Has azure user ids changed their format? - azure

Good evening ppl at Microsoft!
I have an Mobile App Service at Microsoft Azure Located at South Central US named CeneamApp.
My backend is configured in a way so that my user can access only the data they capture, by making use of stable user ids.
so I had followed Adrian Hall book to create an a user id (https://adrianhall.github.io/develop-mobile-apps-with-csharp-and-azure/chapter2/authorization/)with the following format sid:{identifier}as described here: (https://github.com/Azure/azure-mobile-apps-net-server/wiki/Understanding-User-Ids).
now all my userid had been changed and my user cant access their previous data capture by them, because somehow the provider or issuer or whatever is going on, doesnt let me retrieve a user id as described by the github project team wiki (in the previous link). so instead i receive a new userid but seem to be a random number:
I'm adding screenshot of the essential part of my code at my backend project which i debugged so i could understand whats going on and my dummy database where you can see an stable_id save on it and the new suppose stable_ids the next two rows.
Debugged code retrieving apparently a new userid from FACEBOOK could you confirm about this change? because I havent been able to understand this change.
Dummy Database with the lost userid and the new ones from other accounts database screenshot
if anyone has information about this odd behavior i would appreciate to enlight me, because this line of code:
principal.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier)?.Value;
used to give me a user id with this format: "sid:{identifier}", now the format is a the screenshot shows.

Same situation here. About to go live and suddenly this. Interesting that only one Mobile App based in the UK datacenter is affected. Other 2 apps which are in production and plus another Web App are still fine.
The full solution can only be provided by Azure team. But I have a workaround and and idea:
1. Workaround.
In the base controller I read and parse the token from the header. The sid is in the subject of the token. The code is simple:
string _userSid;
public string UserSid
{
get
{
if (_userSid == null)
{
KeyValuePair<string, IEnumerable<string>> auth_header = Request.Headers.FirstOrDefault(h => h.Key.Equals("x-zumo-auth", StringComparison.InvariantCultureIgnoreCase));
string token = auth_header.Value.FirstOrDefault();
if (!string.IsNullOrEmpty(token))
{
var jwtToken = new JwtSecurityToken(token);
if (jwtToken != null)
{
_userSid = jwtToken.Subject;
}
}
}
return _userSid;
}
}
I use it instead of getting this from ClaimPrinciple as per manual. I checked the Mobile App Server code does a very similar thing.
2. Idea.
Azure Mobile Apps have this parameter:
MobileAppsManagement_EXTENSION_VERSION it is recommended to set to latest. I think if we downgraded it to previous version it would work until Microsoft finds and solves the problem. The only issue is that I do not know and could not find the version number. May be someone knows and can post here?

Related

Is it ok to store user's secrets in PropertiesService.getUserProperties()?

I am developing a Google Workspace Addon (standalone script) which will make REST API calls to external service and for that purpose it needs to provide an API key.
I request the API key input from a user and then store it in PropertiesService in the following way:
function onSheets(e) {
const userProperties = PropertiesService.getUserProperties();
const saved_api_key = userProperties.getProperty('api_key');
const api_key: string = saved_api_key ? saved_api_key : "";
const builder = CardService.newCardBuilder();
const apiKeyInput = CardService.newTextInput().setTitle('API Key')
.setFieldName('api_key')
.setHint('Enter your API Key')
.setValue(api_key);
const saveApiKey = CardService.newAction().setFunctionName('saveApiKeyFn');
const button = CardService.newTextButton().setText('Save').setOnClickAction(saveApiKey);
const optionsSection = CardService.newCardSection()
.addWidget(apiKeyInput)
.addWidget(button)
builder.addSection(optionsSection);
return builder.build();
}
function saveApiKeyFn(e) {
const api_key = e.formInput.api_key;
const userProperties = PropertiesService.getUserProperties();
userProperties.setProperty('api_key', api_key);
return CardService.newActionResponseBuilder()
.setNotification(CardService.newNotification()
.setText("API Key saved"))
.build();
}
Since userProperties are scoped to a current user it seems fine. But I have serveral problems with this solution:
Is this really safe? I mean it is stored in plain text so maybe there are ways to retrive it by other mailcious user?
The idea that by mistake I would use getScriptProperties() and thus leak one user's API key to all other users gives me nightmares. It is highly sensitive API key. It would cost a user tons of money if abused.
I read that some user's suggest https://cloud.google.com/secret-manager but I am not sure it's fit for this particular scenario. It would require one more external API call. It is not free. And lastly from what I underestand I would be sort of an owner of all of these secrets since I will be the owner of the Google Cloud project in which this API runs.
All I want is for the users to be able to store their keys safely, so that no one else including me can never access them.
What would you suggest? Thanks!
Is this really safe? I mean it is stored in plain text so maybe there are ways to retrive it by other mailcious user?
Security is relative. There's no such thing as absolute secrecy. Here are some attack scenarios:
Google employees or support may have unrestricted access
If a particular user installed a trigger, that trigger runs as that user and other users, if they can trigger the script and have edit access to the script, will be able to access the keys. A common scenario would be a installed edit trigger in a sheet. User B can access user A, if he can make a edit as well as edit the script. As mentioned in the comments by doubleunary, this is less of a problem in a published add on, as the source code is not accessible or editable.
Encrypting keys is a possibility. But, where would you store the decrypting key? You could ask every user to have a custom password for decrypting the key. But how many times are you going to make a API call? Would they have to enter the key every time? At what point does convenience overtake the need for secrecy?
The idea that by mistake I would use getScriptProperties() and thus leak one user's API key to all other users gives me nightmares. It is highly sensitive API key. It would cost a user tons of money if abused.
That is a possibility, but one that's easily avoidable by careful code review by yourself and your peers.
Those are the scenarios I could think of.
Related:
Securely Storing API Secrets used in Google Apps Script - Published Library

Microsoft Graph Toolkit no have result match for some of the Azure AD users

Recently found some weird case when trying to use mgt people picker to search my tenancy Azure AD user with below tag.
<mgt-people-picker type="any" transitive-search="true"></mgt-people-picker>
Following is summary of info used:
a) Single tenant, does not allowed personal Microsoft account.
b) All API permission requires are granted in application and in app registration.
"User.Read",
"User.ReadBasic.All",
"People.Read",
"People.Read.All",
"Contacts.Read",
"Directory.Read.All",
"User.Read.All",
"Member.Read.Hidden",
"Domain.Read.All",
"User.ReadWrite.All",
"APIConnectors.Read.All"
c) admin consent is given.
d) I'm using api/proxy to connect.
Somehow, I only can found some of the users, some of the users was not found. From mgt people picker UI, i just enter three to four character or full email address to search it but the return result is not correct. And i found that when it return incorrect result it have error on retrieving photo values. Sample error as below
I have tried to use Graph Explorer to test it. Apparently, it is also cannot return the correct result match. But only using following query test, it is able to return the correct user to me. but when using mgt people picker, it cannot. Any advise are much appreciated. I'm just guessing it is something related to Azure AD user profile settings or it is something related to my application configuration or something else. Hope can some clues for me to resolve this issue. For your information, I have all admin rights to access all resources in my organization Azure environment. If there is information that I have missing, please do let me know, I will edit the post to include it.
https://graph.microsoft.com/v1.0/users/<email address>
Test result by using Graph Explorer as reference, which only return partial only (majority not return):
In order to fix this issue that /me/people endpoint does not able to show relevant search result. I have did following code changes in my api/proxy to intercepting the process before sending the request to MS Graph as below. This maybe is a workaround to make it works. In future, if there is better option, I will make a change on it.
Hope this can help someone who faced the same issue as I'm.
var url = $"{GetBaseUrlWithoutVersion(_graphClient)}/{all}{qs.ToUriComponent()}";
if(url.StartsWith("https://graph.microsoft.com/v1.0/me/people?$search="))
{
string url2 = #"https://graph.microsoft.com/v1.0/users?$count=true&$filter=startsWith(displayname,%27{0}%27) or startsWith(userPrincipalName,%27{1}%27)";
Uri searchUri = new Uri(url);
string paramSearch = HttpUtility.ParseQueryString(searchUri.Query).Get("$search").Replace('"', ' ').Trim();
//we do not want to search for any email address, just for custom search only
if(!string.IsNullOrEmpty(paramSearch) && !paramSearch.Contains("#xxx"))
{
url = string.Format(url2, paramSearch, paramSearch);
}
}

Is there an anonymous ID in Actions on Google with Dialogflow?

Is there an anonymous ID in Actions on Google with Dialogflow that I can access using DialogFlow in Node.js?
I don't need to know the Google account of who is using the Action, but I do want to have a unique identifier so that the Action can know when they come back.
Google no longer provides one for you. You will have to generate one when a new user interacts with your webhook and store the generated id in their user storage object.
To identify a new user your just check if they already have an id in their user storage object. For generating the id you can use an library like uuid. https://www.npmjs.com/package/uuid
Uuidv4 is probably the one that you need if you just need a unique id for simple identifications
The original idea from Google was to leverage a field called userStorage, but this feature seems to be borked ATM.
userStorage Documentation:
https://developers.google.com/actions/assistant/save-data
Reddit thread regarding issues:
https://www.reddit.com/r/GoogleAssistantDev/comments/d88z7e/userstorage_saga_continued/
Unless something has changed (I haven't checked on userStorage since I've been busy writing a fix around it) you may be out of luck without Account Linking. Feel free to try userStorage and keep me honest as they may have remedied the situation internally.
Alternatively, if all you need is an identifier or session for a single conversation you can leverage the conversationId which will be unique until the conversation ends.
I've found a possible option...
(When working in DialogFlow in Node.js, most code is in a handler and the parameter is usually called conv. The following assumes that it is inside such a handler.)
On every single call, check for an 'existing' id in the session data and the user storage:
var id = conv.data.MyId || conv.user.storage.MyId || '';
if(!id) {
id = /* make a new Id for this user... a GUID or some other unique id */
conv.user.storage.MyId = id;
}
Once I get the Id from storage or make a new one, it is critical to reassign it to conv.data, since conv.user.storage seems to be reliably provided only on the first call!
// IMPORTANT
conv.data.MyId = id;
/* use the Id as needed */
My code looks up the Id in a firebase database to get details from their last visit.
This seems to be working, but may not be reliable.

Authenticating a REST request in an Excel Add-in

I am trying to develop an add-in for Excel with the goal that it will create calendar events based on data inside a spreadsheet.
I can do almost everything that I want except use the REST API to build the events in the calendar and I can't exactly figure out where I went wrong.
I have followed the documentation suggested by #MarcLaFleur.
I can build and run the application no problem, but when I click on the 'Get my files from OneDrive' button, I get the following:
Code: 5001
Message: An internal error has occurred.
name: Internal Error
This is coming from the program.js file in the public directory somewhere in the else clause of this function.
function getDataWithoutAuthChallenge() {
Office.context.auth.getAccessTokenAsync({ forceConsent: false },
function (result) {
if (result.status === "succeeded") {
// TODO1: Use the access token to get Microsoft Graph data.
accessToken = result.value;
getData("/api/onedriveitems", accessToken);
}
else {
console.log("Code: " + result.error.code);
console.log("Message: " + result.error.message);
console.log("name: " + result.error.name);
document.getElementById("getGraphAccessTokenButton").disabled = true;
}
});
}
Here are the scopes in my manifest.xml
...
<WebApplicationInfo>
<Id>c931b396-7 ... </Id>
<Resource>api://localhost:3000/c931b396-7 ... </Resource>
<Scopes>
<Scope>files.read.all</Scope>
<Scope>profile</Scope>
</Scopes>
</WebApplicationInfo>
</VersionOverrides>
And here are the scopes on apps.dev.microsoft.com:
If you can shed any light for me, it would really help me out.
5001 can be caused by not requesting profile scope. You need to request the profile scope in addition to Calendar.ReadWrite. You do this when you register the app, as well as in the manifest. For more information, see the articles that Marc LaFleur linked to.
The 5001 error often suggests something fundamentally wrong with the add-in API in Office. For example, your Office app doesn't support the API, the manifest is incorrect, or the version of office.js doesn't work with it. Since you're using the sample, two things come to mind:
You aren't running the latest Insiders
build
The wrong manifest is getting loaded (this sometimes happens if you're
on Windows and using a version of Visual Studio 2017 that has old
schema files, so you have to do a post-build clean up of the debug
Manifest XML)
Your manifest and Azure registration look mostly good, though Rick's comment about Scopes is relevant. profile must work with openid as a pair (profile alone won't work; openid alone won't work), and as discussed you need this consented. As the developer, you can try consenting for yourself at the protocol level. You’ll want to update the client_id, redirect_uri, and scope query parameters as appropriate, and add &prompt=consent.
To answer a later question, Excel and Mail add-ins are different, and my answer only applies to Excel. For Outlook there's a different sample.
The documentation can be found at Enable single sign-on for Office Add-ins. There is also walk though for both ASP.NET and Node.js as well documentation on Troubleshooting.
There are a number of things that could be going wrong here but without knowing more about your registration it is difficult to determine. That said, here are a couple of common mistakes:
You'll need to make sure you receive Admin Consent for the tenant you're developing against. This is only a dev requirement and won't be required once your publish to the Store.
Make sure you've pre-authorized the correct applications. You'll need pre-authorizations for:
d3590ed6-52b3-4102-aeff-aad2292ab01c (Microsoft Office)
57fb890c-0dab-4253-a5e0-7188c88b2bb4 (Office Online)
bc59ab01-8403-45c6-8796-ac3ef710b3e3 (Office Online)
Make sure the scopes you're defining in your manifest.xml are reflected in the app registration at apps.dev.microsoft.com.
If you make changes to your permission scopes, you need to make sure you repeat the Admin Consent process. When you receive consent, they are consenting to the scopes that were registered at the time of consent rather than the App ID itself.

How to get Correct Subscription key for microsoft Face API for Nodejs?

I am using project-oxford inorder to use Microsoft API with nodejs. I am keep on getting error that ,
{"code":"Unspecified","message":"Access denied due to invalid subscription key. Make sure you are subscribed to an API you are trying to call and provide the right key."}
{"code":"Unspecified","message":"Access denied due to invalid subscription key. Make sure you are subscribed to an API you are trying to call and provide the right key."}
I have also regenerated my subscription key for my microsoft account and tried to access the code. Still I am getting the same issue. Spent lot of time to find my bug fixed, But I couldn't able to solve.
This is my nodejs code,
var oxford = require('project-oxford'),
client = new oxford.Client({SubscriptionKey});
client.video.trackFace({
url: path,
}).then(function (response) {
console.log('Response ' + JSON.stringify(response));
},function (error) {
console.log("Error"+JSON.stringify(error));
});
Please guide me to fix this issue.Thanks in Advance!!
You can obtain a key via the Microsoft Cognitive Services web site.
From what I can gather, you are using https://github.com/felixrieseberg/project-oxford, is that correct?
It seems that project requires one subscription key, which then is used for all API calls. I can't see any reasons it shouldn't work, if you have signed up for the subscription key for the Video API.
Given that the library you're using is built the way it is, it seems to me that you will only be able to use one API at the time, doing it the way you're doing it now.
Am I making any sense?
Actually Now I am getting output for the same code excepting that I was not able use the localhost URL [i.e., http://localhost:3000/uploads/img.jpg]. While using the url of webserver only then I am getting the output!!
Can anyone explain me the complete fact. i.e., I need to know whether I cannot use the localhost url. If I use so I am getting the error which I have posted in this question.

Resources