I am trying to develop an internal app for self use (not to reseller or as a 3rd party developer) using Amazon MWS (not SP-API). I've read (too many) docs about not needing any further credentials for internal app nor not requiring the use of the new SP-API.
My problem is that when I use the scratchpad (https://mws.amazonservices.com/scratchpad/) to test, I get the AccessDenied error message: Access to Orders.ListOrders is denied
I am only using the following elements for my auth:
Seller Id
Access Key Id (from my Seller Central Account Info)
Secret Key (from my Seller Central Account Info)
I am successful when using GetServiceStatus but I am assuming this API does not require auth. Does anyone have a high-level guide on how to go about creating API calls to Amazon MWS for an internal app?
Related
I'm trying to use React and Azure B2C to sign-up a local account (using personal emails).
I'm able to sign-up and login using userflows, however, I cannot get active account information from MsGraph API.
GET https://graph.microsoft.com/v1.0/me 401 (Unauthorized)
Yes ,azure AD b2c supports authentication for personal accounts,
1.
Microsoft Graph supports optional query parameters that you can use to
specify and control the amount of data returned in a response. The
support for the exact query parameters varies from one API
operation to another, and depending on the API, can differ between the
v1.0 and beta endpoints.
Use query parameters to customize responses - Microsoft Graph | Microsoft Docs
Try with GET https://graph.microsoft.com/beta/me/
You can use use $select to control the properties returned,
Ex: /me?$select=displayName,jobTitle
2.
Do make sure to give required claims marked in application claims.
If you want to acquire a token for all the static scopes of a v1.0 application, append ".default" to the app ID URI of the API: app ID/.default
Calling the /me endpoint requires a signed-in user and therefore a delegated permission. Application permissions are not supported when using the /me endpoint.
Article says
Users cannot obtain tokens for Microsoft APIs (e.g. MS Graph API)
using delegated permissions. Applications can obtain tokens for
Microsoft APIs using application permissions (user management
scenarios).
Reference:
microsoft-graph-operations#user-flow-authentication-methods-beta
In our project we are trying to integrate MS Teams with Web application using MS Graph API.use case is OnlineMeeting for Virtual Events.the attendees may or may not have microsoft account.
Created Azure Ad Account and created new tenant and created new user(given Global Administrator role) and registered new Application and given required API permission users.readWrite.all and onlineMreeting.readWrite.all to Application and Delegated Users.
Initially i was using UserCredientials flow(no manual authentication since its not in our usecase user should be authenticated automatically through java) to get accessToken.since its not recommended to use username and credientials(ROPC flow),so now trying to get accessToken only using clientId and clientSecret using adal4j and i am able to get accesstoken but not able to use token for endpoints with /me/onlineMeeting.since token doesnt contain required permission and scope.
so i had tried to reach endpoint with token got from clientid and secret using /users/{id}/onlineMeeting but it gives error like Application does not have permission to Create online meeting on behalf of this user
referred https://learn.microsoft.com/en-us/graph/cloud-communication-online-meeting-application-access-policy
its mentioned to change access-policy.
is there any way to create online meeting on behalf of user without changing access policy?
to create onlinemeeting on behalf of user do we need skype business account?
onlinemeeting can created by two endpoint /onlineMeeting & /events
so does /event in calender api require any additional previlages like office365 license to create online meeting?
to implement these usecase whats the microsoft account Type,azure ad account
and what are all the license and azure subscription need?
to create onlinemeeting only with dialin do we need any special license
is there any way to create online meeting on behalf of user without
changing access policy? to create onlinemeeting on behalf of user do
we need skype business account?
No. We have to set the access policy to use Application token to create online meeting on behalf of a user. To create an online meeting with Microsoft Graph, we don't need skype business account. But if you want to create online meeting through UI / web client, you have to need Teams license. (When I use a new account without being assigned any O365 license, it shows some license error but it's then bypassed. So I think it's a bug. I think we should need skype business account / Teams license to create the online meeting)
so does /event in calendar api require any additional previlages like
office365 license to create online meeting?
Yes. We need O365 Exchange Online license to create /event.
to implement these usecase whats the microsoft account Type,azure ad
account and what are all the license and azure subscription need?
In summary, you need at least AAD work or school account and O365 Exchange Online license.
to create onlinemeeting only with dialin do we need any special
license
Microsoft graph doesn't support creating onlinemeeting only with dialin. See audioConferencing. It's read-only.
I need to get an access token for the audience https://api.spaces.skype.com. I need to use the Azure Active Directory v1 endpoint. I dont see any corresponding API permission
In the Manifest there is the requiredResourceAccess section where resourceAppIds and scopes can be configured. How can I find the correct resource app id for https://api.spaces.skype.com?
That API is an internal one used by the Teams client only. We do not allow non-Microsoft applications to access it.
The only supported API for Microsoft Teams is Microsoft Graph and our Bots API.
I am building a custom mobile application that has a client, custom backend server (I'm building) and interacts with numerous other api's. One of these api's is Microsoft bookings.
The problem I'm facing is I need to be authenticated via server to server, with a shared client secret. I'm aware of the numerous docs from MS but have yet to find a solution. I'm wondering if Server to server is even possible with Bookings.
I am able to get an access_token server to server with these permissions. (I have granted 'all permissions' to this app in Azure AD already).
"roles": [
"Calls.JoinGroupCall.All",
"OnlineMeetings.Read.All",
"OnlineMeetings.ReadWrite.All",
"Application.ReadWrite.OwnedBy",
"Calendars.Read",
"People.Read.All",
"Application.ReadWrite.All",
"Calls.InitiateGroupCall.All",
"Directory.ReadWrite.All",
"Calls.JoinGroupCallAsGuest.All",
"Sites.Read.All",
"Sites.ReadWrite.All",
"Sites.Manage.All",
"Files.ReadWrite.All",
"Directory.Read.All",
"User.Read.All",
"Calendars.ReadWrite",
"Mail.Send",
"ProgramControl.Read.All",
"ProgramControl.ReadWrite.All",
"Calls.Initiate.All"
],
Those are the permissions from the decoded token. When I go to make calls to the Bookings api I receive 401.
I can however use this token to access different graph endpoints no problem.
I will note, that I am able to make successful calls to the bookings api through Graph Explorer with my account, not related to this 'Application in Azure AD'.
Does this resource in Azure AD need a bookings License?
Is this even possible S2S?
Are there any other ways to bypass this without user credentials?
Thanks.
So I spent over a week trying to solve this problem due to the MS doc nightmare. I'm only posting to help others!
Bookings doesn't support service to service yet. So if you wan't to implement this without a user physically signing in, IE. If you have a dedicated booking admin account credentials you have to hard code the clients credentials.
I found my answer here https://stackoverflow.com/a/49814924/9105626
Microsoft Bookings API doesn't seem to support "Application Permissions" so far.
Only permissions available are "Delegated Permissions", which means your token has to be acquired with the context of a signed-in user.
Here are two Microsoft documentation sources that I came across:
Microsoft Graph Permissions Reference - Please look at the "Bookings Permissions" section.
Microsoft Bookings Samples
I know you mention Server to Server authentication using a client secret. AFAIK, that case will NOT work directly, because clientId and clientSecret only provide an application's identity (which can't be assigned any permissions because there are no relevant application permissions available for this API).
Just in case you can have some User context involved, here is code from bookings samples link above, to acquire the token in a Native application using ADAL
var authenticationContext = new AuthenticationContext("https://login.microsoftonline.com/common/");
var authenticationResult = await authenticationContext.AcquireTokenAsync(
"https://graph.microsoft.com/",
clientApplication_ClientId,
clientApplication_RedirectUri,
new PlatformParameters(PromptBehavior.RefreshSession));
// The results of this call are sent as the Authorization header of each HTTPS request to Graph.
var authorizationHeader = authenticationResult.CreateAuthorizationHeader();
Suggestions on ways to make this scenario work
On Behalf Of Flow
Your mobile application client could prompt a user for credentials to act on Behalf of the user and call your backend web API, which in turn calls the downstream API like Bookings API. This is called Service to Service Calls on behalf of the User
Here is a code sample which shows exactly this with a native application (WPF) and an SPA. In your case, just replace the WPF application with your mobile client application for understanding purposes and rest of the scenario becomes very similar.
Calling a downstream web API from a web API using Azure AD
ROPC Grant (Not Recommended)
Resource Owner Password Credentials grant can help as your application will have end user password available to it, but it has multiple issues and any security guidance will discourage you from using it.
ROPC opens up security risks, doesn't follow best practices and has functionality issues as well. ROPC doesn't work with MFA enabled users as well as federated authentication users.
For all practical purposes, you should avoid ROPC as long as possible. You can find the same recommendation in ADAL documentation itself and multiple other documentations from Microsoft or even generally about OAuth 2.0.
I have domain with aws example.com, currently I have record set so that when user goes to example.com, it serves static website from S3 (done with angular) and backend api (Lambda and API gate way). And I don't have sign in process, as the purpose of site is public facing.
I can use apikey on method to authorize the http call, but I still have to save it in js code somewhere, which I don;t want to do. And I am not sure how IAM role can help me in this scenario.
Is there any way I can let api allow calls from specific domain ?
You can use IAM Role defined for Unauthenticated user in AWS Cognito Federated Identities. The AWS document will guide through the process assigning IAM Role to the Unauthenticated user.
Then you can enable "AWS_IAM" Authorizer option in the API Gateway for any specific API's resources.
This question has similar approach in implementing the IAM Role - based to access API, in which the implementation is using External Federated Identities (Google) instead of unauthenticated user identities.
There are a few ways to skin this cat.
The least painful way is likely to be using AWS Signature V4-- unfortunately, there's no great answer for a site that doesn't have an auth system built in already. Someday they'll let us park API Gateways inside of VPCs, but that day isn't today.