This is app api permissions
api permission
This is OAuth 2.0 authorize URL:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=6cd61515-b6d8-486e-b729-8b2243f85e6d&scope=https%3A%2F%2Foutlook.office365.com%2FEWS.AccessAsUser.All&redirect_uri=https%3A%2F%2Foauth.pstmn.io%2Fv1%2Fbrowser-callback
I can get token using my work account.
work account
I can not get token using my personal account.
personal account
Anybody know why?
According to the answer in Microsoft Q&A, personal account is no longer supported by EWS, so the scope is invalid.
Related
I am trying to get started with using Google API specifically in regards to obtaining a listing of Chrome devices in our organization. We have a current list of Chrome Devices in Google Admin. When I go to "API Explorer" here:
https://cloud.google.com/identity/docs/reference/rest/v1/devices/list
And enter the request parameters I can't get it to work.
First of all I do not know how to obtain an access token other than using the "OAUTH 2.0 Playground". That link is
https://developers.google.com/oauthplayground/
I have tried that but apparently I need to somehow enable one of the following OAuth scopes:
https://www.googleapis.com/auth/cloud-identity.devices.readonly
https://www.googleapis.com/auth/cloud-identity.devices
https://www.googleapis.com/auth/cloud-identity
Which I don't seem to be able to find in the OAuth playground.
In any case, I did obtain a token through the OAUTH 2.0 Playground to use in the "API Explorer". I am pretty sure I didn't use the correct OAuth scope either. In any case, maybe I can try using an API Device List in OAUTH 2.0 Playground but haven't figured it out yet.
Seems to be easier to find and use in "API Explorer". But when I use the Auth Token in API Explorer, devices.list in
GET https://cloudidentity.googleapis.com/v1/devices,
which I acquired through OAUTH 2.0 Playground, I get the error:
"Request had insufficient authentication scopes"
I get the same error in OAUTH 2.0 Playground if I try to use that same API request in OAUTH 2.0 Playground. But simply cannot find the following OAuth scopes, which the API explorer says is required for this particular API request of
"GET https://cloudidentity.googleapis.com/v1/devices"
I am just looking to try this out (obtaining a list of chrome devices through the Google Cloud API), which I know our organization has in our admin console.
I have not activated a Google Cloud Trial yet, so maybe that is the problem. I don't really know if the API Explorer or OAUTH 2.0 Playground requires that.
Maybe there is a different API request to accomplish what I am looking to do.
Maybe there is a different way to obtain an access token. I have gone in the google cloud console,
https://console.cloud.google.com
created a project, and created an API Key, and an OAUTH 2.0 client.
Any help would be appreciated.
Thank you.
Let's say we're developing an editor add-on (meant for publication) that does not need to interface to third party services (only to a self-developed API server, A). Does A need to implement OAuth i.e. issue tokens and so on, or is it sufficient to use the OpenID token received from Google with ScriptApp.getIdentityToken() as authentication for A (as mentioned at the bottom of [1]) ?
When the users start the plugin, they will anyway be faced with an OAuth consent screen, which mentions the scopes given in the addon's appsscript.json manifest file.
I don't find the requirements listed in the developer guide [1] clear when they mention "non-Google services".
In other words, will the Google security review fail my add-on if my API server A does not implement OAuth?
Thank you for any clarifications.
Edit : I'm not concerned with sensitive scopes.
[1] https://developers.google.com/gsuite/add-ons/how-tos/non-google-services
First of all, sorry for my bad English :)
I am building a Gmail addon which integrates file uploading to an external website using their API. The API have an auth endpoint which uses plain authorization flow i.e. takes email and password of a user to authorize and return authorization token. That token is then used in the subsequent call of file uploading process.
My question is, it has been mentioned in gmail addon guide that an app should use oAuth when connecting to a third-party service. However, the related website's API do not have oAuth but use plain authorization flow. If I create a login form with email and password fields using the card service, would that be okay and approved by google to be listed in the addons directory? Creating oAuth on third party service is not in my hands
Thank you!
Q: would that be okay and approved?
My experience is that it is OK to use basic authentication (since a lot of APIs still use basic auth, it would be devastating if the use of API was prohibited), most likely you will be approved. However, if there ever be a version of the API that supports OAuth, please, migrate as soon as possible.
Caveats
You mentioned creating a login form in CardService - please, be aware that there are no "password"-style TextInputs, so all characters will be visible all the time + there isn't, as of yet, any support for input event, so you won't be able to emulate the behaviour easily.
If you are planning on storing the credentials, try to avoid using PropertiesService - it isn't considered a secure storage (though if credentials are to be entered only once, storing the token should be fine).
You will still be asked to implement the authorizationCheckFunction.
I am making an addon (sidebar addon to Google Calendar) and the addon needs to call an API hosted behind a Google IAP (Identity Aware Proxy). IAP requires an openid token, and the id token needs to be granted from Google's OAuth2 service by using the audience parameter. I can get this working by including this oauth2 library, however the user has to login twice. First to the addon, and second to the IAP service. Since both logins are to Google, and with the same user, it seems possible for them to only need to login once. The ScriptApp service in apps script has a function getIdentityToken(), but that token doesn't work with IAP because it didn't use the audience parameter while generating the token. Does anyone know of a way to call IAP with a token derived from ScriptApp so that the user doesn't have to login twice? Without direct access to the refresh token, I wouldn't be able to create an id token with the audience parameter myself.
This is currently not possible. You, as a user, will have to undergo two different OAuth authentication flows in order to be able to use IAP within your application.
This is, as you properly described, due to the Add-on current authentication flow (which does not allow you to include the "audience" parameter) and the inability to retrieve the refresh token from the current session.
If you are interested in the possibility of being able to include your IAP as part of the Add-on authentication flow, I suggest you submit a feature request to Google's Public Issue Tracker (https://issuetracker.google.com/issues).
I need this for a Metro Style app, which can't use Passive authentication, and doesn't have WIF.
So far I've managed to get a SAML token from ADFS 2.0.
I now need to send this token to login.MicrosoftOnline.com, which will return me an SWT token to give to [mysite].sharepoint.com, which will give me cookies to include with REST requests.
ADFS 2.0 and login.MicrosoftOnline both talk WS-Trust. I've found many samples on the web that shows how to send the token request to MicrosoftOnline, but they all rely on sending the username and password along. In this case, however, MicrosoftOnline doesn't have permission to authenticate the password directly. My only option is to give it the SAML token.
The username and password I'm using works fine when using passive authentication, so the credentials is not the problem.
Samples can be in any language (except klingon), but .Net is preferred.
A bit late, I did not see your question until today. I did manage to send a saml token to Sharepoint online with this code (using usr/pwd): http://sharepointwinrt.codeplex.com/
Maybe it will give a starting point for you.
Cheers,
Juanma