After configuring my app on apps.dev.microsoft.com I can login with an administrator account to the mobile application with MSAL. Other users get a 403 -Forbidden when requesting data from Microsoft Graph.
What should be reconfigured for users to grant access?
App Registered Scopes:
User.ReadWrite
User.ReadBasic.All
Calendars.ReadWrite
Contacts.Read
Scope in Android App:
https://graph.microsoft.com/User.ReadWrite
https://graph.microsoft.com/User.ReadBasic.All
https://graph.microsoft.com/Calendars.ReadWrite
https://graph.microsoft.com/Contacts.Read
Requests made by App:
https://graph.microsoft.com/v1.0/users
https://graph.microsoft.com/v1.0/me/events
https://graph.microsoft.com/v1.0/users/{user}/calendarview
https://graph.microsoft.com/v1.0/me/events/{identifier}
I suppose there was an issue with app dev web page or data was not propagated. I removed all delegated permissions from portal and app and with documentation added all permissions for my requests, even if documentation mentioned that I could choose only 1 from it. It worked for first request /users so I did it with another request. After checking that all request works in app I started to removed 'additional' permissions. It ended with only 3 permissions:
"https://graph.microsoft.com/User.ReadWrite",
"https://graph.microsoft.com/User.ReadBasic.All",
"https://graph.microsoft.com/Calendars.Read"
Related
I have an Ionic Angular app which I'm deploying to an Android device. I am using OpenID + KeyCloak for authentication, on the clientside I am taking care of this by using the angular-auth-oidc-client. The configuration I have set up is:
scope: 'openid profile tino_access',
silentRenewUrl: `${window.location.origin}/silent-renew.html`,
responseType: 'code',
postLogoutRedirectUri: window.location.origin,
silentRenew: true,
silentRenewUrl: `${window.location.origin}/silent-renew.html`,
logLevel: LogLevel.Warn,
postLoginRoute: window.location.origin,
useRefreshToken: true
This works perfectly fine when deployed locally or on a custom domain on my server, however when testing on a mobile phone as an app it does not work. I notice that the value of window.location.origin is http://localhost. After successful login, a request is made in the form of ${window.location.origin}/?state='token'&code='token', such that 'token' is the value of the token generated by the OAuth. When this request is made on the mobile device, the request http://localhost/?state=...&code=... is not recognized and the app fails to launch, I only get an error screen that the web page does not exist.
Is there any way to go around this problem?
Thanks
Answer: Since an app's origin is http://localhost, and a local server is not running on the phone, the solution is to change the redirect_url parameter of the auth configuration to the package id of the application. Example: com.package.id://home
This will redirect you back to the app after finishing the authentication in the OAuth page
Consider me a beginner in the dev world.
I am trying to clone my Android app client, but keeping the same server. So far so good, but when I reached the in-app purchases part it seems like my server just cannot verify the orders from the cloned new_app package - error '401 The current user has insufficient permissions to perform the requested operation.'
The order itself from the new app goes through. It is just that I verify if it is successful on server side before I give the item.
I am (I would like to) using the same webserver ClientID and Secret from both apps (why should I need separate ones?), and I suspect that corresponding access token generated which I pass in the curl URL is just not accepted for the new_app case:
curl_setopt_array($curl, array(
CURLOPT_URL => 'https://www.googleapis.com/androidpublisher/v3/applications/com.new_app_package/purchases/products/' . $sku . '/tokens/' . $purchaseToken . '?access_token=' . $token, ....
Is there some strict linkage between the webserver client / service account and the app package which I miss? I've been struggling already weeks with this dilema with no results... Hints will be appreciated
As I side note: I have given Editor rights to the service account (GoogleApis IAM); also I have given the service account emails the 'Full' rights to the app in google play console (settings/apiaccess+userpermissions) - no results
I currently have a login flow with facebook that is working 100% and I just added Google into the equation. I wrote the code so that my google provider tokens are formatted and cached in the same way as my facebook tokens. My code gets the facebook and google tokens and does the folling: (the following example is for the google login):
USER_GOOGLE_TOKEN = new JsonObject();
USER_GOOGLE_TOKEN.addProperty("access_token", accessToken);
cacheProviderToken(USER_GOOGLE_TOKEN.toString());
setCurrentProvider("google");
Then, in my authentication method in the activity, here is how I mobileserviceclient.login:
MobileServiceAuthenticationProvider provider = null;
if (getCurrentProvider().equals("facebook")){
provider = MobileServiceAuthenticationProvider.Facebook;
} else if (getCurrentProvider().equals("google")) {
provider = MobileServiceAuthenticationProvider.Google;
}
token.addProperty("access_token", googleToken);
ListenableFuture<MobileServiceUser> mLogin = mClient.login(MobileServiceAuthenticationProvider.Google, getProviderToken());
The problem is that Facebook works and Google produces a 401 unauthorized.
The specific error I get (before the future returns failed), is: W/DefaultRequestDirector: `Authentication error: Unable to respond to any of these challenges: {}. Azure logs show that it is a 401 unauthorized.
I am successfully printing the Google-Sign-In token and formatting it in the same way as my facebook tokens before trying to use them. Are my google keys wrong? I regenerated them once already and I tried setting origions to https, I tried different key combos, and I even got rid of my google-services.json(apparently its not needed). I did not use the client key that was generated on this google doc.
Another question here is how does the authentication settings of my Azure Mobile App come into play? I had originally configured my facebook before migrating from a MobileService to MobileApp, and now I do not need to use the "turnkey authentication" feature for it to work. I went ahead and entered my app key and secret for facebook, but it definitely works regardless of whether or not this is enabled. Is this a necessary feature for oauth?
Also, Depending on the token format on Login and the On/Off status of the AUthentication feature, the errror: W/DefaultRequestDirector: Authentication error: Unable to respond to any of these challenges: {}
, will have some text in the curly brackets about the azure endpoint.
Thank you so much if you can help. Such a picky issue here.
The App Service Authentication / Authorization is incompatible with a migrated Mobile Service and must remain off.
To update Authentication settings with a migrated Mobile Service, you set the app settings. For facebook, that's MS_FacebookAppID and MS_FacebookAppSecret. For Google, that's MS_GoogleClientID and MS_GoogleClientSecret.
For reference, check out https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-migrating-from-mobile-services/#authentication
How can I retrieve all connections of a profile? The user is logged in, I can successfully retrieve the profile with https://api.linkedin.com/v1/people/~?format=json but I don't know how to get all connections of a profile.
solution 1 (does not work!): I've found out, that it could be retrieved with https://api.linkedin.com/v1/people/~/connections?modified=new but that needs, as far as I found out, the r_network scope. But I can't even add this scope to my app as the appended picture shows. And just adding the scope to my request does not work, as I get a "Access to connections denied" response...
Questions:
So how can I retrieve a list of all connections?
how can I add r_network scope to my app?
The r_network scope recently changed to be a LinkedIn partner-only permission. You can apply for access to their partnership program here: https://developer.linkedin.com/partner-programs/apply
I'm trying to implement one-time code sign in flow in my system.
Application contains of two parts:
1)Android application which requests Google+ for one-time authorization code
2)Rails server that receives one-time code from android application in request header and tries to exchange code for access_token and id_token from Google+
The problem is that everything works well if I get one-time code using JavaScript sign-in button in browser, but doesn't work when one-time code is obtained by Android application and then sent to my server.
I'm getting always
"error" : "redirect_uri_mismatch"
My server settings are following:
{ "web":
{ "client_id": "MY_REGISTERED_WEB_APP_CLIENT_ID",
"client_secret": "MY_CLIENT_SECRET",
"redirect_uris": ["postmessage"],
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token"
}
}
Now, how I'm requesting one-time code from Android app:
I use the same MY_REGISTERED_WEB_APP_CLIENT_ID as on my server for requesting one-time code. I don't know, maybe I have to use on Android another client id, that corresponds to my Android application? But all found documentation and articles are pointing to registered
Web app client_id.
Or maybe my rails server should be configured not for web, but for installed type of registered in Google Console apps?
Now regarding redirect_uris.
I've tried to set several redirect_uris in Google Console:
empty field
http://localhost:5000
https://localhost:5000
http://my.deployment.url/auth2callback
Web origins in Google console are set to
- http://my.deployment.url
- http://localhost:5000
Can't figure out what I'm doing wrong.
Actually I don't understand why I need to set this redirect_uris values, since I don't want to have callbacks from Google, I just want to get access_token and use it for accessing Google+.
This is happening because the redirect_uri your android app is using to create the initial login flow is different from the redirect_uri the server is using when it tries to excange the code for an access_token. The redirect_uri the user returns to and the redirect_uri used in the token exchange must match.
The proper redirect_uri in this case is "urn:ietf:wg:oauth:2.0:oob"