according to Google cloud endpoint documentation, in #Api annotation (or #ApiMethod), we can use a "scope" parameter, that is:
If not supplied, the default is the email scope (https://www.googleapis.com/auth/userinfo.email), which is required for OAuth. You can override this to specify more OAuth 2.0 scopes if you wish. However, if you do define more than one scope, note that the scope check will pass if the token is minted for any of the specified scopes. To override the scopes specified here for a particular API method, specify different scopes in the #ApiMethod annotation.
Reading this docs seems that we can ask, for example, for drive scopes.
In fact, if we put here https://www.googleapis.com/auth/drive.file, the endpoint will ask the user for the drive auth.
But, how can I get the valid token to make a call to the google api? I mean, this scope parameter is intended only for login purpose, or I can use it to obtain Oauth2 tokens to call Google Apis?
I think is only for login purpose (just because I haven't found something about using endpoint to connect to google api) but I need a confirmation.
Thanks in advance
Related
I have a REST API hosted in Azure App Services that defines custom scopes for restricting access to specific operations in the API to certain groups of users. When accessing the Azure's OpenID Connect Metadata discovery endpoint however, I can't seen to find a way to see my custom scopes for the API (or any API consumer registered in Azure). How do I make it so that my custom scopes show up in the discovery endpoint metadata?
This is the endpoint I'm using:
https://login.microsoftonline.com/{my_tenant_id}/v2.0/.well-known/openid-configuration
Obviously, this version of the endpoint concerns the whole tenant, so it makes sense that it would not have visibility about specific API's scopes in there.
However, when using this variation, which specifies the ClientID, I'd expect the data on the payload to concern that specific application:
https://login.microsoftonline.com/{my_tenant_id}/v2.0/.well-known/openid-configuration?appid={application_client_id}
This turns out not to be the case: all scopes shown in this endpoint are also the standard ones that AAD always returns for everything else:
"scopes_supported": [
"openid",
"profile",
"email",
"offline_access"
],
I'd expect one or both of the following to happen:
The main endpoint to return the combination of all scopes defined for all applications
The app-parameterized endpoint to return the scopes for that particular application
Without my custom scopes being present, it is currently impossible to leave it to a client to pick the scopes when using OpenIDConnect connection type, since the application cannot know which scopes to request to AAD after the initial call, which was one of the main points regarding the metadata endpoint from what I understood.
I asked this question in the Microsoft.Identity.Web repository and got a reply back from a Microsoft Identity PM that states exposing custom scopes in the metadata endpoint is currently not supported by design.
More information here:
https://github.com/AzureAD/microsoft-identity-web/discussions/1689#discussioncomment-2519799
I'll stop using the discovery endpoint in my scenario since it becomes useless if the scopes in it don't match my API scopes.
I have used ADAL.js in a previous project which supported only work accounts and am able to successfully acquire idtokens and then accesstokens to an API (ResourceURI: "https://myresource.com"). Works fine.
Now, I am trying to use MSAL.js for another project because there I need to support both work accounts (aad auth) and personal "Microsoft Accounts" (MSA). I am running into problems now trying to do the same thing as in my ADAL project.
The concept of "Resource" has seemingly vanished from AAD V2. So how does one specify the Resource url when acquiring an access token to the target API? So that the resulting accesstoken contains the ResourceURI in the AUD claim (which will be enforced by the API I am calling).
If I force add the Resource querystring parameter, thusly:
msalapp.acquireTokenSilent([], null, null, "resource=https%3A%2F%2Fmyresource.com")
I get the following error:
AADSTS901002: The 'resource' request parameter is not supported.
Documentation says to use SCOPE instead. But using:
msalapp.acquireTokenSilent(['https://myresource.com'])
results in:
AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope https://myresource.com openid profile is not valid. The scope format is invalid. Scope must be in a valid URI form <https://example/scope> or a valid Guid <guid/scope>..
So: how do I specify the Resource URI when acquiring the access tokens when working with the v2 endpoint via MSAL.js? Sorry the (usually pretty good) MSDN articles are not useful at all in this case...
In Azure AD v2.0 you need to use scopes, not resources.
If you have a resource, and want to get a token for all the permissions, you can use :
https://myresource.com/.default.
You can also be more fine grain: more information is available from https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Adal-to-Msal#scopes-for-a-v10-application (this is in C#, but the translation is straightforward)
I am trying to access the Dynamics 365 Online API via a SPA. But I want to use the v2 authorization endpoint. I register my app in AAD and assign permissions for Dynamics CRM (I'm using the preview registration blade which allows me to specify Dynamics). It does not say that Admin consent is required for Dynamics but when I specify the scope in my SPA, I get an error at the consent screen indicating that I need admin consent.
I have successfully used the v1 authorization endpoint in the past so I suspect it is an issue with how I am specifying the scope when I retrieve my access token.
Is there something special needed for this API? Is it not fully implemented yet?
In my scope parameter when I request my access_token, I have tried:
<service guid>/<scope guid>
<service guid>/user_impersonation
https://<tenant>.crm.dynamics.com/user_impersonation
https://crm.dynamics.com/user_impersonation
https://dynamics.com/user_impersonation
The last four indicate admin consent is required. I've tried a few other formats but they error out indicating the format is incorrect or the resource doesn't exist - which I get. But I am confused about the admin consent pieces.
Any guidance appreciated!
You need to use a scope of:
https://{organization}.crm.dynamics.com//user_impersonation.
Note the double slash.
Not sure if this helps anyone, but I stumbled onto this thread looking for answers to the correct scope to use to access the Dynamics 365 rest api using MSAL in a client application.
I didn't need user_impersonation as I just wanted to access it as the application user. The scope that worked for me is:
"https://{organization}.api.crm3.dynamics.com//.default"
Source: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#client-credentials-grant-flow-and-default
I started from this React sample application from Auth0 and login through Auth0 works fine but does not give me the expected token.
After login the browser localStorage contains an id_token and a profile object. When I decode the id_token I see that the payload contains something like this:
{
"iss": "https://mycompany.eu.auth0.com/",
"sub": "auth0|5821bc27f92ca3261c628a26",
"aud": "2A8cgDBm86kLCtCNtUMcKPL2G3oqjIdE",
"exp": 1478755859,
"iat": 1478719859
}
The profile contains email and lots of other good stuff from the user profile as registered in Auth0.
I need to parse on the token to my API server and therefore I need the attributes from the profile-object to be part of the token. How can I make the id_token contain all these attributes, so that I can parse it in my API-service and store it the first time the user logs in?
As I see it, I cannot use the profile-object found in the browser localStorage as it needs to be signed by Auth0 in order for my API server to trust the information.
I'm also aware that I can use the id_token to make a request from my API server directly to Auth0 to get this additional information, but I just think it would be simpler and more efficient if the information was carried by the token.
Those are the claims included by default in a id_token; it's possible to request other claims to be included by passing a scope parameter with the appropriate value.
See Scopes - Requesting specific claims, for a reference on what you can pass in the scope parameter in order to influence the contents of the id_token.
To add onto João Angelo's answer, you can't request the entire "App_Metadata" object in scope. If there are app specific fields e.g. lang or favorite color, these have to be called out specifically.
Example App MetaData
Example call
https://example.auth0.com/authorize
?response_type=token
&client_id=YOUR_CLIENT_ID
&redirect_uri=http://jwt.io&connection=google-oauth2
&scope=openid+lang+favoriteColor
There may be additional caveats to the scope parameter, it would be good to ask Auth0 as you run into issues
Surely someone else is using the API, I've looked and searched, I cannot seem to find the correct value to place for the scope parameter when authenticating:
I've looked at all these scope lists, nothing, tried the OAuth 2.0 playground, translation is not there.
oauth playground v1
oauth playground v2
oath supported scopes
auth scopes
Any clues welcomed, thank you.
Error message:
Error: invalid_request
Missing required parameter: scope
Learn more
Request Details
Update
User Ezra explained that OAuth2 authentication is not needed for the Translation API.
I got down this road by this path:
I was trying to make the sample code here work:
translation api sample code
And didn't have the apiclient.discovery module
from apiclient.discovery import build
I went off looking for that which landed me here to this quick-start configurator
which gave me an autogenerated translation api project here:
This starter project which is supposed to be tailored for Translation API includes a whole bunch of OAuth configuration and so I wound up asking the question because of the error mentioned here
exception calling translation api: <HttpError 400 when requesting https://www.googleapis.com/language/translate/v2?q=zebra&source=en&alt=json&target=fr&key=MYSECRETKEYWENTHERE returned "Bad Request">
The code I'm using to make said call which errors out in this way is:
service = build('translate', 'v2',
developerKey='MYSECRETKEYWENTHERE')
result = service.translations().list(
source='en',
target=lang,
q='zebra'
).execute()
If I make the same call directly that the error complains about, it works ok
https://www.googleapis.com/language/translate/v2?key=MYSECRETKEYWENTHERE&q=zebra&target=fr&alt=json&source=en
Updated Again
Okay, I removed all the OAuth code from the sample project and then ran it again and then finally noticed that I had a typo in my secret key... donk
Thanks for the answers!
.
Thank you
I think you are misunderstanding what OAuth scopes are for. You didn't list any of your code, so I'm going to explain some concepts, and hope that you can apply them to your situation.
OAuth Scopes explained:
The purpose of OAuth scopes is accessing information about authenticated users. The scopes are different for each applications, and determine what information about a user that an application is granted access to.
Concretely, an OAuth request with the scope parameter as
https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile
Would show the user a prompt similar to the following when logging in:
+ View basic information about your account
* View your name, public profile URL, and photo
* View your gender and birthdate
* View your country, language, and timezone
+ View your email address
* View the email address associated with your account
While one with only https://www.googleapis.com/auth/userinfo.email would show something like:
+ View your email address
* View the email address associated with your account
Translate API explained:
To use the Translate API, you don't have to have users authenticated with OAuth. You simply get an API Key, and provide that key in your request to the service.
The use of the Translate API is completely orthogonal to the use of OAuth.
As documented on the Translate API site, to translate something you simply make a request to
https://www.googleapis.com/language/translate/v2?parameters
with the appropriate parameters.
The parameters needed are, as listed in the documentation, the
API key. Use the key query parameter to identify your application.
Target language. Use the target query parameter to specify the language you want to translate into.
Source text string. Use the q query parameter to identify the string to translate.
Concretely, a request to translate the text "hello world" into German would be:
https://www.googleapis.com/language/translate/v2?key=INSERT-YOUR-KEY&source=en&target=de&q=Hello%20world
Look at the parameters specification to get an idea of what you have to supply.
What to do:
Look at the source of the Python example using the Translate API or look up the API library for the language you want to use.
You'll see in the examples that there is no mention of OAuth scopes, because it's not needed to authenticate against the Translate API service. You only need to provide your API key, and the text to be translated in your request to the service.
There may be API calls that require scope, but Translate is not one of them.
If there is some piece of information about a user that you need, you will have to look up the API and Scope needed to access that piece of information. You will then supply this information to the Translate API as necessary.
In case of 400:
If you are getting an error response, that's good, because the call to the service is working, even if it's not doing what you want.
In the case of a 400, the Translate API's response will give you a clue about your error in its response.
{
"error": {
"errors": [
{
"domain": "usageLimits",
"reason": "keyInvalid",
"message": "Bad Request"
}
],
"code": 400,
"message": "Bad Request"
}
}
The response above indicates that the key is invalid. You can request a new one (or find out your old one) through the Google API Console.
Summary:
OAuth scopes are used for requesting information about a user. You will have to identify the scope when authenticating the user, and you will have access to all information provided by those scopes.
The Translate API doesn't need a scope. You provide an API Key (and some other information) in your request, and it gives back the translation as documented.
If there is information about a user that you wish to translate, it must be done in two steps. First, collect the information by authenticating the user in the appropriate scope, and second by providing that information to the Translate API.
If you're getting a 400, the response will include some information you can use to debug the problem.
According to Google's documentation, you have to look at the documentation for your specific API.
Update as per this Google Group question:
"The Translate API (both v1 and v2) is an unauthenticated API, so you don't need to use OAuth with it. Instead, for v2, you should use an API key, which you can get here: http://code.google.com/apis/console"
For error message
Error: invalid_request
Missing required parameter: scope
You need to add scopes in your form
<input type="hidden" name="scope" value="https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo#email https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/tasks https://www-opensocial.googleusercontent.com/api/people https://www.googleapis.com/auth/plus.login" />
Please refer spring social login with linkedin,facebook,twitter and google providers.