I need to authenticate via azure ad in my application. I found this example code: https://github.com/Azure-Samples/active-directory-java-native-headless but my azure is configured with MFA and I get this error:
{"error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.\r\nTrace ID: 643e8491-904a-4cea-b2a6-c720dda97f00\r\nCorrelation ID: 946f5469-c2b3-4de4-8c92-ab73aabc13d3\r\nTimestamp: 2018-08-27 12:59:25Z","error":"interaction_required"}
And now I'm not sure how to provide verification code to my application. Does anyone has any example code, wiki how to use it with MFA?
This sample should help you. It uses OpenID connect with a Java application.
As for your error, in AAD, if you do an initial login in one location, and then login from another location, there are conditions on the AD that flag this as "risky activity".
So for your account there is a "moved to a new location" flag that can get set, automatically triggering the need for MFA. If you do face this, check the conditional access locations in Azure and see if you can clear the flag. (Or set up the original account with named locations in place.)
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-locations
Related
I am trying to setup Okta MFA at both organization and app level for my AWS Application. I have successfully created the Sign On Policy for the AWS App and it is working correctly from Okta Console.
But now I want to add this feature in my Java Project, I tried searching for APIs which can be used to verify MFA at Application level, but I am not able to find any such API. Can you please provide me some details regarding application level mfa and how to do it from Java Project.
As of now I am able to Authenticate with MFA at account level. But when I try to use the same URL(https://?onetimetoken='SessionToken' ) for application level mfa, I am being redirected to the login page again.
Any idea how to implement App level MFA with Java?
These are the docs you are looking for! Basically, what you will want to do is use our Java SDK to enroll a user in a factor, then activate the factor, and finally, verify the factor when someone logs into your Java application.
I have an application which connects to Google Drive API.
Now I have to add another function which requires the Google Directory API.
I granted the necessary permissions and enabled the new API in my project.
However I'm still getting this error:
"message" : "Access Not Configured. Admin Directory API has not been
used in project 594418282793 before or it is disabled. Enable it by
visiting
https://console.developers.google.com/apis/api/admin.googleapis.com/overview?project=594418282793
then retry. If you enabled this API recently, wait a few minutes for
the action to propagate to our systems and retry."
The problem is that the URL in the message gives me an error; apparently the project ID is invalid.
This is the error:
There was an error while loading
/apis/dashboard?project=594418282793. You are missing at least one of
the following required permissions:
Project
resourcemanager.projects.get
Check that the project ID is valid and you have permissions to access
it.
I have no idea what is the cause of this mismatch, why the project ID provided in the error message doesn't seem to exist, and where else should I enable the second API in my application.
Any ideas would be much appreciated.
I think you have miss understood how the credentials.json works.
Access Not Configured.
Means that the credentials you have loaded for this client has not been setup for the api you are trying to connect to.
When you create a project on Google developer console this is to give google information about your application as a whole and what it is designed to do. You should enable both apis in the single project.
Once that is done create your Oauth credentials as you did before this credential file will then be able to connect to both apis .
googel developer console
Left hand menu click credentials then button on the top says create credentials
Once you have created it click the arrow to download you can download the file anytime
I'm trying to develop a simple java client that needs to access Skype for Business APIs in order to setup an online meeting (i.e. I need to retrieve a simple setup meeting URL by invoking an UCWA API).
I followed this Microsoft tutorial step-by-step:
https://learn.microsoft.com/en-us/skype-sdk/ucwa/developingucwaapplicationsforsfbonline
I have an Office 365 Business Premium license and I configured a custom domain (correctly registered and added at the zone DNS file);
I configured and registered my java client app on Azure (taking care to assign required delegated permission for Skype for Business capabilities);
I performed the Sign-in phase and Azure is able to recognize me;
I performed the Autodiscovery phase in order to retrieve the user's UCWA home pool;
I sent a GET request to the Azure oauth2 endpoint with response 401 error (and this is the expected behaviour by the authentication handshake);
Unfortunately, I failed when I request an access token using implicit grant flow: Azure responds with a Sign-In HTML page rather than the json object containing the oauth2 access token.
What's wrong on this GET request?
GET https://login.microsoftonline.com/oauth2/authorize?
response_type=id_token
&client_id=my_application_client_id
&redirect_uri=configured_redirect_uri
&state=UUID_generated_code
&resource=UCWA_home_pool
HTTP/1.1
This GET URL looks like that one used for the Sign-In phase (step 3); I suspect that it isn't the right request URL.
I tryed to put my domain on the URL:
https://login.microsoftonline.com/my_domain_name/oauth2/authorize
and I tryed to put a common domain name (as reported on the documentation):
https://login.microsoftonline.com/common/oauth2/authorize
But Azure still reponds with a Sign-In page (and response code 200 OK).
Can someone help me please?
Please check the oauth2AllowImplicitFlow property in manifest of your application after downloading the latest manifest file. It should be set to true for this to wrok. If it's still false, only then I would expect the redirect to sign-in page as you're seeing.
More detailed steps here -
Configure your app for OAuth implicit grant flow
Can I use Azure AD Login parallel to database login to my web application using JAAS? I have created a web app in azure portal and have tried the login using the code present here: https://github.com/AzureAD/azure-activedirectory-library-for-java/blob/dev/src/samples/public-client-app-sample/src/main/java/PublicClient.java
But I'm facing issues like
The request body must contain the following parameter: 'client_secret
or client_assertion'.\r\nTrace ID:
fd0sxdac-72a3-4ac2-9aca-02aa64bb8ef5\r\nCorrelation ID:
96xsdb2c-864e-4325-b8cb-98fb6d6ab541\r\nTimestamp: 2017-02-10
13:30:02Z","error":"invalid_client"} at
com.microsoft.aad.adal4j.AdalTokenRequest.executeOAuthRequestAndProcessResponse(AdalTokenRequest.java:108)
I changed my app to native app and tried login again, but this time I ended up getting this error:
com.microsoft.aad.adal4j.AuthenticationException:
{"error_description":"AADSTS65001: The user or administrator has not
consented to use the application with ID
'7xxxyyy9-bcf6-4uu1-bzzz6-d279189ea7bf'. Send an interactive
authorization request for this user and resource.\r\nTrace ID:
cbd15f8a-983b-469f-9e20-bf0c8eee4e0c\r\nCorrelation ID:
213bb116-3617-4b89-8170-a123e072bfb5\r\nTimestamp: 2017-02-10
15:32:12Z","error":"invalid_grant"} at
com.microsoft.aad.adal4j.AdalTokenRequest.executeOAuthRequestAndProcessResponse(AdalTokenRequest.java:108)
I've added the required permissions to the app using Microsoft Graph (sign in and read user profile), but still doesn't work. I'd really appreciate if one of you could point me in the right direction.
Figured out the answer actually, I just had to grant the relevant permissions on the application and it started to work.
I've worked through the examples for performing OOB OAuth2 connections and it works fine from my laptop.
The challenge I'm having is that it fires up a browser, asking me to verify if I want to grant access for my app to the documents in question. From then on it stores my credential set in a local file and continues to work just fine.
The use case I have is that I have a number of departments in my company that want to leverage Google Docs spreadsheets for reporting. I then want to be able to run a program on a server (from a cron job) that can scrape this data and build an aggregated report for all departments.
I had intended on creating a "reporting user" that is granted read access to all of the documents in question, then run the report process using that identity.
I tried running it on my laptop, then copying the stored credentials to my server for it to use. But it seems those credentials are tied to the machine and so it forces a new verification flow via browser.
Any suggestions on how to work with the auth flow for Google Drive to allow me to do what I need?
TIA
Rather than needing to grant some user read-only access to all docs, I'd suggest using a service account which has been granted read-only access to all of your Google Apps domain user's docs:
https://developers.google.com/drive/delegation
use:
https://www.googleapis.com/auth/drive.readonly
as the OAuth scope that you grant the service account access to in the Control Panel. That way if the server is compromised you've limited access to read-only.
Create GoogleCredential with p12 file from API console (API Access > Create Another Client ID > Service Account etc):
GoogleCredential.Builder#setServiceAccountPrivateKeyFromP12File(File)
more info on Service Accounts
The other answers are better than this, but you can always get a set of credentials and save them in a file for reuse. Getting the credentials could be done with a web browser, but only once, and then your server could use them forever (as long as you request offline access and get a refresh token).