Posting to /agreements/{agreementId}/views always results in PERMISSION_DENIED - adobe-sign

This is v6 of the REST API.
This is the same auth token that created the agreement in the first place, not even a minute after creating the agreement. Said auth token has a scope of "agreement_read agreement_write webhook_read webhook_retention webhook_write".
I'm on a developer account, if that matters.

Related

EWS OAuth using personal outlook account meet error: The provided resource value for the input parameter 'scope' is not valid

These are the app's API permissions:
[screenshot: api permission]
This is the OAuth 2.0 authorize URL:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=6cd61515-b6d8-486e-b729-8b2243f85e6d&scope=https%3A%2F%2Foutlook.office365.com%2FEWS.AccessAsUser.All&redirect_uri=https%3A%2F%2Foauth.pstmn.io%2Fv1%2Fbrowser-callback
I can get a token using my work account.
[screenshot: work account]
I cannot get a token using my personal account.
[screenshot: personal account]
Does anybody know why?
According to the answer in Microsoft Q&A, personal accounts are no longer supported by EWS, so the scope is invalid.

Design Automation API - Token Refresh

I am trying to access a Forge API endpoint using a 2-legged authentication token, but at a certain point my token becomes invalid or expired. Is there any option to refresh the token or increase its expiry time in the 2-legged authentication process?
For 2-legged tokens, once they expire, you have no choice but to request another one. That being said, I think this will be managed for you if you use one of the forge/design-automation SDKs.

Use Id Token from ScriptService to make API calls to IAP (Identity Aware Proxy)

I am making an addon (sidebar addon to Google Calendar) and the addon needs to call an API hosted behind a Google IAP (Identity Aware Proxy). IAP requires an openid token, and the id token needs to be granted from Google's OAuth2 service by using the audience parameter. I can get this working by including this oauth2 library, however the user has to log in twice: first to the addon, and second to the IAP service. Since both logins are to Google, and with the same user, it seems possible for them to only need to log in once. The ScriptApp service in Apps Script has a function getIdentityToken(), but that token doesn't work with IAP because it didn't use the audience parameter while generating the token. Does anyone know of a way to call IAP with a token derived from ScriptApp so that the user doesn't have to log in twice? Without direct access to the refresh token, I wouldn't be able to create an id token with the audience parameter myself.
This is currently not possible. You, as a user, will have to undergo two different OAuth authentication flows in order to be able to use IAP within your application.
This is, as you properly described, due to the Add-on's current authentication flow (which does not allow you to include the "audience" parameter) and the inability to retrieve the refresh token from the current session.
If you are interested in the possibility of being able to include your IAP as part of the Add-on authentication flow, I suggest you submit a feature request to Google's Public Issue Tracker (https://issuetracker.google.com/issues).

How to refresh an OAuth token before calling the Execution API?

I am calling the Apps Script Execution API from my web app. I am getting ScriptApp.getOauthToken() and storing it inside a sheet. When I open my web app, I get the stored access token and call the Execution API with it.
But the problem is that after some time the token expires and it says
authorization is required
when I call the Execution API.
Is there any way to keep the access token alive or refresh it whenever needed?
I. You cannot and you should not. At least not natively
There is no native Google Apps Script service method for obtaining and exchanging a refresh token (and you would need one if you want to refresh an expired OAuth 2.0 token) for a bearer token. That said, there is no practical reason for storing the short-lived token obtained via the getOauthToken method: if a user authorized your application, you can request a token on the fly each time you need to make a request.
II. If you still want to, use a library
There is an officially endorsed library for Google Apps Script that manages OAuth 2.0 flow for you. When using it, you can obtain a refresh token if you set the offline access to true when issuing the token.
III. If you really want to DIY, you can always make your own flow
It is possible to perform a complete OAuth 2.0 flow (both with and without user interaction) by using only the native tools by building a custom JWT token and exchanging it with Google Identity Platform endpoints. But that means you will have to manage everything:
1. Build the custom JWT header and payload, then base64url-encode them, sign with an appropriate signature and concatenate into a token.
2. Exchange the custom JWT for a short-lived bearer token, validate it and extract the expiration time, then persist the token.
3. Each time you get the token from storage, check the expiration time, and reissue the token using the procedure in points 1-2.
4. Handle token revocation (note that you will not be able to invalidate it from Google's servers, only in your application).
And many more caveats along the way.
Note that the token cannot be "kept alive"; it goes against the idea behind the OAuth protocol: the shorter the lifespan of an individual token, the better the security of your application.
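The steps in part III, sketched for Node.js as an added example (not code from the answer, from Apps Script or from Google). `buildAssertion`, `verifyAssertion`, `TokenCache` and the injected `exchange` callback are hypothetical names, and the HTTP call to the token endpoint is left to the caller so the block runs offline.

```javascript
// Added example for Node.js; key, claims and exchange function come from the caller.
const nodeCrypto = require('node:crypto');

const b64url = (text) => Buffer.from(text).toString('base64url');

// Step 1: base64url-encode header and payload, sign with RS256, concatenate.
function buildAssertion(privateKey, { iss, scope, aud }, nowSec, lifetimeSec = 3600) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ iss, scope, aud, iat: nowSec, exp: nowSec + lifetimeSec }));
  const signingInput = `${header}.${payload}`;
  const signature = nodeCrypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Signature check over "header.payload", the same check a token endpoint performs.
function verifyAssertion(jwt, publicKey) {
  const [header, payload, signature] = jwt.split('.');
  return nodeCrypto.verify('RSA-SHA256', Buffer.from(`${header}.${payload}`),
    publicKey, Buffer.from(signature || '', 'base64url'));
}

// Steps 2-4: keep the bearer token with its expiry, reissue shortly before it
// expires, and "revoke" by forgetting it locally (storage here is in memory).
class TokenCache {
  constructor(exchange, makeAssertion, skewSec = 60) {
    this.exchange = exchange;           // async (assertion) => { access_token, expires_in }
    this.makeAssertion = makeAssertion; // (nowSec) => signed JWT
    this.skewSec = skewSec;             // reissue this many seconds before expiry
    this.entry = null;
  }
  async get(nowSec) {
    if (this.entry && nowSec < this.entry.expiresAt - this.skewSec) return this.entry.token;
    const res = await this.exchange(this.makeAssertion(nowSec));
    if (!res || typeof res.access_token !== 'string' || !(res.expires_in > 0)) {
      throw new Error('token endpoint returned an unusable response');
    }
    this.entry = { token: res.access_token, expiresAt: nowSec + res.expires_in };
    return this.entry.token;
  }
  revoke() { this.entry = null; }
}
```

Passing the clock in as `nowSec` keeps the expiry logic testable; in production the caller supplies `Math.floor(Date.now() / 1000)` and an `exchange` that posts the assertion to the provider's token endpoint.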

OAuth2 with no UI?

I'm in the middle of developing an application that integrates Box with an identity management environment for the purposes of SSO and user lifecycle management. Basically, our users use SAML to sign into their Box accounts, and then the status of their Box accounts is managed based on the status of their corporate accounts - if we terminate a user, the user's Box account needs to get disabled. This is one of many use cases that were in progress before the OAuth2 change.
Prior to the OAuth2 change, I was able to authenticate my enterprise admin account with the api_key and auth_token. This worked very well.
Now, with OAuth2, I'm not sure how to proceed. There is no UI for this at all, and I have no place to handle a redirect for the authorization token. Moreover, this is a nightly process that runs using the enterprise admin account, so I would have to get a new refresh token and bearer token every time this runs.
This doesn't make a lot of sense for my use case. Is there an alternative?
I am busy writing the same code with the same frustration as you have. However, the refresh token does live for 14 days, and what I plan to do is store the returned values encrypted in the registry. Each run, my first action is to refresh the bearer key.
There is, however, no current timeline on the phasing out of the V1 Auth method, and since some of the Enterprise stuff is yet to be ported to API V2, I suspect that if enough Enterprises push the BOX API team for a solution on this, I am sure they will listen.
If I am honest, I prefer the OAuth2 solution, as it stops the key to your whole Enterprise data being sent in clear text across the internet as a URL param in API V1, and if someone did manage to break the SSL, they only get an access token that is worth 60 mins max.
Not sure what language you're writing the routines in, but I am working with the API V2 SDK written by John Hoerr on GitHub, and apart from a few little issues that he has fixed straight away, from a .Net perspective it makes hitting the API a much more pleasant experience, with all the de/serialisation handled by the SDK.