Azure chat bot fails to authenticate - python

I'm trying to create a chat bot using the Bot Framework with Python. I had this working a few days ago but now I'm getting an error when I test in Azure web chat: KeyError: 'access_token'. This problem is reproducible using sample code from here.
If I remove the app ID and password in config.py and test with the Bot Emulator on localhost then it works fine. When I change these variables to the correct values and test through ngrok it fails with the same exception.
I tried checking the credentials with curl as described here and it returned this error.
{
"error": "unauthorized_client",
"error_description": "AADSTS700016: Application with identifier 'd720efc0-d9a3-4c7a-86ab-deed1a27739c' was not found in the directory 'botframework.com'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: de49aeb5-f200-4427-89f9-973fe2d10701\r\nCorrelation ID: 400d7c55-5854-44a6-a1f1-5a1eb74889da\r\nTimestamp: 2021-04-28 00:00:44Z",
"error_codes": [
700016
],
"timestamp": "2021-04-28 00:00:44Z",
"trace_id": "de49aeb5-f200-4427-89f9-973fe2d10701",
"correlation_id": "400d7c55-5854-44a6-a1f1-5a1eb74889da",
"error_uri": "https://login.microsoftonline.com/error?code=700016"
}
That sounds like the App ID is wrong, but I verified it by copying the Microsoft App ID from the Azure portal, Bot Channels Registration, configuration page. I guess it's possible I have the wrong password, but if that's the case I don't know how to change it.

Maybe check the Messaging endpoint (whether the ngrok URL is correct or not).
Changing the password:
Azure -> Bot Channels Registration -> Configuration -> Microsoft App Id (Manage): click the Manage link
Client secrets -> New client secret

Related

ROPC sign-on prompts interactive login

Due to the deprecation of some of MS's services, I need to migrate the login method for an unattended script. The script is currently set up to log in to the service using Basic Auth username/password, but now must go through something like MSAL to accomplish this.
Again, this will be an unattended script so it cannot accommodate any interactive prompts.
According to docs, ROPC (while "not recommended") is documented as not requiring any UI. However, when I try to acquire an access token using this method, I get the following:
>>> app = msal.PublicClientApplication(client_id, authority=f'https://login.microsoftonline.com/{tenant_id}')
>>> app.acquire_token_by_username_password(username, passwd, scopes=['Mail.ReadWrite'])
{
'error': 'invalid_grant',
'error_description': "AADSTS65001: The user or administrator has not consented to use the
application with ID '...' named '...'. Send an interactive authorization request for this
user and resource.\r\n...",
'error_codes': [65001],
...,
'suberror': 'consent_required'
}
I have also tried to use the API directly:
POST
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
body:
{
"client_id": "{client_id}",
"scope": "https://graph.microsoft.com/mail.readwrite",
"username": "{username}",
"password": "{password}",
"grant_type": "password"
}
Response same as above.
I have set Delegated permissions in the App registration (but there doesn't seem to be a way to grant admin consent here).
The response message suggests this type of request requires an interactive prompt, but the documentation explicitly states this is a non-UI authentication flow.
What am I missing?
I tried to reproduce the same in my environment and got the same error as below:
The error usually occurs if the API permissions granted to the Azure AD application are not consented to by the Global Admin.
To resolve the error, make sure to grant admin consent to the mail.readwrite permission like below:
After Granting the Admin Consent, I am able to generate the access token successfully like below:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:f2e61f2e-7340-4f37-9dac-XXXXXX
scope:https://graph.microsoft.com/mail.readwrite
username:rukadmin#XXXX.onmicrosoft.com
password:****
grant_type:password
Alternatively, you can make use of the below endpoint, sign in as Global Admin and accept the consent on behalf of the organization like below:
https://login.microsoftonline.com/TenantID/adminconsent?client_id=ClientID
You can also make use of the Interactive grant type and allow the users to consent to the application accessing their account by doing the below setting:
Go to Azure Portal -> Enterprise Application -> User Settings -> Go to Consent and permissions

Azure active directory SAML SSO configuration issue with Django backend

I am trying to set up SAML Single Sign-On (SSO) with my Django app, but I am getting an error when I try to login to my app.
I go to the app url, Microsoft processes the request (the url displays microsoft.loginonline.com/etc briefly), and then I get redirected to this page:
https://my-app.azurewebsites.net/.auth/login/aad/callback
which displays this error:
{"code":400,"message":"IDX10501: Signature validation failed. Unable to match keys: \nkid: '[PII is hidden]', \ntoken: '[PII is hidden]'."}
The reply url is set to:
https://my-app.azurewebsites.net/.auth/login/aad/callback
I did the set-up following both the Azure docs and following this documentation: https://django-auth-adfs.readthedocs.io, it's ostensibly working on my localhost, just not on the actual azure app service... I am unsure of what I am doing wrong, and the error message is not very informative for me as I am new to back-end programming and cloud.
Any help is appreciated, thanks!
As stated by you, you have configured SAML SSO with a Django app in the backend and are encountering the said error while logging in. As per the error reported, the PII value is hidden, due to which the signature keys couldn't be validated by AAD. So, you will need to add some strings to your 'settings.py' file to notify the Django web app of the token value returned from AAD. Please find below the strings to be added to the respective file:
Please add the below string to the AUTHENTICATION_BACKENDS section in the 'settings.py' file.
Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
After adding the above string to the said file, the app should work and so the SSO too.
Also, please find the below link to a similar thread for your reference: -
JWT token authentication fails with message "PII is hidden"
Thanks
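IDX10501 means the validator found no signing key whose `kid` matches the token header, which in practice is almost always a token issued by a different tenant or issuer than the one the app was configured to trust. The helper below is an added diagnostic example, not code from the question, django-auth-adfs or App Service: it reads the token header and `iss` claim without verifying anything, compares the `kid` against a JWKS document you supply, and reports which of the two mismatches you are looking at. The JWKS and the sample token it builds are constructed placeholders.

```python
import base64
import json

# Hypothetical diagnostic helper (not from the post, django-auth-adfs or App Service):
# read the token header and issuer WITHOUT verifying the signature, then check the
# `kid` against the JWKS of the issuer the app is configured to trust.

def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_header_and_issuer(token):
    """Return (header dict, iss claim) from a compact JWS; nothing is verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload.get("iss")


def diagnose_idx10501(token, jwks, expected_issuer):
    """Explain why a validator could not match the token's kid to a signing key.
    Diagnosis only: never base an authorization decision on these unverified claims."""
    header, iss = jwt_header_and_issuer(token)
    kid = header.get("kid")
    known = {k.get("kid") for k in jwks.get("keys", [])}
    if kid is None:
        return "token header has no kid, so the validator cannot select a key"
    if iss != expected_issuer:
        return (f"issuer mismatch: token iss={iss!r} but the app trusts "
                f"{expected_issuer!r}; the JWKS for the configured issuer will never "
                f"contain kid {kid!r} (check the tenant in the App Service auth settings)")
    if kid not in known:
        return f"kid {kid!r} is not in the issuer's JWKS; refresh the key cache"
    return f"kid {kid!r} is present; look at alg/audience instead"


def make_sample_token(header, payload):
    """Constructed, unsigned sample token for offline diagnosis only."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"not-a-real-signature")])
```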

"Unauthorized WebHook callback channel" Google Api response even if Heroku web application domain was verified

I have recently deployed a python web application to the Heroku platform that takes advantage of the Google Calendar API. I was able to get the events list from the calendar using OAuth 2.0 credentials, but web application domain verification isn't required in such cases in general. The opposite was true for the push-notification feature, which requires both domain verification and an HTTPS request sent to the Google API to activate it.
When I try to execute the HTTPS request using the watch method with this code:
body={
"id": "<specified_uuid_read_from_file>",
"type": "web_hook",
"address": "https://<heroku_application_id>.herokuapp.com"
}
events_result = service.events().watch(calendarId="primary", body=body).execute()
I get this response:
googleapiclient.errors.HttpError: <HttpError 401 when requesting https://www.googleapis.com/calendar/v3/calendars/primary/events/watch?alt=json returned "Unauthorized WebHook callback channel: https://<heroku_application_id>.herokuapp.com">
I have already done:
Verified domain https://<heroku_application_id>.herokuapp.com via Google Search Console by uploading html file.
Added this domain to Google Api "Domain verification" tab.
I would like to know what other possible reasons there could be than domain verification issues resulting from an inappropriate Google authorization process, and how to fix it?
Thank you in advance.
EDIT:
Eventually I was able to gain access by renewing Google API credentials. Everything works fine for now. Nevertheless I can't still explain what could be actual problem which caused this error.

MSAL Authentication with Python Showing Unauthorized Client?

I am trying to authenticate an Azure app that has application-level permissions. All the permissions have been granted by an admin, and the app has both a client id and a client secret. I'm running the following code based on the Daemon-api documentation from Microsoft graph:
import msal
config = {
    "authority": "https://login.microsoftonline.com/organizations",
    "client_id": CLIENT_ID,
    "scope": ["https://graph.microsoft.com/.default"],
    "redirect_uri": REDIRECT_URI,
    "client_secret": CLIENT_SECRET
}
app = msal.ConfidentialClientApplication(
    config["client_id"], authority=config["authority"],
    client_credential=config["client_secret"])
result = app.acquire_token_silent(config["scope"], account=None)
import logging
if not result:
    logging.info("No suitable token exists in cache. Let's get a new one from AAD.")
    result = app.acquire_token_for_client(scopes=config["scope"])
If I print result though, it says the following:
{'error': 'unauthorized_client',
'error_description': "AADSTS700016: Application with identifier [IDENTIFIER] was not found in the directory 'microsoft.com'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: [TRACE ID]\r\nCorrelation ID: [CORRELATION ID]\r\nTimestamp: 2019-08-28 17:14:39Z",
'error_codes': [700016],
'timestamp': '2019-08-28 17:14:39Z',
'trace_id': [TRACE ID],
'correlation_id': [CORRELATION ID],
'error_uri': 'https://login.microsoftonline.com/error?code=700016'}
The app has existed for several days and, as I've mentioned, it has had all its permissions authorized by an admin. How come I'm still getting an "unauthorized" error? I checked my id and secret; they're correct.
I wonder if it might have something to do with the fact that the error message says it's being sent to the microsoft.com directory? But the only microsoft information I provide is in authority and scope which the api says is needed as-is. I don't see anywhere to provide a directory id. Could that be the issue? If so, how would I rectify it?
Authority field in your config should be
https://login.microsoftonline.com/<directory_id>
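All three Azure AD failures on this page arrive the same way: the token endpoint answers with a JSON error body (AADSTS700016 for the bot and for the daemon app above, AADSTS65001 with suberror consent_required for the ROPC question), and a client that indexes `response['access_token']` blindly turns that into the bare KeyError from the first question. The following is an added example, not code from any of the posts or from MSAL: it performs the client_credentials grant against the v2.0 endpoint with the standard library, raises a TokenError that carries the AADSTS codes and a remediation hint (tenant-specific authority for 700016, admin consent for 65001), and takes an injectable `http` transport so it can be exercised offline. Tenant, client id, secret and scope are placeholders.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Remediation hints keyed by the AADSTS codes that appear in the posts above.
HINTS = {
    700016: ("app registration not found in this tenant: use the authority "
             "https://login.microsoftonline.com/<tenant_id> rather than "
             "'organizations' or another tenant, and re-check client_id"),
    65001: ("delegated permission not consented: grant admin consent on the "
            "app registration or via the /adminconsent endpoint"),
}

class TokenError(Exception):
    """Raised instead of KeyError when the token endpoint returns an error body."""
    def __init__(self, error, codes, description):
        self.error, self.codes, self.description = error, codes, description
        hint = "; ".join(HINTS[c] for c in codes if c in HINTS) or description
        super().__init__(f"{error} {codes}: {hint}")

def parse_token_response(body):
    """Return the access token, or raise TokenError carrying the AADSTS code(s)."""
    if "access_token" in body:
        return body["access_token"]
    raise TokenError(body.get("error", "unknown"), body.get("error_codes", []),
                     body.get("error_description", ""))

def _post(url, payload):
    """Real transport: AAD answers 4xx with a JSON body, so read it instead of raising."""
    req = urllib.request.Request(url, data=payload, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.read()
    except urllib.error.HTTPError as e:
        return e.read()

def fetch_client_credentials_token(tenant, client_id, client_secret, scope, http=_post):
    """Perform the client_credentials grant; `http(url, bytes) -> bytes` is injectable."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id, "client_secret": client_secret,
                                   "scope": scope}).encode()
    body = json.loads(http(TOKEN_URL.format(tenant=tenant), form))
    return parse_token_response(body)
```

Calling it with the tenant id from the portal (never the literal 'organizations' for a daemon) and the real transport yields either a token or a TokenError whose message names the AADSTS code, which is what a log line should contain.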

Flask-Mail on Google App Engine Flexible ENV

I'm trying to get Flask-Mail set up in the Flexible ENV on Google App Engine. Flask-Mail works on my localhost using the credentials for a domain I am trying to use to send the mail. However, when using it on GAE through my API it returns a 502 error, but it shows no error messages in the logs or console. Going through the documentation for GAE Flexible, it doesn't mention anything about NOT being able to use it, but it doesn't show how one would set up Flask-Mail either.
I have this..
from flask_mail import Mail, Message

mail = Mail()
print('1')  # We get here
msg = Message("Hello",
              sender="me#mydomain.com",
              recipients=["me#mydomain.com"])
print('2')  # We get here
msg.body = 'Testing'
print('3')  # We get here
mail.send(msg)
print('4')  # This never gets called because I time out on a 502 before this
I can tell I am not getting any fatal errors because the app stays working. However, this fails with the 502. I have tried adding my email to the list of authorized senders but it doesn't seem to have helped.
I would appreciate any feedback. If I'm forced to use a 3rd party service to send mail it may cause me to move the project off of GAE.
As Ivan posted on his comment, to send email from a GAE app you need to use a mail service. Right now there are 3 options for apps on a flexible environment: Mailgun, MailJet and SendGrid. Choose the one you see better for your app.
After setting up an account on the mail service you have chosen, you have to prepare your code by integrating the parts related to the mail service.
These tutorials should help you establish the mail service for your app:
Mailgun
MailJet
SendGrid
I've had the same error, but on a virtual machine on the internet (Linode service), and it turned out that it has something to do with rDNS and some domain name config that you have to set up for your IP address to get things working correctly. Check this:
https://www.linode.com/community/questions/19082/i-just-created-my-first-linode-and-i-cant-send-emails-why