I am trying to use the .NET SDK (2.3.35.0) and create an endpoint (APNS subscription). I already have an application defined in AWS and have an Application arn. I have one APNS token (endpoint) already stored and through the console I have been able to send push notifications to that device.
What I am having a hard time with is sending a createPlatformEndpoint to Amazon's SNS system. I am getting this error:
"Message": "An error has occurred.",
"ExceptionMessage": "Request is missing Authentication Token",
"ExceptionType": "Amazon.SimpleNotificationService.AmazonSimpleNotificationServiceException"
This is my method for sending the request:
public void addAPNSSubscription(string platformAppARN, string deviceToken)
{
using (var client = new AmazonSimpleNotificationServiceClient(_snsAccessKey, _snsSecretAccessKey, _snsClientConfig))
{
var endpointRequest = new CreatePlatformEndpointRequest { PlatformApplicationArn = platformAppARN, Token = deviceToken };
endpointRequest.CustomUserData = "Testing from .NET";
var result = client.CreatePlatformEndpoint(endpointRequest);
}
}
I am sure the missing Authentication Token is an OAuth token, I just don't know how to get that through the .NET SDK. Thanks in advance for the help.
I am stupid. I was using an existing class, and assumed the config properties were being read properly. They weren't. When I fixed that issue, the request went off without a problem.
Related
Is there anyway to send a teams message to a channel or chat that doesn't involve the end user of an app being asked to sign in? What I am trying to do is something like this:
User does something on my web app
Without user interaction, my web app sends a message to a chat or channel on Microsoft Teams
I tried to send it as myself for testing (planned on using a service account later), but after some reading, I've come to find out isn't possible using application API permissions, as documented here:
Here is the code I have that would work if I wasn't using application permissions:
var tenantId = "...";
var clientId = "...";
var clientSecret = "...";
var clientSecretCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
var graphClient = new GraphServiceClient(clientSecretCredential);
var chatMessage = new ChatMessage
{
Body = new ItemBody
{
Content = "Hello World"
}
};
await graphClient.Teams["..."].Channels["..."].Messages.Request().AddAsync(chatMessage);
It throws this exception:
Microsoft.Graph.ServiceException: 'Code: Unauthorized
Message: Message POST is allowed in application-only context only for import purposes. Refer to https://docs.microsoft.com/microsoftteams/platform/graph-api/import-messages/import-external-messages-to-teams for more details.
Inner error:
AdditionalData:
date: 2023-02-16T04:46:02
request-id: 3cbd9dc8-a86a-43e9-a5fe-e9e9b3433566
client-request-id: 3cbd9dc8-a86a-43e9-a5fe-e9e9b3433566
ClientRequestId: 3cbd9dc8-a86a-43e9-a5fe-e9e9b3433566
Is it possible to send a message to a teams chat/channel without user interaction?
As per the documentation, application permissions are supported only for migration purposes. For this, your team and channel both must be created in a migrated state. However, you can use this graph API in a delegated context (with signed-in user).
Reference Document: https://learn.microsoft.com/en-us/graph/api/chatmessage-post?view=graph-rest-1.0&tabs=csharp
Using proactive messages you can send a message to a teams chat/channel without user interaction.
Reference Document: https://learn.microsoft.com/en-us/microsoftteams/platform/resources/bot-v3/bot-conversations/bots-conv-proactive
I am trying to add/update a value to a custom extension attribute for a user in Azure AD B2C. The attribute is an AccountNumber with the type as string. I have two different Azure environments I'm working out of. One is for my local/staging environments, and the other is client's production Azure environment. My local and staging are working fine, but I cannot seem to get this attribute to get updated through the production instance, which is leading me to think I'm missing some sort of permission/configuration within the Azure instance itself rather than code, but let's see.
Here are the steps I've taken in Azure:
Within the B2C I've setup my application. For the API Access section I have 2 selections
Acquire an id_token for users (openid)
Acquire a refresh_token for users (offline_access)
I have two user flows both of which are returning AccountNumber as a claim.
Within App registrations (NOT legacy), I've added my application as well. It does have a warning about not being supported yet in B2C, but I have this in my staging instance as well. I have the following for API Permissions that have been selected for this application. I've gone back and forth adding the offline_access, openid, and profile. (All are uder Microsoft Graph Delegated)
User.Read
User.ReadWrite
offline_access
openid
profile
In App registrations/Authentication tab I've enabled implicit grant flow and checked both Access tokens and ID tokens
Ive taken the b2c-extensions-app app ID and saved it within my code for using to update the extensions attribute (dashes removed)
Web.config
<add key="ida:NonAdminScopes" value="User.Read User.ReadWrite" />
<add key="ida:AdminScopes" value="Directory.AccessAsUser.All User.ReadWrite.All Group.ReadWrite.All" />
Here is where I'm building and making the request. Yes, I realize I'm doing this a more manual way, but I'm also working with Sitecore which has required me to keep some older dlls and this is where I've landed after days of frustration.
private async Task<string> SendGraphPatchRequest(string json, string objectId)
{
var graphEndpoint = new Uri(string.Format("https://graph.microsoft.com/v1.0/{0}/users/{1}", Tenant, objectId));
HttpResponseMessage response;
using (var httpClient = new HttpClient { BaseAddress = graphEndpoint })
{
using (var requestMessage = new HttpRequestMessage(new HttpMethod("PATCH"), graphEndpoint))
{
var token = await GetOrCreateAccessToken();
requestMessage.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
if (!string.IsNullOrEmpty(json))
{
requestMessage.Content = new StringContent(json, Encoding.UTF8, "application/json");
}
response = await httpClient.SendAsync(requestMessage).ConfigureAwait(continueOnCapturedContext: false);
if (!response.IsSuccessStatusCode)
{
string error = await response.Content.ReadAsStringAsync();
Logger.Error(string.Format("Error -> RequestMessage: {0}", error));
object formatted = JsonConvert.DeserializeObject(error);
throw new WebException("Error Calling the Graph API: \n" + JsonConvert.SerializeObject(formatted, Formatting.Indented));
}
}
}
return response.Content.ReadAsStringAsync().Result;
}
The line that is creating the access token does use ClientCredentials
_accessToken = await _authContext.AcquireTokenAsync("https://graph.microsoft.com/", _credentials);
An example of the request body content
{"extension_[extensionAppId]_AccountNumber":"123456"}
And when I try to make this request with Postman (I had a line of code where I was logging the token that gets created from the above code snippet - not sure if that will actually work or not), here is the response I get back:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "####",
"date": "2019-08-21T15:06:45"
}
}
}
Incorrect permissions on the App Reg for MS Graph API.
Probably you have consented to other permissions in your dev tenants then deselected them later, it doesn’t remove consent.
Add read/write directory under Application permissions since you use client credentials in code,delegated permissions won’t do anything here. Also click Grant Permissions once you save the new permissions.
I downloaded the example below to get an access token from MS Graph and it worked fine. Now I changed the code to get a token from a custom web API. On apps.dev.microsoft.com I registered a client application and an the API.
Client and server registration in AD
private static async Task<AuthenticationResult> GetToken()
{
const string clientId = "185adc28-7e72-4f07-a052-651755513825";
var clientApp = new PublicClientApplication(clientId);
AuthenticationResult result = null;
string[] scopes = new string[] { "api://f69953b0-2d7f-4523-a8df-01f216b55200/Test" };
try
{
result = await clientApp.AcquireTokenAsync(scopes, "", UIBehavior.SelectAccount, string.Empty);
}
catch (Exception x)
{
if (x.Message == "User canceled authentication")
{
}
return null;
}
return result;
}
When I run the code I login to AD via the dialog en get the following exception in the debugger:
Error: Invalid client Message = "AADSTS65005: The application
'CoreWebAPIAzureADClient' asked for scope 'offline_access' that
doesn't exist on the resource. Contact the app vendor.\r\nTrace ID:
56a4b5ad-8ca1-4c41-b961-c74d84911300\r\nCorrelation ID:
a4350378-b802-4364-8464-c6fdf105cbf1\r...
Error message
Help appreciated trying for days...
For anyone still striking this problem, please read this:
https://www.andrew-best.com/posts/please-sir-can-i-have-some-auth/
You'll feel better after this guy reflects all of your frustrations, except that he works it out...
If using adal.js, for your scope you need to use
const tokenRequest = {
scopes: ["https://management.azure.com/user_impersonation"]
};
I spent a week using
const tokenRequest = {
scopes: ["user_impersonation"]
};
.. since that is the format that the graph API scopes took
As of today, the V2 Endpoint does not support API access other than the Microsoft Graph. See the limitations of the V2 app model here.
Standalone Web APIs
You can use the v2.0 endpoint to build a Web API that is secured with
OAuth 2.0. However, that Web API can receive tokens only from an
application that has the same Application ID. You cannot access a Web
API from a client that has a different Application ID. The client
won't be able to request or obtain permissions to your Web API.
For the specific scenario that you are trying to accomplish, you need to use the V1 App Model (register apps on https://portal.azure.com).
In the very near future, V2 apps will be enabled to call other APIs other than Microsoft Graph, so your scenario will be supported, but that is just not the case today. You should keep an eye out on our documentation for this update.
In your (server) application registration in AAD, you need to specify your scopes in the oauth2Permissions element.
You may already have a user_impersonation scope set. Copy that as a baseline, give it a unique GUID and value, and then AAD will let your client request an access token with your new scope.
Building on the example here I'm attempting to authenticate an MSA login on the client, and have it authenticate service-side as well. The difference with mine is I'm using the new WebAccount-related API's in Windows 10 instead of the now deprecated Live SDK.
So far I've got:
var provider = await WebAuthenticationCoreManager.FindAccountProviderAsync("https://login.microsoft.com", "consumers");
var request = new WebTokenRequest(provider, "service::wl.basic wl.emails::DELEGATION", "none");
var result = await WebAuthenticationCoreManager.RequestTokenAsync(request);
if (result.ResponseStatus == WebTokenRequestStatus.Success)
{
string token = result.ResponseData[0].Token;
//This calls my custom wrappers around the Live REST API v5 and runs successfully with this token
var acc = await LiveApi.GetLiveAccount(token);
var jtoken = new JObject
{
{"authenticationToken", token}
};
try
{
//Shouldn't this work? but raises a 401
await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.MicrosoftAccount, jtoken);
//Alternate method? Also raises a 401
//await App.MobileService.LoginWithMicrosoftAccountAsync(token);
}
}
As I mentioned in the comments, all I get are 401s.
As far as I can tell the application is configured correctly in Microsoft Account dev center:
I'm using the client ID and secret from the same app in the Azure portal.
JWT issuing is not restricted.
Redirect URL is of the format https://{appname}.azurewebsites.net/.auth/login/microsoftaccount/callback
Authentication works fine when I switch to use purely server-side authentication. i.e.
await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.MicrosoftAccount);
Any ideas? Am I missing something? Any help would be appreciated.
UPDATED:
The token I get back in the WebTokenRequestResult is 877 characters long and does not appear to be in the JWT format, with the dot (.) separators and I'm quite certain that this is the issue. The following error gets logged in service when the client calls the code above:
JWT validation failed: IDX10708: 'System.IdentityModel.Tokens.JwtSecurityTokenHandler' cannot read this string: 'EwCQAq1DBAAUGCCXc8wU/zFu9QnLdZXy+...Zz9TbuxCowNxsEPPOvXwE='.
Application: The string needs to be in compact JSON format, which is of the form: '<Base64UrlEncodedHeader>.<Base64UrlEndcodedPayload>.<OPTIONAL, Base64UrlEncodedSignature>'..
Application: 2015-12-07T17:47:09 PID[5740] Information Sending response: 401.71 Unauthorized
What format is the token currently in? Can it be transformed to a JWT?
Still no closer to a solution, so any help is appreciated.
Anyone feel free to correct me, but it looks like RequestTokenAsync gets you an access token which you can't use to login the backend. You need an authentication token for that, and as far as I can see RequestTokenAsync doesn't get you that.
There's some info here about the tokens.
If people end up here searching for a solution for App Service Mobile, the update to MobileService. Then there is now a solution
The code replicated here is:
async Task<string> GetDataAsync()
{
try
{
return await App.MobileService.InvokeApiAsync<string>("values");
}
catch (MobileServiceInvalidOperationException e)
{
if (e.Response.StatusCode != HttpStatusCode.Unauthorized)
{
throw;
}
}
// Calling /.auth/refresh will update the tokens in the token store
// and will also return a new mobile authentication token.
JObject refreshJson = (JObject)await App.MobileService.InvokeApiAsync(
"/.auth/refresh",
HttpMethod.Get,
null);
string newToken = refreshJson["authenticationToken"].Value<string>();
App.MobileService.CurrentUser.MobileServiceAuthenticationToken
= newToken;
return await App.MobileService.InvokeApiAsync<string>("values");
}
Hope it saves somebody time !
I am using the latest facebook c# sdk (http://facebooksdk.codeplex.com/). After i have sent an apprequest, i want to delete the request id.
This is how i do it at the moment:
var app = new FacebookClient(appid, appsecret);
app.Delete(requestID);
But i am not sure if its get deleted or not. If i try to see if it still exist using the graph api i get:
{
"error": {
"type": "GraphMethodException",
"message": "Unsupported get request."
}
}
But the user still has the request in his notification area. So my question is> Is the request deleted, or did i miss something? Thanks
var url = "https://graph.facebook.com/{0}?access_token={1}";
fb.Delete((String.Format(url, fullRequestId, fb.AccessToken)));
First parameter is requestId and user id like -> fullRequestId = requestId + "_" + fbUser.id
Second parameter is Accesstoken
I'm just getting started on this myself, but I'm guessing that you need to instantiate the FacebookClient with the authorization code from the user, not with your application data. The way I understand it, the request is sent by the user not your application. Hence the need to use the users authorization code to get information about the requeset.
This is what's working for me (sorry it's VB.Net):
Dim fb As FacebookClient = New FacebookClient(Config.FacebookAppId,Config.FacebookAppSecret)
Dim result = fb.Delete(String.Format("{0}_{1}?access_token={2}", facebookRequestId, facebookUserId, fb.AccessToken))