Python O365 Authentication when Basic Authentication becomes deprecated - python

I have a script (that I did not write) that uses basic authentication to access email boxes online. The script uses the following code:
from O365 import Connection
Connection.login(user, password)
It recently failed. Doing a bit of research I got the following error:
'Basic Authentication for Outlook REST API is no longer supported...'
I found some information on https://aka.ms/BasicAuthDeprecated:
Last year, we announced that in November 2018, we will stop
supporting Basic Authentication in the Office 365 Outlook REST API
v1.0 and this is a follow up announcement to reiterate that we will
be decommissioning Basic Authentication in Outlook REST API v1.0 this
month. This means that new or existing apps will not be able to use
Basic Authentication in v1.0 and Beta versions of Outlook REST API
starting December 2018.
If you have been using Basic Authentication in Office 365 Outlook REST
API v1.0/Beta in your app, you should immediately transition to
Microsoft Graph-based Outlook REST APIs to continue accessing
Exchange Online data.
Web authentication is not my strong suit and I'm not sure what I need to do here. Looks like some sort of registration/token generation is required.

You will need to use OAuth for authenticating with O365 as BasicAuth is not supported anymore.
https://pypi.org/project/O365/#authentication has details on the Python library integration with OAuth.

Circling back to this, so that others see this, the code example in the authentication section works:
from O365 import Account, FileSystemTokenBackend
credentials = ('id', 'secret')
# this will store the token under: "my_project_folder/my_folder/my_token.txt".
# you can pass strings to token_path or Path instances from pathlib
token_backend = FileSystemTokenBackend(token_path='my_folder', token_filename='my_token.txt')
account = Account(credentials, token_backend=token_backend)
# This account instance tokens will be stored on the token_backend configured before.
# You don't have to do anything more
# ...
When you run the code, it'll provide a url which you paste into a browser, and will provide a new url that you need to copy into code, which will authenticate and provide the token for further usage.

Related

Automate OneDrive Authentication with AAD MFA with python

I'm trying to find a way to automate the authentication from AAD with Python.
In the past I used a username and password to log in to OneDrive and it worked properly. Here is the code:
pca = msal.PublicClientApplication(CLIENT_ID, authority=AUTHORITY_URL)
token = pca.acquire_token_by_username_password(USERNAME, PASSWORD, SCOPES)
Now that I have two-factor authentication, I cannot use the same code to access the OneDrive account.
I've searched the internet, but all the solutions that I found require opening the browser, and I can't do this because the Python script is a cron job and runs late at night. I need a solution that works in the "background" without any action required.
Possibly it's better if there is a solution with the MSAL library, due to some permissions that I would have to request if I changed the library.
Thanks for the help!
You might consider using the Client-Credentials Grant flow or OAuth2. You would have to modify your cronjob to move away from fetching a token on behalf of the user and update it to acquire a token as the application using the application's identity (the app registration done in AAD). Upgrading to client-credentials flow, which is actually designed for scenarios similar to yours, will help you in situations where you cannot afford user interaction and you want the service to work in the backend.
For more information on Client-Credentials flow, check here.
Also, you can refer to the following python app that implements client-credentials flow:
Call Microsoft Graph API using App Client Secret
Call Microsoft Graph API using App Client Certificate:
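The client-credentials flow suggested above, written with MSAL as the question asks. This is an added example, not code from the answer or its linked samples; the environment variable names (including `ONEDRIVE_OWNER`) are assumptions, and the app registration needs application permissions with admin consent.

```python
import json
import os
import urllib.parse
import urllib.request

# Client-credentials tokens take the app's consented permissions via "/.default".
GRAPH_SCOPE = ["https://graph.microsoft.com/.default"]


def build_app(client_id, tenant_id, client_secret):
    """Confidential client for the AAD app registration (requires `pip install msal`)."""
    import msal  # imported lazily so the helpers below can be tested without it
    return msal.ConfidentialClientApplication(
        client_id,
        authority=f"https://login.microsoftonline.com/{tenant_id}",
        client_credential=client_secret,
    )


def acquire_app_token(app, scopes=GRAPH_SCOPE):
    """Return an app-only access token, or raise with AAD's error text."""
    result = app.acquire_token_for_client(scopes=scopes)
    if "access_token" not in result:
        raise RuntimeError(f"{result.get('error')}: {result.get('error_description')}")
    return result["access_token"]


def drive_children_url(user_id):
    """App-only tokens have no signed-in user, so name the drive owner instead of /me."""
    owner = urllib.parse.quote(user_id, safe="@")  # keep the id from altering the path
    return f"https://graph.microsoft.com/v1.0/users/{owner}/drive/root/children"


def main():
    # Assumed environment variable names; keep the secret out of the script and the crontab.
    app = build_app(os.environ["AAD_CLIENT_ID"], os.environ["AAD_TENANT_ID"],
                    os.environ["AAD_CLIENT_SECRET"])
    request = urllib.request.Request(
        drive_children_url(os.environ["ONEDRIVE_OWNER"]),
        headers={"Authorization": f"Bearer {acquire_app_token(app)}"},
    )
    with urllib.request.urlopen(request, timeout=30) as response:
        for item in json.load(response).get("value", []):
            print(item["name"])


if __name__ == "__main__":
    main()
```

No user signs in with this flow, so MFA prompts never arise; access is bounded by the application permissions granted to the app registration, which is why the secret deserves the same protection as an admin credential.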

Unauthorized error while authenticating Sharepoint REST API using Python

I am trying to download a file from a SharePoint Online data library via REST API which uses a multi-factor ADFS authentication. So far I found these posts (Post1, Post2) which talk about sending a SAML request to STS to receive a security token from https://login.microsoftonline.com/extSTS.srf, and I have found multiple examples online which use the same method to authenticate their requests. However, when I send the SAML request to the above Microsoft URL, I receive the error below.
AADSTS50126: Error validating credentials due to invalid username or password.
I have appropriate access to the SharePoint data library, as I was able to get a valid response to an API request (to check available lists and not for authentication) when using a browser with an authenticated session. Any idea on what I might be doing wrong, or even if authentication is possible for an MFA-secured SharePoint library?
There is no official word in any Microsoft Documentation to confirm this. But MFA account + AAD token is not compatible.
You have to use a service account (username/password) without MFA enabled for it. This will work when you invoke the SPO web api using the service account for getting tokens.
When you have a browser session in open state, the token will be available in cookies & you will be able to access the library without issue. The same applies to POSTMAN or SOAP-UI testing.
Because MFA needs user interaction, this is not possible. Refer to this GitHub issue: Trouble spo login with an account with multi-factor authentication
We do "Application User" concept in Dynamics CRM for the same approach. Read more

Authenticate automatically against box.com to get api access

Box.com supports different authentication methods, OAuth2 and JWT. I'm currently using OAuth2 with developer tokens, which works just fine. The developer tokens expire within an hour, so I can't use this in our production.
I'm using the Python SDK to upload files to Box, and there is no user interaction here at all. It seems like I can't use the OAuth2 authentication method since there are no users uploading (automatic script), am I right?
The JWT authentication method requires an enterprise id, which I can't find. I used this page as reference: https://box-content.readme.io/docs/box-platform
I've logged in as a co-admin in Box, but can't find the enterprise id or Custom apps under the APPS menu.
Is there anything I have missed?
You have to use JWT to make server-to-server API calls. You can find your enterprise ID in your Admin Console --> Enterprise Setting --> Account Info --> Enterprise ID.

O365 - Python Authentication

I am trying to authenticate against the O365 Mail REST API using Python 3 urllib. I am not able to find any samples using basic authentication. When using a browser, it does ask for authentication through interactive windows. How can I achieve the same using urllib?
The authentication based on OAuth requires a user interaction in order to authenticate:
The authorization code is sent back to the application after the user
has been redirected to the authorization end point and authenticated.
So no basic authentication; you have to go through the OAuth process.
A similar problem on the Google platform is handled in various ways, one of them being user-based authentication, but there is also provisioning for token-based ones (no user interaction).

Import Google mbox file into Google using Google APIs

I am working on a script to migrate from domain X to domain Y using Python Google Apps APIs.
For each account on my domain I need to export the mail from domain X and import it into domain Y.
I see that I can create an mbox file for each user account using the createMailboxExportRequest method. I then can download the mbox file(s) when it is ready.
Now how can I get the mbox file back into a Google account on domain Y? I need a solution in Python.
There are methods of migrating using the Email Migration API. This requires a RFC822 format email. I don't believe that is the mbox format.
I would hope there is a method in one of the APIs that can simply import the mbox file that Google exported.
The Audit API you referenced for export is not suitable for use here. From the ToS section 4:
Email Audit API The Email Audit API is not designed and should not be
used for general backup, archival, or journaling purposes. Google
reserves the right to prevent a customer from using the Email Audit
API in ways that might adversely impact the performance or usability
of the Email Audit API.
Additionally, when using the Audit API, you do not get message state (read/unread, starred, labels, etc.).
You should be looking at Gmail IMAP as the method to connect and export messages. IMAP along with Google's IMAP extensions provide you access to all of the message metadata (read/unread, starred, labelled, etc.). You can authenticate via OAuth 2.0 with the Gmail IMAP servers.
Messages extracted via IMAP should be in RFC822 format and ready for submission to the Migration API (along with their metadata).
Got Your Back (GYB) is an open source Python script that uses OAuth (1.0 since 2.0 wasn't out when I wrote it) and Gmail-specific IMAP commands to back up and restore accounts. I used IMAP for the restore portion so that it'd be compatible with consumer Gmail accounts which don't support the migration API. However, it may prove a good reference point for you.
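The IMAP export with OAuth 2.0 described in this answer, as an added example that is not taken from GYB or from the answer. It assumes an access token already obtained for the mailbox and the English mailbox name `[Gmail]/All Mail`; it collects standard IMAP flags only, not Gmail labels.

```python
import imaplib
import re

FLAGS_RE = re.compile(rb"FLAGS \(([^)]*)\)")


def xoauth2_string(user, access_token):
    """SASL XOAUTH2 client response; imaplib base64-encodes it before sending."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()


def open_gmail(user, access_token, host="imap.gmail.com"):
    """Log in over TLS with an OAuth 2.0 access token instead of a password."""
    conn = imaplib.IMAP4_SSL(host)
    conn.authenticate("XOAUTH2", lambda _challenge: xoauth2_string(user, access_token))
    return conn


def export_messages(conn, mailbox='"[Gmail]/All Mail"'):
    """Return [(flags, rfc822_bytes), ...] for every message in the mailbox."""
    status, _ = conn.select(mailbox, readonly=True)  # read-only: export must not set \Seen
    if status != "OK":
        raise RuntimeError(f"cannot select {mailbox}")
    _, found = conn.search(None, "ALL")
    exported = []
    for num in found[0].split():
        _, parts = conn.fetch(num, "(FLAGS RFC822)")
        # Literal bodies arrive as (envelope, body) tuples; the rest is envelope text.
        body = b"".join(p[1] for p in parts if isinstance(p, tuple))
        meta = b" ".join(p[0] if isinstance(p, tuple) else p for p in parts)
        match = FLAGS_RE.search(meta)
        flags = match.group(1).split() if match else []
        exported.append((flags, body))
    return exported
```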
