Is is possible to login to Microsoft's OneDrive API without having to use a Browser-based OAuth mechanism?
I have a server application in C# that I would like to connect to a OneDrive account and manage files. Every code sample and piece of information I find always requires a browser-based authentication process. Is there way to utilize the Application secure keys or password to bypass this nuisance?
-Jeff
Yes, you can do that with application identity (no user login is needed).
Here are the steps that you have to do in your Azure portal:
Register Application in azure portal
Add required scopes like Files.ReadWrite.All etc..
Generate secrete Key for Identity
Or here is a Shortcut provided by MS Docs, where you can create Client Id and Secret with a single click.
Use Client ID, Tenant Id, Secret Key to authenticate any calls without user login.
Related
I have a Windows service that cycles through four different mailboxes, reads the emails into a CMS system, then deletes the emails. I have been using simple sign-on with IMAP, but apparently Microsoft has deprecated this option and I need to move to Microsoft Identity.
In my corporate environment I cannot use an app account due to security issues, so I have to use user logins.
Can I authenticate to a user using Microsoft Identity headless in a Windows service? I don't want to have to authenticate manually each time the service starts up, plus I am not even sure if I can have 4 Microsoft user accounts active at the same time. Any direction would be appreciated.
I'm assuming you mean the EWS web api.
To use Microsoft oauth you need a azure application registration with the delegated api permission EWS.AccessAsUser.All.
With this setup you can either access the mailbox of a user with the users login token (i.e. either using their username and password or interactive user login) or you can use user impersonation.
To use user impersonation you need a username and password of a user that is allowed to access the mailboxes you need access for.
Another way to go is to setup a azure application registration with a application api permission to EWS.AccessAsUser.All. This allows you access to all mailboxes. I would not recommend this as people may not like the fact you can access any mailbox in an organization.
Following the code examples from the URL above will get you access to only online mailboxes. To support a hybrid setup where the mailbox is either online or on-premise the missing link is to autodiscover the mailbox server URL(so you don't hardcode it to the Exchange online URL). This has been made very simple with autodiscover v2. It's a simple https request where the result is the URL of the exchange server to use.
I would recommend using the user impersonation along with autodiscover v2 for the most secure and most flexible setup.
Currently, I have configured a desktop UWP C# application which users sign into and register using AWS Cognito Users and User Pools. The application also needs to communicate with another 3erd party API which uses a 1 time registration to return an OAuth2.0 access token and a refresh token. The access token expires ~20mins and then refresh token last the life of the request, typically forever until revoked by the user. I would like to store the refresh token so that it can be retrieved when the user signs in and is validated by Cognito. Is it okay to store this access token in the Cognito user attributes when they register or do I need to store it somewhere else? If I do need to store it elsewhere are there any AWS services which are typically used for this?
There is indeed an AWS service for this specific purpose. Its called AWS Secrets Manager.
Benefits;
Default encryption in storage and transit
You can use IAM to manage access control. So you could lock access down to one or two senior developers
You can use IAM for fine grain access control. This means you can lock the Secret down to a specific user and its secured at the storage level
Very simple to integrate with using the SDKs
I have a Dropbox account and I have created/ registered an app in App Console.
Then using the App key/ App secret for the created app and using OAuth process I have stored my access token in my Asp.Net project database table.I could upload/ download/ delete files from my Dropbox account.There are many users in the project and they have individual Dropbox account.
Now my requirement is to store access token for every user in my database without creating an app in Dropbox App Console(https://www.dropbox.com/developers/apps) for every user Dropbox account.
Is there any way to fulfill my requirement?
As you said, your app should only have one app key and secret. Think of the app key is identifying your app, and not any particular user.
The access token is what identifies a user, and you'll need one of those for each user of the app. When a new user starts using your app, you'll need to take them through the OAuth flow to get an access token for that user.
Take a look at Dropbox's OAuth guide to see if that helps.
I have a MVC5 website and WebApi using ASP.Net identity. I have configured the website to use Microsoft Account as an external login.
The Windows Store App will use the WebApi, and the user should have the same identity when using their Microsoft Account from either the website or the app. As users are already logged into their Microsoft Account when using Windows Store App, I don't want them to have to enter their credentials again.
I'm wondering what is a good way for my app to be able to access the WebApi. Can I retrieve the Microsoft Account authentication token and pass that to my website's token endpoint with an authorization code grant in order to retrieve the token for my app to use to access the WebApi? Is there another way?
I want to avoid making changes to my WebApi's Account Controller as this process does not really fit into the MVC part of the website as it does not need to redirect to views, etc. So I plan to extend the Token endpoint with a custom grant type (e.g. exchange), which will return the local token to the consumer. Consumers will send the Token endpoint a request with a grant_type of exchange, my app's client id and secret, the name of the external provider (e.g. MicrosoftAccount), and the access code from the external provider. For example, the app will send a request like this:
http://myhost.com/token?grant_type=exchange&client_id=CLIENTID&client_secret=SECRET&provider=MicrosoftAccount&code=LIVESDKACCESSCODE
I'll provide an implementation of the ApplicationOAuthProvider's GrantCustomExtension method, the pseudo code will be like this
validate the client id and secret
If client id and secret are valid, use the access code to get an access token from the Live SDK
parse the Live SDK access token to retrieve the id value
try to find the corresponding id value in the AspNetUserLogins table
If the login is not found, add a new AspNetUser record for the user and a record in the AspNetUserLogins table
create a token for the user and return the token
Once the app has the token, it can be stored in the Credential Locker for any other calls to the WebApi
I have a Native Client registered in our Azure AD.
When i'm using
var ar = _context.AcquireToken(resource, clientId, returnUri);
It opens the Prompt for Username and Password. If I enter them correctly I get a valid AccessToken and everything is fine.
When I'm now trying to enter the credentials in code, via UserCrendtial:
var credential = new UserCredential("username", "password");
var ar = _context.AcquireToken(resource, clientId, credential);
But both resulting in an Error when I'm trying it with the directly entered Credentials.
AADSTS65001: No permission to access user information is configured
for '4915f024-blah-blah-blah-f580ab5b0487' application, or it is
expired or revoked.
I have tried the normal (string, string) and the (string, SecureString) overload of the UserCredential.
I have tried it with the exact same combination of username & password, which I have entered in the Prompt, of the first overload from AcquireToken.
I have also tried to give the Application in Azure all the Delegated Permissions:
Read directory data
Read and write directory data
Access your organization's directory
And added Windows Azure Service Management API Application with Permission:
Access Azure Service Management
Nothing helped.
As a sidenote, the Application in the Azure has permissions to a SharePoint O365 Tenant. To Read and Write ListItems I don't know if this is relevant. The Resource i'm passing through is the SharePoint Adress.
I don't need any user access over the Graph Api to the Azure. I only need that AccessToken to access our SharePoint Online.
Edit:
Architecture:
Description:
We have a Web Api Project which handles the User Authorization, Load Balancing etc. This Web Api Project, will be queried by either Native Dekstop Clients or Hybrid HTML5 & Javascript Mobile Device Apps.
The Web Api Project needs to Read, Create, Update & Delete Data from our SharePoint O365 Tenant. So this where I need the AccessToken to init a ClientContext or send i via a rest response.
Since the Web Api handles the User authorization, there is an endpoint for users to login already and in this endpoint I want to acquire the Token. That's why I want it to be silent, because the "flexbile browser popup" is already there.
Maybe I don't need in this scenario the Token acquiring with Username / Password, but then I don't know how to configure the Azure App right to work with all the different native client's.
not sure if it's your case but you can use :
built in auth (setting 'on' in webapp options; then create express app or/and then chose advanced mode with same apps ids);
then add AD native client app;
login to old classic portal there select native app and in config add access to you express/advacsed web app;
after that you will able login in browser; and with adal lib will able login to access you api from mobile devices;
for more see ms docs and samples;
The direct use of username and password has important limitations, please make sure you are not stumbling on any of the ones listed in http://www.cloudidentity.com/blog/2014/07/08/using-adal-net-to-authenticate-users-via-usernamepassword/.
Also note, nothing that requires displaying a user consent screen (as all the permissions you described will) or specific disambiguation steps (like trying to use a guest user from X to access a resource protected by tenant Y) will work.
What is your scenario? Any specific reason for which you want to use username/password instead of the more flexible browser popup?