Microsoft Identity Platform - identity

I have two web apps that need to be SSO enabled. How do I do that in Microsoft Identity platform?. Is there a way to generate two access and refresh token from MSAL and then give access to the API's in Azure AD?

Start by reading through the documentation for Microsoft identity platform and then try some of the samples. Here is a link to the web app samples which will sign-in users but also have incremental tutorials to call Microsoft Graph or your own web api.

Related

Exchange app permission is removed from Azure Portal

As per the MS forum https://techcommunity.microsoft.com/t5/exchange-team-blog/outlook-rest-api-beta-and-outlook-rest-api-v2-0-deprecation/ba-p/1898162, Exchange app permission "full_access_as_app" has been removed from the Azure portal. We are using this permission to access\fetch MSTeams data via Exchange Web Service API. We are planning to switch to Graph API from EWS but on Graph API, the chat list API not being supported, we could not switch to it.
That permission being removed - will it impact our existing app? I mean, our Azure Portal App uses this permission and our customers have already granted the consents so will that change impact our customer? Is there any timeline when that Exchange permission will be deprecated or will stop working? Is there any other alternative to this permission as a workaround?
The main reason for asking this question is: just recently MS has deprecated Basic Authentication to EWS so we switched to Modern Authentication (Oauth 2.0) to connect EWS where we had to use that Exchange app permission "full_access_as_app".
Now, that permission is not available for the newly created Azure App. Is this a move towards moving away from EWS and switching to Graph API?
The permissions are still available for new apps (even in the Azure portal if you go though API my organization uses and select "Office365 Exchange Online"). Also in the documentation link in that article https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth they give a manual way of doing this through the manifest.
Now, that permission is not available for the newly created Azure App. Is this a move towards moving away from EWS and switching to Graph API?
Microsoft have been encouraging this move for quite a while (years) but no announcement have been made about the depreciation of EWS and given that for a lot of things (Migrations etc) there is no alternative in the Graph yet it won't be in the near future. And if it does eventually happen you should get at least a year or more notice. That said if you can use the Graph API you should be looking to move to it.

GCP project created by an app authorized by me, but I do not have access to it?

I'm developing some automation/integration between a CRM software and my google account. I am attempting to use the Google Apps Script API so I can remotely execute functions in Google Apps Script through the integration I'm building from within the CRM software.
The only problem is, when attempting to run a function which calls a GAS function through the API, I get the following error:
"Apps Script API has not been used in project project number before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/script.googleapis.com/overview?project=103424032563 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry."
This would normally be no problem, as I would simply access the GCP portal through the link and enable the GAS API, but when I try to access my project, I don't have access at all, and get the "failed to load data" error.
Further complicating my issue, GCP support will not help because they suspect I am a hacker trying to obtain access to a project that, for all they know, isn't mine.
And because I cannot access this project to authorize the API, I also cannot associate my google script with the same project, as this is a requirement for the Google Apps Script API to function.
I suspect it's the CRM software piece in which I'm developing this integration that is causing this error, (somehow the GCP project is being created by a different user,) but they haven't been all that helpful in determining what's going on.
Have any of you had a similar situation? And, if so, how did you approach solving it?
Further complicating my issue, GCP support will not help because they
suspect I am a hacker trying to obtain access to a project that, for
all they know, isn't mine.
Google Support does not refuse to help. They don't accuse you of being a hacker. Google Support can look at the project and see if you have credentials in the project and if you do they can explain how to authorize yourself. However, Google Support requires a support agreement, which is not free. If you do not have one, then you are not entitled to technical support only billing support. Look up your billing account ID and send a request for billing support. Your billing account will also show you which projects are linked to your billing account.
The issue is that you are trying to access the wrong Project ID. Figure out what is the correct Project ID. If you have the Cloud SDK installed execute this command gcloud projects list and this will tell you which projects your credentials have access to.

How to use Google Identity Toolkit to connect to Google Drive API?

I want to use Google Identity Toolkit to sign up and authenticate my users. In another part of my app, I want to use the Google Drive API to allow users to choose media files to link with their profile.
Will setting up GITKit make it easier to use the Drive API? Can I share credentials (i.e. API key) between the two services? Are they totally separate? I'm pretty confused so any help would be appreciated.
First of all, please consider to use Firebase Authentication, which is the new version of Google Identity Toolkit.
In both Firebase Authentication SDK and Google Identity Toolkit SDK, your app can specify the Google Drive scope when initializing the Google provider. In this way, once the end users sign into your app with Google, your app can get the Google oauth2 access token that has the permission for the Google Drive scope. Your app can call Google Driver API with that access token, without prompting the user.

Is it possible to determine user profile using Chrome Extension API?

Is it possible to determine which user profile is logged in Chrome from my custom extension using Chrome API?
Thanks!
There is no Chrome-API for that, the best (any only) way is to use oAuth:
https://developers.google.com/accounts/docs/OAuth2
UPDATE:
Yesterday Google has published news about the Identity API at the Chromium blog.
The Identity API may only work with packaged Apps!
Identity API
The Identity API allows packaged apps to authenticate users securely
using OAuth 2.0 without the user having to provide a username and
password directly to the app. The Identity API supports authentication
using Google Accounts as well as third party providers such as GitHub
and Foursquare.
The Identity API also gives packaged apps secure access to Google APIs
such as Google+, Calendar and Drive. As an example, Google Keep uses
the Identity API to authenticate users as well as to call the Google
Drive API to save notes to Drive. The Identity API uses a webview
based UI to show the OAuth consent dialog and when the Google+ API
scope is used, it allows users to control who can see their activity
on the app.
Source: http://blog.chromium.org/2013/07/richer-access-to-google-services-and.html
Documentation at developer.chrome.com: https://developer.chrome.com/trunk/apps/app_identity.html
If it's possible to do so, consider writing a Chrome packaged app instead. The Identity API will give you the information you need.

Lotus Notes integration with a Java Portal Platform

I am using a Java based Portal Platform. I need to show within my portal information stored in Lotus Notes. Considering security issues, what are the recommended ways to do this?
Are there any open source JSR 168 portlets out there that integrate with Lotus Notes?
From my portal platform, I can call web services to get this information. Is this recommended? If so where can I find information about web service APIĀ“s available for Lotus Notes?
Are there any java components that I can install on my portal platform that will make available a java API to access Lotus Notes information?
You have two main options.
First you can talk to Domino (Notes is the client, Domino is the server) directly using the CORBA java interface over IIOP. This will give you full access to the Domino object model and allow you to write the code to do whatever it is you need to do in your java platform.
Secondly you could go over web services. This will be much easier to set up, but you will have to deploy code for what ever it is you want to do on the Domino server. In ND7 and up Domino will build all the web service elements for you from a WSDL or method stub.
From a security point of view, the user connecting to the service will need to be authenticated with Domino. This could be a system account or the actual user if you can proxy the login through.
Another angle I've seen is to just proxy HTTP calls through the portlet to Domino.
Assuming you have SSO setup between portal and domino the simplest solution is to use the Notes View Portlet included with portal. If you need to show the data in a more customized format then I would suggest to use portlet factory. If neither of the previous work for you then you should be able to develop a custom portet using RAD and the notes java api.