I'm inviting a user to be added as a Member to my Active Directory using the Microsoft Graph REST API.
curl -X POST \
https://graph.microsoft.com/v1.0/invitations \
-H 'authorization: Bearer ey...Jg' \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-d '{
"invitedUserEmailAddress": "userInvite#hotmail.com",
"inviteRedirectUrl": "https://example.com/afterInvite",
"sendInvitationMessage": false,
"invitedUserType":"Member"
}'
I do receive a correct response with the status field:
"status": "PendingAcceptance",
which of course is true as the user has just been invited. Is there a way to see if the user has redeemed the invitation yet?
Thanks a lot
I found it in the graph explorer:
https://graph.microsoft.com/v1.0/users?
$filter=(UserType eq 'Guest') and (mail eq 'xx#yyy.com')&
$select=externalUserState
Microsoft Graph doesn't support to check the status for the invited users. However we can use the the Azure AD reporting API to check the this status.
To get this status, we can get the Update user event and check the UserState to achieve the goal.
More detail about Azure AD reporting API, you can this link.
Note:Actions don’t appear immediately in the audit activity log. It can take anywhere from 30 minutes to an hour to see the audit logs in the Azure portal from the time the operation is performed.
Wait for 30 minutes to an hour and see if the actions appear in the activity log.
Update
Azure now has Invitation Status
https://learn.microsoft.com/en-us/azure/active-directory/b2b/customize-invitation-api#invitation-status
There is a property called "Source" under the Identity section of Azure Portal user profile and its getting changed to Microsoft Account or something like that from "Invited user" when the user redeem the invitation. But this source property is not in the User property returning from the API.
Find the request to implement way to do this in Graph API here and please up vote it.
we cannot use filter more than once. How about
https://graph.microsoft.com/v1.0/users?$filter=mail eq 'usersemail'&$select=externalUserState
this can be done using ms graph API
Related
I have created a PubSub schema
I have created an API key with no restrictions
I wish to cURL/Get this schema from an address outside of GCP
I tried the below request but it's denied as per below
me#J-5CG2200NLY:~/go/$ curl https://pubsub.googleapis.com/v1/projects/myprojetc199/schemas/pbschema_1?key=mylongkeyxxxxxxxxxxxx
{
"error": {
"code": 403,
"message": "User not authorized to perform this action.",
"status": "PERMISSION_DENIED"
}
}
How can I authenticate my request?
Thanks in advance
Pub/Sub does not support the use of API keys as an authentication method (as noted in the documentation). API keys are used for quota attribution for requests. You would have to use one of the alternative authentication methods like OAuth in order to retrieve the schema via a cURL/Get.
If you are logged in via gcloud on an account that has permission to get schemas, you can then get the access token:
gcloud auth application-default print-access-token
Now, you can use that access token in a curl command:
PROJECT=my-project
SCHEMA=my-schema
ACCESS_TOKEN=<token printed out above>
curl -H "Authorization: Bearer $ACCESS_TOKEN" -X GET https://pubsub.googleapis.com/v1/projects/$PROJECT/schemas/$SCHEMA
I have tried everything but somehow unable to generate token or the token that is generated does not work. Please help with what I am doing wrong. I want the token to create an online meeting.
Sharing requests below which I have tried
Generate token with client credentials grant type
REQUEST:
POST 'https://login.microsoftonline.com/CXXXXXXX/oauth2/token'
--header 'Content-Type: application/x-www-form-urlencoded'
--data-urlencode 'password=CXXXXXXX'
--data-urlencode 'grant_type=client_credentials'
--data-urlencode 'scope=OnlineMeetings.ReadWrite'
--data-urlencode 'client_id=CXXXXXXXCXXXXXXX-464c-965a-CXXXXXXXCXXXXXXX'
--data-urlencode 'username=CXXXXXXX#gmail.com'
--data-urlencode 'client_secret=CXXXXXXX6ryCXXXXXXXuV.zu8SmW~D_'
Save the token generated- Using this in https://graph.microsoft.com/v1.0/me/onlineMeetings gives error - Access token validation failure. Invalid audience
Use this token as assertion as follows
POST 'https://login.microsoftonline.com/learn123456789.onmicrosoft.com/oauth2/token'
--header 'Content-Type: application/x-www-form-urlencoded'
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer'
--data-urlencode 'scope=OnlineMeetings.ReadWrite'
--data-urlencode 'client_id=CXXXXXXXCXXXXXXX-464c-965a-CXXXXXXXCXXXXXXX'
--data-urlencode 'client_secret=CXXXXXXX6ryCXXXXXXXuV.zu8SmW~D_'
--data-urlencode 'resource=https://graph.microsoft.com/'
--data-urlencode 'requested_token_use=on_behalf_of'
--data-urlencode 'assertion=tokenFromFirstAPI'
Also tried this api
https://login.microsoftonline.com/common/oauth2/authorize?client_id=CXXXXXXXCXXXXXXX-464c-965a-CXXXXXXXCXXXXXXX&response_type=token&resource=XXXXXXX6-ba00-4fd7-XXXXXXXXX3
Error is
Assertion audience does not match the Client app presenting the assertion. The audience in the assertion was '00000002-0000-0000-c000-000000000000' and the expected audience is 'clientID' or one of the Application Uris of this application with App ID XXX. The downstream client must request a token for the expected audience (the application that made the OBO request) and this application should use that token as the assertion.
No token works in this - https://graph.microsoft.com/v1.0/me/onlineMeetings
Getting - "Access token validation failure. Invalid audience.",
Please help, what am I doing wrong?
Thanks Carl bit it did not work
Have even given all the permissions as suggested above.
ERROR- Bad Request - 400 - 819ms
{ "error": { "code": "AuthenticationError", "message": "Error authenticating with resource", "innerError": { "date": "2020-12-27T09:36:57", "request-id": "4e01eff1-9eb5-42dd-9009-dbdd85aca49a", "client-request-id": "5effa441-d7f6-5ef7-5066-1d7153f39712" } }
As your error message says, your token audience is invalid , because you set the wrong scope when requesting the token. You should set the scope to https://graph.microsoft.com/.default or https://graph.microsoft.com/OnlineMeetings.ReadWrite, in addition, the api call only supports delegated permissions, so you can't use the client credential flow to get the token. For the /me endpoint, the user needs to log in, so you need Use auth code flow to obtain an access token.
Or, there is a simpler method, you can use Graph Explorer to test, you only need to log in to the user and add permissions.
Update:
I noticed that you use 3 methods to get the token.
First of all, for the first method, you are using a v1.0 endpoint and use the client credential flow to obtain the token. What you need to pay attention to is that when you use v1.0 authentication, you cannot use scope, you should use resource. In addition, when you use the client credential flow, you cannot use the v1.0 version , you need to use the beta version, and because the client credential flow is a flow without user login, you cannot call the /me endpoint, you should call the /users endpoint. (Note: When you use the beta version and use the client credential flow, according to the documentation: Administrators must create an application access policy and grant it to a user, authorizing the app configured in the policy to create an online meeting on behalf of that user (user ID specified in the request path).)
The complete request is:
POST https://login.microsoftonline.com/{tenant}/oauth2/token
Content-Type: application/x-www-form-urlencoded
client_id=535fb089-9ff3-47b6-9bfb-xxxxxxxxxx
&resource=https://graph.microsoft.com/
&client_secret=qWgdYAmab0YSkuLxxxxxxx
&grant_type=client_credentials
api call:
https://graph.microsoft.com/beta/users/{userId}/onlineMeetings
For the second method, I noticed that you are using OBO flow, and then you pass in the wrong access token obtained by the first method as an assertion, so the access token you obtained using this flow is definitely not correct. . In addition, if you don't have a back-end API, please do not use this flow. This flow requires you to have a middle-tier API, and it is cumbersome to use.
Your third method is also wrong, your resource should be: https://graph.microsoft.com
To summarize: If you want to use the client credential flow without user login, please refer to my update. If you don't have a backend api, please do not use OBO flow.
IMAGE of ERROR
Error in following URL
"message": "Error authenticating with resource",
https://developer.microsoft.com/en-us/graph/graph-explorer
I use
https://graph.microsoft.com/v1.0/teams/team_id/channels/channel_id/messages
to get messages in channel and post message to channel, but I get an error when I want to get these messages
UnknownError
When I post messages to channel , it shows Unauthorized.
My code
$headers = array(
"Content-Type: application/json",
"Authorization: Bearer {$_SESSION["access_token"]}",
);
$post_params = json_encode(array(
"body"=>array("content"=>"Hello World")
));
Azure Permission
This api only supports delegated permissions, you need to grant ChannelMessage.Read.All delegated permissions, and then grant admin consent for the permissions.
Several APIs including "List Channel Messages" are Protected APIs. It doesn't matter whether your admin gave you permission or not. Microsoft itself must give you permission too.
More info
https://learn.microsoft.com/en-us/graph/teams-protected-apis#:~:text=Microsoft%20Teams%20APIs%20in%20Microsoft,before%20you%20can%20use%20them.
Permission request form (Yes I know the form below looks ridiculous unfortunately that's the only way you request permission, the link is also given in the page above)
https://aka.ms/teamsgraph/requestaccess
You can access the list of channel messages via GRAPH with right permission (ChannelMessages.Read.All) and if you use the BETA endpoint of it. This is not a good idea for production btw but will solve the issue so you dont need to request this from MS.
For this you have to request the endpoint with a loggedIn user. (Delegated)
I wish to use the Google Cloud Platform (GCP) REST API locally, starting with the apps.services.versions.instances.list method.
The route works when I use "Try this API" here, but how would I use this method locally with curl?
"https://appengine.googleapis.com/v1/apps/$APPSID/services/$SERVICESID/versions/$VERSIONSID/instances?key=$YOUR_API_KEY" \
--compressed \
--header 'Accept: application/json' \
--header "Authorization: Bearer $YOUR_ACCESS_TOKEN"
#=>
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
How do I access $YOUR_API_KEY and $YOUR_ACCESS_TOKEN? I have been unable to find either in the official GCP docs.
The fastest way is use Cloud Shell:
List projects to get project id
gcloud projects list
# save you project id
PROJECT_ID="YOURS_PROJECT_ID"
Get ACCESS_TOKEN
ACCESS_TOKEN=$(gcloud auth print-access-token)
Get API_KEY
API_KEY=$(curl -X POST https://apikeys.googleapis.com/v1/projects/$PROJECT_ID/apiKeys?access_token=$ACCESS_TOKEN | jq -r ".currentKey")
Print API_KEY and ACCESS_TOKEN
echo $ACCESS_TOKEN
echo $API_KEY
To run above commands on local machine first you need authenticate using command gcloud auth login and follow instructions.
Alternatively api key could be readed or created from console go to Navigation Menu -> APIs & Services -> Credentials and next click on CREATE CREDENTIALS -> API Key.
By reading the documentation (clicking on question mark next to Credentials) we can read:
[YOUR_API_KEY] - "Include an API Key to identify your project, used to verify enablement and track request quotas."
[YOUR_ACCESS_TOKEN] - "Include an access (bearer) token to identify the user which completed the OAuth flow with your Client ID."
You no longer need an API key. It's a legacy feature of Google APIs, provide only an access token is enough.
In command line you can do this
curl -H "Authorization: Bearer $(gcloud auth print-access-token)" https://....
All the Google Cloud APIs are compliant with access token authentication. Few are still compliant with API keys.
About APIKeys API
This API has been published in beta and now closed. At least the documentation part. I don't know if this API is stable or subject to change. You can create an API key per API like this (very similar to Bartosz Pelikan answer)
curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
-X POST https://apikeys.googleapis.com/v1/projects/PROJECT_ID/apiKeys
As you can see, I reuse the access token authentication mode
The above answers are using an API that isn't publicly available (I reached out to GCP support an confirmed.
I recommend using the CLI tool like so:
gcloud app instances list --service core-api --project my-project-name
docs: https://cloud.google.com/sdk/gcloud/reference/app/instances/list
You'll have to a gcloud auth first and probably set your project.
I was working in my sandbox environment trying to figure out the Chatter API calls - I had saved my refresh token during my testing but it was lost sometime later.
Now when I try to hit the API I am receiving the following error:
"expired access/refresh token"
How do I get around this now? I do not have a refresh token so i cannot make a request to refresh my token, and i'm not sure how to expire / delete / revoke it via the UI so that I can proceed with my testing.
my cUrl call is as follows:
curl
--form client_id=3MVG92.u...2KycWe
--form client_secret=668...930
--form grant_type=password
--form username=mike....com
--form password=*#()#*#$#
--proxy 127.0.0.1:3128 --insecure
https://test.salesforce.com/services/oauth2/token
Things I have tried:
Reset my password
Delete remote access and create a new one with new client_id / secret
Reset my security token
Does anyone know how to expire the token or get a new refresh token via the API or UI in salesforce?
To revoke access from the UI, click on the following in the menu at the top right of Salesforce:
Your Name | Setup | My Personal Information | Personal Information and clicking Deny
More info here:
https://na12.salesforce.com/help/doc/en/remoteaccess_about.htm
What scope are you using? If you specify a scope (like 'api'), you'll need to explicitly request a refresh token by also specifying 'refresh token' in your scope (space delimited). More info on scopes here:
https://na12.salesforce.com/help/doc/en/remoteaccess_oauth_scopes.htm
Unlike Google, Salesforce will provide the refresh token multiple times, regardless of whether the user has just approved the app or not.
I've been playing around with this using Google's OAuth playground. You can click the gear at the top right and specify the values for Salesforce's services.
Authorization endpoint: https://login.salesforce.com/services/oauth2/authorize
Token endpoint: https://login.salesforce.com/services/oauth2/token
Client ID/secret: from Salesforce's 'consumer' key/secret info in the Remote access Config
You'll need to use 'https://code.google.com/oauthplayground/' as your callback URL in your app configuration.
This can be done in your account under:
My Settings | Select Personal | Advanced User Details | OAuth Connected Apps
Exact steps at salesforce can be found here