Develop Reference

Forbidden error for Exchange Web Service request with Authorization Code Flow

The Exchange Web Service requests to https://outlook.office365.com/EWS/Exchange.asmx with the access token received by the OAuth 2.0 Authorization Code Flow results to a status code 403 Forbidden.
Steps:
Opening and authorizing the application with https://login.microsoftonline.com/common/oauth2/v2.0/authorize and the parameters:
Name parameter
Value
client_id
5fafd813-xxx
response_type
<redirect uri specified in azure>
respone_mode
query
scope
openid offline_access email https://outlook.office.com/Calendars.ReadWrite https://outlook.office.com/EWS.AccessAsUser.All
After authorization with my personal account, this redirects to the specified redirect uri with a code.
Generate a token via https://login.microsoftonline.com/common/oauth2/v2.0/token with the parameters:
Name parameter
Value
client_id
5fafd813-xxx
response_type
<redirect uri specified in azure>
respone_mode
query
scope
openid offline_access email <outlook url>/Calendars.ReadWrite <outlook url>/EWS.AccessAsUser.All
client_secret
6Mp8Q~4...RD
code
<code from the previous step>
This generates an access token and refresh token
Getting the Calendar Folder Id with a SOAP request by passing the received access token in Authorization: Bearer <access token>:
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope
xmlns:soap="xxx/soap/envelope/"
xmlns:t="xxx/exchange/services/2006/types"
xmlns:m="xxxx/006/messages">
<soap:Header>
<t:RequestServerVersion Version="Exchange2010_SP2" />
<t:MailboxCulture>en-US</t:MailboxCulture>
<t:TimeZoneContext>
<t:TimeZoneDefinition Id="Eastern Standard Time"/>
</t:TimeZoneContext>
<t:ExchangeImpersonation>
<t:ConnectingSID>
<t:PrimarySmtpAddress>xxx#hotmail.com</t:PrimarySmtpAddress>
</t:ConnectingSID>
</t:ExchangeImpersonation>
</soap:Header>
<soap:Body>
<GetFolder
xmlns="http://schemas.microsoft.com/exchange/services/2006/messages">
<FolderShape>
<t:BaseShape>IdOnly</t:BaseShape>
</FolderShape>
<FolderIds>
<t:DistinguishedFolderId Id="calendar">
</t:DistinguishedFolderId>
</FolderIds>
</GetFolder>
</soap:Body>
</soap:Envelope>
Unfortunately this results to 403 Forbidden
Is the scope of the authorization incorrect ? Is the SOAP request incorrect ?
Notes:
I tested the SOAP request without impersonation that changed nothing
I tested the SOAP request with the Client credentials flow and a private account onmicrosoft that worked correctly

Impossible to connect to SSO idp

I have a question. we have an app under symfony 5.4 which provide SAML connector via the OneloginSamlBundle bundle.
This app is installed is different customers.
Normally in majority of customers, when we connect to their idp, we have an answer like this :
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
...
<saml:Subject>
...
<saml:AttributeStatement>
<saml:Attribute Name="uid">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">john_doe</saml:AttributeValue>
</saml:Attribute>
and we are able to map the attribute uid with the username in our application
The problem is we have with a customer which use AD FS is the response is like this :
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ... >
<Subject>
<NameID>john_doe</NameID>
...
</Subject>
And as in the bundle we have this code to retrive the attibute, it doesn't work
$entries = $this->_queryAssertion('/saml:AttributeStatement/saml:Attribute');
Do you know if AD FS could be configured to send a response with <saml:Attribute> ?

I find the solution :
customer added a claim rule (https://help.blackboard.com/Learn/Administrator/SaaS/Authentication/Implement_Authentication/SAML_Authentication_Provider_Type/SAML_Setup_Guide_for_ADFS) with the good Attribute Name and even the xml message is without the saml: prefix, it worked

Apigee shared flow to validate token

I am using Apigee as gateway to our application. Several applications will hit Apigee and Apigee will in-turn route the request to backend servers. Every incoming request will have a JWT token.
I want Apigee to pass that token to a auth server and auth server will validate if the token is valid or not.
If token is invalid(if auth server return any status other then 200) , I want Apigee to return 403 error as response to request else pass the request to backend server.
How can I implement this kind of shared flow? Is it even possible with Apigee ? Is there any better way to achieve this?

You can do that.
Create a shared flow for Authentication/Authorization which includes ServiceCallout policy which will make a call to auth server.
Based on result for Unauthorized/Bad request you can raise a fault response with help of RaiseFault.
If the response is OK it will proceed smooth to backend.
Sample shared flow.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SharedFlowBundle revision="1" name="Auth">
<Policies>
<Policy>AssignVariableJwks</Policy> <!-- Assign Input values if needed via AssignMessage policy -->
<Policy>RequestAuthServer</Policy> <!-- Extrnal auth server call using ServiceCallout policy -->
<Policy>TokenNotFoundValidation</Policy> <!-- Validate response and raise fault if needed using RaiseFault policy -->
</Policies>
<Resources/>
<Spec/>
<subType>SharedFlow</subType>
<SharedFlows>
<SharedFlow>default</SharedFlow>
</SharedFlows>
</SharedFlowBundle>
For above shared flow create & attach required policies with logic and you're good to go.

JSON to Specific XML format convertion in Web API

I am going to build a Web API in ASP.Net Core,which Consist of Multiple external Api Calls.
My Api take the request and response as "JSON".But some External Api's only works with XML.Now,I am stuck with converting json to XML in an Api Scenario.More details as follows:
My Api Recieving Request as (Json):
{
"Credential":"mrtest:testpw123,
"BookId": 6,
"BookName": "XXX",
"BookAuthor": "yyy yyy",
"BookPrice":512
}
And I want to Post this same information to an External Api as:
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:tns="http://kkr.eu/" xmlns:s="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<tns:Credential xsi:type="tns:CredentialPro">
<tns:UserName>mrtest</tns:UserName>
<tns:Password>testpw123</tns:Password>
<tns:UserID>4</tns:UserID>
</tns:Credential>
</soap:Header>
<soap:Body>
<tns:AddBookDetails>
<tns:BookId>6</tns:BookId>
<tns:BookName>XXX</tns:BookName>
<tns:BookAuthor>yyy yyy</tns:BookAuthor>
<tns:BookPrice>512</tns:Price>
</tns:AddBookDetails>
</soap:Body>
</soap:Envelope>
So I want to Convert Json to XML in above Format.
Is there Any way to do this Simply?
How I Build "tns:UserName,tns:BookId,.." Like tags from Json??
Also Confused About Namespaces including in XML tags.
As I am beginner on Web API Hope you guys Help me..

Apache Oltu Linkedin Integration example

I am looking forward to developed the Spring MVC + Apache Oltu + Linkedin integration example. In this example, you need to send Client ID and Client Secret to access the private resource from the Linked in Site.
First Step - we need to create App in Linkedin, follow the steps: http://codeboxr.com/how-to-create-linkedin-app.html
Once App is created, you need to make sure you've given value for the redirect URL.
In the java code I used
setScope("r_network w_share r_basicprofile")
setState("987654321")
When I used the following code:
request= new OAuthBearerClientRequest("https://api.linkedin.com/v1/people/").buildQueryMessage();
I get the following errror. Could anyone please?
Could not access resource: 401 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error>
<status>401</status>
<timestamp>1429554559432</timestamp>
<request-id>QJWNLL5PWX</request-id>
<error-code>0</error-code>
<message>Unknown authentication scheme</message>
</error>
An important thing, I am getting correct details below, but seems accessing private resources:
{"access_token":"SQXZVmVM05AOzDB_DdBm5iaJkrEC8oK-FgE1m1snEZbMcKUODew9I0ZQ6NWc8JtGDxTtEd-yyPul0FtF3-hG4ah6LZ9P4oaSVuhhtybRFmjfsZcJwOs5Lm2IDUGQnjmq5EdT3PVR7Bocq31VBXg0JtkQdImab945oicO_w2j6CjlByp-bWw",
"expires_in":5108376}

It seems that you're successfully obtaining an OAuth 2.0 access token, you'll need to pass access_token in a query parameter when making API calls. That's how OAuth 2.0 authentication is handled (OAuth 1.0 required the access token to be in the header whereas OAuth 2.0 relies on a query parameter).
For example:
GET https://api.linkedin.com/v1/people/~?oauth2_access_token={your-access-token}
Please follow the link, if in case requires more details: https://developer-programs.linkedin.com/forum/unknown-authentication-scheme
If you send token along with the request to access protected resources, then you should be getting the following details.
The corrected code snippet:
request= new OAuthBearerClientRequest
("https://api.linkedin.com/v1/people/~?oauth2_access_token="+oAuthResponse.getAccessToken()).
buildQueryMessage();
In My Example, I am getting the following HTTP 200 OK response, just wanted to show you..
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<person>
<id>LLIyXMKhNI</id>
<first-name>FirstName</first-name>
<last-name>LastName</last-name>
<headline>Spring Developer at Amazon</headline>
<site-standard-profile-request>
<url>https://www.linkedin.com/profile/view?id=154416688&authType=name&authToken=ipNL&trk=api*a4360331*s4423501*</url>
</site-standard-profile-request>
</person>
Hope this will be help you.