There are various ways to programmatically send e-mail through a Gmail account: service account, OAuth2, API key, and even username/password if the "less secure" setting is enabled.
However, all of these methods require providing some kind of password or token that would allow a user to call any Gmail endpoint on the account. I want to allow access to the endpoint only for sending an email, not for any other Gmail API functionality such as reading email, changing settings, or listing metadata.
The level of granulairty for an API key pictured above is not nearly enough, as it just restricts access to all Gmail APIs.
Is it possible to restrict access to specific endpoints?
You can limit which APIs your project can use, by appropriately selecting them within the "API Library" section. Additionally, depending on the type of account you use, you can apply more restrictions:
Service account
This type of access is meant to be used for server-side applications, in which you/your organisation are the owners of the code and credentials. There is, in fact, no option to limit the scopes that the application can use when authenticating with it.
oAuth2 Client
This type of access is created to be granted to users on demand, from client-facing applications. Using this one, you can limit the scopes it can use by going to Google Developers Console, selecting your project, and navigating to OAuth Consent Screen>Scopes for Google APIs. This will apply to any oAuth client that is declared within your project. In case you need different oAuth clients with different declared scopes, you can consider creating a new project. Note: the scopes restriction will only apply after your application has been verified
Related
What is delegated in Msgraph api. Does it mean we can't use it by creating app on Azure Active Directory.
https://learn.microsoft.com/en-us/graph/api/application-post-calls?view=graph-rest-1.0&tabs=http#permissions
I want to use online meeting and call apis without my customers to register teams or microsoft
Delegated permissions are used to call APIs on behalf of a signed-in user.
If an API only supports them, a user will have to sign in to your application so that you can call the API on their behalf.
Refresh tokens allow you to do this for a long time without requiring the user to interact with the app, but those can and do expire.
Another choice might be to use the ROPC flow, but that requires you to use a username and password to get tokens, and that user cannot have MFA enabled for example (one of many cases where ROPC does not work).
There are two primary mechanisms that an application can use to access the Graph. The one is an "Application" approach, where it needs to be given access rights by an administrator, and can then access certain services / endpoints. There's often an "app secret" that is used in conjunction with the application "Id". This is kind of similar in the past to how we would have created a specific 'service' account + password. ROPC is even more similar, and actually -does- require a username + password, but it's not generally recommended.
The other is "delegated", which means that the application can access certain resources that are specific to that user (like their own mailbox for example). In this case, the user themselves might be required to 'approve' the application's right to access the graph on his/her behalf.
Note that BOTH of these options involve the use of an Azure AD Application, but which permission option you can use depends on the specific operation in the Graph that you're interested in calling. As an example, let's say you wanted to access the list of members in a Teams team. This is explained here, where the "permissions" section indicates that either Application or Delegated permissions can be used to do this. In contrast, here is another operation that can ONLY be done with Delegated permissions, and not by a standalone application without a user granting access.
As shown by many samples I have two AAD application registrations, one for my javascript-based front end, and one for my JSON-only web APIs.
If I fully trust my client AAD application, why does AAD require me to create a second AAD application for my web APIs?
For example, assuming I add specific roles to my client AAD application, if client signs in with AAD and gets an id token and access token containing my roles, it only needs to send the access token to my APIs. The API only needs to crack the JWT, validate the audience, issuer, tenant, roles permissions, and signature. In this world, no client secret is needed in the web APIs, a second AAD application registration not needed, and still no call to AAD from my APIs. Unfortunately, without two AAD applications, I cannot figure out a way to have AAD include roles into my access token.
If I didn't fully trust the issuer from mucking with claims, I can see why I would need two AAD applications and a client secret. But since I do trust my AAD application and the signature of the JWT, why the extra complexity? Or maybe there is a way to do this that I haven't found?
Thanks!
Responding to Marc here because just not enough characters in the comments field -- The sample you referenced is an excellent sample, specifically the JavaScript one calling the Web API. It is what I am doing right now in fact. However, the problem is that Web API in the sample is open to anybody who has authenticated on the tenant. I need to secure the Web API down to certain individuals in the tenant, and simply checking the client/app id is not sufficient as anybody who can create an AAD app can fake it.
So what I need to do is have roles added to the the access token so I know that my application authenticated the user, and that user has been granted the required roles. For example, here is a Microsoft sample. And even here a Microsoft video walking through the process.
If I don't have two AAD applications w/client secret, the roles claims is never provided in the access token. It is always provided in the id token, but not the access token.
I feel like I am missing something obvious here. If AAD would just put the roles I requested into the JWT when I authenticated against it, and I validated its signature, audience, issuer, and roles, I wouldn't need any of this extra complexity?
Ah, I think I understand where you are going: you would like to control which users can access an API, no matter what client app they are using to access the API with. That's a function of the API - you cannot control that through AAD. In AAD you can control which users can access which applications (UI) using either user access restrictions (enterprise tab) or role-based access. However, access to an API is controlled in AAD at the calling application level via scopes. APIs are never accessed directly by users but only by other apps so controlling access permissions at user level would cause admin havoc. So, you can control what permissions a user has in the app they are using and you can control what permissions that application (client) has in other applications (APIs, resource servers) it is using.
In other words: role is about user access to UI, scope is about one apps' access to another.
App secrets provide added security for getting tokens - they have no bearing on what permissions are included in the token.
Can you provide a link showing that two apps are needed? That should only be the case if the API you want to call is not provided by the web app which served the JS to the browser. None of the 'official' samples require you to register two apps (Graph API, used in some of these samples is a separate API and it is already registered). A problem with tokens passed from the browser is that they were acquired by a public client, not using any secrets apart from user creds. Therefore, they are easier to steal and re-use. Your own back-end app may want to use a secret to get its own token (extension grant) to call yet another API using a token that does not reside in a public client.
What is the correct way to provide users with programmatic access to APIs?
I have an application composed of many services (all trusted services, within the same domain, not external applications), and identity service in the same domain.
I would like to allow a user to user a set of credentials to gain access to any of the APIs I provide.
Is it reasonable to think of a user as a client in this case, and use clientCredentials flow to get a token that will be passed to the target API? specifically, is it a good idea automatically assign a clientId and a clientSecret to every user in my system, and allow all users to use clientCredentials flow to request an access token? the access token would then contain all user's claims. If this is a reasonable approach, is there any way to remove the "client_" prefix from the added claims? or is that a bad idea?
This was originally asked here: https://github.com/IdentityServer/IdentityServer4/issues/1877
We have a bit of a dilemma that we are running into with a couple applications that are trying to read a given users email without user interaction to authorize. The key to this approach is that we want no user interaction, and want to load the client server application with the proper JSON credentials downloaded from the Google Developer Console.
I have this approach working for programs where we create a service account in the Developer Console, and then delegate domain wide authority to that account with the proper scope access. However what we are hoping is that we don't have to delegate domain wide authority, and just read the users email who created this developer console project. I have tried many different types of solutions for this, but always run into the same limitation that I have to grant domain wide access.
What I am wondering is if there is any way to gain access to a single users mailbox using a server to server type approach and not have to grant domain wide access?
I appreciate your help with this issue!
There is no supported authorization flow for what you want to do. You must either use a service account that has been delegated domain-wide authority, or you must use a 3LO flow that involves user consent.
It seems you're looking for OAuth for Server to Server Application. You will also be using a service account. But, granting of domain-wide authority for service accounts is an optional thing. You don't have to enable it if you don't want to.
To support server-to-server interactions, first create a service
account for your project in the Developers Console. If you want to
access user data for users in your Google Apps domain, then delegate
domain-wide access to the service account.
Then, your application prepares to make authorized API calls by using
the service account's credentials to request an access token from the
OAuth 2.0 auth server.
Finally, your application can use the access token to call Google
APIs.
I understand how the authorization process with Oauth works but is it somehow possible to authorize my access to my endpoints API without the user having to sign in? So what I'm trying to do is to restrict access to my API so that only certain websites, that I allow, have access to it and no others.
In Google APIs console I have created a 'client ID for web applications'.
In your described use case, the preferred solution is to use OAuth. In following the examples in the documentation, you'll be limiting the web sites (via the "JavaScript origins" value for the keys you obtained in the APIs Console).
Sites not listed in the origins will not be able to display the required authentication prompt (the client ID and origin are checked before Google will provide tokens). Developers will not be able to create their own client IDs with their preferred JavaScript origins, because your backend will be checking the client ID of the request is on a whitelist that is part of your code.