OneDrive / onedrive-api-docs

Official documentation for the OneDrive API
MIT License

OneDrive.js and File Picker SDK support in German Cloud #1034

Closed liamfrawley closed 1 year ago

liamfrawley commented 5 years ago

I am developing an application that must work with the MS OneDrive Global Cloud and also the German Cloud. My application requires OneDrive.js File Picker SDK. Currently, the application works with the MS Global Cloud and I'm in the process of getting it to work with the German Cloud. I load OneDrive.js from here for the MS Global Cloud: https://js.live.net/v7.2/OneDrive.js

Is there a .de equivalent location for this resource?

Thanks

ghost commented 5 years ago

Thank you for your contribution to OneDrive API Docs. We will be triaging your incoming issue as soon as possible.

KevinTCoughlin commented 5 years ago

@liamfrawley to my knowledge we don't currently have the scripts hosted on a .de domain, but I'll double-check.

Is self-hosting an option? I am not a lawyer; I need to see what the guidance is internally.

If you have any references for comparison that would also help, preferably Microsoft products. If not only for the hostname.

Thanks for raising awareness to this.

liamfrawley commented 5 years ago

Thanks for the response @KevinTCoughlin

Yes, self-hosting is an option for sure. Can you clarify whether we can do this?

It's not just the hosting of OneDrive.js on a .de domain that we're looking for. It's also the MS servers that OneDrive.js communicates with. For the German Cloud, all servers OneDrive.js communicates with must be in the German Cloud as the user data only exists there and doesn't exist on the MS Global Cloud. From what I can tell, this OneDrive.js is hard-coded to communicate with the MS global cloud.

Is there a way of using the existing OneDrive.js against the MS German Cloud?

KevinTCoughlin commented 5 years ago

I think we were able to get the auth flow to work by modifying the currently hard-coded endpoints in the Picker against a test tenant in the German cloud. It seems like if we parameterize these constants we'd open up support for this.

I'm new to the space truthfully, so I need to talk with additional folks in the team. The Picker predates this support, but if we can easily add it... I'm all for it!

diff --git a/../../src/Constants.ts b/../../src/Constants.ts
index ba7f949..0520e8e 100644
--- a/../../src/Constants.ts
+++ b/../../src/Constants.ts
@@ -13,7 +13,7 @@ class Constants {

     public static CONSUMER_URL = "https://api.onedrive.com/v1.0/";
     public static CONSUMER_ENDPOINT_HINT = "api.onedrive.com";
-    public static GRAPH_URL = "https://graph.microsoft.com/v1.0/";
+    public static GRAPH_URL = "https://graph.microsoft.de/v1.0/";
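Review bot: The GRAPH_URL change swaps one hard-coded cloud for another, so a Picker built from this diff only talks to graph.microsoft.de and global-cloud users lose Graph access; the parameterization mentioned above is the right fix, with the global host as the default and the .de host selected by configuration. CONSUMER_URL and CONSUMER_ENDPOINT_HINT still point at api.onedrive.com, which matches the note below that consumer accounts live only in the global service, but a comment saying the consumer path is intentionally not cloud-specific would save the next reader from "fixing" it.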
diff --git a/../../src/controllers/Oauth.ts b/../../src/controllers/Oauth.ts
index 34a81ae..965bcc6 100644
--- a/../../src/controllers/Oauth.ts
+++ b/../../src/controllers/Oauth.ts
@@ -31,8 +31,8 @@ const PARAM_ID_TOKEN = "id_token";
 const PARAM_OAUTH_CONFIG = "oauth";
 const PARAM_STATE = "state";

-const AAD_OAUTH_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/authorize";
-const AADV2_OAUTH_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
+const AAD_OAUTH_ENDPOINT = "https://login.microsoftonline.de/common/oauth2/authorize";
+const AADV2_OAUTH_ENDPOINT = "https://login.microsoftonline.de/common/oauth2/v2.0/authorize";
 const MSA_OAUTH_ENDPONT = "https://login.live.com/oauth20_authorize.srf";
 const OAUTH_RESPONSE_HEADER = "[OneDriveSDK-OauthResponse]";
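Review bot: AAD_OAUTH_ENDPOINT and AADV2_OAUTH_ENDPOINT are now pinned to login.microsoftonline.de independently of GRAPH_URL in Constants.ts, so the two can drift apart; a token issued by one cloud's authority is not accepted by the other cloud's Graph host, and the mismatch would surface as opaque 401s rather than as a configuration error. Derive both authority URLs and the Graph root from a single cloud setting and validate it once at startup. Unrelated but visible in the context lines: MSA_OAUTH_ENDPONT is misspelled (missing I) and is worth a follow-up rename.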

@@ -138,7 +138,7 @@ function buildAADOauthUrl(config: IOauthConfig): string {
 }

 function buildAADOauthV2Url(config: IOauthConfig): string {
-    const scope = "profile openid https://graph.microsoft.com/User.Read " + config.scopes.map((s: string) => "https://graph.microsoft.com/" + s).join(" ");
+    const scope = "profile openid https://graph.microsoft.de/User.Read " + config.scopes.map((s: string) => "https://graph.microsoft.de/" + s).join(" ");

     let url = appendQueryStrings(
         AADV2_OAUTH_ENDPOINT,
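Review bot: The scope line repeats the Graph resource prefix as a literal twice ("https://graph.microsoft.de/User.Read" and the map callback), now in a third place alongside GRAPH_URL; if any one of them is edited alone, the access token's audience no longer matches the API host being called. Compute the prefix once from the configured Graph origin (e.g. const graphOrigin = new URL(Constants.GRAPH_URL).origin) and build both the User.Read scope and the mapped scopes from it.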

Thanks again for raising attention to this issue!

Here are the endpoints for the various sovereign clouds:

https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud#azure-ad-authentication-endpoints

Some notes:

The Azure AD v2.0 authorization and token endpoints are only available for the global service. It is not yet supported for national cloud deployments.

And from https://docs.microsoft.com/en-us/graph/deployments#microsoft-graph-and-graph-explorer-service-root-endpoints

Important: If you already have an app in US Government and you're using the worldwide endpoint https://graph.microsoft.com, we recommend switching to the new https://graph.microsoft.us endpoint. Access to US Government data using worldwide endpoint is currently functional but will be disabled in near future.

Note: Apps can only access organizational data through the national cloud endpoints. This means that apps can only access data in tenants that are registered in the specific national cloud. Apps that are trying to access consumer data associated with Microsoft personal accounts through Microsoft Graph should use the global service https://graph.microsoft.com. Access tokens acquired for a national cloud deployment are not interchangeable with those acquired for the global service or any other national cloud.

cc: @margoflynn
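As an added example (not the Picker's or Microsoft's own code), here is how the three hard-coded values in the patch above, the authorize endpoint, the Graph root and the scope resource prefix, can be derived from one cloud selector, together with the audience check implied by the quoted note that tokens from one cloud are not valid in another. Hostnames are the ones quoted in this thread; the sample-token helper and its claim values are constructed for local testing.

```typescript
// Added example, not Picker code: one selector drives every cloud-specific
// value, so authority, Graph host and scope audience cannot drift apart.
type Cloud = "global" | "germany";
const CLOUDS: Record<Cloud, { authority: string; graphUrl: string }> = {
  global: {
    authority: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    graphUrl: "https://graph.microsoft.com/v1.0/",
  },
  germany: {
    authority: "https://login.microsoftonline.de/common/oauth2/v2.0/authorize",
    graphUrl: "https://graph.microsoft.de/v1.0/",
  },
};
// Graph origin, e.g. "https://graph.microsoft.de": the resource prefix used in
// scopes and the audience ("aud") a token for that cloud must carry.
function graphOrigin(cloud: Cloud): string {
  return new URL(CLOUDS[cloud].graphUrl).origin;
}
// Same scope string the patched buildAADOauthV2Url assembles, with the
// resource prefix taken from the selected cloud instead of a literal.
function buildScope(cloud: Cloud, scopes: string[]): string {
  const o = graphOrigin(cloud);
  return ["profile", "openid", `${o}/User.Read`, ...scopes.map((s) => `${o}/${s}`)].join(" ");
}
// Implicit-flow authorize URL against the selected cloud's authority.
function buildAuthorizeUrl(cloud: Cloud, clientId: string, redirectUri: string, scopes: string[]): string {
  const u = new URL(CLOUDS[cloud].authority);
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("response_type", "token");
  u.searchParams.set("scope", buildScope(cloud, scopes));
  return u.toString();
}
// Tokens are not interchangeable between clouds: before attaching a bearer
// token to a Graph call, check that its "aud" names the host being called.
// Only the payload is decoded here; signature validation is the server's job.
function tokenMatchesCloud(jwt: string, cloud: Cloud): boolean {
  const parts = jwt.split(".");
  if (parts.length !== 3) return false;
  let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  try { return JSON.parse(atob(b64)).aud === graphOrigin(cloud); } catch { return false; }
}
// Constructed, unsigned sample token for local testing (not a real token).
function sampleToken(claims: Record<string, string>): string {
  const enc = (s: string) => btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc('{"alg":"none"}')}.${enc(JSON.stringify(claims))}.sig`;
}
```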

liamfrawley commented 5 years ago

Thanks @KevinTCoughlin

We've tested the changes you have suggested to OneDrive.js and they work against the German cloud.

"The Azure AD v2.0 authorization and token endpoints are only available for the global service. It is not yet supported for national cloud deployments." I've seen this comment also. We've tested AD v2.0 authorization and token endpoints on the German cloud and they do work. Does this mean the documentation is out of date?

KevinTCoughlin commented 5 years ago

Awesome to hear that it worked @liamfrawley. I have a pull-request open to enable this support via advanced.endpointHint as part of the Picker's config that we'll hopefully merge early this week.

Regarding your question about the documentation, I also saw that and think that the documentation is stale because AADv2 does work in my testing.

Once Picker support is resolved I will work to update the documentation with the relevant team.

cc: @aditima @margoflynn

mbfgit commented 5 years ago

Thanks for the update. There's already an issue raised re: aadv2 documentation: https://github.com/MicrosoftDocs/azure-docs/issues/28661

moos commented 3 years ago

@KevinTCoughlin It's been a little over a week ;) - has the PR been merged? If not, any viable ETA or workarounds?

patrick-rodgers commented 1 year ago

As part of a repository clean up effort we are closing older issues. If this issue remains, please: open a new issue, reference this issue, and provide any additional details that may help in resolution. Thank you for your understanding as we work to improve our responsiveness.