I follow the guide on this URL for acquire a azure accessToken.
https://github.com/Azure-Samples/active-directory-java-native-headless
I'm able to acquire the token both accessToken and idToken.
In result I can also access to user info.
But when I'm going to use the access Token for query graph I have unauthorized access ( 401 ) .
Also if i use the same accessToken from Postman is the same.
According to the guide, it just grants the user.Read permission, so you could get the user info with token.
If you want to access other graph resource, you need to grant the other delegate permisson.
We could get the premissions information from the corresponding Microsoft Graph API.
Take get user API for example at least User.Read is required. If you want to access other Microsoft Graph API, we need to know what permission is needed. If possible, you could add the related information into the question.
How to add the delegate permissons, please refer to this screenshot
Related
I'm using Xero-Java and I'm trying to push invoices to Xero. The scopes I requested in the Ouath2 authorization were:
openid
email
profile
offline_access
accounting.settings
accounting.transactions
accounting.contacts
accounting.journals.read
accounting.reports.read
accounting.attachments
Invoking the AccountingApi.updateInvoice() method throws the error:
com.xero.api.XeroApiException: Unauthorized - check your scopes and confirm access to this resource
I was under the impression that the scope accounting.transactions would allow pushing Invoices to Xero. Where is my problem and how do I fix it?
Thanks.
Looking at some logs, it seems that your access token has expired. Access tokens only live for 30 minutes.
As you've used offline_access, you can acquire a new access token for the same user by using the refresh token provided during user authorisation with a refresh request as outlined in the Readme of the SDKs github repo.
You'll probably want to check token expiration prior to each call to the Xero API.
I have an application in whick an user can login with google. Than the user during his experience into the application can choose to integrate also the GoogleCalendar service. In order to achieve this my actual system works like the follow:
-when the user log in with google the system store his access and refresh token and calls Google to retrive basic profile information. In order to do that I create a GoogleCalendar object using the following call:
GoogleTokenResponse response = flow.newTokenRequest(code).setRedirectUri(GOOGLE_CALLBACK_URI).execute();
GoogleCredential credential= new GoogleCredential.Builder().setJsonFactory(Constants.JSON_FACTORY)
.setTransport(Constants.HTTP_TRANSPORT).setClientSecrets(Constants.GOOGLE_CLIENT_ID, Constants.GOOGLE_CLIENT_SECRET).build();
credential.setAccessToken(response.getAccessToken());
credential.setRefreshToken(response.getRefreshToken());
-When the user choose to integrate the calendar service another Oauth iteration starts and the with a new code. I ask the GoogleCredential like before and access the service.
-When the systems need to perform some operations accessing Google Calendar I create a GoogleCredential object with the following call:
GoogleCredential c= new GoogleCredential.Builder().setJsonFactory(Constants.JSON_FACTORY)
.setTransport(Constants.HTTP_TRANSPORT).setClientSecrets(Constants.GOOGLE_CLIENT_ID, Constants.GOOGLE_CLIENT_SECRET).build()
.setAccessToken(user.getAccessToken()).setRefreshToken(user.getRefreshToken());
Ans then ask for the service. But in this last case I get an error reporting 403 code and "Insufficient Permission" message.
I have checked that the stored access and refresh token I set into the GoogleCredential are the same I receive the first time getting the GoogleCredential with the "code". I also search a lot online but no solution would work. I'm really blocked into this error. Thank you in advance for the help and sorry if I miss specifing something or if I make some mistake in asking the question.
If I understand the problem you're describing correctly, incremental authorization may be what you're looking for: https://developers.google.com/accounts/docs/OAuth2WebServer#incrementalAuth
Specifically, add include_granted_scopes=true to your authorization URLs which should cause the resulting tokens to include the sum of all so-far-granted authorizations.
I wonder if someone can help me understand the difference between Access Tokens, App Access Tokens and when to use each.
My problem if that when I use the restFB libraries to obtain the access token:
AccessToken accessTokenT =
new DefaultFacebookClient().obtainAppAccessToken(appID, appSecret);
As I would expect it returns the App Access token. However, when i use that token to instantiate the FacebookClient object:
FacebookClient facebookClient = new DefaultFacebookClient(accessToken);
It fails with the following message:
Exception in thread "main" com.restfb.exception.FacebookOAuthException: Received Facebook error response of type OAuthException: (#200) The user hasn't authorized the application to perform this action (code 200, subcode null)
If I go to the graph explorer and manually get an access token, then use that in my code, everything works fine.
I'm sure there's something subtle I'm missing and any help would be greatly appreciated.
Many thanks
Primarily there are 3 types of access tokens-
User access token
Page access token
App access token
The documentation by facebook: Access Tokens, explains a lot about them. You can have a look.
You should initialize the facebookClient with the user access token. The user access token is obtained when a user login/authorizes the app. This token is used to query about the user(for what he has given permissions to the application). The App access token has very limited powers like: posting on behalf of the user once he has given app the authorization, or send the requests etc.
I want to get users' access_token by using Google Drive SDK in JAVA.
I completed to get access_token when user log-in first time. But, I really want to direct-login. I know access_token be expired, so 'refreshToken' can be my solution. But refreshToken is always 'null'. How can I perform direct-login? Many advices welcome.
You need to separate "login" from "access drive". Once your application has an access token for a given user/scope, it can access Drive on behalf of the user. There are two (main) ways your application can obtain an access token.
It can request access which will involve the user being logged in to grant access.
In step 1, it can request "offline" access, in which case it will be given an access token and a refresh token. It can subsequently use the refresh token to request more access tokens without the user being present.
I suspect that you want to do option 2. This is described quite well at https://developers.google.com/accounts/docs/OAuth2WebServer#offline
If you have tried this and you having problems, please paste your code and the http trace so we can look at the problem with you.
I am using an URL like the following:
https://www.google.com/accounts/OAuthAuthorizeToken?
oauth_token=ab3cd9j4ks73hf7g&oauth_callback=http%3A%2F%2Fwww.example.com
This gets redirected to:
http://www.youtube.com/oauth_authorize_token?oauth_callback=http%3A%2F%2Fwww.google.com&oauth_token=1%2FyT-RZ-5PAMCp43Wt0RAGpNUAbMKAHxq1MG_RiX3Cmtk
After the user clicks allow access, YouTube directs the page to:
http://www.youtube.com/t/oauth_token_authorized
Why is the callback not working?
Their API seems to agree with what I am doing.
In sum, you're specifying the oauth_callback too late in the process. Instead, provide it at the very beginning. For Google's provider, that's when you're calling OAuthGetRequestToken.
This Google documentation seems to get it right. Strange. I also found other documentation that explains the same thing: "The [Service Provider] MUST associate the callback URL sent in Step 1 with the request token it issues." So, you have to provide the callback URL when getting the "unauthorized" request token ("unauthorized" because the user hasn't given their permission yet). After you've done this, you can forward the user to the Authorization URL, where the user (aka resource owner) grants access explicitly for your application.
Here's a page that gives related information about OAuth 2.0.