AADSTS65001: The user has not consented to the requested scope - javascript

I'm trying to use the adal.js experimental libraries to authenticate a user and obtain an accessToken for their Office 365 Calendar.
My web page uses implicit flow and JS implementation (not the adal-angular.js libraries).
I have passed in the scope of https://outlook.office.com/Calendars.Read. This prompts the user for consent.
Once accepted, the libraries return the id_token to the web page, I then have a button which invokes the AuthenticationContext.acquireTokenSilent function which makes the call to obtain an accessToken.
This call results in the error:
"AADSTS65001: The user has not consented to the requested scope."
I'm a bit lost at this point, i've tried to pass in other scopes which also result in the same error. I've inspected all of the calls to the oauth endpoints (mentioned here).
Is this a limitation of the v2 App Model? Or is their something missing here? I know that it mentions that implicit flow in a limitation of the v2 model, however the previously mentioned article seems to contradict that.

I have encountered the exact error message by using ADAL to authenticate Office 365 graph API, and I successfully resolved it by re-installing my Chrome. Basically using ADAL.js in a non SPA web solution would not work, because the recommended authentication flow for web application is authentication code flow. The key point is not to use IE. The below example contains the reasons which I referred: https://github.com/OfficeDev/O365-JQuery-CORS

Related

How to authorise a web app written in plain Javascript to talk to Google AutoML Prediction Model Restful API?

There seems to be a lot of documentation lying around everywhere about how to use Google Cloud Platform and its fancy AutoML service. But I couldn't find anything that is solving my problem of trying to get a prediction from a trained model on AutoML via a local website. The website code is in this link: https://pastebin.com/xsfkYf6C
All I get in return from uploading an image and clicking "process" button on this site is:
{
"error": {
"code": 401,
"message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
I surely have made some mistakes somewhere, but I'm completely clueless as to how I would fix this or maybe because I'm just too dumb to figure it out yet. My research has yielded none to very little results. This article might be of some help to clear things up about AutoML Restful API: https://cloud.google.com/vision/automl/docs/reference/rest/v1beta1/projects.locations.models/predict
Appreciate any of your suggestions and code fixes.
Thanks so much and have a great day!
You need to pass your api key to REST API call like this:
https://automl.googleapis.com/v1beta1/projects/a...1/locations/us-central1/models/ICN...1:predict?key=API_KEY
To create an API key you need a Google Cloud account since it's only free up to a certain point and then you will get charged for.
Therefore you should secure this key and make sure it is not visible publicly(so don't put in your html source code, backend should handle this call).
More details here
The error could mean that you are using an API Key or the token you provided is wrong/malformed. I think that creating a token using Playground, ServerSide, Javascript, etc. will fail due to there are not OAuth2.0 scopes for AutoML, maybe because is still in beta release.
Keeping in mind that a token generated from gcloud it works, I can suggest generating programmatically a token impersonating a service account to generate the token, this example contains all the pieces of the puzzle. This means that your user could generate a service account token on behalf of your service
Points to consider when executing the code:
Enable the Identity and Access Management (IAM) API.
Update the code according to your own configuration, project and json file.
Use the generic scope: https://www.googleapis.com/auth/cloud-platform as the jwt_scope.
IMPORTANT: The python code it is using urllib and httplib, which means that it could be translated to a POST requests with some extra effort (to be used in your javascript)
Let us know if it works for your specific use case!

Authenticate with Google on the web (javascript), consume on the server (.NET)

We have a web server using Google Sign-In to authenticater and authorize for API access (Classroom). We need the sign-in part, so we're using init() and signIn(). We cannot use authorise(). Also, we're not signin in with particular scopes, as we just need identify for normal usage.
The logged-in user can enable a feature that requires offline access on behalf of his/her account to the Google Classrom API. We call grantOfflineAccess() with two scopes related to Classroom to get an authentication code, which is stored for later.
On the server side, we have a gRPC service that doesn't expose any web front-end. We're using C#/.NET with the Google API Client libraries.
I implemented an IDataStore that can respond to TokenResponse requests by either calling AuthorizationCodeFlow.ExchangeCodeForTokenAsync with the above code, or return the last TokenResponse stored in the database. When (well, "if") IDataStore.StoreAsync is called with a new version (normally after a token refresh was required), it saves it again in the database.
My problem is that ExchangeCodeForTokenAsync returns me a TokenResponse without a refresh_token. This means the access_token is only valid for 60 minutes. I would need to intercept exceptions at the service call level to call ExchangeCodeForTokenAsync again (if that works!), instead of relying on the Google API Client Library handling refreshing automatically all nicely.
What could be preventing ExchangeCodeForTokenAsync from returning me a refresh_token?
Thanks.
Well, I found the answer in this other question.
The refresh_token is only provided on the first authorization from the user. Subsequent authorizations, such as the kind you make while testing an OAuth2 integration, will not return the refresh_token again. :)
I simply removed my app from my Google account's authorized apps, and my next ExchangeCodeForTokenAsync call returned me a refresh_token.

Invalid scope error when trying to access gmail api

400. That’s an error.
Error: invalid_scope
You don't have permission to access some scopes. Your project is trying to access scopes that need to go through the verification process. {invalid = [https:// mail.google.com/]} If you need to use one of these scopes, submit a verification request.
This is the error that I am getting when I flowed the tutorial in this link:
https://developers.google.com/gmail/api/quickstart/js
In the link they asked me to access webserver via python but I am using apache.
So in the step 1.f, Authorized JavaScript origins: am using the link http:// localhost instead of http:// localhost:8000. What might be causing the error??
You may refer with this thread.
As per the announcement on May 11, 2017, publicly available applications with access to certain user data must pass review. If you see an access error for your app, submit a request using our OAuth Developer Verification form.
For personal-use apps and those you are testing, join the Google group Risky Access Permissions By Unreviewed Apps, which allows you to approve data access for personal and testing accounts. See the Google API Services User Data Policy for more information.
This blog about how to fix this error might be also helpful.

Twitter API changes and client-side javascript

I have a browser extension (google chrome) that fetches and displays some public tweets, based on user input.
I've been using the Search API just fine, but according to the API changes, I have to migrate to API v1.1 where authenticated requests via oauth is required.
I have no previous experience with oauth, but it seems like a bad idea to implement it in pure client-side javascript, as the consumer key/secret will be exposed.
If I implement the authentication via a browser npapi/ppapi plugin, will it provide the needed security ? or does this mean that I have to dump this project and simply move on ?
Thanks.
You need to obtain an access token so that you can read data on behalf of your users. This involves implementing Twitter's 3-legged auth, which is very similar to implementing Twitter sign in (which thankfully is well documented).
The link below will take you to Twitter's overview of the differences between the two approaches to authenticating. From there you can get to the code samples that you'll need to implement this securely yourself.
https://dev.twitter.com/docs/auth/3-legged-authorization

Facebook JS SDK does not need app secret to authenticate : How secure is it?

When I use Facebook's JS SDK to authenticate my app (using FB.init method) all I need is my App ID. It does not require my app secret and/or app key.
However when I used PHP SDK, it required my app secret (atleast the example I used to learn used the app ID and app secret both).
Is it secure and recommended to use the JS SDK for authentication ? How really does the authentication flow happen with the JS SDK ?
Thanks,
Vineet
I'm looking into how secure the authentication is also - I think things have changed since you asked this q, so perhaps this information was not correct when you asked.
The new version of the JS SDK uses OAuth 2.0. This is well documented - check out the OAuth 2.0 site for details.
Regarding the issue of whether the SDK needs the app secret - I'm having a little bit of confusion relating to this. On the app server side, the libraries indicate that the JS SDK signs the cookies using the app secret (see the function get_user_from_cookie in the facebook-python sdk) - however, it's completely unclear to me how the JS SDK can know the app secret. I'm guessing that it can obtain it dynamically from FB when it talks to FB directly in the authentication process, but I'm not sure.
(Edit: I think that the JS SDK gets the cookie signed with the app secret directly from FB - the JS SDK never knows the app secret).
Not fully answering your q, but perhaps shedding a little more light on how this works.
Another issue to be wary of is not to use the FB user object you get from the client for anything on the server side. This is because it would be really easy for someone make a script which instead of calling fb.api '/me' would send a "fake" JSON user object with another users ID to your app. If you're doing any kind of server side processing of the user then you really need to do some kind of server side authentication as well I think.
It's NOT safe, this is why you have the "Verify Fields" and "Not Verifying the Signature" paragraphs in the Advanced Registration document:
When you request facebook data, we
verify the form fields before
packaging them up in the
signed_request. This lets you assume
that all the data is genuine and saves
you from having to verify things. The
one problem that could arise, is a
smart attacker could change the form
fields and submit them to you, thereby
giving you unverified data.
Read that document for more information, I've also wrote a tutorial (an introduction about the plugin) and showed how to handle the fields attribute coming from client-side.

Categories