I writing a WCF service that is hosted in Azure as a (PaaS). The service in turn needs to talk to Sharepoint 2013 Online/Office 365.
I was looking at using the Sharepoint Client object model to talk to it, but keep getting the following error: "The remote server returned an error: (403) Forbidden"
When we login to access the SharePoint instance through a browser it usually takes you to https://login.microsoftonline.com/login.srf so you can log in using a Live Id. The problem is we are using a federated account and not a Live Id, and therefore get redirect again to a adfs site to login .
I've looked at a code sample at http://www.wictorwilen.se/Post/How-to-do-active-authentication-to-Office-365-and-SharePoint-Online.aspx that is using claims based authentication, but this always fails with an "Authentication Failed" message when trying to retrieve Saml Token.
If I understand this correctly. One way of doing this is to get the Saml Token, pass this to SPO, which will in turn return two cookies which I need to include in the requests made with the Client object model. Problem is I'm not finding any proper examples on how to authenticate using the Federated account in C#.
Can anyone point me in the right direction, as to how I might proceed authorizing my WCF service to talk to SharePoint.
Sorry if this is in the wrong forum. I'm not exactly sure whether this is an Azure issue or just SharePoint as I'm pretty new to both technologies.
Try the following blog article. The ability to access the Office 365 API was just announced last month and the ability to call this from your web service is pretty new. This article is a good tutorial on the subject.
Hi just in case that we registered as an Office365 reseller a few days ago i had to learn one painfull lession: The auth. token you get from sharepoint is only valid for 2 hours! Maybe that will change in Sharepoint 15 who knows...
I thought this could be an valuable hint because there is no known workaround...
Have you tried taking Wictor's sample code and just replacing the login.srf URL with your ADFS login endpoint?
Keep fiddler open as you try this out, and inspect the requests/responses each time, you will probably see more detail as to why things aren't working within the response body that C# hides away in its object model.
Check out this blog post too, on how to get the auth token from ADFS using anything where you can create a SOAP envelope:
http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/
I know this is an old post, but using SharePoint Online through an App without using an App Principal may be a violation of your license agreement. You should be using true OAuth and the TokenHelper class that is part of the SDK to use the app model properly.
Use an Office 365 SharePoint site to create an environment where you can use ACS to establish trust between a provider-hosted app and an on-premises SharePoint 2013 farm, just as you would if you were developing apps for an Office 365 SharePoint site.
You can visit the following link for further understanding:
http://msdn.microsoft.com/en-us/library/office/dn155905(v=office.15).aspx
I was getting a 403 while trying to do similar with the SharePoint object model. All I had to do to rectify it was include the user agent.
Answer here Using WebRequest to obtain cookies to automatically log into Sharepoint Online, getting variour errors
Hope it's of some help.
Related
I wanted to upload files to Google Drive using Google Drive API in ASP.NET MVC C#.
While doing that I have followed the below URL:
https://qawithexperts.com/article/asp-net/upload-file-to-google-drive-using-google-drive-api-in-aspnet/236
While implementing the code after calling my API google redirect to an error page showing
Error 400: redirect_uri_mismatch
I want to clarify that I have mentioned the right/correct URL as mentioned in the project properties please look into my issue.
I am attaching the screenshot which contains the redirect_uri.
The redirect uri must exactly match the one you have registered in Google developer console
If we look at your image you have the following two redirect uris registered
http://localhost:60581/
http://localhost:60581/api/TwilioWP/CallGoogleAPI
This means that Google will accept only those two redirect uris from your application. The test is an exact match.
Now if we look at the error message we can see that your application is sending
http://127.0.0.1:57628/authorize/
As you can see this does not match the ones you have registered. What you should do is copy that one and add it.
Note if your ide is changing ports you need to set it to a static port or its not going to work. It needs to match exactly
Google OAuth2: How the fix redirect_uri_mismatch error. Part 2 server sided web applications
Your reall issue.
The tutorial you are following uses GoogleWebAuthorizationBroker.AuthorizeAsync This method is designed for use with an installed application. So in fact the credentials and client type you are using is wrong. If you want to use that code you need to create native or desktop client.
If you try to host this as it is it will attempt to open the web browser on the server. When what you need to do is open the web browser for user consent on the users machine. You should be following web-applications-asp.net-core-3 if you want to be able to authorize a user using your web application.
I offer you my tutorial on Asp .net core 3 and Google login which has a link to the YouTube video on the same topic.
So the real cause of your problem is that you are using code for an installed application which has a default redirect Uri of http://127.0.0.1:{Port}/authorize/ and you are trying to use this for a web application. Which will need to have the host set to that of your web domain.
I have been in touch with the author of the tutorial you are following. I suspect they will be addressing the issue soon. Twitter thread
I need to manipulate programmatically emails on exchange online mailbox from windows service APP. The company use ADFS based authentication to Office365 and exchange online. What is the best and easiest way to authenticate and get connection to a mailbox in this scenario? There are many posts and articles but they are very confusing. Any code examples will be appreciated.
After deeper investigation looks like best way to go is to use EWS - exchange web services https://msdn.microsoft.com/en-us/library/office/jj900168(v=exchg.150).aspx . Works pretty well.
I am coding against the OneDrive C# SDKand I have a few questions.
Question 1.
Does the OneDrive C# SDK use the Microsoft Graph API under the hood?
... If so, how can I use the SDK to pass in my client_Id and client_secret and authenticate as a service or daemon app instead of a traditional OAuth for a user?
I have proofed out the authentication for a service with REST calls but I am trying to proof out if it is still possible to use a C# SDK instead.
Question 2.
I found this article Azure Active Directory Graph Service Tutorial. After following the example I am able to create an HTTP POST call and return an access_token. My question is there a way to use this token in conjunction with the Microsoft Graph CSharp SDK or OneDrive CSharp SDK to serve as the authentication process?
Update:
Okay, I was able to proof out some more and having a working code, but I am now getting an error around {Code: InvalidAuthenticationTokenMessage: Access token validation failure.
I did the exact same call with Postman and was able to get data back with REST calls, is REST the only way to achieve this?
I created a gist for my attempt: Code
Solved
On line 62 in the gist, I was hitting the wrong resource. The correct resource is https://graph.microsoft.com
I cant seem to find the relevant resource for learning this. I am trying to achieve a simple login for my C# application where users will be required to authenticate to use the application, and such the users account level would determine what can be accessed inside the app.
Lets say i have a forum and i want my users to authenticate via the application using the forum credentials, is this possible? what should i know about Security and how is this accomplished?
My thoughts would be i should be able to authenticate using some kind of SQL library? though i am new to C# so i might not be on the right track here.
Thanks for your suggestions.
To authenticate with a web site (forum) you need something like OAuth, see this guide for example. The website needs to provide OAuth.
Authenticating with a web site that was not explicitly designed to support an app client is not really possible, at least not correctly.
I followed this Microsoft Azure Mobile Service Authentication Tutorial, to try to add a server authentication function for my Windows Store C# app. However, after completing every step, when I run my app, it showed that the application cannot connect to the service.
I found this useful blog tallking about troubleshooting Azure Authentication issues in Azure Mobile Service. To troubleshoot, I type the link in the firefox web browser: myServiceUrl/login/aad, but I receive the error response:
Authorization has been denied for this request.
I also followed the same tutorial to test with Google Log in. It turns out to work properly. And when I type the link: myServiceUrl/login/google, the web browser directed me to the google log in page, unlike the Unauthorization error message when I type in myServiceUrl/login/aad.
Although google log in works out fine, but it is desired for us to use Azure Active Directory authentication. Could anyone tell us what could possibly be wrong? Any troubleshooting suggestions are also appreciated. Thank you.
The "Application cannot connect to the service" error comes from whenever the Web Authentication Broker in Windows receives an error response from the resource it is trying to reach. There are a couple of issues that can cause this, and I'll try and address the most common ones.
I noticed the tutorial you linked to is for the .NET backend. If you are using the Mobile Services .NET backend, there is an extra step required to configure the AAD server flow, and it's a common cause of the issue being described. In the tutorial, it's under the title "Configure your .NET mobile service for AAD login." On the backend project, you will need to install the Mobile Services .NET Backend Security Extension NuGet package. Then, in WebApiConfig.cs, you will need to include
options.LoginProviders.Remove(typeof(AzureActiveDirectoryLoginProvider));
options.LoginProviders.Add(typeof(AzureActiveDirectoryExtendedLoginProvider));
This allows the runtime to use the server flow in addition to the client flow (leveraging the Active Directory Authentication Library) which was first released with the .NET backend.
Pending that, or in the case of the Node runtime, the next thing to do is check the AAD configuration. In the AAD portal, make sure that your application registration uses your mobile service's /login/aad endpoint for the resource URI. It must match exactly the value provided in the Mobile Services portal. This should also be one of the redirect URIs if you are using the Node backend. For .NET, you would use the /signin-aad endpoint for the redirect URI instead.
You should also check that you have copied the Client ID from the AAD registration and pasted it into the Mobile Services portal's Identity Tab. For completeness, the "Allowed Tenants" field should also be filled out, but I don't believe it is the cause of this issue.
Lastly, if your AAD tenant is federated with ADFS, then there is a wide range of issues that could lead to this. The biggest case comes from the WAB needing to be configured for Enterprise Authentication. This typically only causes problems when the device is domain joined / on the corporate network. That behavior is a known bug for the Mobile Services Windows Store SDK, but there is a workaround available. Glad to provide that if needed.