I want to integrate the USPS First Class Mail International API into our web application to print labels. I have all the necessary credentials like USERID and PASSWORD, and the test link.
I have tried to integrate it into our application, but it gives me an API authorization error like this:
<Error>
<Number>80040b1a</Number>
<Description>API Authorization failure. FirstClassMailIntl is not a valid API name for this protocol.</Description>
<Source>UspsCom::DoAuth</Source>
</Error>
Related
At work we are making an SPFx Web Part React client app that deploys to SharePoint as a Web Part. Our back-end is a ASP.NET Core 2.2 Web API that is secured using Azure Portal's built in Authentication feature. The front-end is using AadHttpClient that magically handles the authentication by taking the context of the current page (SharePoint) that has the user already logged in. Doing so, silent authentication occurs and the API call is successfully made with authentication successfully passed. The AadHttpClient is supposed to magically bundle up the token in the request header that gets sent to the back-end Web API. I still need to debug the live development app and see how to retrieve the Bearer Token in the back-end Web API. These are my next probable steps?
Would I just probably use 'string bearerToken = Request.Headers.....;' or 'string bearerToken = Request.Headers["KeyValue"]' to get the token itself?
Assuming I can get this Bearer Token, how can I check the caller's user information? Is it just var userName = User.Identity.Name;? Or would I or could I use the token and some how make a call to Microsoft Graph API to view the user's info?
If you are using ASP.NET Core and using default authentication then things are bit easier. From documentation you can see that several tokens are injected in the request header based on Identity provider so in your case you have to look for following headers which Azure AD injects. These headers would contain ID Token which you would need to verify the claims and get user information.
X-MS-TOKEN-AAD-ID-TOKEN
X-MS-TOKEN-AAD-ACCESS-TOKEN
X-MS-TOKEN-AAD-EXPIRES-ON
X-MS-TOKEN-AAD-REFRESH-TOKEN
Ideally all the claims are injected automatically in ClaimsPrincipal
you can find more here
Official Docs
How To extract Token
As an exercise, I have been attempting to create a swagger configuration that can invoke the Azure Management API, and to run this from the online swagger editor.
I have configured it to use implicit authentication, and it almost works, but I just cannot get the Azure Framework to recognize the swagger editor as a valid redirect URL.
Here is all the steps I have taken. Can anyone spot what I'm doing wrong?
Using the Azure AD portal, I create a new Azure AD Application
In the application registration's Reply URL's, I added https://editor.swagger.io/oauth2-redirect.html
I created the following security entries in my Swagger 2.0 document:
securityDefinitions:
azureTokenAuthentication:
flow: implicit
authorizationUrl: https://login.microsoft.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/authorize
scopes:
https://management.azure.com: Accessing the Azure API
type: oauth2
security:
- azureTokenAuthentication:
- https://management.azure.com
(The redacted GUID is my tenant id).
Now, when I click on the "Authorization" button, swagger opens up a dialog for me:
So I enter the application ID and click authorize. It then sends me to the logon URL with the following parameters:
response_type: token
client_id: eb482fb2-8229-434e-b5a6-9fc3e0f06968
redirect_uri: https://editor.swagger.io/oauth2-redirect.html
scope: https://management.azure.com
state: <Base64 string>Wed Mar 13 2019 09:16:06 GMT+1000 (Australian Eastern Standard Time)
Note that the redirect uri matches the value I entered in the app registration.
So I enter my username and password, and then the URL gets redirected to the following:
https://login.live.com/err.srf?lc=1033#error=invalid_request&error_description=The+provided+value+for+the+input+parameter+'redirect_uri'+is+not+valid.+The+expected+value+is+a+URI+which+matches+a+redirect+URI+registered+for+this+client+application.&state=rQIIAdNiNtQztFJJTTKxMEpLMtK1MDKy1DUxNknVTTJNNNO1TEs2TjVIMzCzNLMoEuISWF1yo3vvud0Ozb9b9Z66bQ-cxcgZn5NZlqqXnJ-7ilEvo6SkoNhKXz81JbMkv0ivuDwxPT21SC8zXz8_sbQkw0i3CChTlJpcAlSZm7ODkfECI-MLRsZbTPz-jiB5EJFflFmVOos5JswoLNvT1TAjOdOxwrfSsdLXxdXU08XR1D_L1cg_y9HI0zXFL8y5uMLXxbHc0znDKSXCzyA51604Mdyt1NM1LCPZOCgnOdckPdQ4KCMpNygjOTcwPcw9pyQqONt2E7NKSqqpuZGhmZGuabJ5iq6JRVqSrmWSqaGuubmlabKpeaKZqWXyKWYZmI9yE_MS01NzU_NK9BKrSovAHr7BzHiBhfEVC48BsxUHB5cAgwSDAsMPFsZFrMCQmrTR22we8wzHyc1Bd633_2M4xapfku7mkeJk5qxfkpOb7lcUXB5SmOZb7Jef7l-c526UmVUQqV_q5Zzh4uzma2tkZTiBTeYDG2MHO8MuThID9haXiJGBoaWugbGuoZGCkbGVoZmVgXkUAA2
The interesting text I glean from this is:
The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.
But it DOES match! What am I doing wrong?!?
reply url = "your web api's swagger page url" concatenated with "/oauth2-redirect.html"
example: https://localhost:44329/swagger/oauth2-redirect.html
configure that for each environment in your app registration including your localhost.
First of all, I changed the authorization URL from https://login.microsoft.com/<tenant-id>/oauth2/authorize to https://login.microsoft.com/<tenant-id>/oauth2/v2.0/authorize
I then had to follow these instructions, and directly modify the application manifest to allow implicit flow:
Then I changed the scopes. I could not get management.azure.com running, but I could get https://graph.windows.net by appending /.default to the scope. (https://graph.windows.net/.default).
That got me another step further. Now it redirected to the Authorization URL, and Microsoft authenticated me, generated a token for me, and redirected my browser to https://editor.swagger.io/oauth2-redirect.html
Then I was thwarted, when I realised that editor.swagger.io does not actually handle the path it's redirecting the browser to. (The file outh2-redirect.html exists on GitHub here: https://github.com/swagger-api/swagger-ui/blob/master/dist/oauth2-redirect.html)
That's when I gave up.
An app registered in the v2 app registration portal, with a webapi platform added, however when requesting the authorisation with api scope using https://login.microsoftonline.com/common/oauth2/v2.0/authorize endpoint, it directly go to the redirect url with error code AADSTS70002%3a+Error+validating+credentials. Instead if I use the graph api, everything works, not sure what did I did wrong!
The one for the webapi scope:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=222db0-0305-4f86-96cc-d283da2f5020&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%2Ftest&response_mode=query&scope=openid%20offline_access%20api%3A%2F%2Fc6599db0-0305-4f86-96cc-d283da2f5020%2Faccess_as_user
The one for the graph api:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=222db0b0-0305-4f86-96cc-d283da2f5020&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%2Ftest&response_mode=query&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
EDIT
This is confusing, now I put the offline and open id to the end but get another error:
AADSTS65005%3a+The+application+'v2app'+asked+for+scope+'openid'+that+doesn't+exist+on+the+resource.+Contact+the+app+vendor.
The URL I requested is:
https://login.microsoftonline.com/e0582222da8-ec2b-4c7a-b98e-2c417627657c/oauth2/v2.0/authorize?client_id=c6599db0-0305-4f86-96cc-d283da2f5020&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%2Ftest&response_mode=query&scope=api%3A%2F%2Fc6599db0-0305-4f86-96cc-d283da2f5020%2Faccess_as_user%20openid%20offline_access
And if I google this error, there is one saying:
As of today, the V2 Endpoint does not support API access other than the Microsoft Graph.
So this is not achievable? Then how come the sample works?
EDIT 2
So if I make the requested scope the client ID, it works..
I reproduced your error . but if putting the openid%20offline_access scopes after api%3A%2F%2Fc6599db0-0305-4f86-96cc-d283da2f5020%2Faccess_as_user(api scope) , it works on my side , please try :
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=222db0-0305-4f86-96cc-d283da2f5020&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%2Ftest&response_mode=query&scope=api%3A%2F%2Fc6599db0-0305-4f86-96cc-d283da2f5020%2Faccess_as_user%20openid%20offline_access
Update
The MSAL error you linked is accessing a Web API from a client that has a different Application ID , that is not supported in v2.0 endpoint . In azure ad v2.0, Web API can receive tokens only from an application that has the same Application ID. That means api://xxxx-xxxx-xxx-xxx (web api url) , the xxxx-xxxx-xxx-xxx part has the same value with your client id of client application . To achive that , you could add two platforms : one web app ,one web api .
I have a Angular + Spring boot single page web app. The server also acts as an Auth Server which issues tokens for the angular app to use to make Restful API calls.
My old login flow uses a grant_type=password POST call to the /oauth/token endpoint to get a Bearer token. And all further API calls on behalf of the user will include the Bearer token as the "Authorization" http header.
Now I need to integrate social login (facebook, twitter, etc.), which means I don't have username/password to generate tokens so I'm not sure how to make it work.
I have been using the following two tutorials as my template:
Spring Security and Angular JS
Spring Boot and OAuth
In the first tutorial's oauth-vanilla example, the username passwork login flow brings up the authorization page. But I'd like to have the traditional username/password form login experience (log user in directly instead of showing the Authorization page).
In the second tutorial, after facebook login, I'd like to use the facebook id to look up my internal user database and create a new user if not exist and logs him in as the user. And use the internal db user's identity and authorities to authorize future API calls to my API server.
I have a stripped down sample at at
https://github.com/dingquan/spring-angular-oauth
I can make POST calls to /oauth/token endpoint and use the returned token to make further api calls to my protected /api/blogs endpoint. But I haven't figure out how to make the following things work:
Username/password login that will create a session cookie so I don't need to send the Authorization bearer token for future API calls to the resource endpoint
After facebook login (the facebook login link is under the username/password login form), calls to my endpoint still fails with 401 error (I have a "test" button that makes a get call to /api/blogs, you can click on it to see the behavior). So what am I missing to make the API call succeed?
=== UPDATE ===
Just to clarify. Here are the goals I'm trying to achieve:
multiple ways of authentication (traditional username/password, third party oauth login such as facebook, possibly cellphone number + SMS code in the future)
we do need our own user model backed by DB to store other user attributes, pure social login is not enough
social login needs to be implicit. Meaning user should not be required to create a user account in our system manually once they login through a 3rd party (facebook, etc.). We're not just grabbing users' social profile data to pre-populate the registration form. We want to create new DB users automatically behind the scene if no existing db user is associated with the given external social account. i.e. if user is logged in through facebook, they don't need to enter username/password. Authentication through facebook will automatically log the user into our system as well and user should be able to access restricted resources after facebook login.
There's some confusion that I might be asking people to put their facebook username/password in a login form hosted by my app and I'll login facebook on behalf of the user. That's not what I was asking for.
You don't need such a complicated configuration. Add #EnableOAuth2Sso to your MainConfiguration and set appropriate application properties.
Here is what I have done in order to use Facebook as a authorization server.
a) Remove clientId and authServer from UserServiceImpl. Otherwise you'll be forced to configure an authorization server that is not needed.
b) Remove AuthorizationServerConfiguration completely.
c) Add #EnableWebSecurity and #EnableOAuth2Sso to your MainConfiguration.
d) Change MainConfiguration::configure to
http
.logout().logoutSuccessUrl("/").permitAll().and()
.authorizeRequests().antMatchers("/", "/login", "/home.html").permitAll()
.anyRequest().authenticated()
.and().csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
e) Delete everything else except nested class AuthenticationSecurity from MainConfiguration.
f) Change ResourceServerConfiguration::configure(HttpSecurity) to
http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated();
f) Remove attribute tokenStore and method ResourceServerConfiguration::configure(ResourceServerSecurityConfigurer) from ResourceServerConfiguration.
g) Remove configuration block security and facebook from application.yml. Instead add this
security:
oauth2:
client:
client-id: <CLIENT_ID>
token-name: oauth_token
authentication-scheme: query
client-authentication-scheme: form
access-token-uri: https://graph.facebook.com/oauth/access_token
user-authorization-uri: https://www.facebook.com/dialog/oauth
resource:
user-info-uri: https://graph.facebook.com/me
client-id: <CLIENT_ID>
client-secret: <CLIENT_SECRET>
token-type: code
h) In index.html change login to login.
i) Replace the content of hello.js with this one.
But I'd like to have the traditional username/password form login experience (log user in directly instead of showing the Authorization page).
I would never use a site that requires my credentials without redirecting me to the origin! I don't know you and you are under suspicion being a phishing site.
You should really reconsider your decision.
Btw, I created a pull request with these changes.
I have my app build with Django Rest and Angular. I am using django-allauth and django-rest-auth modules for handling Users data.
Upon registration I am sending verification key to the email address of the user. The link that the user recieves is in the following format:
mydomain/api/rest-auth/registration/verify-email/:key
I am aware that django-rest-auth provides /registration/verify-email endpoint but am not sure how to get the verification code from the email message in the Angular controller and post it to the endpoint.
I guess this is more a question of design.
Thanks!