I have a problem auth with microsoft graph api. I never work with it.
I try to write application responsible for downloading attachments from mails.
The program will be scheduled from platform so it cannot get admin consent (therefore authorize using Client Credentials).
Every code example I found required an user interaction to sig in on microsoft to get a token.
I received from admin in my company below items:
clientID, tenantID, app name, mailbox address
and permission EWS.AccessAsUser.All (should I request about Mail.Read permission? mailbox can be easily migrate to 0365. If I well understand EWS is for exchange)
I'd like to connect to mailbox and download attachments.
Is any way to receive authentication with clientID, tenantID ? any provider exist ? without user interaction to get a token?
You can obtain an app-only token by using Microsoft Graph Java SDK.
ClientCredentialProvider authProvider = new ClientCredentialProvider(
this.clientId,
this.scopes,
this.clientSecret,
this.tenantId,
this.endpoint);
IGraphServiceClient graphClient = GraphServiceClient
.builder()
.authenticationProvider(authProvider)
.buildClient();
You can find a full example in the java spring webhook sample. There's however a small caveat because of the authentication SDK as described here.
The permission you need to request is Mail.Read of type Application Permission under Microsoft Graph in the application registration portal. Once you've added that permission, do not forget to click the Grant admin consent for XXX button on top of the permission list (this is how you grant permissions if you don't have a UI flow).
Lastly, EWS is a separate API from Microsoft Graph, you shouldn't need any permission for it in your case.
you can get Access token using below code reference from Microsoft which uses Java SDK.
https://github.com/Azure-Samples/ms-identity-java-daemon/blob/master/msal-client-credential-secret/src/main/java/ClientCredentialGrant.java
Related
I'm building a small Java client with a Angular frontend to be distributed to clients.
At the moment I have a login screen via Angular which returns a valid firebase token. Where I'm unsure is how can I use that token to authenticate the user against the Java part of the application, so the Java client can perform actions such as file uploads.
With the Admin SDK I can do something like:
public FirebaseAuth firebaseAuth() throws IOException {
FileInputStream serviceAccount = new FileInputStream(new ClassPathResource(SERVICE_ACCOUNT_KEY).getFile());
FirebaseOptions options = new FirebaseOptions.Builder()
.setCredentials(GoogleCredentials.fromStream(serviceAccount))
.setDatabaseUrl(String.format("https://%s.firebaseio.com/", DATABASE_NAME))
.build();
FirebaseApp.initializeApp(options);
return FirebaseAuth.getInstance();
}
Which I can then go on the standard flow of of validating the token against Firebase and getting the user details.
Since I'm distributing both the Angular frontend and the Java client to end users, I can't use the Admin SDK.
How do I go about solving this? Is there some other type of flow I should be looking into? or can I make use of the Firebase token somehow?
The Firebase Admin SDK doesn't have the ability to scope its access to a single authenticated user. It's intended for use on backend systems that you control fully. Initialized with a service account, it will have permission to do anything that service account can do. It's not intended to be distributed to end users or any entity that you don't trust with full access to your Firebase project.
When it comes to actually authenticating the end user, Firebase Authentication is only meant to be used in the client apps (Android, iOS, web, and derivative environments).
I would like to integrate PayPal signin into an android app so to authenticate the client to the Firebase Database. I've managed to create a custom funtion on the node.js server that creates tokens from the provided uid, in order to use "signin withcustomtoken" function in the client application. Should I send the uid to the nodejs server through https in order to get the token? Is there a better way?
Don't create an HTTP endpoint that accepts a uid and returns a custom token. This is a huge security vulnerability as any attacker would be able to impersonate any user knowing their uid.
What you need to do is the following:
Implement a paypal OAuth code flow. You can use third party libraries for that.
When you get the paypal OAuth authorization code, you send it to your backend, you use the paypal client ID and secret to exchange for a paypal refresh token and access token. You can then get the user info associated with that paypal user including their paypal uid. You would then mint a Firebase custom token using the Firebase Admin SDKs and return it to the client.
On the client you would signInWithCustomToken to complete sign in with that custom token.
In this case you are exposing an HTTP endpoint that takes an authorization code and returns a Firebase custom token.
This is the basic idea (details excluded). Of course you still have to ensure the flow starts and ends on the same device by passing some state and then check that you get it back in the end. You also have to ensure the auth code is returned to the correct app using something like app links, etc. Firebase Dynamic Links can be helpful there.
I'm currently working on an AWS mobile app project in Android Studio, and I'm currently trying to set up a MQTT-connection to AWS IoT through AWS Cognito & IAM authentication.
If I run the MQTT-client as a stand-alone project without authentication, assuming an unauthenticated IAM role, I'm able to connect to MQTT, and subscribe & recieve from the given topic.
However, once I try to run my MQTT-client through an authenticated user (through a log-in on my mobile app), the client is restricted, and constantly tries to reconnect.
I enabled logging in AWS CloudWatch, and the following debug message is given:
"... EVENT:MQTT Client Connect MESSAGE:Connect Status: AUTHORIZATION_ERROR"
The unauth and auth roles in the IAM console have identical policies & resource access, yet something's stopping the MQTT connection.
PS. The Auth role can, in my app, access userfiles & S3, the probelem seems to be unique for IoT access.
Does anyone know if it's possible to allow connections through an authorized user without using cert-files, if so, how? Unless I'm mistaken Cognito and IAM should be able to perform the required authorization to access resources (and it does, as long as I'm not logged in to the auth role)
Appreciate any tips I can get at this point, been struggling for a while.
I eventually figured out the issue by reading the AWS documentation more thoroughly.
The AWS credentials provider does not store the required information to authorize access through AWS. So I solved the issue by retreiving the required user tokens into a hash, and setting these to the credentials provider, and the issue was finally solved.
AuthenticationResultType authenticationResultType = new AuthenticationResultType();
String idToken = authenticationResultType.getIdToken();
// Initialize the AWS Cognito credentials provider
credentialsProvider = new CognitoCachingCredentialsProvider(
getApplicationContext(),
COGNITO_POOL_ID,
MY_REGION
);
Map<String, String> logins = new HashMap<String, String>();
logins.put("yourAWSEndpoint", idToken);
credentialsProvider.setLogins(logins);
I have read and implemented my own Auth server following this tutorial from Spring. There are multiple SSO providers - Facebook, Github and a custom auth server. In this tutorial, the auth server contains the handling of other SSO providers.
I have a separate resource server that links to my auth server using the following properties:
security.oauth2.resource.userInfoUri=http://localhost:9000/user
I am able to get the token from my auth server using a cUrl command:
curl acme:acmesecret#localhost:9000/oauth/token -d grant_type=password -d username=user -d password=...
{"access_token":"aa49e025-c4fe-4892-86af-15af2e6b72a2","token_type":"bearer","refresh_token":"97a9f978-7aad-4af7-9329-78ff2ce9962d","expires_in":43199,"scope":"read write"}
But what I fail to understand is how can I use the other SSO providers to get such token as well from the auth server? The resource server should not care how did I get the token and whether I am authenticated using Facebook or my custom auth server. It should simply ask the auth server what is the Principal (logged user) and then decide which resources to show him, right?
I don't have any UI and this will be backed for a mobile application so I need to udnerstand how to handle the authentication using REST reqeusts.
If I understand your question correctly,
how can I use the other SSO providers to get such token as well from
the auth server?
This custom Auth server is abstracting out your interaction with FB or Github and issuing you it's own token. The token that your custom Auth server spitting out is not an FB or Github token, it's a token generated by your custom Auth server (After authenticating with FB/Github token).
Then why do we need FB/github?
How else your custom Auth server can identify a person, It sure can use user Id and Password; consider 'login with FB' as another nice option it gives to the user.
How to add other SSO providers like digitalocean in addition to FB and github?
Just do the same as we did for FB and Github (register a client id with digital ocean and then in auth server application, Add client Id and secret in the properties/yaml file etc)
The resource server should not care how did I get the token and
whether I am authenticated using Facebook or my custom auth server. It
should simply ask the auth server what is the Principal (logged user)
and then decide which resources to show him, right?
Yes, your understanding is correct.
Edit (To answer question asked in the comment)
But lets say I log in with Facebook through my Auth server. Where do I
find the token that I can use with the Resource server? Let's say I
have a RestClient and want to make a request to obtain some resource
belonging to a user which went through the Facebook auth process via
my auth server. Where do I find the token to use?
If that's a requirement, I think you can use this example instead; you may not need a custom auth server as such. Whole point of having custom auth server is abstracting out the interaction with FB or github.
Or
If you still want to go with custom auth server direction, then expose an endpoint from Auth server (which will get you the resources you need from FB) and then make use of that from your resource server.
When connecting to the google services from a desktop app user is required to enter access code provided to him to generate accessToken.
I can't quite understand how to properly save it and restore into GoogleCredential so user wouldn't have to authorize my app on every launch.
Can somebody provide me with a code snippet of this process or a more detailed instruction than the one Google provides?
First you have to register your project into the Google Developer console. From the console your will get some credentials like: cliend id, client secrets.
Now when you want to authorize your application u need to get an access token. But before u have to get an "authorization token". For this u need to use an url like this
https://accounts.google.com/o/oauth2/auth?
redirect_uri=yourredirectpage&
response_type=code&
client_id=1070885696038-32m83k9ties5m7qsi4g6v8dfo28f2r9g.apps.googleusercontent.com&
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar&
approval_prompt=force&access_type=offline
The response of this request contains the authorization token. Now you can exchange the authorization token for the access token with another request:
https://accounts.google.com/o/oauth2/token?
code=4/oIdtdqPBW67CTSpijkm_fbwCqMjF_WJPiSmvsq8zScA.Ilw2ePhp3fQeoiIBeO6P2m_Usz4vlgI&
client_id=1070885696038-32m83k9ties5m7qsi4g6v8dfo28f2r9g.apps.googleusercontent.com&
client_secret={your_client_secret}&
redirect_uri=yourredirectpage&
grant_type=authorization_code
Where "code" is the authorization_token.
For more details check this: Google Api OAuth