I've recently faced a problem.
My frontend use Oauth2 to authenticate my user on Azure (Organization). This giives me multiple information containing idToken and accessToken.
My Backend uses AADResourceServerWebSecurityConfigurerAdapter to authenticate the user thanks to the idToken put in the Authorization Bearer header from the frontend.
Unitil here everything works well. I can get the connected user with this:
public static String getConnectedUserEmail() {
return (String) ((AADOAuth2AuthenticatedPrincipal) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getAttributes().get("preferred_username");
}
I use my backend app credentials to contact the graph api on behalf of the API itself.
Though, following Azure Ad documentation, I cannot query group/calendar on behalf of the API, I have to do it on behalf of the user.
To respect SOLID principles, I want to make the request from the backend, but on behalf of the user.
I cannot find any information about that.
So here is my final question: How can I make a graph API request in my backend on the behalf of the user?
Knowing that trying to use the tokenValue (idToken) of the user or the accessToken value returns invalid credentials from Microsoft.
You requested GET /groups/{id}/calendar to get group calendar as you said.
You can call Graph API with the access token using on-behalf-of flow, see here.
There is a sample using the On-Behalf-Of flow: https://github.com/Azure-Samples/ms-identity-java-webapi
Note: Make sure the following delegated permission is added.
Related
I've been experimenting with Azure Active Directory access for Java using two sample projects:
1) https://github.com/AzureAD/azure-activedirectory-library-for-java which builds a stand-alone war using OAuth tokens for security, and
2) https://github.com/Microsoft/azure-spring-boot/tree/master/azure-spring-boot-samples/azure-active-directory-spring-boot-backend-sample for spring-boot embeded containers
I've come across quite a difference in the way the APIs can be used, that I can't understand.
In both cases, I get an OAuth token for AD by logging in with my Azure credentials.
In the Http response, I get an authorizationCode of the form:
AQABAAIAAAD.....
Then using the following URL as an authContext:
https://login.microsoftonline.com/{tenantId}
I get a AuthenticationResult by making the following call:
Future<AuthenticationResult> future = authContext.acquireTokenByAuthorizationCode(authorizationCode, redirectUri, credential, null);
in the Adal4j project (1), the AuthenticationResult's AccessToken is of the form:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6I...
Which I can use as a Bearer token in an HTTP call to retrieve the user's profile picture via https://graph.windows.net/myorganization/me/thumbnailPhoto?api-version=1.6
whereas in the SpringBoot AD example, the AccessToken returned from exactly the same call is of the form:
AQABAAAAAADXzZ3ifr-GRbDT....
and If I use that in exactly the same way to try to retrieve the user's profile pic, I get a 401 Unauthorized response
What's the reason for the difference in the form and use of these AccessTokens?
What's the reason for the difference in the form and use of these AccessTokens?
I assume that you got the access token is authorization_code not the bearer token.
As Rohit Saigal mentioned that you could use JWT.IO or JWT.MS to check that.
If we want to get the access token for Azure AD graph we could use the follow code to do that.
public String index(Model model, OAuth2AuthenticationToken authentication) {
...
DefaultOidcUser user = (DefaultOidcUser)authentication.getPrincipal();
String accessToken = user.getIdToken().getTokenValue();
...
}
Then we could use the access token to access the Azure AD graph api if you have assiged corrosponding permission.
We are trying to implement Oauth2 on our app, in our App we are login using Sign In with Google, and this returns a lot of stuff like : UID, ACCESS_TOKEN, REFRESH_TOKEN, etc.. we are thinking to send from APP to server-side the UID and store it to DB linked with user like if it was its password.
From server side we want to on each call for instance : get_products, we are thinking to use an access_token but we don't know if it's the UID from user itself or we have to create another access_token with its refres_token with expiration time. So we have one UID from user and another access_token and refresh_token from oauth.
I'm not sure about the value you refer by UID. May be it's something that I haven't come across before.
But if it stands for USER IDENTIFIER, then you should not use it to identify the end user and maintain a session. UID could be a public identifier so anyone who knows will be able to communicate to your server. Also, think about user login through multiple devices. Your server won't be able to identify the correct session.
User access_token to initiate a session. In your server, use user-information endpoint to obtain validity details and end user information. Alternatively you may choose OpenID Connect.
On android client, I create Credentials, then choose account using AccountPicker and set the account name. On GAE, I have User parameter in every endpoint method. (I described it here)
Android Client ID, Web client ID and audiences are configured correctly.
On endpoint, the user is not null and has correct email set. But when I call user.getUserId() I get null. Is this user authenticated or not?... It really makes me nervous not to know that...
What you describe is odd, and I don't know why you get null when you call getUserId(), but never-the-less I would say, Yes, you are authenticated.
If you want to be sure, then you could try using that authentication from a web client - I read that once you have authenticated an Android user you are automatically given minimal account authentication for web too. So create a minimal servlet that includes the following code:
UserService userService = UserServiceFactory.getUserService();
User user = userService.getCurrentUser();
Load the page while signed in with the same account you authenticated from Android and see whether it acts like it already knows you, or whether it prompts the user as it would for a different, un-authenticated user.
This is a bug on google's side.
There seems to be a clunky workaround: save User to datastore and read it back.
Hi am regarding facebook php server side login..
http://developers.facebook.com/docs/authentication/server-side/
in that
$code = $_REQUEST["code"];
what is the meaning of this..., what is this code ?
Once the user has authorized your app, you should make a server side
request to exchange the code returned above for a user access token.
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID
&redirect_uri=YOUR_REDIRECT_URI
&client_secret=YOUR_APP_SECRET
&code=CODE_GENERATED_BY_FACEBOOK
Note the "CODE_GENERATED_BY_FACEBOOK" comment.
$_REQUEST['code'] is most likely a token that guards against CSRF. Facebook will create this and give it to your application via $_REQUEST['code'] (could be a POST, GET or whatever).
If you're not sure what $_REQUEST is, you should read the PHP manual entry for it.
$code is like authorization token that you exchange for an access token that you will use later to make calls to facebook api. The part you're looking at handles redirect from facebook after user logged in to facebook and authorized your application to access their information. at this point facebook redirects user back to your site and passes code as a get parameter and that line grabs that code from $_REQUEST, which in this context is the same as $_GET['code']
My application uses 3-legged authentication (OAuth).
I have the token (user was redirected to google login page to log in)
How can I get the e-mail address he used to authenticate?
you should look up user data using the access token. in facebook, the access token starts with user serial, so you can identify user from token directly. (ex. 123456-someStrangeStringBlahBlah...)
so if exposure of user serial is not problem, make token like facebook.
I think you want to use OpenID attribute exchange. (not OAuth, but Google has a bridge between the two).
See Google's page on their federated login API.
If you are using OAuth1.0 you can extract user email from the contactService by making a request to get for example contact group id. The returned response contains the user email encoded:
"http://www.google.com/m8/feeds/groups/user_email_here%40gmail.com/base/5f062e1e08cb3123"