I am trying to send and receive messages to/from SFB (Skype for business) through UCWA web apis but facing access denied issue.
1) I created Azure AD application.
2) I am able to login successfully and fetching access token and refresh token.
3) But when i try to auto-discover with the above access token, it is giving 403 access denied error. Please see the request in the code below.
Is it because of SFB deprecation or something else? Please help.
let options = {
method: 'GET',
url: 'https://webdirin1.online.lync.com/Autodiscover/Autodiscoverservice.svc/root/oauth/user',
headers:
{
accept: 'application/json',
'x-requested-with': 'XMLHttpRequest',
'access-control-allow-origin':'*',
cors:true,
'Access-Control-Allow-Origin':'*',
'x-ms-diagnostic': `PNQIN100EDG08.infra.lync.com`,
'x-ms-origin': `MAAIN100EDG03.infra.lync.com`,
authorization: `Bearer ${users[0].access_token}`
}
};
In general, 403 means you have provided the wrong access token.
Please refer to Requesting an access token using implicit grant flow.
Note: It seems that the request in the official example is incomplete, you can refer to mine:
https://login.microsoftonline.com/{Tenant ID}/oauth2/authorize?response_type=id_token+token&client_id={Client ID}&redirect_uri={Reply URL}&state=8f0f4eff-360f-4c50-acf0-99cf8174a58b&resource=https://webdirXX.online.lync.com&nonce=12434152345
Modify the above string based on your need and put it directly into the browser for access and log in with your admin account. The access token will be included in the string returned in the address bar.
At last, you could use the access token to call
Get https://webdirXX.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user.
Are there any CORS issues?
check in the response header if you see something like : "Service does not allow a cross domain request from this origin."
Refer: https://ucwa.skype.com/documentation/itadmin-configuration
Related
I have a React webapp that uses an EventSource. I'd like to add authentication/authorization to the backend API endpoint that it hits. How do I attach the following header to the EventSource?
headers: {
'Authorization': `Bearer ${authSession.access_token}`
},
I found this library:
https://www.npmjs.com/package/react-native-sse
It simplifies attaching jwt token to the event source.
Right now I'm working on refreshing the token using event source.
I'll update the answer if I can find something useful.
I need to auto login on my React App. To do this, I use NTLM authentication. Both , API (php coded) and React App are on an IIS server.
I use axios for API calls. When I do GET request, all is right, crendentials are successfully sent (but I must disable anonymous login on IIS).
When I use POST query, it fails with 401 error.
I tried several headers but nothing works. That's why I need help.
Image : Nothing weird in headers
When I do GET, I see cookie sent, not with my post query
axios.post(apiUrl+'deleteUserReportFolder.php', {
reportFolder: e.target.value,
id: user.login
},{
withCredentials: true,
credentials: 'include',
headers: {
'Content-Type': "application/json",
'Authorization': 'NTLM',
'WWW-Authenticate': 'NTLM'
}
})
The API Site is sending these HTTP Response Headers:
Image : IIS API
Thanks for your help. I've seen a lot of posts but nothing worked.
Edit :
I tried by setting my server (API PHP) with anonymous and Windows login, anonymous login cause no logon user, so I must set Windows enabled only.
I tried by removing all headers except "withCredentials" in axios query. I still have 401 error on CORS Pre Flight.
var_dump($_POST);
Check this code,May be it's helpful!
I am trying to connect my React app to the Jira Cloud API and can't seem to get past a 403 error.
My code currently does a Auth dance using OAuth 2.0 and returns the token and cloudid. I can use this to GET issues, however POST request (like creating an issue) return with 403. I have found here that this error is returned if the user does not have the necessary permission to access the resource or run the method.
I have ensured the user has the correct scope ([write: jira-work, read: jira-work]) and verified this is reflected in the user account (in their account > connect apps tab).
My app is not linked (via ApplicationLink) or installed (via Apps, Manage Apps), is this necessary to perform POST requests?
Here is a sample of my code:
fetch(`https://api.atlassian.com/ex/jira/${jira.cloudid}/rest/api/2/issue/`, {
method: "POST",
headers: {
"Content-Type": 'application/json',
"Authorization": `Bearer ${jira.token}`
},
body: JSON.stringify(data)
})
.then(...)
Neither api version 2 or 3 are working for this POST request. I have explored using Basic Auth however this fails due to CORS errors.
I have verified that the POST request does work in POSTMAN (using the cloudid and token).
---------------------------------------------------------------------------------------------------------------------------
UPDATE
After talking to Atlassian Staff, there is an issue within their API security:
"By trying the same thing you mentioned I think I found what the problem is. Your request likely fails with a ‘XSRF check failed’ in the browser.
I’ve already talked to one of our security engineers and we quickly dived into the implementation code to confirm why this not working and what would need to be changed on our side. We’ve also already opened a engineering ticket to get this addressed. This will likely take a few weeks to get addressed, but I’ll keep you posted if I hear any updates!"
The XSRF check failed was the main error for my 403 response. I'll post any updates I receive and answer the question when a resolution is found.
This has apparently been resolved. Follow the discussion here: https://community.developer.atlassian.com/t/jira-cloud-rest-api-oauth-2-0-error-403-on-post-requests/25621/4
We're trying to integrate Yammer on our website, getting and putting posts is done, but we have an issue with getting images.
When the user is logged into Yammer, we can show the images with no problem.
When the user is not logged in to Yammer, the image request will give a 401 Unauthorized.
We tried getting the image blobs dynamically by adding an Authorization header, but CORS will block us this way.
Could anyone give some pointers on how to resolve this issue? Thanks in advance!
var req = {
method: 'GET',
url: 'https://www.yammer.com/api/v1/uploaded_files/123456/preview/IMG-20160413-AA0001.jpg',
headers: {
'Authorization': 'Bearer ' + yammertoken
},
responseType: 'blob'
}
return $http(req)
In the end we created a proxy in our PHP backend which was able to get the images serverside. This circumnavigated the CORS issue.
I would highly suggest not trying to subvert authentication for data. Data such as files live behind authentication in order to ensure that only the users who are allowed to see such data can do so.
Have you explored using https://developer.yammer.com/docs/authentication ?
I have two sets of servers:
apache serving up html/js/css pages in the angular flavor
SalesForce backend rest apis serving up Json
Salesforce has OAuth authentication, but it is not letting the javscript even perform an OPTIONS call in order to figure out if it can do the POST call it really wants to:
Is there any way to get around this without a proxy or jsonp?
is the Salesforce APEX Rest API configured wrong? the source domain is already whitelisted...
Update:
so some angular code to make the call:
var config = {
method: 'POST',
url: SalesforceRestApi,
headers: {
Authorization: "OAuth "+authToken,
"Content-Type": "application/pdf"
},
data : caseRequest,
};
var http = angular.element(document.body).injector().get('$http');
http(config).then(function(response){ console.log(response); });
this code here returns the good old Chrome error:
XMLHttpRequest cannot load https://xxx.salesforce.com/services/apexrest/xxx/v1/. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://sample.com' is therefore not allowed access. The response had HTTP status code 401.