Incorrect redirect URL address while working with Microsoft Graph API - azure

I am working on the Microsoft Graph API to implement email functionality.
The source code is taken from the official microsoftgraph GitHub account.
I am following the steps mentioned here.
At this step I am supposed to get a code in the redirect URL address.
I am supposed to get the URL below, as mentioned in the steps.
https://login.microsoftonline.com/common/oauth2/nativeclient?code={IAQABAAIAAABHh4kmS_aKT5XrjzxRAtHz5S...p7OoAFPmGPqIq-1_bMCAA}&session_state=dd64ce71-4424-494b-8818-be9a99ca0798
Instead of that, I am getting the URL below:
https://login.microsoftonline.com/a1f1e214-xxxx-xxxx-xxxxxx-xxxxxxxx59641/oauth2/v2.0/authorize?response_type=code&client_id=xxxxxxx-1xxxx-xxxx-ad2a-d80d3f51638a&redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient&scope=Files.ReadWrite%20openid%20User.Read%20Mail.Send%20Mail.ReadWrite
Note: The above step is highlighted in the documentation.
Is this because I don't have the box checked next to oauth2/nativeclient, which is mentioned at Step 4 Point 8 in the documentation?
Any guidance will be a great help.

The command line interface opens a browser window on the Azure Active
Directory authorization endpoint. Enter your user name and password to
authenticate. When you are authenticated, you're taken to an
authorization window for the sample app. Review and accept the scopes
requested by the sample app. Click the Ok button on the authorization
window.
When you get that URL, you should be asked to log in. After that, you will get the code.
The steps:
Register an app on Azure portal->get the client id-> go to Constants.java class and replace the client_id with yours.
Run the PublicClient class.
Log in with your account, then you will get the code.

Related

Enabling AD Authentication on Azure Functions - Web APIs - how to acquire tokens to call APIs?

I have a demo / bogus Azure function app that by default is open to anyone. It has a hello world function. It's using "AuthorizationLevel.Anonymous".
So far so good - it's wide open and anyone can call it.
Now I need to ensure that only users within our organization can consume this API. So I followed this tutorial: https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service
When I try to call my demo function from a browser I get a 401 unauthorized error which is a good thing I guess - that's what I requested when unauthorized users try to hit my API.
From what I've read, in order to call this API now, I have to pass it a token. But this is where it's not clear to me how / where I get this token.
If I create the new application registration and change the "Unauthenticated requests" from the 401 to 302 option, it correctly redirects me to the Microsoft Login prompt when I try to call my API. I enter my creds and then the function works.
The issue is that the callers of my API will be doing so programmatically and not manually by a person.
So far I've checked all the related links listed in that tutorial but I haven't found what I'm looking for. Or maybe I missed it.
Any tips would be appreciated. I think I just need to read the right article / doc that will help me understand the big picture for this specific use case.
Thanks.
EDIT 1
In case it helps, here's a screen shot of the output from my integration assistant wizard. I selected "web api" as the type of application I'm trying to build:
From the documentation you posted:
"In the App Service authentication settings section, leave Authentication set to Require authentication and Unauthenticated requests set to HTTP 302 Found redirect: recommended for websites."
If that's set then there's something wrong with the website.

Not able to see anything in the https://jwt.ms when set as a reply url in Azure SignupSignin user workflow

I am trying Azure AD B2C based on articles and videos. I followed the steps and I have configured the properties for user flows as well. When I click on Run user flow, it opens up the sign up/sign in dialog, and I add a user with the details. Once the user is added, it goes to my reply URL https://jwt.ms.
Based on the url in the browser, I felt it should have worked. But for some reason, the boxes are shown empty.
The url that I see is...
https://jwt.ms/?code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMCIsInppcCI6IkRlZmxhdGUiLCJzZXIiOiIxLjAifQ..EiDn2BjcA8xTRac1.2pNAFLdcbOupozfuKIC8T9VXmL4zz8iEisf6PsNyxDYzVJcl2vfwwrtMpqJvsC-xeSPyrHUgVpdblKiVfILllrOsWj7MJbTX0QNlzPEAItTGoRow3A2F4FWBR7Y28PQcxeZwa05SMpKhoNutdmnRq-usM7VMc0eYXjJ2JXTSc1piwYf14Na5We9arijagkmVvHFBDLDnjaVBUixEF5_dTGWAjnwAXRIII-plBZBoFZCZ2XtdSLu5LYWSJXBxuA5lqDaVN3OHLOP92VZkNRgB97UPIO3aSe9s44XEEGe5COpTWhzxoOXy53ydnCG8xZwYFKA_J54hGdKLGZrE-BYOW0sU7Dcevq1iwaBqJ3K3CwM6s9o6zCwsAf2pUlAuXYfwk8kA9SKi0fmNiUsSskWhUgiJTPSlqq_woWPGgX3JZpiHTDNbOCA5VUgToEYmDgReOb4M-MeCSCcKWb315vP3UPgzE1LpRet1AFMGqcNznUd8jkP39uaRdLDDP5VAZy7pmeN-GPQJYCcyfdJCRJc1yPoiRYM4SdBUecQTioRkZ95l0y1ANZ3yYSB6eAV_B83KL4EdSIM.e3NVLoGCNXgfloDFbzZimg
Could someone help me understand why the token is not being shown in the browser?
Please note: The user is created with no issues. It's just the reply of the token that I see as the issue.
Found the cause of the issue.
I had to enable the Implicit grant for both Access tokens and ID Tokens for the app I created.
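Both threads above come down to reading which stage of the OAuth 2.0 flow a browser URL represents. The following is an added example, not code from either poster or from Microsoft; the function name is hypothetical and the sample URLs are constructed, with placeholder tenant, client id, code and token values.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample URLs; every identifier and credential is a placeholder.
AUTHORIZE_URL = ("https://login.microsoftonline.com/TENANT-PLACEHOLDER/oauth2/v2.0/authorize"
                 "?response_type=code&client_id=CLIENT-PLACEHOLDER"
                 "&redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient"
                 "&scope=User.Read")
CODE_REDIRECT = ("https://login.microsoftonline.com/common/oauth2/nativeclient"
                 "?code=PLACEHOLDER_CODE&session_state=PLACEHOLDER_STATE")
JWT_MS_CODE = "https://jwt.ms/?code=PLACEHOLDER_CODE"
JWT_MS_TOKEN = "https://jwt.ms/#id_token=aaa.bbb.ccc"
JWT_MS_ERROR = "https://jwt.ms/#error=access_denied&error_description=cancelled"


def classify_oauth_url(url):
    """Return (stage, detail) for a URL seen in the browser during an OAuth 2.0 flow."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    fragment = parse_qs(parts.fragment)

    # An error response can arrive in either the query string or the fragment.
    for params in (query, fragment):
        if "error" in params:
            return "error_response", params["error"][0]

    # Authorization request: the browser is still at the identity provider
    # (sign-in or consent page) and nothing has been issued yet.
    if parts.path.rstrip("/").endswith("/authorize") and "response_type" in query:
        return "authorization_request", query["response_type"][0]

    # Implicit or hybrid response: tokens are delivered in the URL fragment.
    tokens = [name for name in ("id_token", "access_token") if name in fragment]
    if tokens:
        return "token_response", "+".join(tokens)

    # Authorization code response: an opaque code that still has to be
    # redeemed at the token endpoint before any token exists.
    if "code" in query:
        return "code_response", "query"
    if "code" in fragment:
        return "code_response", "fragment"

    return "unknown", ""
```

Only the `token_response` form carries a token that a decoder page can display; a `code` must first be exchanged at the token endpoint.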

API returning a USER_LACKS_MEMBERSHIP error

I've built an API-based integration with DocuSign (using their PHP SDK), and am now at the point of deploying to the production server. I have reconfigured everything with the production integration key, public/private key pair, user and account IDs, endpoint URL, etc. replacing the demo ones. The OAuth portion of the conversation is working fine, and I get a valid token back. When I then try to send an envelope, I hit a USER_LACKS_MEMBERSHIP error, and cannot figure out why. As far as I can see, everything about the API user is the same between the demo and production systems.
I've authorized the application and made sure that it's in the list of "Applications with Access to DocuSign".
I have enabled logging, but the only things that are showing up in there appear to be from my own navigation in the site, nothing related to the API calls at all.
Most of the documentation that I can find on this simply repeats the generic error text: "The UserID does not have a valid membership in this Account." If I go to the account admin and look at the list of users, the one I'm expecting is right there, with DS Admin permission; not sure what else might be done to give them "membership". One mentioned not using SendOnBehalfOf, but I'm not, so I can't really remove that.
All the code is identical, just configuration that's changed. Not sure where else to look. Anybody have any suggestions for what to try?
FURTHER INFORMATION
I've tried the getUserInfo call in the SDK, passing the same access token I use for the other call. It returns successfully, showing that it is for the user I'm expecting, in the one group we have, on the production server. And yet, when I enable logging again, as this same user, there is still zero record in the resulting logs of any of this API activity.
Attempts to do things like list templates with the SDK fail with the same USER_LACKS_MEMBERSHIP error.
Using the Diagnostics API (again, through the SDK) to check logging status shows that it is NOT enabled (despite my enabling it in the UI), but can be enabled with a separate call. Subsequently attempting to use listRequestLogs in the SDK generates a 404 error, though the URL matches what's listed in the API documentation (/v2/diagnostics/request_logs). Not sure whether these findings confirm that I'm somehow logging onto the API and the UI with different users (even though the user name and internal ID match), or that there's some problem with the logging facility in DocuSign.
The problem turns out to be the URL I was using for API calls. I switched from demo.docusign.net in testing to www.docusign.net in live, but being in Canada we need to use ca.docusign.net. For those who find this later, you can get the correct base path to use from the oauth/userinfo endpoint, or the getUserInfo() call through the SDK (PHP SDK, at least; don't know what the analogous call would be in others).
There are 3 things to consider:
1. API calls are made to an endpoint (URL) that contains the account # (either GUID or short form) in the url. Take a note of that number in the url.
2. Auth Token is a token for a specific user in a specific account.
3. UserId for the specific call. That is a specific user in the account.
If the user is not in the account, or there's a mismatch between #1 and #2 - you'll get this error. You must work with a single account and have it in all places as well as the user must be a member of this account.
Re:
I have enabled logging, but the only things that are showing up in there appear to be from my own navigation in the site, nothing related to the API calls at all.
Since the request logging is not showing your API activity, the problem is that the person you've logged in as on the web tool is not the same as the person (user id) that you've logged in as on your application.
Solution for OAuth Authorization Code authentication: double check that when your app is logging into DocuSign, you're using the account.docusign.com authentication server, not the account-d.docusign.com auth server. (Look at the URL in your browser during the login sequence.)
Solution for OAuth JWT authentication: re-check that the impersonated user id is from the production system and you're using the right authentication server
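The base path lookup from oauth/userinfo mentioned in this thread can be turned into a startup check. This is an added example, not DocuSign SDK code or the poster's code; the function names are hypothetical, the userinfo document is constructed with placeholder ids, and it assumes the response lists each account with `account_id`, `is_default` and `base_uri` fields and that REST calls go to `base_uri` plus `/restapi`.

```python
from urllib.parse import urlsplit

# Constructed sample of an oauth/userinfo response; all ids are placeholders.
SAMPLE_USERINFO = {
    "sub": "00000000-0000-0000-0000-0000000000aa",
    "accounts": [
        {"account_id": "11111111-1111-1111-1111-111111111111",
         "is_default": False, "account_name": "Example Co (NA)",
         "base_uri": "https://www.docusign.net"},
        {"account_id": "22222222-2222-2222-2222-222222222222",
         "is_default": True, "account_name": "Example Co (CA)",
         "base_uri": "https://ca.docusign.net"},
    ],
}


def resolve_base_path(userinfo, account_id=None):
    """Return the REST base path for one account the token's user belongs to."""
    accounts = userinfo.get("accounts", [])
    if account_id is not None:
        matches = [a for a in accounts if a["account_id"] == account_id]
    else:
        matches = [a for a in accounts if a.get("is_default")]
    if not matches:
        # The token's user has no membership in the requested account.
        raise LookupError("user is not a member of the requested account")
    return matches[0]["base_uri"].rstrip("/") + "/restapi"


def check_configured_host(userinfo, configured_url, account_id=None):
    """Compare the host the application is configured with against userinfo."""
    expected = resolve_base_path(userinfo, account_id)
    same_host = urlsplit(configured_url).hostname == urlsplit(expected).hostname
    return same_host, expected


if __name__ == "__main__":
    ok, expected = check_configured_host(SAMPLE_USERINFO,
                                         "https://www.docusign.net/restapi")
    print("configured host matches:", ok, "| expected base path:", expected)
```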

How to get instagram access token for app in sandbox mode

Currently when using instagram access token by the url "https://www.instagram.com/oauth/authorize/?client_id=[id]&redirect_uri=http://localhost:3000&response_type=token&scope=public_content" I have such an error
"This request requires scope=public_content, but this access token is not authorized with this scope. The user must re-authorize your application with scope=public_content to be granted this permissions."
I observed the internet and found that scope query part should be added to the end of API URL. That is how I constructed my url. But as you see it resulted in error.
I tried to find out the reason on app permissions page. There is a button "Start submission". I clicked it and got the list of radio buttons. But when I clicked on " I want to display my Instagram posts on my website." then I got:
You do not need to submit for review for this use case. If you are a developer and you want to display Instagram content on your website, then you do not need to submit your app for review. By using a client in sandbox mode, you can still access the last 20 media of any sandbox user that grants you permission.
So I finally got lost. Looks like the solution is pretty simple because in instafeed.js plugin no more information is provided. But I can not resolve it by myself.
Changing your scope to basic should work.
The link has 'public_content'
https://www.instagram.com/oauth/authorize/?client_id=&redirect_uri=http://localhost:5000&response_type=token&scope=basic

Null response for name and email entities

I tried inbuilt variable "user" methods, $user.name and $user.email in text response of API.AI, to greet user and show email-Id. Is there any inbuilt variable name user?
Example(User sign-up with Gmail),
Response-Code, I had tried in API.AI's text-response dialog box:
Hi, $user.firstname
This is your $user.email
Expected:
User: Hi!
My-Assistant-App: Hi, Varun.
User: Show my email-id
My-Assistant-App: This is your ******#gmail.com
Output, I am getting in the My-Assistant-App:
User: Hi!
My-Assistant-app: Hi, $user.firstname
User: Show my email-id
My-Assistant-App: This is your $user.email
There is no built in parameter user.
Even if there was such a built-in parameter, it wouldn't expose the email address automatically (and probably not the name, either).
Since you are using Actions on Google, you can use it to get user information such as the user's name, but this will require using Fulfillment through a webservice. See How to fetch device location using API AI? for more information about this (name and location are two things you can request permission for).
The email address, however, is not something you can request in this way. To do this, you'll probably have to go through account linking to link it to a Google identity. See How to authenticate user with just a Google account on Actions on Google? for further info as well.
There is no built-in variable 'user'. If you want such functionality, then you need to enable account linking. Use the access_token returned and use it to fetch name, email or anything.
I am able to make it work after a long time.
We have to enable the webhook first and we can see how to enable the webhook in the dialog flow fulfillment docs
If we are going to use Google Assistant, then we have to enable the Google Assistant Integration in the integrations first.
Then follow the steps mentioned below for the Account Linking in actions on google:-
Go to Google Cloud console -> APIs and Services -> Credentials -> OAuth 2.0 client IDs -> Web client -> Note the client ID, client secret from there
-> Download JSON - from the JSON note down the project id, auth_uri, token_uri
-> Authorised Redirect URIs -> Whitelist our app's URL -> in this URL the fixed part is https://oauth-redirect.googleusercontent.com/r/ and append the project id to the URL
-> Save the changes
Actions on Google -> Account linking setup
1. Grant type = Authorisation code
2. Client info
   1. Fill up client id, client secret, auth_uri, token_uri
   2. Enter the auth_uri as https://www.googleapis.com/auth and token_uri as https://www.googleapis.com/token
3. Save and run
4. It will show an error while running on the Google Assistant, but don't worry
5. Come back to the account linking section in the assistant settings and enter auth_uri as https://accounts.google.com/o/oauth2/auth and token_uri as https://accounts.google.com/o/oauth2/token
6. Put the scopes as https://www.googleapis.com/auth/userinfo.profile and https://www.googleapis.com/auth/userinfo.email and we are good to go.
7. Save the changes.
In the hosting server logs, we can see the access token value and through access token, we can get the details regarding the email address.
Append the access token to this link "https://www.googleapis.com/oauth2/v1/userinfo?access_token=" and we can get the required details in the resulting json page.
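import requests
# req is the parsed JSON body of the webhook request
accessToken = req.get("originalRequest").get("data").get("user").get("accessToken")
link = "https://www.googleapis.com/oauth2/v1/userinfo?access_token=" + accessToken
profile = requests.get(link).json()  # fetch the profile once and reuse it
print("Email Id= " + profile["email"])
print("Name= " + profile["name"])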
Since the original question was asked, there are now ways to get this information - with some caveats.
You can now use Google Sign In for Assistant to get profile information such as their Google ID and Name. If they have permitted their email address in the profile, this is included as well.
If you are using the actions-on-google library, this will be available in your Intent Handler in conv.user.profile.payload. If that isn't set, you can request it by using the Sign-In Helper to request it.
If you are using multivocal, you can set User/IsAuthenticated as a requirement and the information will be available in the environment under User/Profile.
In either case, the user will have to grant you permission to get the information the first time. After that, this information should be available for all subsequent requests.
