I'm trying to create a script which connects to OneDrive (consumer) in order to get some files.
However, with consumer and enterprise and all those different Azure AD things, I'm lost.
Is there a simple explanation of how to get a token to access OneDrive in a daemon app?
To interact with OneDrive for a personal account, we can use the Microsoft Graph by acquiring the token from the Azure AD v2.0 endpoint.
However, this endpoint doesn't support such a scenario. The client credentials flow for the Azure AD v2.0 endpoint only works for organizational accounts.
As a workaround, you may consider getting the access token and refresh token via the code flow and then using the refresh token to renew the access token. You need to acquire a new refresh token before it expires, and based on the documentation the lifetime of a refresh token for a personal account is up to 1 year (refer here).
To acquire the access token and refresh token for a OneDrive personal account, you can refer to the code flow in this document.
I am using Azure AD B2C as my authentication.
We are currently building an SPA and have API Management as a backend API.
And I have access to API Management with an access token issued by B2C.
Here, we want to use user information in the SPA, so we are considering using the MsGraph API.
At this time, we also need an access token to access MsGraph. Can we use the same access token for MsGraph and APIM?
Can I use the same access token for MsGraph and APIM, or do I need to save both MsGraph and APIM access tokens?
If each access token is required, is a refresh token also required for each API?
You will need to get multiple tokens in AAD to access different resources. You can use a refresh token from one resource to request an access token for a second resource. I am guessing that you want to minimize access token refresh for multiple resources, so use the refresh token from one resource to get new access tokens from both.
https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens
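The renewal step from both answers above (a refresh token exchanged at the v2.0 token endpoint, with the `scope` parameter selecting which resource the new access token is for), as an added example that is not from either answer. It assumes a constructed token response and placeholder client values; no network call is made.

```python
"""Refresh-token renewal against the Azure AD v2.0 token endpoint (added example)."""
import json
import time
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"


def build_refresh_request(client_id, refresh_token, scope, client_secret=None):
    """Form body for grant_type=refresh_token. One request targets one resource,
    so to hold tokens for Graph and for your own API you send this twice with
    the same refresh token and a different scope, not one request for both."""
    body = {
        "client_id": client_id,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": scope,
    }
    if client_secret:  # confidential (daemon) clients must also prove their identity
        body["client_secret"] = client_secret
    return urlencode(body)


def parse_token_response(raw_json, now=None):
    """Returns (access_token, expires_at, refresh_token). The endpoint may return a
    rotated refresh token; persist the newest one or renewal stops once the old
    one reaches the end of its lifetime."""
    now = time.time() if now is None else now
    data = json.loads(raw_json)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    return data["access_token"], now + int(data["expires_in"]), data.get("refresh_token")


def needs_renewal(expires_at, now, skew=300):
    """Renew ahead of expiry so an in-flight request never carries a dead token."""
    return now >= expires_at - skew


# Constructed sample (not a real token response) so the parser runs offline.
SAMPLE_RESPONSE = json.dumps({
    "token_type": "Bearer", "expires_in": 3600, "scope": "Files.Read",
    "access_token": "eyJ.constructed.access", "refresh_token": "0.constructed.refresh"})

if __name__ == "__main__":
    print(build_refresh_request("<client-id>", "0.constructed.refresh",
                                "offline_access https://graph.microsoft.com/Files.Read"))
    tok, exp, rt = parse_token_response(SAMPLE_RESPONSE, now=0)
    print(needs_renewal(exp, now=3400))
```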
I have a secured student API which I am able to access via the OAuth 2.0 client credentials flow, which creates an access token using an IConfidentialClientApplication app and accesses the secured app.
Now I need to access the secured API using OAuth 2.0 Resource Owner Password Credentials. I have mostly used the code from the Microsoft GitHub page.
https://github.com/azure-samples/active-directory-dotnetcore-console-up-v2
I am able to sign in using username and password, and able to generate an access token as well. But this access token is not able to access my secured student API. Though the sample code is able to access the Microsoft Graph API, it is not able to access my secured API.
I tried to allow the public client flow for my secured student API as well and decrypted both access tokens to see the difference. There is a lot of difference. What I noticed is that the ROPC flow uses IPublicClientApplication, where I am not able to give the ResourceId while acquiring the token. So "aud" is different in the ROPC token, and other fields as well.
Can anyone tell where I may be going wrong or how to fix the above scenario?
I think you may need to perform these 2 steps to get a token valid for your own API:
Expose an API scope in your Azure AD API Configuration
Add an API permission in your Azure AD Password Client Configuration
See step 6 of my Azure AD Blog Post for how this looks. The article also explains some token differences.
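The check the question above describes by hand (comparing the `aud` claim of the ROPC token with the API's identity) plus the request that fixes it (requesting the exposed API scope instead of a Graph scope), as an added example that is not from the answer or the linked sample. The client id, App ID URI and scope name are placeholders, and the tokens are constructed unsigned JWTs for the offline demo.

```python
"""Checking which resource an access token was issued for (added example)."""
import base64
import json
from urllib.parse import urlencode


def build_ropc_request(client_id, username, password, scope):
    """ROPC body for the v2.0 token endpoint. The scope decides the audience: a Graph
    scope yields aud=Graph, while an exposed scope such as api://<api-id>/Student.Read
    yields aud = the API's client id or App ID URI, which is what the API checks."""
    return urlencode({"client_id": client_id, "grant_type": "password",
                      "username": username, "password": password, "scope": scope})


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt):
    """Unverified claim view for diagnostics only; the API still validates the
    signature, issuer and expiry before trusting any claim."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(jwt, api_client_id, app_id_uri):
    """True when the token was minted for our API; a Graph-audience token here
    means the client asked for the wrong scope and the API will reject it."""
    return token_claims(jwt).get("aud") in (api_client_id, app_id_uri)


def _constructed_jwt(claims):
    # Constructed, unsigned token for the offline demo (never accept alg=none in an API).
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


API_CLIENT_ID = "00000000-0000-0000-0000-00000000abcd"  # placeholder, not a real app
APP_ID_URI = f"api://{API_CLIENT_ID}"
GRAPH_TOKEN = _constructed_jwt({"aud": "https://graph.microsoft.com", "scp": "User.Read"})
API_TOKEN = _constructed_jwt({"aud": API_CLIENT_ID, "scp": "Student.Read"})

if __name__ == "__main__":
    print(build_ropc_request("<client-id>", "user@example.com", "<password>",
                             f"{APP_ID_URI}/Student.Read"))
    print(audience_matches(GRAPH_TOKEN, API_CLIENT_ID, APP_ID_URI))  # False
    print(audience_matches(API_TOKEN, API_CLIENT_ID, APP_ID_URI))    # True
```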
I want to create an Azure Web Application that can authenticate an external/internal (from any Organization) user upon opening the Web Application link through Azure AD Credentials and acquire its Access token in return.
I want to use that Access Token to programmatically create an application registration in User's tenant.
First, you need to register an application and set it as a multi-tenant application, then use the auth code flow to authenticate the user and obtain an access token.
Next, you need to use the access token to call the MS graph api to create an application, because you are using the auth code flow to obtain the token, so you need to grant delegation permissions to the application.
see: sample.
We are providing a web API that is protected with Azure OAuth 2.0.
Our affiliates will use this API and they each will get a clientid/client secret.
1) In the linked scenario, why would there be a need for a refresh token? If the token expires, their (web) application would just ask for a new token using their clientid and client secret?
2) We have 100+ affiliates. Almost all of them will have the same permissions, but we still want to give everyone a unique clientid/secret. How do we practically do this? Is doing it manually in the Azure web portal the only way?
Azure Oauth - how to change token expiration time?
1) In the linked scenario, why would there be a need for a refresh token? If the token expires, their (web) application would just ask for a new token using their clientid and client secret?
Refresh tokens are used if the client makes a delegated call to your API.
In this case the token will contain the currently logged in user's info as well.
The client can use the refresh token to get a new access token for your API for a specific user when the access token expires (instead of redirecting them to login again to get an authorization code etc.)
If they call your API purely using client credentials (id + secret) then there will not be a refresh token.
2) We have 100+ affiliates. Almost all of them will have the same permissions, but we still want to give everyone a unique clientid/secret. How do we practically do this? Is doing it manually in the Azure web portal the only way?
To get a unique client id for each affiliate, you must create a new app registration for each of them.
You can automate this process by creating the Application and Service Principal via one of the Graph APIs (Azure AD Graph or MS Graph):
AAD Graph: https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#application-entity
MS Graph: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/application_post_applications
Note the MS Graph endpoints for applications are still in beta and not recommended for production use.
This is one of the very few cases where Azure AD Graph API is the supported case.
You will need to create an Application for each affiliate (remember to create the passwordCredential (secret) as well),
then create a Service Principal based on the Application,
and then grant the Service Principal rights to your API.
If these are application permissions, you will have to create appRoleAssignments.
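The four-step sequence in the answer above (create the Application, add its passwordCredential, create the Service Principal, then the appRoleAssignment against your API), and the Graph application creation the earlier multi-tenant answer refers to, as one added example that is not from either answer. It assumes the Microsoft Graph v1.0 application and servicePrincipal endpoints, which have since left beta, a transport `send(method, url, body)` that carries a bearer token with Application.ReadWrite.All and AppRoleAssignment.ReadWrite.All, and a constructed in-memory stand-in for the tenant so it runs offline; `api_sp_id` and `app_role_id` are placeholders for your API's service principal and the app role defined on it.

```python
"""Automating per-affiliate app registration via Microsoft Graph (added example)."""
GRAPH = "https://graph.microsoft.com/v1.0"


def onboard_affiliate(name, api_sp_id, app_role_id, send):
    """Registers one affiliate and returns (appId, secretText). Graph returns the
    secret text only in the addPassword response, so hand it to the affiliate
    out of band and never log or store it."""
    app = send("POST", f"{GRAPH}/applications",
               {"displayName": f"affiliate-{name}", "signInAudience": "AzureADMyOrg"})
    secret = send("POST", f"{GRAPH}/applications/{app['id']}/addPassword",
                  {"passwordCredential": {"displayName": "api-secret"}})
    sp = send("POST", f"{GRAPH}/servicePrincipals", {"appId": app["appId"]})
    # Application permission on your API: an appRoleAssignment for the new SP.
    send("POST", f"{GRAPH}/servicePrincipals/{sp['id']}/appRoleAssignments",
         {"principalId": sp["id"], "resourceId": api_sp_id, "appRoleId": app_role_id})
    return app["appId"], secret["secretText"]


class FakeGraph:
    """Constructed stand-in for the tenant: records calls, returns Graph-shaped ids.
    Replace with a real HTTP transport (e.g. requests + bearer token) in production."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, body):
        self.calls.append((method, url.replace(GRAPH, ""), body))
        n = len(self.calls)
        if url.endswith("/applications"):
            return {"id": f"obj-{n}", "appId": f"appid-{n}"}
        if url.endswith("/addPassword"):
            return {"secretText": f"secret-{n}"}
        if url.endswith("/servicePrincipals"):
            return {"id": f"sp-{n}"}
        return {"id": f"assignment-{n}"}


if __name__ == "__main__":
    graph = FakeGraph()
    for affiliate in ["acme", "globex"]:  # constructed affiliate names
        app_id, _secret = onboard_affiliate(affiliate, "<api-sp-id>", "<app-role-id>", graph)
        print(affiliate, "->", app_id)
    for method, path, _body in graph.calls:
        print(method, path)
```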
I am trying to revoke a refresh token so that it cannot be used any further to obtain more access tokens via oauth2.
I am using the simple-oauth2 Node.js library that wraps the requests to obtain access and refresh tokens. Once I have these tokens, I can use the access token to make graph.microsoft.com calls. When the token expires, I can obtain a new one. This library has a .revoke() method that takes a revoke URL. I specify this as http://login.microsoft.com/common/oauth2/v2.0/logout, but the refresh token is still valid.
According to https://support.office.com/en-us/article/Session-timeouts-for-Office-365-37a5c116-5b07-4f70-8333-5b86fd2c3c40?ui=en-US&rs=en-US&ad=US
The Azure Active Directory: "An administrator can apply conditional access policies which restrict access to the resource the user is trying to access."
Is it possible to revoke using oauth2 request? I see this https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oidc
which shows the oauth2 logout url /common/oauth2/v2.0/logout.
Azure Active Directory does not support or provide an endpoint for an application to revoke the refresh tokens. The recommended approach is to clear the token cache on logout to prevent the re-use of the token.
A similar post is here: Revoke a refresh token on Azure AD B2C
You can read more about the policies on token lifetimes of refresh tokens here
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes