I need to check if I can use the Live Video API from my local runtime (like nodejs for example) to post live videos on my page, using a long-lived access token to my page.
Whether I generate a user or page token, with Graph Explorer App ID or my own App ID, and required permissions (publish_action for my personal profile, publish_pages and manage_pages for my page), all my calls are rejected with an error:
"(#100) No permission to perform current operation."
I thought I had to create my own App and submit it for review with required items (publish_pages, manage_pages, Live Video API) but someone from the Developper Community told me that as my app is not public-facing, I couldn't get it reviewed and I shouldn't even create an App.
I also read somewhere that my page had to be whitelisted but I didn't find how to do it.
How can I use the Live Video API from a local application?
Thanks.
Best regards,
Nicolas
Using the Graph Explorer App to generate the token will make my API calls fail because I'm not the admin or a developer of the app.
So I need my own app to use the Live Video API but I don't have to submit it for review as long as I make API calls on behalf of an admin, developer, testers.
Following this documentation: Graph API Reference, using the API, I was able to post live videos on my user ID, with a (admin) user access token.
But on my page ID, using a (admin) page access token, I'm getting this error:
"(#100) No permission to perform current operation."
Related
Introduction
Recently I got hired to build out a new project that requires microsoft login to enable users from Azure AD / Microsoft 365 to be able to login in to a website that has the backbone of Strapi / a Headless CMS. See the below reference screenshot for the architecture that I have in mind.
I followed a few tutorials to integrate the oAuth flow “microsoft” explained in this tutorial and while this works fine, I need a more complete solution. (this is related to Strapi but could be any oAuth integration for a headless CMS)
The Strapi Microsoft provider only creates a user in the Strapi backend but completely ignores the returned data such as access_tokens and refresh_tokens that are mandatory to be used to parse the microsoft api’s. While this is fine if you are planning to continue with the user jwt that is generated / provided by Strapi, this but isn’t the case in my project.
Requirements System
A user should be able to login to Strapi backend with his microsoft account from a front-end website
The logged in user in the front-end should be able to get information from the microsoft graph api to get metadata of the user such as profile photo, tenant_id / group_ids, phone numbers and so forth.
The logged in user in the front-end should be able to query Strapi collection types as usual
The access_token returned by Strapi does not contain a refresh token out of the box because it uses the oauth grant flow on machine level which does not return the refresh token according to the docs.
Storing the access_token in localstorage is due to security risks not an option.
The access_token should periodically be refresh because access tokens are invalidated every 60 minutes by Azure AD.
Research done
After a little search on the web I found a library officially supported by Microsoft called MSAL
MSAL provides the tools to be able to login to microsoft AD in a react app with wrapper functions that redirect to microsoft online to login and save access_tokens etc in a secure session storage.
Unfortunately when logging on the front react app we don’t have a token to validate requests to Strapi, because we simply didn’t login to Strapi /api/connect/microsoft if we would use the MSAL library. So this is also not an option I guess.
Desired solution
We would like to be able to login to Strapi / Headless CMS via a button in the front-end and upon a success login a strapi user should be created that can execute requests on behalve of the JWT token given by Strapi, but also has the opportunity to execute requests to the external microsoft Graph API to gather meta data such as profile photo etc which are not stored in Strapi by default.
Storing the access_token in the database might be a solution but also security wise this may not be the best solution.
Lastly, the whole thing should be super secure and should automatically refresh the access token every 60 minutes. (Since the token life span of the token provided by Azure AD is 3500 seconds)
Help, tips and feedback is highly appreciated. Thanks in advance!
Cheers,
Kiwi Coder
Ive been researching the MS Graph API lately, and I'm running into a problem. My use case is that I want to read a certain mailbox's mail, and send mail for that mailbox. The mailbox is a non user related box, and is used as a service account for emails.
Ive found 2 possible flows for getting into that mailbox. The user authenticated flow, and the application (and admin consented) flow. For the application, I want to read the emails in the background in a NodeJS app, without user interaction.
When I look into the user consented flow, I find that to make it work the user HAS to log in atleast once, by hand, and consent to some stuff I want to do. I found this page, on how this works, and made it work in my NodeJS app. The problem is, when using this flow, I have to login BY HAND atleast once after starting my NodeJS app. Afterwards I can use the refresh token to refresh the access token, but I dont want to do the login by hand.
The second option, and most suitable option for my NodeJS app, is the application flow. I found this tutorial on how to do that, and I made it all work. I fetch a token, and that token grants me access to the box via the Graph API.
But using the application flow, I found that I have to have the roles (i.e.): "User.ReadAll, Mail.Read, Mail.Send". This gives my application rights to read and send mail FOR ALL users in the account.. Which is WAY too much overkill for my situation.
Now my question; Is there a way for me to use MS Graph, with the application authentication flow, but without having access to all users' mailboxes, only to my specific account I want to read?
Thanks in advance,
Caspar
While linking the documentation reference, I saw that I read over the most important footnote:
Important Administrators can configure application access policy to limit app access to specific mailboxes and not to all the mailboxes in the organization, even if the app has been granted the application permissions of Mail.Read, Mail.ReadWrite, Mail.Send, MailboxSettings.Read, or MailboxSettings.ReadWrite.
So it is possible using the application access policies.
I'm in the process of building a Google Chrome extension, and have some questions about how to implement security into the application.
I need to access a couple of Google API's so am going to be using OAuth 2.0 for that. So basically from the extension I know which user is logged into the browser.
My extension then needs to get and post data to my (nodejs) API service. I want to ensure that the user requesting data is the same user that is logged into the browser. Is there any way of using the previous Google authentication process to also authenticate communications between the extension and my API? I dont really want the user to have to log in again, to access my API.
I'm sure I'm missing something simple, and I've not been able to find anything that fits this scenario
Follow the OpenID Connect auth flow and you will get an access_token and an id_token. The acess_token you will use to use to make authenticated requests to Google APIs as usual. The id_token will be used as authentication with requests to your server.
When the requests hit your server you will need to validate the token and you can then use the contents of the id_token to identify the user.
User wouldn't have to login on auth process provided if user is already logged in and you are using a web application flow (not chrome.identity APIs) but user would see the consent screen atleast the first time. However you can skip the account selector screen if you already know the email address by providing &login_hint= parameter.
I would like to create a website which will allow users to input a YouTube URL, and will then generate statistics on the video or channel.
I have researched on the YouTube Analytics API, however I am encountering errors after following the https://developers.google.com/youtube/analytics/v1/sample-application. I am being given a "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup." Error.
What I am after is an easy way to GET HTTP url requests, which will provide me with basic analytics (details which are public, such as likes, views etc.) So I could just execute this GET Request on the YouTube URL which is entered.
Any help would be greatly appreciated.
sounds like you need to follow the instructions and register your app
from https://developers.google.com/youtube/v3/
Register your application with Google so that it can submit API requests.
this page has the details
https://developers.google.com/youtube/registering_an_application
Obtaining authorization credentials
Your application must have authorization credentials to be able to use the YouTube Data API. This document describes the different types
of authorization credentials that the Google Developers Console
supports. It also explains how to find or create authorization
credentials for your project.
Create your project and select API services
Go to the Google Developers Console.
Select a project.
In the sidebar on the left, select APIs & auth. In the list of APIs, make sure the status is ON for the YouTube Data API v3.
In the sidebar on the left, select Credentials.
The API supports two types of credentials. Create whichever credentials are appropriate for your project:
OAuth 2.0: Your application must send an OAuth 2.0 token with any request that accesses private user data. Your application sends a
client ID and, possibly, a client secret to obtain a token. You can
generate OAuth 2.0 credentials for web applications, service accounts,
or installed applications.
Learn more
API keys: A request that does not provide an OAuth 2.0 token must send an API key. The key identifies your project and provides API
access, quota, and reports.
If the key type you need does not already exist, create an API key by selecting Create New Key and then selecting the appropriate key
type. Then enter the additional data required for that key type.
I am uploading photos to Flickr in .NET project using Flickr.NET API Library (Flickr.NET CodePlex Link). Its working perfect. But for every request, Flickr asks my permission to authorize the app (check screenshot below):
My question: is there any way I authorize the app once for my whole life rather it asks for my permission for each photo to upload?
Once you have exchanged your request token for an access token, you can store the access token in your application's persistent memory and use the access token to make subsequent requests.