Need directions for adding XOAuth2 to a program using Javamail Office 365 IMAP, especially how to get the tokens - jakarta-mail

I've searched and read through the questions regarding XOAuth2 and Javamail but am very confused as to how to get the tokens, etc. The application I have is a Linux service that retrieves emails and forwards them to other email addresses based upon the contents of the email. It's been working fine with plain authentication, but it now seems that MS is forcing the use of OAuth2.
I've tried to follow the topics on this and always end up with A1 NO AUTHENTICATE failed but I haven't found any of the topics showing success.
It's obvious I'm missing something between my ears as to how to acquire and use the tokens, etc. A lot of the confusion is trying to relate the MS guide to the Javamail environment.
Does the application have to be registered with MS? I see many references to Azure, but my app is on a Linux instance on AWS. Is the only way to get tokens via graph.microsoft.com? It seems that somehow the obtaining of the tokens needs to be embedded in my application, but I haven't found how. By the way, I'm using Javamail 1.6.2.

Related

User authentication through Office365

We're about to build a new intranet system for our company, leaving SharePoint behind. The system will be built using Ruby on Rails. Since we're using Office365 for mail, calendar etc., we would like to authenticate our intranet users through Office365.
I'm aware of the Microsoft Graph API, but I have a hard time figuring out if there is a possibility to authenticate users from a third-party application. Moreover, we would like to retrieve general information about the user, like profile picture and calendar information.
Is anybody knowledgeable about the Microsoft Graph API who knows if it's possible to achieve our goals using the API?
You're on the right track. You would authenticate with Azure AD, which is in the 365 ecosystem.
I wrote (and answered) a detailed guide here:
How to get the JWT (using OpenIdConnect) from HttpContext, and pass to Azure AD Graph API
Note that this is the OpenIdConnect flow. I think the Saml2 flow is somewhat different.
Don't take my advice on storing the authentication codes or try to acquire the token silently - it ended up causing issues in production that weren't seen in test. Rather, just use the user object id as your key attribute.
The Microsoft documentation on the topic is a little cerebral and abstract, so it'll take a little head scratching, but have a look at the samples mentioned in the post I linked above; they'll get you started.
Yes, using Microsoft Graph is the right way to go about achieving the stated goals here.
There are quite a few samples and tutorials provided on the Microsoft identity platform code samples page that will teach you how to build an app that calls Microsoft Graph.

How can I Integrate AngularJS app with Microsoft Exchange through Node?

The Stack:
Client: AngularJS & Firebase
Server 1: Microsoft Exchange Server
Server 2: NodeJS
AngularJS app loosely communicates with NodeJS through async task-queues. Client does not directly interact with NodeJS instances.
The Problem:
Perform simple operations on a User's calendar, with a task queued on a client and executed on a NodeJS instance.
What I've Tried:
ews-javascript-api: Works well, except there isn't a streamlined authentication mechanism. That is, it doesn't support OAuth authentication. In my opinion, managing each User's Exchange credentials is not a suitable solution.
iCalendar Events Subscription: (Still evaluating this approach.)
I guess fundamentally, what I am trying to do is have a User subscribe to calendar events in my app. I don't mind writing an API for Exchange Web Services but, it seems like overkill.
I am going to keep working on this, but if anyone knows of a simpler solution, it would be greatly appreciated.
I am the author of the library ews-javascript-api.
Have you taken a look at https://stackoverflow.com/a/43785262/5884960?
I have provided information on how to use OAuth in the answer to the question in the link. The caveat is that you have to on-board each Office 365 separately; you cannot run a node daemon and connect to multiple Office 365 organizations (without a complex environment setup with org on-boarding steps). This is a quirk of Office 365 OAuth requirements, not limited to the library itself. The C# version has the same limitation.
I have provided another library for helper authentications for NTLM and cookies; for Office 365 you just need ews-javascript-api.

Logging into Google with curl?

I'm working on a project with Google App Engine. I am using continuous integration via Travis, and wish to be able to deploy directly from it. Due to a bug that will not be resolved directly, I can't rely on Travis' built-in GAE deployment, so I basically have to use mvn appengine:update manually. This requires me to navigate to a generated URL and manually paste to the terminal an authentication code, which I can't do in automated builds.
It was suggested to me, however, that I do some Unix magic instead. While I can easily pick out the URL I need to navigate to from grep, I still need to log in to Google with my credentials in order to actually get the authentication code (which I can then grep out and pipe to the deployment program).
Given that, how do I log in to Google with my credentials, using only curl or similar command-line utilities?
I've accomplished similar things in the past using Service Accounts. These are likely a good fit for your problem.
Service Accounts will allow you to authenticate and upload your app without manual intervention.
Overview
A Service Account will allow you to do "passwordless" authentication like you may already do with ssh, and git, etc. by setting up your keys. This will remove the requirement that you log in manually, or follow the road to madness by trying to do a "manual" login automatically.
There are basically two steps:
Create your service account and key (with the right permissions)
Use that credential instead of what you're doing now
Resources
I think it's better to give a list of resources than concrete instructions since it's basically impossible to express concisely (even though it's a simple process, there's bound to be a lot of little things that annoy), everyone's requirements will be slightly different, and Google is likely to change the process at some point.
Using the Google Cloud Platform Console for App Engine | Permissions
Using OAuth 2.0 for Server to Server Applications
Setting up OAuth 2.0 | Service Accounts
gcloud auth activate-service-account
Hopefully that's enough to get you headed in the right direction.
Note
You'll likely have to spend some time looking at your .appcfg_oauth2_tokens_java and sorting out a variety of other annoyances, but I believe that this approach is the best way to solve your problem.
It sounds like you have a pretty straight-forward setup and that a Service Account alone will get you there, but if you need to get a little weird, the App Engine Admin API is always there.

SP implementation using Spring SAML extension with Google App Engine in Java

I am trying to make an SP hosted on Google App Engine, with a third-party IdP, and I'm facing multiple problems.
I'm using Spring SAML extension for java. I was able to run the stand alone (not in GAE) demo app, from the official guide http://docs.spring.io/spring-security-saml/docs/1.0.x/reference/html/chapter-quick-start.html using as IdP idp.ssocircle.com.
Now my problem comes when I try to integrate this code in my GAE project. When running with GAE I can get to the phase where I'm redirected to do the login on ssocircle.com, and from there, when I should be redirected back to my page, I'm getting this error: "Error 401 Authentication Failed: Error decoding incoming SAML message", and in the local GAE server logs I can see this message:
"[INFO] Dec 17, 2014 5:21:23 PM org.apache.commons.httpclient.HttpMethodDirector executeWithRetry [INFO] INFO: I/O exception (java.net.SocketException) caught when processing request: Permission denied: Not allowed to issue a socket bind: permission denied."
I was wondering if this is a limitation from GAE regarding sockets: 1) Sockets are available only for paid apps (I don't have a paid app, but could consider this option) 2) You cannot create a listen socket; you can only create outbound sockets. 3) You cannot bind to specific IP addresses or ports. (for me this one sounds like it is my problem).
And when I tried to deploy on GAE, the app remained in a start-up loop because of other errors regarding "nested exception is java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "modifyThreadGroup")", that sounds like another GAE limitation to me.
At some point I was ready to give up, because I was thinking that the SAML Spring extension can't work with GAE, because of limitations present on GAE. But I see you have the same project running as a demo on GAE (or at least I think it is running on GAE because of the appspot part in the domain name). https://saml-federation.appspot.com/saml/discovery?returnIDParam=idp&entityID=saml-federation.appspot.com
I would appreciate it if you could give me some hints regarding my problems, and best would be if you could help me with the source code of this demo project (could not find it anywhere), and all configuration that is needed for GAE.
I've created a new repository https://github.com/vschafer/spring-security-saml-gae which includes instructions for deployment of Spring SAML applications on Google Application Engine. It also includes classes helping to avoid issues you're facing (sockets and threads).
In order to use it:
include the jar created from the repo in your project
use the provided org.springframework...StaticFilesystemMetadataProvider for loading of your metadata
in case you are using HTTP-Artifact binding replace bean org.springframework...ArtifactResolutionProfileImpl with org.springframework...google.ArtifactResolutionProfileGAE
Please comment if you spot some mistakes in the documentation or code.

Using google API's from Appengine (OAuth)

I want to use Google Prediction from a Python Google App Engine Application. Google Prediction requires you to store your "prediction models" in Google Storage for Developers, in effect meaning that to use GP you must use GSD. Unfortunately, both GP and GSD seem to require OAuth 2.0.
This OAuth stuff is really getting in the way though! All the examples I find seem to deal with the case of wanting to access a user's data/credentials/identity/whatever using OAuth. I have no need for that. I simply want to access a resource (GP and GSD) from my server using an HTTP request. Repeat, I just want to use some of their services; I have no need at all to access any other user's information!
I can see from my Google API console that I have created both an id and secret for my GAE application's domain. Is it not possible to just use these values to do OAuth authentication to other Google APIs? Effectively saying "I am the application at domain xyz, here are my credentials, let me use your API"? It seems kind of ridiculous that Google is currently forcing people to use such a burdensome authentication system for things that they are trying to get people to try out.
I am hoping there is some magical awesome library that will take care of all these OAuth details for me. Short of that, a code example of how to do these things in Python App Engine would be useful. I just want to use the Google Prediction and Google Storage for Developers services from my python GAE app, but I am blocked by the burden of having to configure all of this OAuth stuff. Isn't there some easy way to do this?
Look at the Google API Python Client. You should just be able to put your tokens in and connect. There are some examples on the page that should give you enough information to connect in.
I'm the Product Manager at Google working on the Prediction API. The first thing I want to say is thank you for trying out the API and for reaching out to the world about your issues! We hear you! We are very aware of the difficulty of using the API in some cases and some of the pain OAuth2.0 can cause for the simple use cases. In particular I tried to do exactly what you were doing a few weeks ago and was myself rather frustrated! We're working on it!
OK, so, that's all nice and dandy, but do I have anything helpful for you? Hopefully I do! I managed to get my GAE application working with GP -- I shelved the GSD component for the moment as I ran out of time, so hopefully somebody else can lend you some sample code for that (it should involve using boto & OAuth to handle the tricky bits).
    import httplib2
    from apiclient.discovery import build
    from oauth2client.client import OAuth2Credentials

    # You can find an example oauth2client in the python prediction sample code
    # Replace everything in <>'s
    credentials = OAuth2Credentials(
        "<access_token>",  # probably empty string
        "<client_id>",
        "<client_secret>",
        "<refresh_token>",
        None,  # <expiry>, probably None
        "https://accounts.google.com/o/oauth2/token",
        "<app_useragent>")
    # Wrap an HTTP client so each request carries the OAuth 2.0 credentials
    http = credentials.authorize(httplib2.Http())
    service = build("prediction", "v1.3", http=http)
You should be able to get the client id and client secret from the API console. You can use any sample application or demo, e.g. the python sample code, to generate a refresh token.
Best of luck! Feel free to follow up directly with me (zg#google.com) or post to our public discussion list (prediction-api-discuss#googlegroups.com) if you still have any trouble.
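
The credentials object in the answer above can serve an unattended server because a stored refresh token can be exchanged for short-lived access tokens. As an added example (not the poster's code and not the oauth2client library's), this shows that refresh-token exchange per RFC 6749 section 6 against the token endpoint quoted above, with the secret fields masked before logging; the function names and sample values are constructed for illustration.

```python
import json
import time
import urllib.parse

TOKEN_URI = "https://accounts.google.com/o/oauth2/token"  # endpoint quoted in the answer
SECRET_FIELDS = {"client_secret", "refresh_token"}


def build_refresh_request(client_id, client_secret, refresh_token):
    """Return (url, headers, body) for an RFC 6749 section 6 refresh request."""
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    })
    return TOKEN_URI, {"Content-Type": "application/x-www-form-urlencoded"}, body


def redact(body):
    """Mask secret form fields so the request can be logged safely."""
    pairs = urllib.parse.parse_qsl(body)
    return urllib.parse.urlencode(
        [(k, "REDACTED" if k in SECRET_FIELDS else v) for k, v in pairs])


def parse_token_response(status, raw_body, now=None):
    """Validate a token-endpoint reply and return (access_token, expires_at)."""
    now = time.time() if now is None else now
    try:
        data = json.loads(raw_body)
    except ValueError:
        data = None
    if not isinstance(data, dict):
        raise RuntimeError("token endpoint returned non-JSON-object (HTTP %d)" % status)
    if status != 200 or "error" in data:
        # Surface only the error code; never echo tokens or secrets.
        raise RuntimeError("refresh failed: %s" % data.get("error", "http_%d" % status))
    if str(data.get("token_type", "")).lower() != "bearer" or not data.get("access_token"):
        raise RuntimeError("unexpected token response shape")
    # Treat the token as expired 60 s early to absorb clock skew.
    return data["access_token"], now + int(data.get("expires_in", 0)) - 60


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    url, _, body = build_refresh_request("example-id", "example-secret", "example-refresh")
    print("POST", url, redact(body))
    sample = '{"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 3600}'
    print(parse_token_response(200, sample, now=1000.0))
```

The client secret and refresh token are long-lived, so they belong in a secret store rather than in source; only the access token returned here expires on its own.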

Resources