I have tried to create a Microsoft team API to create an online meeting. I have created an app register in azure with clientId and tenantId. I added permission with the delegate, and in other times in public as a trial as I know delegate is the correct and then create secret, and I tested it in Microsoft explorer it works perfectly now I tried to work with it in c# code I got token. However, I noticed that the token is different from Microsoft explorer, so I got an error in creating event access denied as the token does not have permission.
The second question can I generate a unique link for the meeting for each attendance.
The error I'm receiving is
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2020-12-03T13:05:33",
"request-id": "cc2dbedc-610e-4d95-a30d-672ff241efa4",
"client-request-id": "cc2dbedc-610e-4d95-a30d-672ff241efa4"
}
}
}
This is happening because Security Defaults is enabled for your tenant.
For each request made to the API, the token changes so the token received in graph explorer will be different from the token received via Code.
Check and try with Auth Request for token and pass the token received to the online meeting API
Related
I would like to use the managed identity of a Azure Functions app to authorize for a connection to a web app with some api methods.
The functions app and web app are both in Azure in the same tenant. The web app has app service authentication enabled and I can access the API using my personal Azure AD account. No roles have been defined.
I was using this guide to get a OAUTH token but have not yet succeeded authorizing the Functions App. As in the sample of this blog post I have been trying to use the web app url to set the context for the token request:
var context = new TokenRequestContext(new string[] { "https://your-integrationapi-url.azurewebsites.net/.default" });
This context url does not seem to work and I was able to get a token after adding a scope in the “Expose an API” menu in authentication settings in the Azure Portal. The scope url looks like “api://00000000-0000-0000-0000-000000000000”.
When I use this token in an authorization header the functions app tries to authenticate but gets an access denied error.
I have tried several ways to get a token using the DefaultAzureCredential, ManagedIdentityCredential and combined using the ChainedTokenCredential. Either way a token is received successfully but I doesn’t seem to be ok for authorization in my API.
I would like to know how to get this to work properly.
I have been trying to add a role and assigning it to the managed identity of the functions app using this guide but can’t get the powershell script to work either. This script fails with the following error:
Message: Entitlement with id: 61cc2c03-4625-4298-99d1-b09f13ea7fa1 does not exist on resource application e690e51c-6f21-4795-8450-04ebba17d60e.
But a role with the id is available in the manifest:
"appRoles": [
{
"allowedMemberTypes": [
"User",
"Application"
],
"description": "Can access settings API",
"displayName": "Use settings API",
"id": "61cc2c03-4625-4298-99d1-b09f13ea7fa1",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "Settings.Update"
}
],
I am not really sure if adding roles is a necessity. For now it’s ok that all identities in the tenant can access the API methods.
I have an Azure app service and enabled System assigned identity.
And exposed API , with scope api://<clientId>/<scopename>.
Then requested the token with scope api://<clientId>/.default
When decoded the received token,
If you observe issuer value , “iss” does not have V1 endpoint and aud value is like api://<clientId> , It must equal to the ClientId or appId URI.
So , it depends on what your API is expecting.
So in allowed audiences give both App Id Uri api://<clientId> and ClientId .
Also as issuer value has V1 endpoint, try to change the manifest , the manifest value to null or 1 ,if it is 2 , else change to 2.
Make sure to expose api with scope to your API:
And make sure it is granted admin consent.
Trying to run a basic Azure AD B2C authentication from a Native App. I followed the WPF App registration guidance, and am using extract from the code provided in the Git Hub example.
Using the Microsoft.Identity.Client SDK, when I run await app.AcquireTokenInteractive(App.ApiScopes).ExecuteAsync();, I get the following exception:
Microsoft.Identity.Client.MsalClientException: 'The browser based authentication dialog failed to complete. Reason: The server has not found anything matching the requested URI (Uniform Resource Identifier).'
I run this from an test with NUnit.net
I did the following tries and checks:
Tried the recommended URI: https://mytenanturl.com.b2clogin.com/oauth2/nativeclient
Tried a custom URI such as https://mytenanturl.com/test/auth/nativeclient
Tried a custom URI such as uri://mytenanturl.com/test/auth/nativeclient
Tried one of the 3 URIs pre-registered by default on Azure: https://login.microsoftonline.com/common/oauth2/nativeclient
Tried with a local URI such as https://127.0.0.1/dev/
These URIs are all registered on the Azure Portal / App Registration / Authentication, with Platform Configuration set to Mobile and desktop applications
In the App Regsitration Manifest, it says
"replyUrlsWithType": [
{
"url": "https://127.0.0.1/dev",
"type": "InstalledClient"
},
{
"url": "https://login.microsoftonline.com/common/oauth2/nativeclient",
"type": "InstalledClient"
}, etc,
When I inspect the IPublicClientApplication object, I can see the URI correctly inclued within .AppConfig.RedirectUri. However, PublicClientApplication.RedirectUri says it is Null. I am confused beause I cannot even understand where this property is comming from, since it does not appear in the documentation, where PublicClientApplication Class or its parent classes have no RedirectUri property.
What am I doing wrong?
The sample provided in the Ms Documentation shows the client builder invoking .WithB2CAuthority(AuthoritySignUpSignIn), which is not correct.
The QuickStart blade in the Azure AD App Registration page shows to use WithAuthority(AzureCloudInstance.AzurePublic, Tenant) where Tenant can be companyurl.com or the Directory (tenant) Id provided on the overview page of the App Registration.
Getting Unauthorize-401 Error.
I am working on QuickBooks Integration module .Everything working fine few days back on sandbox-US-company.
Today I created new separate account for sandbox for testing purpose.
For Older Account, Everything is going perfect .But for newly created account Unauthorize-401 issue is coming.
The steps I gone through follow, today:
1. Created account in developer.intuit.com/
2. Under My App, Created new app for Accounting.
3. Under Sandbox, Added US Company.
4. From My Project, Hosted at my localhost .Done OAuth process to collect Access Token and Access Token Secret.
5. Now when I tried to get the list of Customer or (Other intuit object), Getting Unauthorize-401 Error.
Entire system of my project is perfectly working on the sandbox company created earlier.
But for the today configured company, Unauthorize-401 Error is company.
Multiple links i Gone through ,But did't get rid of the issue facing, follows:
Getting “Unauthorized-401” Error in .NET while accessing quickBooks
data through Intuit API
How to fix Unauthorized-401 error
Unauthorized 401
In Advance, I thanks for getting me out from this issue.
CODE :
To Collect the DataService :
private DataService GetDataService()
{
try
{
string accessToken = AppSessions.QBAccessToken,
accessTokenSecret = AppSessions.QBAccessTokenSecret
, consumerKey = AppSessions.QBConsumerKey, consumerSecret = AppSessions.QBConsumerSecret
, realmId = AppSessions.QBCompanyCode;
OAuthRequestValidator oauthValidator = new OAuthRequestValidator(accessToken, accessTokenSecret, consumerKey, consumerSecret);
var serviceType = IntuitServicesType.QBO;
var validator = new OAuthRequestValidator(accessToken, accessTokenSecret, consumerKey, consumerSecret);
var context = new ServiceContext(realmId, serviceType, validator);
context.IppConfiguration.BaseUrl.Qbo = AppSessions.IppConfigBaseURL;// "https://sandbox-quickbooks.api.intuit.com/";
return new DataService(context);
}
catch (Exception ex)
{
return null;
}
}
To Get the Customer List from Sandbox US Company :
public List<Customer> GetCustomer()
{
return service.FindAll(new NSQB.Customer(), StartPosition, MaxResult).ToList<NSQB.Customer>();
}
NOTE :
I am using AppSessions static Class to Manage Session .
NSQB is alias for namespace used for QuickBook , i.e.
using NSQB =
Intuit.Ipp.Data;
I discussed with Intuit Team .Quick-book System was in the Maintenance .
One of the response I Had over email by Quick-Books Team:
We had an outage today. Please retry. Do remember to change your base
url to sandbox if you changed your prod keys to dev keys for testing
with sandbox.
Outages cause 401 errors.
Maintenance Link they share about their Status Management.
Issue Still Exists !!
Your code looks fine; when there is a 401 error from QuickBooks Online, there can be two reasons:
The access token is invalid;
The sandbox server is having a problem.
What most developers didn't know is, when there is an outrage on sandbox server, the access token will be reset. It will result a previous working access token become invalid, i.e., the 401 error.
Here below are some steps I found very helpful when you see a 401 error:
Go to Intuit's status page: http://status.developer.intuit.com/ and see if there is any issue with Sandbox server
If you believe the sandbox is not available, go to API explorer: https://developer.intuit.com/v2/apiexplorer?apiname=V3QBO#?id=Account and see if it worked
Try POSTMAN(or simple cUrl), adding the access token, access secrets, consumer secrets and consumer key and make a sample call to see if it can goes through(make sure it is pointing to the sandbox url).
If it didn't go through, and a 401 status code is returned, regenerate the access tokens. The best way to do it for sandbox is using the OAuth Playground. In the dashboard in your app, there is a link called "Test with OAuth Playground and OpenID Playground". Click on the OAuth Playground, change the access token duration from 120 to 15552000 and complete the OAuth flow. Now a new token will be available for you to test.
If neither above works, create a ticket for intuit QuickBooks Online team.
I am trying to use Double Click for Advertisers API (DFA). I've explored the "Try it" and tested the Api through google developers console and it works as expected. I was able to catch the Authorization token and perform get and post requests(via browser and programmatically).
However when I try to do exactly the same, programmatically using the donet api 2.4, the Authentication Token that is generated doesn't allow me to do any requests, it always returns HTTP 400 Bad Request with the reason Invalid ProfileID.
I'm not sure if the client_secrets.json are correct, but I've created it using the same email account that has access to the reports.
{
"installed": {
"client_id": "<client_id>.apps.googleusercontent.com",
"project_id": "<project_id>",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_secret": "<secret>",
"redirect_uris": [ "urn:ietf:wg:oauth:2.0:oob", "http://localhost" ]
}
}
I used the credentials code below:
private static readonly IEnumerable<string> scopes = new[] {
DfareportingService.Scope.Dfareporting,
DfareportingService.Scope.Dfatrafficking
};
credential = GoogleWebAuthorizationBroker.AuthorizeAsync(
GoogleClientSecrets.Load(stream).Secrets,
scopes,
"dfa-user", CancellationToken.None,
new FileDataStore("DfaReporting.Samples")).Result;
The generated token gives me the following info:
{
"issued_to": "<client_id>.apps.googleusercontent.com",
"audience": "<client_id>.apps.googleusercontent.com",
"scope": "https://www.googleapis.com/auth/dfareporting https://www.googleapis.com/auth/dfatrafficking",
"expires_in": 3073,
"access_type": "offline"
}
The libraries I mentioned above are available on GitHub: https://github.com/googleads/googleads-dfa-reporting-samples/tree/master/dotnet/v2.4
What am I missing?
First make sure that you have set this up correctly.
You must have a DCM account. See Advertisers/Agencies for signup information.
Your DCM account must be enabled for API Access. Contact your DoubleClick representative or the DCM support team for assistance. (dcm-support#google.com)
You must have a user profile with access to this account. Have your DCM account administrator create a user profile associated with this account.
It sounds to me that who ever you are trying to use to authenticate doesn't have access to the profile you are trying to request for.
In response to comment:
If you are using the .net client library I don't understand why you would be calling the following request manually as you have commented
https://www.googleapis.com/dfareporting/v2.4/userprofiles?access_token=<access token>
I also don't understand how if you are using the .Net client library and the following request could return invalid profile id when you aren't sending one. It might return no profiles if the user doesn't have access to any.
service.UserProfiles.List().Execute();
This might return invalid profile id if the profile id you send it is well not valid.
service.UserProfiles.Get(profileId).Execute();
Running reports
To be able to run a report the user must have access to the profile and the report. Your error message means that the user doesn't have access to that profile you need to either login with a user that has access or grant the user access.
service.Reports.Run(profileId,reportId).Execute();
I'm attempting to retrieve other users' outlook photos using the Office 365 REST API (Preview). The documentation is here on this page: https://msdn.microsoft.com/en-us/office/office365/api/photo-rest-operations.
I'm able to successfully retrieve my own photo using an access token by making the following rest call:
GET https://outlook.office365.com/api/beta/me/userphoto/$value
However, when attempting to retrieve the photos of other people in my organization by using this REST call:
GET https://outlook.office365.com/api/beta/Users('{user_id}')/userphotos('{size}')/$value
I get the following error:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again."
}
}
This error isn't listed anywhere in the documentation as far as I can tell. I suspect this has something to do with the permissions in Azure but that's only a guess. Maybe it isn't supported in the preview API? Anyone have any ideas?
nkorai, you are right, the current permission set does not allow you to see others photo. We are adding a new oauth permission to the exchange online application endpoint which will allow you to do this. We are in the process of getting this permission enabled. Hopefully in a few weeks.