsoftonline.com/common/; msal.a974dfa0-9f57-49b9-95db-90f04ce2111a.nonce.idtoken|c8591ba7-8643-4dd0-a86c-38240fd5c6e9=950c6017-41e9-4244-a874-02e7d8d40f47; msal.a974dfa0-9f57-49b9-95db-90f04ce2111a.state.acquireToken|c8591ba7-8643-4dd0-a86c-38240fd5c6e9=eyJpZCI6ImM4NTkx...;msal.a974dfa0-9f57-49b9-95db-90f04ce2111a.login.request|965aad0f-7740-44db-8be3-8a21d26c4f2d=http://localhost:3000/; msal.a974dfa0-9f57-49b9-95db-90f04ce2111a.authority|965aad0f-7740-44db-8be3-8a21d26c4f2d=https://login.microsoftonline.com/common/; msal.a974dfa0-9f57-49b9-95db-90f04ce2111a.nonce.idtoken|965aad0f-7740-44db-8be3-8a21d26c4f2d=5b3e211d-6756-4892-b50d-17cdebbd18b3; msal.a974dfa0-9f57-49b9-95db-90f04ce2111a.state.acquireToken|965aad0f-7740-44db-8be3-8a21d26c4f2d=eyJpZCI6Ijk2NWFhZDBm
This goes on for quite some time and somewhere in between there is this:
msal.a974dfa0-9f57-49b9-95db-90f04ce2111a.error.description=Silent authentication was denied. The user must first sign in and if needed grant the client application access to the scope 'user.read people.read user.readbasic.all contacts.read calendars.read presence.read.all tasks.readwrite presence.read user.read.all group.read.all tasks.read openid profile'.;
Of course I have accepted all those permission requests, even revoked them once and regranted to start over clean.
What am I not getting?
I use Win 10, node 12.19.0 and VS Code 1.51.1. and access the provided app (Amazing Microsoft Graph Toolkit App - client ID a974dfa0-9f57-49b9-95db-90f04ce2111a) which is the default in the index.html file.
Thanks for any hints.
Related
I have an app that displays user's instagram media(like some of the dating apps).
Also, my app has been reviewed successfully for permissions - instagram_graph_user_profile and instagram_graph_user_media and is in live mode.
But in the Facebook Developer Console, the instagram icon is not turning up green.
Please refer the screenshot.
https://drive.google.com/open?id=1VnMHLqjTf1oRbvcm2g8Ol80AfB3JqMOg
Flow to display the media is as follows.
1. My app ask users to authorize using
https://api.instagram.com/oauth/authorize?client_id=instagram-app-id&redirect_uri=redirect_uri&scope=scope&response_type=code&state=state
2. Above api responds with a code.Then backend calls -
https://api.instagram.com/oauth/access_token
with params - client_id, client_secret, code, grant_type, redirect_uri
3. Once I receive token from above API, I request long lived token from short-lived token using -
https://graph.instagram.com/access_token?grant_type=ig_exchange_token&client_secret=xyz&access_token=abc
4. Using the long lived token, server requests user info using API -
https://graph.instagram.com/me?fields=id,username&access_token=abc
5. Using the same long lived token, server makes request to get user media using API -
https://graph.instagram.com/me/media?fields=id,media_type,media_url,username,caption,timestamp&access_token=abc
This flow works only for test users(Instagram test users who accepted invitation of being a tester in Instagram Developer Platform).
When non-test user tries to view media, on step 3, I get an error saying -
{ "error": {
"message": "Unsupported get request.",
"type": "IGApiException",
"code": 100,
"fbtrace_id": "A0A24rNXCScki9Ck-8J_55b" } }
Am I missing something?
This is how I see my Business API Settings.
Please refer the screenshot.
https://drive.google.com/open?id=1Dfdihf20krEcYEmoh8z43_a1T5UQStXr
Under my App review section, I do not see any relevant permission that needs to be reviewed again.
Edit 1 -
Note - My app is in beta mode (not yet live on play store).
Could this be the reason?
I just went through a similar process getting my app ready for the old API to officially depreciate. I finally found this— hope it helps:
https://developers.facebook.com/community/threads/2219648518091109/
"After your app has been approved, you can get the contract from your Business Manager. You need to do it on a Computer (mobile wont work) and have to be an Admin on the Business.
From your business Manager you just go to Business Info -> Business Contract (https://business.facebook.com/settings/info)
Please, let us others if this answer helped you!"
Thanks to Juanu for sharing!
I'm developing an API using VS 2017, which I'm testing using Postman. I've been following this blog post Getting started with Windows Azure AD Authentication using Postman. I finally got it to give me an access token and a refresh token. About 3 quarters of the way through the post I came across this:
resource : https://management.core.windows.net
which has to be put into Postman (I'm using the Windows app version of Postman). I wasn't sure what that was for, so I left it off. I eventually got an access token and a refresh token, but when I when to get more info for all subscriptions, I got errors saying that I had specified a valid resource. So, I thought what I'd have to do was start over again, but re-authenticating and getting a code from Azure. I did so, and put that into Postman, as the blog post instructs. However, issuing this POST results in this error:
"error": "unauthorized_client",
"error_description": "AADSTS70002: Error validating credentials. AADSTS65005: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: d37abf69-42ce-4571-b146-f3422e73f041. Resource value from request: https://management.core.windows.net. Resource app ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013. List of valid resources from app registration: 00000002-0000-0000-c000-000000000000.\r\nTrace ID: 9f028899-6d03-409e-8db4-4e9905000300\r\nCorrelation ID: ec253a1b-9fdc-495f-9310-6b40a42e5d93\r\nTimestamp: 2018-11-19 22:20:02Z",
"error_codes": [
70002,
65005
]
I don't understand why nor what I could have done wrong. I've prespecified the resource as the tutorial instructed, so what have I done wrong?
Looking at the error message, it seems you could have missed adding relevant permissions for "Windows Azure Service Management API" to your app registration.
Steps:
Go to Azure Portal > Azure AD > App registrations > Your app (with app id: d37abf69-42ce-4571-b146-f3422e73f041)
Go to Settings > Required permissions > Add > Select "Windows Azure Service Management API"
Select the relevant permission under Delegated permissions section. Click on select and then "Done". You should get a notification in portal that successfully added permissions. You should see Windows Azure Service Management API listed under required permissions as well.
After these steps, continue as per the blog post you've mentioned with Postman steps to get the access token again.
I found myself in the same situation when i was trying to setup Postman. Its not as complicated as most blogs make seem. I created a tutorial to try to make the process easy.
http://hazelnest.com/blog/blog/2018/11/17/azure-postman-configuration/
https://youtu.be/2bfgeBKRxl4
Hope this helps.
So I'm using postman with the OAuth 2.0 process to try to authenticate against my WebApi over Azure Active Directory. I am still on the default project with the basic ValuesController, just trying to get authentication and authorization to work.
I've followed this video to setup postman, and as far as I can tell, I've configured the new applications in active directory as described.
The token exchange is working. And the Authorization Bearer {token} is being sent correctly. Here is an example token:
{Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlliUkFRUlljRV9tb3RXVkpLSHJ3TEJiZF85cyIsImtpZCI6IlliUkFRUlljRV9tb3RXVkpLSHJ3TEJiZF85cyJ9.eyJhdWQiOiJodHRwczovL2J1Y2tldHMub25taWNyb3NvZnQuY29tL2J1Y2tldHMtcmVzdC1hcGkyMDE2MDkwMzEwNDAzMSIsImlzcyI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzIwYmI2ZmEwLTU0OTItNDk0My05MjkwLWRiMWJkMTU3YjFkMS8iLCJpYXQiOjE0NzM5MTg3MDAsIm5iZiI6MTQ3MzkxODcwMCwiZXhwIjoxNDczOTIyNjAwLCJhY3IiOiIxIiwiYW1yIjpbInB3ZCJdLCJhcHBpZCI6IjlkZWVmMWFlLWU0MmYtNDg4ZC04MmY3LWUwMWRjYzNkMzE5NyIsImFwcGlkYWNyIjoiMSIsImZhbWlseV9uYW1lIjoiSWppZGFraW5ybyIsImdpdmVuX25hbWUiOiJBeW8iLCJpcGFkZHIiOiI3MC4xNzMuNDAuMjIiLCJuYW1lIjoiQWRtaW4iLCJvaWQiOiJmMTljY2Q5ZC1iMDZhLTQ0MGUtYmE3Ni05NWRjNGE4NDY3ZjEiLCJzY3AiOiJ1c2VyX2ltcGVyc29uYXRpb24iLCJzdWIiOiJMMHkzeUVwRGdRMHV2MG0wZWNKcFFIeVpZNHkzYTk3UUpnNGl6WlpzZmNVIiwidGlkIjoiMjBiYjZmYTAtNTQ5Mi00OTQzLTkyOTAtZGIxYmQxNTdiMWQxIiwidW5pcXVlX25hbWUiOiJhZG1pbkBidWNrZXRzLm9ubWljcm9zb2Z0LmNvbSIsInVwbiI6ImFkbWluQGJ1Y2tldHMub25taWNyb3NvZnQuY29tIiwidmVyIjoiMS4wIn0.NXpvslBXOpRNkmWQqj7XqVzloS3KoeSqPIlo-yUPGYkZ4bHPrAH6yD4sxMYz-19VIPFRDUMP-5h5hmaMKmuykjNUltz6wejQT9f4IeV6i7VtP3BlkfASZeAdKAiSjKh6ydV8PuJjV2HHh2WvxIKC3QQXzROwWAdeXLcgMTiKSBMULzFV8BsecgtI86_L2OISgbQZ2LgF137EPJoG7C4L1IO-10T1QIVl-Emy6AS0VKVxdzjCgiT-DFtccxME6n1CruoDy6mTKztcAkiFR1IlgY6Fvj-Y_goMQyxA5sCRebWnOQ5jeUKv4KNyNWOLJU_RiZYe0kj4IT3KDc9jjtHykg}
However, even though I get the token successfully and when I step through the debugger in VS, I see the token coming in, Authorization is failing. I get the following response:
{"Message":"Authorization has been denied for this request."}
The issue seems to be on the server side. When I override IsAuthorized to return true, it works.
In Azure, both applications are in the same directory with delegate permissions on.
Are there any logs I can check to see the exact denial reason? From there I can probably figure out what is going on.
I've turned on tracing, with:
// Web API configuration and services
var traceWriter = config.EnableSystemDiagnosticsTracing();
traceWriter.IsVerbose = true;
traceWriter.MinimumLevel = TraceLevel.Debug;
But it's not really telling me why I get the denial.
So it looks like the Azure AD Directory was somehow corrupted. I think maybe something went wrong with an original concept app that I created. For whatever reason, I cannot delete that app in the Azure portal, and thus can't delete the directory itself.
However, creating a brand new directory, unfortunately, seemed to fix it. I followed all of the same directions.
The only difference, is I added the following to the Web.config: <add key="owin:AppStartup" value="buckets_api.Startup"/>. Whereas, last time I added: <add key="owin:AutomaticAppStartup" value="false"/> to address an api startup issue I encountered with the new template. However, I don't believe that is what resolved the issue.
On a side note, I also noted that Chrome was unable to complete the token exchange in the popup browser without me re-launching the app as admin. I'm not sure if that was also related, as I was getting tokens before, so I don't think so. But I want to document what worked for me in its entirety, in case someone else encounters this in the future.
I have searched with the error which I found, Did not find any matching questions. So posting question. Appreciate if some one provides some pointers to proceed.
My goal is to access graph API in my desktop client. I have started using fiddler to experiment.
I have followed instructions provided at https://graph.microsoft.io/en-us/docs/authorization/app_only
registered Web APP using Application Registration portal using my Microsoft work account.
Provided 'Read all users' full profiles in Delegated permissions
Requested token and Used the token in Authorization header to call the graph API, Getting following error.
https://graph.microsoft.com/v1.0/users
119
{
"error": {
"code": "Authorization_IdentityNotFound",
"message": "The identity of the calling application could not be established.",
"innerError": {
"request-id": "4c3a7bc6-e3d8-453c-adc9-5a12fec3b0ee",
"date": "2016-05-11T00:46:23"
}
}
}
In my case, I got the same error after I used Quickstart (step 1), then configured automatically .net sample (step 2), then download the code sample (step 3) as shown in the picture below.
All steps was done successfully except step 3. Microsoft code generate, generate app id, and app secret in project successfully but the tenant was set to common in appsetting.json as seen in image below.
I thought it was a valid thing, but later found out that this caused the issue.
Solution:
I copied the Directory (tenant) ID, than replace common with tenant Id, and it worked. I am not sure if this is a bug in Azure Quickstart code generation.
This sample helped me understand the flows around app-only permissions.
https://blogs.msdn.microsoft.com/tsmatsuz/2016/10/07/application-permission-with-v2-endpoint-and-microsoft-graph/
Key takeaways for me:
Ensure you set up the app and specify the Application Permissions needed
Do have an admin grant the app permission to run against the relevant directory.
Get the relevant token:
Notice the scope in the request below is https://graph.microsoft.com/.default
POST https://login.microsoftonline.com/{tenantname}.onmicrosoft.com/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id=6abf3364-0a60-4603-8276-e9abb0d843d6&client_secret=JfgrNM9CcW...&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
Use the token to request the relevant graph resource, eg:
GET https://graph.microsoft.com/v1.0/users/demouser01#[tenant-name].onmicrosoft.com/drive/root/children
Accept: application/json
Authorization: Bearer eyJ0eXAiOi
For me, I had not given admin consent. This is a critical step. My mistake was in thinking that by granting the app permissions, this was giving admin consent, but its not the same thing.
From step 3 on this site: https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
I just pasted their call into a browser after filling in the tenant and client id, then signed in, and everything worked.
GET https://login.microsoftonline.com/{tenant}/adminconsent
?client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions
while generating new access token, make sure to replace tenant_id with the actual tenant id
https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
You'll find that this document is a better set of instructions for app-only apps.
There are two issues from your description that stand out.
You'll need to make the call with an X509 certificate for app-only flows.
You need to set up app scopes, rather than delegated scopes on your app - delegated scopes are for delegate flows rather than app-only flows.
I am relatively new to sharepoint app development.
Trying to create a on premises, High Trust provider hosted app with App + User Policy. I have followed below document to create a demo.
https://msdn.microsoft.com/library/office/fp179901(v=office.15)
http://blogs.msdn.com/b/russmax/archive/2014/06/23/part-1-intro-to-provider-hosted-apps-setup-the-infrastructure.aspx
I am facing few issue and I have some question to clarify, if anybody can help.
1) When I inspect my request in dev tools, it give me below form data.
SPAppToken:
SPSiteUrl:
SPSiteTitle:Home
SPSiteLogoUrl:
SPSiteLanguage:en-US
SPSiteCulture:en-US
SPRedirectMessage:EndpointAuthorityMatches
SPErrorCorrelationId:f069e89c-a0cd-20ce-a1c0-7db95db0334b
now when i inspect log with above corelation id, i am finding below errors.
-- Error when get token for app i:0i.t|ms.sp.ext|ab8ff461-bc75-4516-b475-b666ac47eec0#802f23e1-6e11-45d1-909c-07a7b0ab0ce2,
exception: Microsoft.SharePoint.SPException: The Azure Access Control
service is unavailable.
-- App token requested from appredirect.aspx for site: 92bfe5c4-7255-4b09-a89a-07e0e2b03622 but there was an error in
generating it. This may be a case when we do not need a token or when
the app principal was not properly set up.
-- Getting Error Message for Exception Microsoft.SharePoint.SPException: The Azure Access Control service is
unavailable.
a) I belive in high-trust app it shouldn't look for Azure ACS.
Is this error because of some incorrect configuration?
b) SPAppToken is null here. Is it null always in case of hig trust app?
2) Say I am logged into sharepoint with User A and trying to launch sharepoint app.
Within app code I want to get identity of logged in user(which is A). From below code i found that Request.LogonUserIdentity gives me identity of user A. But how can we sure that request is came from sharepoint only. I can copy the same app URL and paste in browser window and login with window credential and get the same result. So question is how can I verify if its legitimate request came from sharepoint only and no one is faking request.
ALos, when I inspect request in dev tools, its passing Authorization key in request header. What is use of this?
using (var clientContext = TokenHelper.GetS2SClientContextWithWindowsIdentity(hostWeb, Request.LogonUserIdentity)) { clientContext.Load(clientContext.Web, web => web.Title); clientContext.ExecuteQuery(); Response.Write(clientContext.Web.Title); }
3) Also what happens if my app doesnt support windows authentication and only support FBA, is there any way to get user identity in this case?
Any help would be much appreciated.
Thanks
For issue #1: It looks to me that the step # 9 (Configure authentication settings) in this section (from the first MSDN article you have referred) was missed, i.e., 'ACS Control service' was selected instead of 'Use a Certificate' option.
For issue #2: There are helper methods in TokenHelper.cs to validate the AccessToken from the HttpRequest, which identifies the validity of the request.