Remove the cached token from PowerShell - azure-active-directory

Whenever I connect to Exchange Online, it caches my token, so I cannot use another credential for connecting to EXO. Could you please advise how to clear this cached token from PowerShell?

You should be able to select the desired account to be used to connect to EXO regardless of the signed-in status displayed on one or more of them. If you want to remove any of them, you can use the 3 dots.

Related

How to communicate securely with a database from Electron?

I am creating an Electron application that connects to a database and does POST and GET requests to retrieve and insert data. The problem is that in the code I have defined my database URI (I'm using MongoDB):
const uri = "mongodb+srv://<myusername>:<mypassword>@cluster0.wqbiu.mongodb.net/query?retryWrites=true&w=majority"
like in the example above, but if I pack my Electron app, the connection to the database as well as the credentials is visible if someone unpacks the app.asar file and looks in the server.js file. How can I solve this problem? I don't want any security breaches, neither for me nor for the people that will be using my application. Thanks in advance for any answer :)
An application that requires a secure connection to something cannot afford to have any usernames or passwords hardcoded into its code.
Instead, a procedure of authentication and authorisation is utilised.
Authentication is used to verify the user, i.e. they are who they say they are, often achieved via the use of some type of login form.
Authorisation is used to verify the logged-in user is allowed to access the requested resource, e.g. is this user allowed to retrieve a list of all users' email addresses from the database?
As a rough guide, a user will log in with their username and password. You could use OpenID as well here if you wanted. Once the user is 'logged in' you could set a cookie or session and save the session id in the DB against the user. Of course, all of this is done over HTTPS.
There are various ways to control the validity of the session such as but not limited to refreshing the expiration date / time every time the user hits the server, auto timeout if the user has not interacted with the server for more than X minutes, etc.
In your app, the user could try and interact with the database at any time, but if the user is not logged in, the server could return the appropriate response and prompt the user to log in. Some form of API here is really the way to go.
If the user is logged in then the next step is to authorise the user's request, ensuring they are allowed to perform what they are asking before sending a response back. If they are not authorised to access the resource (e.g. edit another user's post) then an appropriate response is returned indicating so.
As you can see, securing your app will take some work but the result of not doing so could be devastating to you and your users.

Google data studio User_Pass authorization

"Issue description copied..."
I'm building a partner connector, which relies on a user name and password to connect to a database (very similar to the existing Postgres / MySQL connectors provided by Google). In order to verify the credentials, I also need the database host information to be present in addition to username and password, and this is the base of my problem.
The Google-built connectors conveniently are allowed to collect user credentials and the database related information at the same time. Unfortunately, that doesn't seem to be the case for partner connectors, as stated in the requirements:
Point 5 "Use appropriate authentication method in getAuthType(). Do not request credentials via getConfig()."
The authentication itself happens before any other configuration details are known (there is just a dialog for username and password) and there doesn't seem to be a way to request additional information on the authentication screen itself. Once the credentials have been entered, the verification also happens immediately, before the configuration is being shown in the next step.
Once credentials are validated successfully, Data Studio then assumes the schema and data can be requested. This excludes the option of a dummy confirmation, because there doesn't seem to be a way to tell that credentials are invalid and need to be changed after checking the other configuration details on the next screen.
That makes me unsure, how to determine valid credentials in my use case as I need to know the variable endpoint to authenticate against. I definitely want to avoid storing any user credentials myself in an external database, because this opens up another can of worms.
Has anyone successfully solved a similar issue before and can provide guidance here?
This is a known limitation of the authentication methods for Community Connectors.
A workaround would be to use authtype NONE and then request the credentials and database information in the config. This is, however, not a recommended approach.

Delegate and impersonate as a user with admin/app credentials

One thing I do currently in an enterprise app is log on to a single admin email account that has delegation over other users and, using delegation, we are able to manipulate email/calendar/contacts of users.
I'm looking to use the Microsoft Graph API and I have managed to use admin delegation and gain access to various resources; however, last modified (on OneDrive/SharePoint) is showing the app instead of an individual user.
I understand I can use OAuth and log on as individual users, capture a token and then do what I need under the context of that user, but I need to do this server side where tasks run. Is there any way to use admin approved delegation/impersonation from the app so that the users don't have to sign in?
e.g. standard that works:
https://graph.microsoft.com/v1.0/sites/my-site.office.com/drive/root:/file.txt:/content
Looking to add a user tag, but this doesn't work:
https://graph.microsoft.com/v1.0/user/{id-of-user}/sites/my-site.office.com/drive/root:/file.txt:/content
After searching for ages, the closest I have read seems to be in here; however, I was wondering if there was a standard way of doing this. I haven't been able to get the JWT part of this working (and I'm not sure if this is even the correct thing I am looking for).

Azure Active Directory, many small requests vs few large requests

I am trying to figure out the most efficient way of interacting with Azure AD via Graph API when creating new users.
The problem is, I am importing a set of users from an uploaded file. But before creating them in AD, I first get all the users from AD and then check if the username is already taken; if not, I create the user.
What I am trying to understand is: is it better to get all the users from AD at once, or is it better to validate each user individually and make multiple calls to AD during the validation process?
Is there any resource I can refer to to get more insight on the issue?
If the amount of users you want to check is not large, you'd better check them with individual requests rather than retrieving the entire user list from AAD.
You can use Microsoft Graph API get user operation:
https://graph.microsoft.com/v1.0/users/YourUPN
If the user does not exist, it returns a 404 (Not Found). You can refer to the document for getting access tokens to call Microsoft Graph. Code samples here are also for your reference.
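As an added example (not code from the question or the answer), here is the per-user check the answer recommends, written so it runs offline: the Graph call is injected, a 404 marks the UPN as free to create, a 200 marks it as taken, and any other status (401, 403, 429 and so on) is recorded as an error rather than guessed at. The mock directory, the sample UPNs under `contoso.example` and the 50-row threshold for switching to a bulk listing are all constructed for this example; the threshold is not a Graph limit.

```javascript
// Added example: validate an uploaded list of UPNs against Azure AD one by one
// with GET https://graph.microsoft.com/v1.0/users/{UPN}. graphGet is injected
// (a real client would add the bearer token and be awaited).
function planUserImport(upns, graphGet) {
  const plan = { create: [], exists: [], duplicates: [], errors: [] };
  const seen = new Set();
  for (const raw of upns) {
    const upn = raw.trim().toLowerCase(); // UPN lookups are case-insensitive
    if (seen.has(upn)) { plan.duplicates.push(upn); continue; } // repeated row in the file
    seen.add(upn);
    // Encode the UPN: guest accounts contain '#EXT#', which would otherwise break the path.
    const url = `https://graph.microsoft.com/v1.0/users/${encodeURIComponent(upn)}`;
    const res = graphGet(url);
    if (res.status === 200) plan.exists.push(upn);
    else if (res.status === 404) plan.create.push(upn);        // not found: safe to create
    else plan.errors.push({ upn, status: res.status });        // throttled/denied: do not assume
  }
  return plan;
}

// Constructed mock standing in for a real, authenticated Graph request.
const mockDirectory = new Set(['alice@contoso.example', 'bob@contoso.example']);
function mockGraphGet(url) {
  const upn = decodeURIComponent(url.split('/users/')[1]);
  if (upn === 'throttled@contoso.example') return { status: 429 };
  return { status: mockDirectory.has(upn) ? 200 : 404 };
}

// Strategy choice from the answer: a small file gets individual lookups, a large
// one is cheaper to reconcile against a single paged user listing.
function chooseStrategy(rowCount, threshold = 50) {
  return rowCount <= threshold ? 'per-user' : 'bulk-list';
}
```

Treating 429 as an error instead of "user does not exist" matters: a throttled lookup that is misread as a 404 would lead to a duplicate-creation attempt on the next step.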

how to get a more permanent access token

The document at http://www.salesforce.com/us/developer/docs/api_rest/index_Left.htm#CSHID=quickstart_code.htm|StartTopic=Content%2Fquickstart_code.htm|SkinName=webhelp says
Salesforce uses authentication to allow users to securely access data without having to reveal username and password credentials.
but as far as I can tell, the only command that I can run to get an access_token is using my colleague's username and password like so
curl -d "username=yyyyyyy" -d "password=xxxxxxx" -d "client_id=zzzzzz" -d "client_secret=dddddddddd" -v -d "grant_type=password" https://login.salesforce.com/services/oauth2/token
and I have to regenerate that as the access_token keeps expiring. If it didn't, my colleague could just generate the token once and hand it off to me and be done with it.
How can I do this so he never has to give me his username/password AND my app will keep on working and working until he deletes the application from salesforce (which would hopefully invalidate the client_id and client_secret).
(That is how most APIs work at least so users don't have to give developers their username and password nor do we need to store username and password on production machines.) So how do we get this to work? OR are the docs completely wrong and I do need the user's login/password to access data even though that one line says otherwise.
Okay, this was rather annoying. In OAuth2, the proper way for an app that wants access to all data regardless of user and whether that user is logged in is grant_type=client_credentials, which does not exist on Salesforce.
The workaround is as follows:
1. In the GUI, edit your app and in the "API (Enable OAuth settings)", add "Access and manage your data (api) or Full Access AND Perform requests at any time on your behalf (Refresh token)".
2. In the GUI, set the callback url to https://localhost/oauth (this is a hack and we will use this to our advantage later).
3. Now, go to the url (fill in the params with your data) https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id=YOURCLIENTID&redirect_uri=https%3A%2F%2Flocalhost%2Foauth
4. Your browser will redirect you to https://localhost/oauth?code=YOURCODE NOTE: This code can only be used ONCE before you need to repeat step 3 and run again.
5. Run a POST request using the code in step 4 (the YOURCODE) to url https://login.salesforce.com/services/oauth2/token with the data in the body of grant_type=authorization_code&code=YOURCODE&client_id=YOURCLIENTID&client_secret=YOURSECRET&redirect_uri=https%3A%2F%2Flocalhost%2Foauth
   NOTE: There are some %3Ds in the YOURCODE....you do not need to modify them and convert them to = and you can just leave them as is.
6. This now results in returning a refresh token you can use and the current access token you can use.
7. Now, just save the refresh token to your database (I am hoping it pretty much lasts until someone deletes the application and time will tell I guess).
You can use a regular interactive OAuth login flow to get a refresh token, which can be used to get new access tokens as needed. See https://wiki.developerforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com for details.
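Both answers end at "store the refresh token"; what a server-side job then needs is the refresh step itself. The following is an added example (not code from the question or either answer) of the same web-server flow in Node.js: it builds the step 3 authorize URL, extracts the single-use code from the step 4 redirect, performs the step 5 exchange, and then keeps a job running by minting new access tokens with grant_type=refresh_token and retrying once on a 401. HTTP is injected so it runs offline; the mock token endpoint, the client id `CID`, the secret `SECRET` and the token strings are all constructed placeholders, and the mock's behaviour (single-use code, one refresh token) is only a stand-in for the real endpoint.

```javascript
// Added example: Salesforce authorization-code flow plus refresh-token renewal
// for a long-running server-side job. post/request are injected callbacks.
const AUTH_URL = 'https://login.salesforce.com/services/oauth2/authorize';
const TOKEN_URL = 'https://login.salesforce.com/services/oauth2/token';

// Step 3: the URL the human opens once in a browser.
function authorizeUrl(clientId, redirectUri) {
  const q = new URLSearchParams({ response_type: 'code', client_id: clientId, redirect_uri: redirectUri });
  return `${AUTH_URL}?${q}`;
}

// Step 4: pull the single-use code out of the https://localhost/oauth?code=... redirect.
// URL decoding turns the %3D's back into '='; the raw value is what the token endpoint expects.
function codeFromRedirect(redirectedTo) {
  return new URL(redirectedTo).searchParams.get('code');
}

// Step 5: exchange the code for an access token and a refresh token.
function exchangeCode(post, cfg, code) {
  const body = new URLSearchParams({ grant_type: 'authorization_code', code,
    client_id: cfg.clientId, client_secret: cfg.clientSecret, redirect_uri: cfg.redirectUri });
  return post(TOKEN_URL, body);
}

// Later, from the stored refresh token: a new access token, no username or password involved.
function refreshAccessToken(post, cfg, refreshToken) {
  const body = new URLSearchParams({ grant_type: 'refresh_token', refresh_token: refreshToken,
    client_id: cfg.clientId, client_secret: cfg.clientSecret });
  return post(TOKEN_URL, body);
}

// Token cache for a job: lazily obtain an access token, refresh once on 401 and retry.
function makeApiCaller(post, cfg, refreshToken, request) {
  let accessToken = null;
  return function call(resource) {
    if (!accessToken) accessToken = refreshAccessToken(post, cfg, refreshToken).access_token;
    let res = request(resource, accessToken);
    if (res.status === 401) { // access token expired: renew and retry exactly once
      accessToken = refreshAccessToken(post, cfg, refreshToken).access_token;
      res = request(resource, accessToken);
    }
    return res;
  };
}

// Constructed mock of the token endpoint and a resource server (not Salesforce's behaviour).
function makeMockSalesforce() {
  let issued = 0; const usedCodes = new Set(); const live = new Set();
  const post = (url, body) => {
    const p = Object.fromEntries(body);
    if (p.client_secret !== 'SECRET') return { error: 'invalid_client' };
    if (p.grant_type === 'authorization_code') {
      if (usedCodes.has(p.code)) return { error: 'invalid_grant' }; // code is single-use
      usedCodes.add(p.code);
      const t = `at${++issued}`; live.add(t);
      return { access_token: t, refresh_token: 'rt1' };
    }
    if (p.grant_type === 'refresh_token' && p.refresh_token === 'rt1') {
      const t = `at${++issued}`; live.add(t);
      return { access_token: t };
    }
    return { error: 'unsupported_grant_type' };
  };
  const request = (resource, token) => (live.has(token) ? { status: 200, resource } : { status: 401 });
  const expireAll = () => live.clear(); // simulate access-token expiry
  return { post, request, expireAll };
}
```

The refresh token is the long-lived secret here, so it belongs in the server's secret store with the client secret, not in the client or in a repository.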
