Authorise users for oneDrive without asking username/password - active-directory

I have a web applications and I wanted to allow users to pick file from oneDrive and submit those files. So my question is that, is there a way for me to allow for users who use my site to do this without asking them to log in for oneDrive ?.
I have a similar experience in googledrive and in there, we can do this through service account by authentication each users from the backend silently each time.
Further more, I have sign up for office 365 for business and link it to Azure and in there add few user to it via Active Directory.
Thanks in advance

One way is to use a designated account to create refresh token that has 'offline access' to the OneDrive. The offline access refresh token has a very long (or indefinite) expiry. Use OAuth 2.0 to create the refresh token.
Every time a user needs to browse the OneDrive, use the refresh token to request a short-term access token (again, this is OAuth 2.0). You can use that access token to access the OneDrive.
Unfortunately, my finding is that offline tokens have full read/write access - read only access doesn't seem possible.

Related

MS Graph react SPA get refresh token

I am using msgraph-training-reactspa sdk from Microsoft which uses MSAL for authentication. It does not return any refresh token. It has acquireTokenSilent method which gets new access token.
As per our requirement I want to get user access token along with refresh token so that I can later get new access token with refresh token and use microsoft graph api in CRON to update data.
How can we login user to microsoft via react app and get the refresh token so that I can save it in my DB?
Can I get any sample reference?
To get the refresh token (which is probably useless in your scenario anyway), you need to ask for the offline_access scope in your app manifest (or in the auth request), user has to agree to that, and then the refresh token is included by the azure ad.
But what you really want is probably sol-called "app-permissions" to be able to do stuff without the user present at all using CRON or whatever (and not a refresh token). I.e. for delegated permissions, you need a user under whose account the thing will be executed anyway (and even the refresh token will expire, and then you'll have to ask for login). The sample you are referring to is using delegated permissions. Check out the difference here: Azure AD App Application Permissions vs Delegated Permissions

Revoke access for an access_token received via MS Active Directory authentication

I am currently using passport-azure-ad and #azure/msal-node nodejs library to authenticate users for my APIs. When the user successfully authenticates via his/her microsoft account we receive an access_token, the user can call our APIs with that access_token.
Now if we disable the user's account from the Azure admin panel, the user's already existing access_token should be invalidated and he/she should not be able to call our APIs with that access_token.
How can we do this please?
Basically, you can't.
I believe that the spec. doesn't allow access tokens to be revoked.
You can, however, revoke refresh tokens.
When the access token expires, the refresh token won't be honoured and the user will be logged out.
Going forward, continuous access evaluation will be of use but it hasn't been implemented in many apps. to date.

Why do i need to create a Multi-Tenant App?

I have been doing some R&D on using the MicrosoftGraphAPI to fetch the skus subscribed by my organization.
I have created an app as described in the documentation. I did all the steps in the above link except 'Assign application to role'.
Using postman am able to get the oauth2 token by sending a post request using the link
https://login.microsoftonline.com/<mytenantid>/oauth2/token
with the client_id, client_secret, resource(https://graph.microsoft.com) and grant_type(client_credentials) parameters.
After this token is obtained I can fire a get request https://graph.microsoft.com/v1.0/subscribedSkus with the Authorization header set as Bearer {token} which will return the SKUs subscribed by my organization.
So far so good. :-)
Now the requirement is I need to fetch the subscribed SKUs by one of the client (let's say having the azure ad tenant id 'ABCDEFG') of my organization.
I can successfully do that by registering an app in the client's tenant 'ABCDEFG' with the same steps as above.
This approach is fine if my organization has say 1 or 2 clients.
However, if the client numbers are more than say 30 this approach of registering an application in each Azure AD instance is not feasible.
If the application that I registered in my organizations AAD was multi-tenant then how should it help me?
What will be the steps needed to obtain the access token for each tenant?
Can somebody assist with some detailed explanation?
Since you need application-level access, you would assign one of the Application permissions listed in the documentation for getting SKUs: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/subscribedsku_list.
Directory.Read.All, Directory.ReadWrite.All
In this case you should require the Read Directory Data (Directory.Read.All) application permission.
Then you mark your app as multi-tenanted.
Now then in order for another org to use your app, they will have to be on-boarded.
You will need some kind of page where their administrator can click a button/link to start using your app.
This should redirect the admin to:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=your-client-id&prompt=admin_consent&response_type=code+id_token&redirect_uri=url-where-to-send-user-back
Once they sign in, they will be presented with a consent screen, where they can approve the permissions that your app requires.
If and when they do that, they will be redirected back to your app (to the URL you specified) and you can use the Id token to know which Azure AD tenant registered.
During this process a service principal for your app is created in their tenant, and the required permission is granted to it.
This means you can then get an access token for their tenant from: (using the same credentials)
https://login.microsoftonline.com/their-tenant-id/oauth2/token
Remember that access tokens are specific to an Azure AD tenant, so you will have to get an access token for each tenant.
One thing I would like to point out is that you should instead try to use delegated permissions if possible.
The application permission given here gives quite large access to your app, and some admins might not use your service for that reason alone.
Delegated permissions are more complex to handle, but allow your app to act on behalf of a user instead of purely as itself.

Accessing onedrive with previously generated token

I have an application which already use azure AD for authentication.
And now, we need to integrate MS onedrive in it.
Now, for doing so, we don't want the user to go through login again.
Is it possible that the Oauth token generated in application login can be used for graph APIs. Or any other way to skip that MS login for onedrive?
I've seen the question. But my problem is bit different that I'm already using Azure AD for authentication.
Thanks in advance.
When the user logs in, you can acquire multiple access tokens.
You will need to acquire a token for MS Graph API.
You can use the same authorization code twice to get two access tokens, or you can use the refresh token gotten with the first one to get another access token.

Identity Server and Active Driectory

My current setup is a fairly simple one. I am running Identity Server 3 which is used to provide oauth access tokens which can be used against and a number of our web api endpoints. The identity server has custom user service which authenticates requests against a custom user table in our sql database.
We have a new 3rd party software provider, this provider requires that our users (staff in our call centre) logon to their application via a proprietary login, not against our existing user accounts. We have built an api for this 3rd party which they required for their integration, as with the rest of our api's this is secured using oauth bearer tokens via identity server.
Our staff are all locally logged on to an active directory domain. Is it possible to configure identity server to issues auth tokens for a user who is already authenticated against active directory? I like to achieve this without prompting the user for their credentials again.
I've read around and at this point I'm very lost as to the correct approach, some form of federation seems appropriate, but I couldn’t find a reasonable introduction / walkthrough to help me get started.
What is an appropriate approach and are they any relatively easy to consume primers on the subject?
Yes, you should be able to make it work. The samples contain a windows auth provider. Using this, your identity server would authenticate people in without prompting for a password. Once authenticated, it would then issue tokens same as any other auth. You may need to a bit of experimenting to get it working, but from what you've said it should work in your situation.

Resources