After a lot of digging around I've got my WPF application signing users in via Azure Mobile Service. My Mobile Service is connected to an Azure Active Directory that I have set up. However, when I log the user in with MobileServiceClient.LoginAsync(...) the MobileServiceUser UserId is in an unreadable hash it seems. For example it looks like: "Aad:X3pvh6mmo2AgTyHdCA3Hwn6uBy91rXXXXXXXXXX". What exactly is this?
I'd like to grab the user's display name to use but I can't figure out how.
That is the userID of Azure Active Directory. You need to create a service to expose your AAD info through a service and retrieve the additional information using the access token you get from your user.
First:
ServiceUser user = this.User as ServiceUser;
var identities = await user.GetIdentitiesAsync();
var aad = identities.OfType<AzureActiveDirectoryCredentials>().FirstOrDefault();
var aadAccessToken = aad.AccessToken;
var aadObjectId = aad.ObjectId;
This will give you the access token and objectID , then you need to query the information through AAD graphy API.
https://msdn.microsoft.com/library/azure/dn151678.aspx
Look at the sample request part. You should provide the query with the access token you got and objectId.
Here is an alternative approach, after reading http://justazure.com/azure-active-directory-part-2-building-web-applications-azure-ad/ scroll to the section on Identity in .Net it talks how claims are a standard part of the framework. So once you get the credentials object like provided by #beast
var aad = identities.OfType<AzureActiveDirectoryCredentials>().FirstOrDefault();
You can actually grab a dictionary with the various properties. Examples of some the properties can be found at https://msdn.microsoft.com/en-us/library/system.identitymodel.claims.claimtypes(v=vs.110).aspx
So from there you can do the following:
if (aad != null)
{
var d = aad.Claims;
var email = d[ClaimTypes.Email];
}
I did this to pull the user id which was cross referenced in a table. FYI I am using App Service, but I believe the credentials object is the same in Mobile Service
Related
I have added a custom Organization field as a User Attribute in my Azure Active Directory B2C tenant, like so:
I am using the Microsoft Graph .NET Client Library to manage users in Azure Active Directory B2C and would like to use something similar to the following code to set the user's custom Organization field and the user's built-in Email Addresses field.
await graphClient.Users[user.Id].Request().UpdateAsync(new User()
{
Email Addresses = new StringCollection("myemail#mydomain.com")
Organization = "Microsoft"
});
Two questions:
How do I set a Built-in field, like the Email Addresses?
How do I set a Custom field, like Organization?
This documentation shows how to create a custom attribute but does not tell how to access or use that attribute using the Graph Client.
This documentation shows how to create custom attributes and edit the Relying Party (RP) file.
Is there an easier way? And what is the graphClient code to then get/set these custom user attributes?
It is a bit confusing about whether the Microsoft Graph API, and hence the Microsoft Graph Client, supports the extension properties that are registered with an Azure AD B2C tenant.
When I query a user object using the Azure AD Graph API, then the custom attributes (e.g. "CreatedTime") are returned.
https://graph.windows.net/{tenant}/users/{objectId}
returns:
{
"odata.metadata": "https://graph.windows.net/{tenant}/$metadata#directoryObjects/Microsoft.DirectoryServices.User/#Element",
"odata.type": "Microsoft.DirectoryServices.User",
"objectType": "User",
...
"extension_917ef9adff534c858b0a683b6e6ec0f3_CreatedTime": 1518602039
}
When I query the same object using the Microsoft Graph API, then the custom attributes aren't returned.
https://graph.microsoft.com/v1.0/users/{id}/extensions
returns:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('{id}')/extensions",
"value": []
}
Unless you receive a better answer, then I suggest you use the Azure AD Graph API, and optionally the Azure AD Graph Client, to get and set the extension properties for the Azure AD B2C users.
Examples of getting and setting the extension properties for users can be found at Announcing Azure AD Graph API Client Library 2.0
You are able to do this with the Micorsoft Graph API SDK.
See this example, UserService.CreateUserWithCustomAttribute() https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-2-B2C
To update a custom property:
var updateUser = new User();
updateUser.AdditionalData = new Dictionary<string, object>();
updateUser.AdditionalData["extension_{app id}_{property name}"] = "new value";
var result = await graphClient.Users["{id}"].Request().UpdateAsync(updateUser);
The {app id} in the code above is the id of the app created by default with the name b2c-extensions-app. Do not modify. Used by AADB2C for storing user data. However the "-" are all removed.
In addition to Aaron Hoffman's answer on how to set a custom attribute I use the following snippet to get my attribute:
var graphClient = new GraphServiceClient(authenticationProvider)
{
BaseUrl = "https://graph.microsoft.com/beta"
};
var user = await graphClient
.Users["{id}"]
.Request()
.GetAsync();
var field = user.AdditionalData["extension_{app id}_{property name}"];
So first step is to find in your custom policy:
<TechnicalProfile Id="AAD-Common">...<Item Key="ClientId">57ff56e7-40a0-43fd-a9a3-8d6c1544bcf4a</Item>
Custom attributes are named extension_attributename.
To get it trough graphql you will require it like this extension_{client id of the app NO DASHES responasble for storing extensions }_{attributename}
e.g. extension_57ff56e740a043fda9a38d6c1544bcf4a_mycoolattribute as you can see this is done also in the code:
https://github.com/Azure-Samples/ms-identity-dotnetcore-b2c-account-management/blob/master/src/Helpers/B2cCustomAttributeHelper.cs#L7-L20
example for graph call: https://graph.microsoft.com/v1.0/users/3545c38b-3f6b-4a4b-8820-e7f954a86e1e?$select=extension_57ff56e740a043fda9a38d6c1544bcf4a_mycoolattribute
https://graph.microsoft.com/v1.0/users/{user-objectid}?$select=extension_57ff56e740a043fda9a38d6c1544bcf4a_mycoolattribute,extension_57ff56e740a043fda9a38d6c1544bcf4a_myotherattribute,etc
I am building an integration between my organization back-end systems and BOX.
One of the scenarios is that when certain event is happening inside my organization there is a need to create a folder in BOX and add collaboration objects to that folder (connect groups to the folder).
I have no problem to create the folder but when trying to create the collaboration I am getting the following error:
Box.V2.Exceptions.BoxException: Bearer realm="Service", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token."
I am using BOX SDK for .Net to interact with BOX.
The application I created in BOX is assigned to use AppUser User Type and I provided all the scopes that BOX allows me (All scopes except "Manage enterprise" which is disabled).
The code that fails is (C#):
var privateKey = File.ReadAllText(Settings.JwtPrivateKeyFile);
var boxConfig = new BoxConfig(Settings.ClientID, Settings.ClientSecret, Settings.EnterpriseID, privateKey, Settings.JwtPrivateKeyPassword, Settings.JwtPublicKeyID);
var jwt = BoxJWTAuth(boxConfig);
var token = jwt.AdminToken();
var client = jwt.AdminClient(token);
var addRequest = new BoxCollaborationRequest(){
Item = new BoxRequestEntity() {
Id = folderId,
Type = BoxType.folder
},
AccessibleBy = new BoxCollaborationUserRequest(){
Type = BoxType.#group,
Id = groupId
},
Role = "viewer"
};
var api = client.CollaborationsManager;
var task = api.AddCollaborationAsync(addRequest);
task.Wait();
When running this code but replacing the Admin Token with Developer Token generated from the Box Applicaiton Edit Page it works.
Any help is appreciated
OK, I had long discussion with BOX Technical team and here is the conclusion: Using AppUser is not the right choice for my scenario because it is limited only to the folders it creates. There is no way to bypass it.
The solution is:
1. Configure the Application to use standard user
2. Create User with administrative rights that will be used by the API to do activities in BOX. I named this user "API User"
3. Follow the oAuth 2 tutorial to generate access token and refresh token that the API .Net application can use instead of generating token for the AppUser. the oAuth 2 tutorial can be found at https://www.box.com/blog/get-box-access-tokens-in-2-quick-steps/
If the app user is a member of the group(s) you want to be able to access the folder then you shouldn't need to set up a collaboration, the users should just have access.
I have multiple login providers available. I can login with external account or using forms auth. Everything works fine.
I'am redirecting user to HomePage, and now i would like to know which login provider was used.
Is there is a possibility to find out in controller, which loginprovider was used?
Thanks for help!
var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
string provider = loginInfo.Login.LoginProvider; // Facebook, Google, Twitter, Microsoft...
I got this working although it's not something that would work in all cases.
Here's the code I used in a HomeController function:
// get the provider name
var authCtx = HttpContext.GetOwinContext();
var usrMgr = authCtx.GetUserManager<ApplicationUserManager>();
var user = usrMgr.FindByName(HttpContext.User.Identity.Name);
var extLoginInfo = usrMgr.GetLogins(user.Id).FirstOrDefault();
var loginProvider = extLoginInfo.LoginProvider.ToLower();
The main issue here is that I'm not getting the actual login provider that the user is currently logged-in with. I'm just getting the first login provider associated with this user (which in my case happens to be the same, so it works).
Would be great to find a way to get the actual provider that the user is currently logged-in with.
I want to Manage Device using Google API in my appilcation.How to retrieve all mobile/chrome OS device ?
CODE :
var listReq1 = service.Mobiledevices.List(serviceAccountEmail);
MobileDevices allUsers = listReq1.Execute();
Here,
serviceAccountEmail = "Service accounts Key" (Console.developer.google.com)
I am getting error like
Google.Apis.Requests.RequestError
Bad Request [400]
I tried using
var listReq= new Google.Apis.Admin.Directory.directory_v1.MobiledevicesResource.ListRequest(service,serviceAccountEmail);
Still not working ? I want all details of User just like Below Image
If you check the documentation for Mobiledevices: list
Retrieves a paginated list of all mobile devices for an account.
I will see that it takes a customer id as a parmater.
customerId The unique ID for the customer's Google account. As
an account administrator, you can also use the my_customer alias to
represent your account's customerId. The customerId is also returned
as part of the Users resource.
var listReq1 = service.Mobiledevices.List(customerId);
MobileDevices allUsers = listReq1.Execute();
You are sending service account email address which I really don't think is your customer id.
I have set a spreadsheet to public which I assume would mean a user shouldn't need authorization to access and make changes to it, I should only need to provide my client id and secret? (I'm the only person who will be using this app and the spreadsheet is on my own Google account which is also the owner of the app)
I went through the documentation here: https://developers.google.com/google-apps/spreadsheets/?hl=en
My code works perfectly - it basically just updates a single cell in a spreadsheet with a function and then returns the value of that cell.
The issue is, I don't want to have to keep authorizing through the webpage. Is it possible to skip the need to authorize? Or at least authorize through code automatically instead of manually doing it through a webpage?
using Google.GData.Client;
using Google.GData.Spreadsheets;
namespace Spreadsheet{
class Program{
static void Main(){
OAuth2Parameters parameters = new OAuth2Parameters();
parameters.ClientId = "client-id-here";
parameters.ClientSecret = "client-secret-here";
parameters.RedirectUri = "urn:ietf:wg:oauth:2.0:oob"; //I'm not even sure what this is, I assume it's only necessary for web based applications
parameters.Scope = "https://spreadsheets.google.com/feeds https://docs.google.com/feeds";
//This is where the user is required to navigate to a page and retrieve access code
string authorizationUrl = OAuthUtil.CreateOAuth2AuthorizationUrl(parameters);
parameters.AccessCode = Console.ReadLine();
OAuthUtil.GetAccessToken(parameters);
string accessToken = parameters.AccessToken;
GOAuth2RequestFactory requestFactory =
new GOAuth2RequestFactory(null, "Spreadsheet", parameters);
SpreadsheetsService service = new SpreadsheetsService("Spreadsheet");
service.RequestFactory = requestFactory;
//spreadsheet related code here..
}
}
}
Where is this script running? The code sample you are using tries to get a token every time you run it. You have two options
If this code runs on a server and it can store the refresh token securely then, manually get a refresh token and change the script to just get a new access token (using that refresh token) to do the update.
Change to using a service account. Service accounts are built to handle these kind of use cases. You get a service account and in the spreadsheet give access to service account (share with it) and using service account you make a request to get an access token that you can use.