I've created a SpringBoot application which authenticates users against my company's Azure Active Directory server using OAuth 2.0
Now I'd like to display the User's profile picture.
The first way I went about this was to naively embed the graph API url to the user's profile picture in an IMG tag, assuming that the browser's cookies would implicitly provide authentication for the logged-in user:
<img src="https://graph.microsoft.com/v1.0/me/photos/48x48/$value"/>
but this results in a 401 error:
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token is empty.",
"innerError": {
"request-id": "71fe8fc9-e8d2-4f2e-950d-04e7d9fa64e6",
"date": "2018-09-24T07:08:50"
}
}
}
what's the best way to get the User's profile picture after AD/OAuth authentication - I'm happy to do this either by the client-side or server-side, and ideally I'd like to know both approaches
You could do it client-side, but you'd need to acquire an access token with ADAL.JS/MSAL.JS and then request for the file and set it as the content of the img element via JavaScript.
Server-side is probably easier to implement, point the img to an HTTP route in your back-end, acquire an access token, call the API, and return the bytes of the image as a result from the route.
Related
I have requirement to get the person ID from the linkedin API
https://api.linkedin.com/v2/clientAwareMemberHandles?q=handleString&handleString=test123#gmail.com
but receiving response below
{
"serviceErrorCode": 100,
"message": "Not enough permissions to access: GET-handleString /clientAwareMemberHandles",
"status": 403
}
I have the application permissions in the application r_liteprofile/w_member_social/r_emailaddress
Additionally when I requesting a access token I send these three as scope parameters.
Appreciate your guidance.
This response is from linked in api and not from API manager. Basically, this means that the call from api manager to LinkedIn api does not have a token with the correct permission.
The token which is generated by API Manager is only for authentication with api manager. If the backend server expects a token as well, you should send that particular token in the request from API-M to the backend.
You can achieve this by adding a meditation sequence to your api. Follow the example below.
https://medium.com/#menakajayawardena/wso2-how-to-using-oauth2-protected-back-ends-with-api-manager-5d7e234c61c
I downloaded the example:
https://dev.office.com/Getting-Started/office365Apis?platform=option-android#register-app
clicking on send button throws this error:
RetrofitError: 404 Not Found
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Bearer access token is empty.",
"innerError": {
"request-id": "951626d4-0168-4b58-a78a-1fdd3bd322f2",
"date": "2016-04-29T18:34:05"
}
}
}
It looks like perhaps you did not register your app before downloading the sample. The readme instruction in the sample should walk you through registering and configuring an app, at which point the login should succeed and you will get a bearer token.
You are missing an access token. From https://msdn.microsoft.com/en-us/office/office365/api/discovery-service-rest-operations:
Discovery Service operations
Initial sign in
This brings the client to a web page where the user enters account information. It returns the endpoints needed to continue with Discovery Service. This is used the first time a user tries your application. It tells your application:
what cloud the user belongs to
where the app can send the user to log in
where to go to get a token
you can continue reading it on the official site.
I am trying to make a very simple app with spring social, the app is not for public. What I am trying to achieve is to post to my wall or to the page that I administer.
Trying to ask facebook for access to manage_pages permission they denied because as they said "You do not need to request these permissions because your blog or CMS is integrated with an app that you admin. As an App admin, you can already access these permissions and post to your timeline or a page you admin. You can provide access to additional users by adding them as developers of your App."
Now in the code. I altered a bit spring social showcase example. And my case is as follows:
1) I login to facebook through my app
2) Trying to get the number of pages that I administer
3) Post to my wall.
For step two I am using this code:
if (facebook.pageOperations().getAccounts() != null) {
System.out.println("SIZE OF ACCCOUNTS IS: " + facebook.pageOperations().getAccounts().size());
}
The size of accounts is always 0. So this means that although I should be able to post to the pages that I am administrator I can not even see them. Am I correct?
For step three now:
facebook.feedOperations().updateStatus("I'm trying out Spring Social!");
facebook.feedOperations().post(new PostData("me").message("I'm trying out Spring Social!")
.link("http://www.springsource.org/spring-social", null, "Spring Social", "The Spring Social Project", "Spring Social is an extension to Spring to enable applications to connect with service providers."));
System.out.println("FEED POSTED");
both of those attempts fail with the following exception:
org.springframework.social.InsufficientPermissionException: Insufficient permission for this operation.
Could someone help please?
It seems like you have not asked/granted the permissions that you need during login. The first thing that you need to do is implement login and ensure sure that you include the correct scope i.e. permission (manage_pages) during login. Since your requirements also include publishing, include these permissions publish_pages and/or publish_actions depending on whether you want to publish as a page or yourself. e.g. if you are using the JS SDK, it would look something like this:
FB.login(function(response) {
// handle the response
}, {scope: 'manage_pages, publish_pages, publish_actions'});
Once you do this, on logging in, you will be prompted if you want to grant these permissions. On granting, your access token will contain these permissions and you will be able to make a call to /me/accounts which will give you a list of pages that you admin and their respective access tokens. It will look something like this:
"data": [
{
"access_token": "CAACEdEose0cBAAy...",
"category": "Food/Grocery",
"name": "Page Name",
"id": "1234567890",
"perms": [
"ADMINISTER",
"EDIT_PROFILE",
"BASIC_ADMIN"
]
},
...
]
If you want to publish as yourself, then you can continue using the current user access token. Else if you want to publish as a page, grab the page access token from the response above and use that to make the POST request against the page id.
And if you are creating an app for yourself and not for the public, then you do not need to submit these permissions for review provided you are an admin or have some role in the app.
You might be able to find some more context here.
I followed an instruction fro a user here, about allowing users to automatically login using their facebook account in the app that i am creating . But, i am having errors.
<%
String fbURL = "http://www.facebook.com/dialog/oauth?client_id=651066068265632&
redirect_uri=" + URLEncoder.encode("651066068265632") + "&scope=email";
%>
this is the new error that I got:
The redirect_uri URL must be absolute
also:
Given URL is not allowed by the Application configuration.: One or more of the given URLs is not allowed by the App's settings. It must match the Website URL or Canvas URL, or the domain must be a subdomain of one of the App's domains.
I tried to get a new example from Graph API, and i downloaded the whole project, but this is the error i am getting::
{
"error": {
"message": "Invalid redirect_uri: Given URL is not allowed by the Application configuration.",
"type": "OAuthException",
"code": 191
}
}
what should i do?
Please use the instructions on https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/ or use already existing interfaces like RestFB or Spring (https://spring.io/guides/gs/accessing-facebook/)
http://twitter4j.org/en/code-examples.html - How to provide a Twitter PIN statically during OAuth authentication, the code example talks about providing a PIN if its already available.
Our application is a standalone java application and would prefer to pass credentials via a property file without any human intervention.
Twitter will provide you the PIN code.
In the example, Twitter4J supposes that somebody will copy the URL it gave (with requestToken.getAuthorizationURL() at line 10) in a web browser and will authorize the application via the browser. After that, the user is supposed to write in the example program the PIN code displayed in its browser.
There are two big drawbacks for you in this example :
Human intervention
Which code will you give to your example program if Twitter do not give you a PIN code (and it will happen if the callback URL of your Twitter application is not "oob") ?
You will have to simulate the human intervention to get the PIN code. Unfortunately, Twitter4J does not seem to get methods to do this (I do not see such method in the Javadoc) so you will have to code yourself the following process :
Retrieve the HTML code of the web page at requestToken.getAuthorizationURL().
This HTML page contains a form whose some parameters will be posted with the username (or email) and the user's password to get the PIN code. These parameters are called "oauth_token" (the temporary OAuth token that you already have), "deny" (a tag used if you do not want to authorize the application) and "authenticity_token". All of them are in <input> HTML tags. Pick them.
Simulate the posting of the form. For this you will have to use the POST oauth/authorize endpoint. The URL is https://api.twitter.com/oauth/authorize?oauth_token=<your OAuth Token>. The request has to be authenticated following the Twitter process for Authenticating requests. This is the content of what you will post : "authenticity_token=<the form's "authenticity_token" parameter>&session[username_or_email]=<user's name or email>&session[password]=<the user's password in clear>". If you don't authorize the app, append "&deny=<the form's "deny" parameter>" in the body message. There will not be any problem for you since you have got the credentials (session[xxx] parameters) in a property file and you picked the other parameters in the form (cf 2.).
The Twitter API will give you back an web page. If the authorization was successful, the PIN will be inside. However, be careful. The PIN takes different names depending on the callback URL. If the callback URL is "oob", the PIN code is called OAuth PIN. It is a 4-digit number somewhere in a <div id="oauth_pin"> HTML tag. Otherwise, it is called OAuth Verifier. It is contained in a URL located in a <div class="happy notice callback"> HTML tag. In this URL, the PIN is the oauth_verifier of the request string. It looks like an OAuth token.
Don't hesitate to have a look at the HTML code of the web pages of the 2nd and the 4th step of my process. It is very useful to understand the process.
I spent some time today trying to figure out how to authenticate without user intervention using Twitter4j Library. I came up with the following:
ConfigurationBuilder conf = new ConfigurationBuilder();
conf.setOAuthConsumerKey(CONSUMER_KEY);
conf.setOAuthConsumerSecret(CONSUMER_KEY_SECRET);
conf.setOAuthAccessToken(TOKEN);
conf.setOAuthAccessTokenSecret(TOKEN_SECRET);
Twitter twitter = new TwitterFactory(conf.build()).getInstance();
By using ConfigurationBuilder, I'm now able to authenticate automatically. Of course you need to set values for CONSUMER AND TOKEN keys accordingly. Here's how I verified it:
User user = twitter.verifyCredentials();
System.out.println("Successfully verified credentials of " + user.getScreenName());
Hope this helps!