Does anyone know how I can send an email via my webserver (Azure Functions) to gmail?
This is for clients to contact us through a website so it needs to be frictionless and without a challenge.
I have followed this guide
https://developers.google.com/gmail/api/quickstart/dotnet?authuser=1
After creating my own implementation of IDataStore for Azure, I have painfully realised that this will try to challenge via the web browser.
We previously had this working using SMTP using similar method to this
How to send email by using MailKit?
but this requires us to set the 'Allow Un-secure Apps' flag which after a period of time automatically switches off and causes our contact us page to stop working.
I guess this should be possible using an API key which I have created but I can't find any documentation on how to send an email using just the API Key.
Gmail api route using google .net client library.
If you are using a gsuite domain email address then you can use a service account. Let me know if you need some code for this.
Otherwise you will need to run your code once locally authorize it stave the refresh token then set up your Idatastore to use the refresh token that you pass to it. As long as the refresh token is used regularly it shouldnt expire. Thats not saying it cant but it shouldnt it will need to be babysat a little if it fails just generate a new refresh token for it and it will be up and running again.
smtp route
if you want to use smtp your probably going to have to work out Xoauth2 I am not aware of anything out of the box for C# that works with that and the Google .net client library does not work with the smpt server.
Related
does anybody know if it is possible to create an email client app which retrieves mails from a O365 account via MS Graph without registering the app in Azure AD?
I think there must be, because how could email apps like the in-built email on the iphone connect to O365 accounts without this? There, I enter my email adress, password and one time (each 90 days) my token which I received via phone (and what I think is cached somewhere?)
Any hints or tips are highly appreciated.
Thanks in advance.
The client can send some request header showing they are authorized, but if the app (for eg: email app) sends the same request header, it will be rejected unless it's registered.
Thank you Md Farid for the comment, In most cases, Microsoft Graph API also need required permission along with token.
The below document involves manually registering an app with the Azure AD, using OAuth 2.0 On-Behalf-Of flow
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
I have a web app (rest API) on azure, and I have a B2C setup that is securing it, requiring you to be signed in to access the API. This is good, as i wanted the API to be restricted to members. Basically, the entire web app requires authentication, and will prompt you for a sign in.
Heres the problem - my app has users (who have accounts) and clients (who do not have accounts). These clients might receive an email about a new appointment being set up with one of the users - this email should have one or more links/buttons (ie, a button to Confirm appointment, one to Decline, and one to request a reschdeule) and upon clicking this link I would like to update a field in my database via the rest api, so the USER knows the CLIENT's response. The trouble is, since the client wont have an account, I have no idea how I can give them a link they would be allowed to go to, and have the update happen.
I have tried to do a bunch of research - ive looked into AD external identities with a one time passcode - but i cant seem to find any info on how i would actually get this to work for my purposes.
Does anyone know how I might implement this in azure? Is there a way to call to azure form c# to generate a one time authentication that i can encode into a URL or something?
Any thoughts would be greatly appreciated.
Thanks!
You could do an anonymous authentication by using a magic link. The users account won’t even need to live in the directory. The link can be short lived, and potentially one time use. We call it id_token_hint or a magic link.
Sample here
https://github.com/azure-ad-b2c/samples/tree/master/policies/invite
And reference here
https://learn.microsoft.com/en-us/azure/active-directory-b2c/id-token-hint
Following this github article I am able to authenticate against GMail using OAuth2 and send gmail messages programmatically uisng SMTP and IMAP (clients from MailKit). The link was kindly provided by the author (jstedfast). The problem with the method is that it opens browser popup and requires user to authenticate, at least from time to time. Maybe this is because the method uses "User Secret" and not Service Account and private/public key, but I do not know for sure.
I need to send an email from server-type application, where there is no user to manually push the process forward. So far, the app is using standard SMTP authentication but this requires GMail/GSuite accounts to have "less secure" setting enabled and the customer does not want that.
There is a very old post (also by jstedfast) that shows how to authenticate email client with OAuth2, using Service Account and public/private key. I followed that article to the letter (except that I used json-packaged certificate, instead of p12 and used GMail not GSuite email) but the results are negative. Namely, when I try to execute client.Authenticate(accessToken) the response is exception that reads {"status":"400", "schemes":"Bearer", "scope": "https://mail.google.com/"}
I have access to GSuite and would not mind using it if necessary but, I have not found definite instructions and example that works. Would anyone be able to point at C# example that authenticates with OAuth2 through private/public key encryption and does not require user interaction ?
This is possible with web app type OAuth client ID and manually created refresh token.
How to create correct OAuth client ID and get refresh token: https://stackoverflow.com/a/24123550/6075536
How to send email with MailKit then: https://stackoverflow.com/a/52413127/6075536
And keep in mind Refresh token expiration rules.
I am looking for single sign on for my application which is built on javascript (no server side language).
Requirement:
Agent log in to Windows (user integrated to Active directory)
Open my web page
Based on who logged in to windows, my application goes to AD and pull some user
specify data (eg email, phone)
How shall I go about it?
As per my understanding I will require ADFS for this.
So:
User goes to my web page
My web page calls some Web services or web application (which is build on c#)
That will authenticate against AD FS and get claim
Either get phone number and email in claim or get username and query AD for phone and email
Return the data to my web page (build on javascript)
It seems there something wrong in my understanding!!
Please suggest more appropriate solution based on my requirement
Frankly, I can't think of a way to make it work without a server side processing. This is because the ws-federation protocol ADFS uses is not just about returning claims.
It is about returing a SAML token. The token contains claims but what is most important about it is that it is signed using the XMLDsig. How are you going to validate the token is a first big question. But there are surely external libraries that allow that.
But then, such authentication can easily be bypassed by modifying scripts in the browser. This is because the ws-federation stops where you get the token and then it is up to you to exchange the token for the actual identity. And this won't work when processed only at the client side.
ADFS 3 does not support the OAuth2 implicit profile, which would be an option, but still you would need to verify the token on the server to avoid session fixation.
You can setup something like AuthorizationServer that supports Oauth2/OpenID Connect implicit profile
http://leastprivilege.com/2013/09/19/adding-oauth2-to-adfs-and-thus-bridging-the-gap-between-modern-applications-and-enterprise-back-ends/
Another option is to use something like Auth0 (Disclaimer: I work for Auth0) which also supports OAuth2/OpenID Connect implciit profile. In that case you wouldn't need ADFS, there is a connector/agent that you install on your network that does not require opening firewalls or anything and it supports implicit profile that is suited to JavaScript apps. This is an example of a single page app tutorial (if you create an account it will tailor the doc with your credentials):
https://docs.auth0.com/singlepageapp-tutorial
after I did some research on the subject, I found that Windows Live stopped providing email addresses for a user's contacts through its API. Instead, they provide the email hashes.
I did a little more research, and i found many websites being able to retrieve the contact list for a user and displaying it (with emails, not hashes) but the difference is that i don't think they are using oAuth since to retrieve the emails, the user must provide his email/password.
I need to implement importing a user's contact list on my site and i see no workaround to doing it using oAuth REST requests through Live's API (granted that i was being able to get the access token and make other REST requests).
If not using oAuth, what are other ways of getting a Windows Live/Hotmail contact list?
I ended up using Windows Live ID's Delegated Authentication. Even tho it's deprecated it'll have to do until i find a more effective solution.