We have a web page using microsoft single sign on. When we redirect the user to login to our application, we send them to :
https://login.microsoftonline.com/common/oauth2/authorize?scope=user.read&response_type=code&client_id=a5342222-a222-222d-87c3-222222222222&redirect_uri=${ourappurl}/office365handler
We want to be able to access the user's proxyAddresses (their alias emails) as often users are not using their upn to receive emails. When the user logs in, we are unable to call
https://graph.microsoft.com/v1.0/me?$select=proxyAddresses
as we get Access Denied.
Do we need to redirect the user to login.microsoftonline.com with additional scopes? If so, which scope do we need? We've gone over the docs but can't find anything relevant.
Thanks!
• As you are encountering ‘Access denied’ Status code 400 message after running the query in Microsoft Graph Explorer while retrieving the details of proxy addresses of the signed in users, you have not provided appropriate permissions to Microsoft Graph API for accessing and reading the users data in your tenant. To do so, please provide the below permissions to Microsoft Graph API and Explorer application and ensure that Admin consent is allowed for each permission requested below: -
Go to Azure AD in your tenant --> Enterprise Applications --> Graph Explorer --> Permissions --> In that, search for the below permissions and select them, please select these permissions under ‘admin consent’ tab as below: -
‘ Directory.AccessAsUser.All, Directory.ReadWrite.All, User.Read, User.ReadBasic.All, User.ReadWrite, User.ReadWrite.All’(These permissions are required at least to read users’ data in Azure AD)
Once, these permissions are granted, you will be able to run the graph query and gain the output correctly. Also, please find the below graph query to read any users’ proxy addresses through graph explorer.
' https://graph.microsoft.com/v1.0/users/user#domain.com?$select=proxyaddresses '
Can't login using Google Auth,
Error 403: org_internal
This client is restricted to users within its organization.
Go to cloud console (https://console.cloud.google.com/apis/)
APIs and services
Credentials
Oath consent screen
Ensure Application type is set to "public" and not internal.
Obviously assuming that you are creating an app that should be accessible outside your org. If this is related to testing and phones, it is possible to create testusers that are excepted from company policy rules.
The reason for this error is indeed because the Application type is set to "internal".
But setting it to public is not always the right answer...
Add "&prompt=select_account" to the authentication url. This will force the user to select the correct (organization-)account.
Without the parameter, Google tries to show the consent screen for the logged in Google-account, but as it is not an organization-account it will just display the 403 page without giving the user this choice.
https://developers.google.com/identity/protocols/OpenIDConnect#prompt
I had an Internal app that I was trying to authenticate with one of our YouTube channels using an organization account, and I was getting the same error:
Authorization Error
Error 403: org_internal
This client is restricted to users within its organization.
After contacting Google Workspace Support, they asked me to Change the restriction on it from Limited to Trusted.
Steps are mentioned in this support thread: https://support.google.com/a/answer/7281227
Open the Google Admin Console.
From the sidebar menu, choose: Security → API Controls.
Click on MANAGE THIRD-PARTY APP ACCESS button.
Hover the cursor over the required app and click on Change access.
Choose the option: Trusted: Can access all Google services
And save the CHANGE.
Once you've done, take note that there will be 24 hours of propagation on it before it gradually takes effect.
Make sure, for the browser you are using, that you have logged out of "All" Google account(s). This should force the "select account" windows to display.
We have almost exactly the same problem while trying to configure WP Mail SMTP for Wordpress.
The OAuth Client's Application Type has to be "Internal" so changing it to "External" was not an option for us.
Hope this helps.
I had the same issue and in my case was because the project didn't had a support email address set it.
I fix it by adding one on the Firebase Console > Project Settings > General under the Public settings section.
This error is most likely due to the configuration of your application in Google Cloud Platform.
Setting your application to "internal" is causing this error. Try making your app "external" in the OAuth consent screen, but make sure it is in a "testing" status. Then, add yourself to the test users. This configuration will work well for an internal, lightweight application.
Once complete, try to authenticate with the channel again.
I had the same issue with a project. The error only appeared if I tried to log in to my app while already logged in with an account outside the organization (worked just fine while logged out of all accounts, or while logged in with an internal organization account). I had to change the OAuth Client's Application Type from Internal to Public in the Google Dev Console.
More info can be found at https://support.google.com/cloud/answer/6158849?hl=en
Maybe you have another google email to login, not the correct one.
I'm not able to publish a package for an authenticated user by using the username:password as an API key, as long the anonymous user does not have at least the "Feeds_ViewFeed" right.
But I don't want to have my packages visible for anonymous users. But I need to publish packages by an authenticated user.
Tested with the following configuration
ProGet is hosted by the windows service
Anonymous has no rights assigned
If I try to push a package I get the following error:
Pushing xxx to 'xxx'...
Please provide credentials for: xxx UserName:
Cannot prompt for input in non-interactive mode.
Tried as well to give the anonymous user the "Feeds_AddPackage" right and protect the feed by an API key. Doesn't work either without the "Feeds_ViewFeed" assigned to anonymous. As soon as "Feeds_ViewFeed" is assigned pushing with an API key works as well.
Is this by design, configuration error or a bug?
Any advice?
Product: ProGet
Version: 3.5.5
In my site administrator can view list all other online users.
Administrator can also disable any account from that list.
Everything was going fine so far. But now I decided to log out the user which is being disabled. How can I do a log out operation for a particular user from the above specified online user list?
NOTE: I'm using default membership schema for my SQL Server database.
You cannot logout a user from outside of their session. See Programatically logout an ASP.NET user for a possible workaround.
is there a way to get the list of currently listed developers on a face book connect application i want to use this to validate if a user is authorized to sublmit new contenet and create events through the connect website or do i need to couple this with a forms authorization account to handle permissions
or is there a better way over all to handle this
To check if a user is a developer of some specific app you can run such FQL:
select application_id from developer where developer_id=me() and application_id=<APP_ID>
To check if a user granted your app some specific permission you can use this FQL (not sure if this would be helpful in your case though):
select uid from permissions where uid=me() and <PERMISSION_NAME>=1
where <PERMISSION_NAME> is one of these.