We're are about to build a new intranet system for our company, leaving SharePoint behind. The system will be built using Ruby on Rails. Since we're using Office365 for mail, calendar etc., we would like to authenticate our intranet users through Office365.
I'm aware of Microsoft Graph API, but I have a hard time figuring out of there is a possibility to authenticate users from a third-party application. Moreover, we would like to retrieve general information about the user, like profile picture and calendar information.
Is anybody knowledgeable about Microsoft Graph API and know if it's possible to achieve our goals using the API?
You're on the right track. You would authenticate with Azure AD, which is in the 365 ecosystem.
I wrote (and answered) a detailed guide here:
How to get the JWT (using OpenIdConnect) from HttpContext, and pass to Azure AD Graph API
Note that this is the OpenIdConnect flow. I think the Saml2 flow is somewhat different.
Don't take my advice on storing the authentication codes or try to acquire the token silently - it ended up causing issues in production that weren't seen in test. Rather, just use the user object id as your key attribute.
The microsoft documentation on the topic is a little cerebral and abstract, so it'll take a little head scratching, but have a look at the samples mentioned in the post I linked above, they'll get you started.
Yes, using Microsoft Graph is the right way to go about achieving the stated goals here.
There are quiet a few samples and tutorials provided on the Microsoft identity platform code samples page that will teach how to build an app that calls Microsoft Graph.
Related
Is there a "best" way of achieving this?
Basically I want to leverage my company's Azure AD tenant to build a fully featured internal application. Using Microsoft Graph, I can retrieve users via their identifier guids, and use the identifiers as foreign keys for various tables in our on premises database, instead of having a dedicated User table, which would need to be populated and synced up with the AD. There are many other prospective uses for Graph, but leveraging users is the priority right now.
A large chunk of my application is built already. I am able to lock down my client app using the package react-aad-msal, requiring users to authenticate through single-sign-on. I have also successfully been able to pass that token back to the protected .NET Core API, accessing various endpoints as the authenticated user.
From here, I am not sure how I can develop the calls to Microsoft Graph. At which point should I make the connection? Should the client application connect to both the on-prem API, as well as Graph? Or should it only connect to the on-prem, which would then connect to Graph? Curious to know the pros and cons of either method.
I've also heard tell that Microsoft is working on their own package: #azure/msal-react, and that react-aad-msal should no longer be used (as it only supports msal 1.0 and not 2.0. I have no idea which version is better for my needs). While msal-react is still in development, apparently I should be using #azure/msal-browser. But I cannot find a good example of a react app using msal-browser to authenticate.
Here is a Sample on how to use MSAL with React to call Microsoft Graph.
The only different in your case will be that instead of calling Microsoft Graph, you will call your own API.
Bottomline is - there is no direct integration package yet for react. Which can also be read from the official statement on the msal-js repo:
After our current libraries are up to standards, we will begin
balancing new feature requests, with new platforms such as react and
node.js.
You can also use .net core instead. Please go through the sample here which can help.
I have an API that a user can query for data after that user authenticates against an OAuth2 provider that I maintain (i.e. not Google). Is it possible to expose data through this API to Google's Data Studio using a Community Connector? If yes, is it possible to use the setup outlined here https://github.com/gsuitedevs/apps-script-oauth2#setup against a non-Google OAuth2 provider? Thank you for your help!
I have not found any requisite to expose data through an API. So I expect that it is possible, but take into account the specific configuration requested when implementing it.
The setup outlined there is not official so you will need to test it unless someone has done it already or has enough time for it. The post is really detailed and has work behind, so I would give it a chance!
I have followed Adrian Halls book to create a cross platform app with a Mobile Service API backend. I have successfully got unsecured access to the backend working from Android, iOS and Desktop (WPF) clients. I am moving on to adding security to the API using the Authorise attribute. I would like to add social authentication using MicrosoftAccount (formerly passport/Live ID).
Since Adrian wrote his book the Microsoft.Azure.Mobile.Client and the authentication and authorisation landscape seem to have moved on. The samples given in the book no longer build and Microsoft's social authentication and AAD authentication seem to have been rolled into one API.
I have spent days searching for up to date and relevant information but there seems to be lots of stuff on the internet that is either out of date or only shows examples of authenticating using Facebook or Google from Xamarin clients or authenticating against Azure AD.
I am using .NET 4.7 and WPF for the desktop app. I am also using Microsoft.Azure.Mobile.Client V4.0.1. and my questions are:
Should I be using the Microsoft.Identity.Client to authenticate users from my desktop client; and,
If so can someone point me to an example of the client flow that I need to follow, specifically how do I get the authorisation token that I need to pass to the new MobileServiceClient.LoginAsync() function that uses the identification provider and token parameters?
If so can someone point me to an example of the client flow that I need to follow, specifically how do I get the authorisation token that I need to pass to the new MobileServiceClient.LoginAsync() function that uses the identification provider and token parameters?
According to your requirement, you want to use client-flow authentication with MSA. As I known, MSA authentication uses the Live SDK for signing users.
Since Live SDK is deprecated, you could leverage OneDrive SDK for CSharp for logging with MSA, and you could follow the detailed steps for achieving this purpose:
Install the client libraries via NuGet:
Microsoft.OneDriveSDK
Microsoft.OneDriveSdk.Authentication
Log into Microsoft Account Developer Center and create your app, add the native application platform, then Register your app with Microsoft Account.
Then you could follow the code below and add to your WPF application as follows:
For more details about OneDrive SDK for CSharp, you could refer to here and Authentication Adapter for the OneDrive SDK.
UPDATE:
It's my fault. I did not mention that the above code would automatically open a web browser. Per my test, you could configure the parameter returnUrl to https://login.microsoftonline.com/common/oauth2/nativeclient when constructing your MsaAuthenticationProvider instance.
I was in a similar boat - and here is summary from the top of my head - There two security libraries currently in play for authorization- ADAL, and MSAL.
ADAL
This is the first library that came out, and services like B2C must each be handle separately using this library.
MSAL
One security framework to rule them all!
https://github.com/Azure-Samples/active-directory-xamarin-native-v2
This library has a go live license, but technically it's still in Beta.
Head to Mobile.azure.com for the last info in creating a mobile application, and this article on a V2 endpoint.
When you register an application for Authorization - there are two categories a "Converged" application, and a "Live SDK application" ( see https://apps.dev.microsoft.com/#/appList) - why they would choose these names is beyond me to understand. IMPORTANT Translation - Converged application ONLY work with MSAL, the other ONLY works with ADAL. THAT will go a long way for you to get the authentication working, as the Application / Client ID must match the correct SDK, and hence endpoint.
In the end, we chose to stay with ADAL for now as we were having problems with MSAL. MSAL is the future however, as all services will be incorporated, and it should be an easier SDK to use.
Here are some links that I kept, all of which refer to ADAL or MSAL:
http://aka.ms/aadv2
https://azure.microsoft.com/develop/identity
https://learn.microsoft.com/en-ca/azure/active-directory/develop/active-directory-authentication-scenarios#native-application-to-web-api
https://github.com/AzureAD
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet
These links are about month old - HTH
The Stack:
Client: AngularJS & Firebase
Server 1: Microsoft Exchange Server
Server 2: NodeJS
AngularJS app loosely communicates with NodeJS through async task-queues. Client does not directly interact with NodeJS instances.
The Problem:
Perform simple operations on a User's calendar, with a task queued on a client and executed on a NodeJS instance.
What I've Tried:
ews-javascript-api: Works well, except there isn't a streamlined authentication mechanism. That is, it doesn't support OAuth authentication. In my opinion, managing each User's Exchange credentials is not a suitable solution.
iCalendar Events Subscription: (Still evaluating this approach.)
I guess fundamentally, what I am trying to do is have a User subscribe to calendar events in my app. I don't mind writing an API for Exchange Web Services but, it seems like overkill.
I am going to keep working on this, but if anyone knows of a simpler solution, it would be greatly appreciated.
I am the author of the library ews-javascript-api.
have you taken a look at https://stackoverflow.com/a/43785262/5884960?
I have provided information on how to use OAuth in the answer to the question in link. caveat is that you have to on-board each Office 365 separately, you can not run a node daemon and connect to multiple Office 365 Organization (without complex environment setup with org on boarding steps). This is quirks of Office 365 OAuth requirements not limited to the library itself. c# version have same limitation.
I have provided another library for helper authentications for ntlm and cookies, for Office 365 you just need ews-javascript-api.
Summary of the question:
I would like to create a CakePHP based registration and login system offering multiple different gateways such as OpenID, Facebook, Twitter, and so forth. I would like the system to allow a user to associate multiple forms of identification with their account.
After much searching, I am turning up a blank on anything that would allow more than one method of authorization. Cake's authorization system does complicate the matter, so using a tutorial for general PHP is not really effective. Does anyone have a solution, or somewhere I can start from?
Example:
To give a simple example, looking at the StackExchange network: you can login/register using a stack exchange account, Google, Yahoo, Facebook, or OpenID. Once logged in, you can add more of these methods to your account so that you are recognized a multitude of ways. I realize StackExchange probably isn't written in Cake, but it serves as an example.
Thank you!
Original Question
Here's the scoop: I'd like to integrate a simple registration/login system for each of the main services that offer oauth/openid in CakePHP.
Basically, I'd like my users to be able to register the old fashion way (including validation e-mail) or using an existing service to verify themselves. I'd like them to be able to login afterwards using that service, or with a username and password.
Now, I have found extremely in depth plugins for full facebook integration and the like, but the bottom line is that I want to just use this for registration and login at this point, and I would like the experience to be the same regardless of which service they choose (plus, I'd like to understand how it works... because this is all about learning CakePHP after all).
I'd also like them to be able to link other services once the account is created if they so desire. In a nut shell, they're account should be able to be linked to any number of login services, or none at all.
How on earth do I go about this?
Thank you,
James
Looks like there is now a third-party library available using Opauth as detailed on this bakery thread
Here is the CakePHP version's github page:
https://github.com/uzyn/cakephp-opauth
Great question - our CakePHP development studio may be looking at this in the coming months also. I suspect you'll have more luck researching this as a general PHP question and then how you can port that solution into Cake. Definitely post back with anything you discover.
You might find this thread a helpful starting point, although it was posted back in 2010:
Best way to implement Single-Sign-On with all major providers?