How to subscribe to Microsoft Graph change notifications in a separate ASP.NET endpoint using SDK - asp.net

I have 2 ASP.NET Core sites:
1. allow multiple users to sign in to the Microsoft Identity platform then cache their tokens in SQL Server
2. load the tokens to subscribe and receive Microsoft Graph change notifications, e.g. subscribe to calendar event changes in the default calendar of each signed in user.
Microsoft has a sample project that sorted out my token caching/loading need: Accessing the logged-in user's token cache from background apps, APIs and services.
For Microsoft Graph change notification, there is a REST API, but I'd like to know if there is a way to subscribe in the Microsoft Graph SDK.
The sample project shows a way to use ConfidentialClientApplication to load the token, this is fine as long as I stick to the REST API by attaching the bearer token in the header. However, I'd like to use the SDK so that I don't have to recreate all the classes to deserialize the response, plus all sorts of other data I need to get from Microsoft Graph after receiving the notification.

Microsoft officially has a user-use Microsoft Graph client library for .NET (SDK), which is used to call Microsoft Graph. You can refer to this official document.
https://learn.microsoft.com/en-us/samples/microsoftgraph/aspnetcore-webhooks-sample/microsoft-graph-change-notifications-sample-for-aspnet-core/

Related

Prevent front-end generated email sign-in links when generating and sending these via backend

I am using firebase admin sdk on the server to generate sign in links and send them out via custom SMTP api.
I just glanced at https://firebase.google.com/docs/auth/limits and I am well within these, but I believe there is nothing stopping a malicious third party from creating/requesting sign-in links via front end code. Is there a possibility to disable this functionality so it is only available to admin acc?
Additionally, I'd like some emails (i.e. multi factor enrolment) to not be possible, but again, given that someone can obtain some of my firebase front end details, they technically can send these?
You can restrict the API key from accessing an API (e.g. Identity Toolkit) but not disable a single method of the API for the client. Sign up and delete user can be (that requires upgrading to Identity Platform).
Firebase generates an API key when you add a web app. You can either update that or create a new key from API Credentials console.
You can then restrict what the API key in Firebase web config has access to:
However, Firebase Auth Client SDK will not work as Identity Toolkit is not selected. You'll have to proxy the requests through your backend and use a different key that can be used from your server's IP only.
Firebase Admin SDK will still be functional as usual so you can use that to perform other operations like updating/deleting users. You'll just have to write APIs on your backend for what could have been done using client SDK directly (or use Admin SDK when possible).
It might be a lot to update and I would not recommend unless you are facing rate limiting issues where Firebase Support should be able to help.

Firebase authentication flow for backend

So I started a test project with Golang in which I explore different technologies, and got into Google Firebase as an authentication provider for users. I implemented the flow for registering users, which requires user/password. After that I wanted to do login (backend only, via REST API); it turns out you can't, since to verify a user by user/password you need the Google SDK, which works with iOS, Android, Web, C++ and Unity. The only workaround I could do is get the user by ID, which I saved in my DB, then issue a custom token, which then needs to be verified by the method
signInWithCustomToken
but this is not implemented in the Golang lib; you need to call the REST API for this
https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=[API KEY]
but there is a function for that in JS. So if I only want to do the whole service in the backend, it seems I can't do authentication with Google Firebase.
How should this whole flow look when implementing only a backend service?

Web Push without Firebase Cloud registration?

On this page they explain Web Push with Service Workers stating
"Chrome currently uses Firebase Cloud Messaging (FCM) as its push service. FCM recently adopted the Web Push protocol." and then explaining Firebase and so on...
Since the Service Worker gives me a unique endpoint and a pubkey, it seems to me that technically it should be possible to use that endpoint directly, without anything additional, unless Google deliberately forces a registration.
I mean, just send a POST request to that endpoint, sending just the notification data encrypted/authenticated using the pubkey without any "VAPID".
Do I absolutely need a Firebase account or is it possible to access the endpoint directly (without additional registration) if I just want to send a notification to a single device?
It's 2021 and all major browsers implement a push service and support VAPID now. You use a web push library (JavaScript, Python, C#, ...) of choice.
There is no need to register anywhere.
The technical mechanism in short is this:
You generate two VAPID keys once using the push library. One key is private and one is public.
The public key is used in the javascript as "application server key" when subscribing to the push service of the browser.
If the subscription is successful you receive a subscription object from the browser containing an endpoint and two additional keys.
The endpoint is an address depending on the web browser / manufacturer and the service it is currently using. The endpoints look like (Oct 2021) e.g.
Google Chrome h_tt_ps://fcm.googleapis.com/fcm/send/cz9gl....., Microsoft Edge h_tt_ps://wns2-par02p.notify.windows.com/w/?toke....., Mozilla Firefox h_tt_ps://updates.push.services.mozilla.com/wpush/v2/gAAAAABhaUA....
If your server program has this information (endpoint and keys from subscription object) it can send a push message to the endpoint with the push library. The corresponding service in the web, hosted by the manufacturer sends this to the browser's service on the device.
There is the Push API, which shall be used.
But it isn't supported by every browser at the moment.
You can find nice examples in the Service Worker Cookbook of Mozilla
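
The VAPID part of the mechanism described in the answers above, as an added example that is not part of the original posts: it generates the key pair, builds the signed `Authorization` header defined in RFC 8292, and verifies it the way a push service would. The function names are hypothetical, any endpoint or `mailto:` subject passed in is a value you supply, and the payload encryption that a web push library also performs is left out.

```javascript
// Added example: VAPID key pair and signed Authorization header (RFC 8292),
// using only Node's built-in crypto. All names and sample values are hypothetical.
const crypto = require('node:crypto');
const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Generate the VAPID key pair once (ECDSA on P-256).
function generateVapidKeys() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  // The browser takes the public key as a 65-byte uncompressed point (0x04 || X || Y).
  const { x, y } = publicKey.export({ format: 'jwk' });
  const raw = Buffer.concat(
    [Buffer.from([4]), Buffer.from(x, 'base64url'), Buffer.from(y, 'base64url')]);
  return { privateKey, applicationServerKey: b64url(raw) };
}

// Sign a short-lived JWT bound to the origin of the subscription endpoint.
function vapidAuthHeader(endpoint, keys, subject, now = Date.now()) {
  const claims = {
    aud: new URL(endpoint).origin,            // token is useless at any other push service
    exp: Math.floor(now / 1000) + 12 * 3600,  // RFC 8292 caps this at 24 hours ahead
    sub: subject,                             // contact for the push service operator
  };
  const input = b64url(JSON.stringify({ typ: 'JWT', alg: 'ES256' })) + '.' +
    b64url(JSON.stringify(claims));
  // ES256 in JWS is the raw r||s pair, not OpenSSL's default DER encoding.
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: keys.privateKey, dsaEncoding: 'ieee-p1363' });
  return `vapid t=${input}.${b64url(sig)}, k=${keys.applicationServerKey}`;
}

// The checks a push service applies: signature under k, audience, expiry.
function verifyVapidHeader(value, expectedOrigin, now = Date.now()) {
  const m = /^vapid t=([^.,]+)\.([^.,]+)\.([^.,]+), k=([\w-]+)$/.exec(value);
  if (!m) return false;
  const [, head, body, sig, k] = m;
  const raw = Buffer.from(k, 'base64url');
  if (raw.length !== 65 || raw[0] !== 4) return false;
  const pub = crypto.createPublicKey({ format: 'jwk', key: { kty: 'EC', crv: 'P-256',
    x: b64url(raw.subarray(1, 33)), y: b64url(raw.subarray(33)) } });
  const valid = crypto.verify('sha256', Buffer.from(`${head}.${body}`),
    { key: pub, dsaEncoding: 'ieee-p1363' }, Buffer.from(sig, 'base64url'));
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  return valid && claims.aud === expectedOrigin && claims.exp * 1000 > now;
}
```

Because `aud` is the endpoint's origin and `exp` is short, a captured header cannot be replayed against another push service or after it expires; only the private key, which never leaves the server, can mint a new one.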

Cloud Endpoints: Control who can execute API through API Explorer

Everyone who successfully authenticates through Google account would be able to execute the API through the API Explorer.
I would like to limit the ability to execute the API through API Explorer only to some users. But at the same time have the API accessible for all users of my Android and iOS apps.
Security in the case of at least Android App is facilitated through the Android Client Id and SHA fingerprint. So, the scope here is to NOT include the App access security.
Identify that the request is coming through the API explorer. One way is through the origin/referrer in the headers. For obtaining header information see this question.
And,
If the list of users is known, in the endpoints method raise endpoints.UnauthorizedException if the user (endpoints.get_current_user()) is not in the list.
Python sample code:
# Reject API Explorer requests from users who are not on the allow list
if self.request_state.headers.get('x-referer') == "https://apis-explorer.appspot.com" and endpoints.get_current_user() not in MY_LIST:
    raise endpoints.UnauthorizedException('Not Authorized')

QuickBooks integration with ASP.NET

Please provide some link or demo code for QuickBooks integration with ASP.NET.
I have App Token, OAuth Consumer Key, OAuth Consumer Secret.
You can get the developer documentation here https://developer.intuit.com/app/developer/homepage
First you need to sign up as a developer and then have to create an app in the developer's dashboard: https://developer.intuit.com/app/developer/dashboard.
After creating an app you can get your client id and client secret in the app setting screen. Also you will find the SDK or similar code for your technology stack.
Here is a list of API endpoints from where you can fetch and post the data:
https://developer.intuit.com/app/developer/qbo/docs/api/accounting/most-commonly-used/account
