probits-as / MeetEasier

MeetEasier is a web application that visualizes meeting room availability. It works using Microsoft Graph API in Microsoft 365.
GNU General Public License v3.0

Problem with permissions #10

Closed Joni-Samanen closed 2 years ago

Joni-Samanen commented 2 years ago

So we've been trying to figure out the problem with our MeetEasier install, as the only output we've got so far was "Hmm, there seems to be a weird issue occurring".

Adding console.log(err) to routes.js got us a little further, as now we get output in the console which seems to point to the problem being a permission problem.

code: 'AuthOMMissingRequiredPermissions', requestId: '194a9015-816c-4ab0-9071-13d7e83b2a35', date: 2022-11-04T08:51:04.000Z, body: {"code":"AuthOMMissingRequiredPermissions","message":"The AadPft token doesn't contain the permissions required by the target API.","innerError":{"oAuthEventOperationId":"fb805ced-7d75-4b18-82ff-f4d27a9bf7b1","oAuthEventcV":"oXlrn4r7yvKakdGJUyFNwg.1.1","errorUrl":"https://aka.ms/autherrors#error-InvalidGrant","requestId":"dbee0f8d-286c-9fe3-e8d3-38750d07850b","date":"2022-11-04T10:51:04","request-id":"194a9015-816c-4ab0-9071-13d7e83b2a35","client-request-id":"dbee0f8d-286c-9fe3-e8d3-38750d07850b"}}

We can't really figure out what could be the problem, as we've registered the app and given the required permissions:

Calendars.Read, Place.Read.All, User.Read.All

Any ideas what could be done?

fkmeland commented 2 years ago

Hi, hmm, if you have added all these as "Application permissions" and granted admin consent, it should be working.

I have included a screenshot of my setup in Azure (Calendars.ReadWrite is for the new booking feature).

Joni-Samanen commented 2 years ago

I checked API permissions and App permissions, both should be fine, they look similar to yours. Hmm...

fkmeland commented 2 years ago

Hmm... ok, let's check whether your token has the required permission manually, just to be absolutely sure.

Run the following command, and replace tenant-id, your-client-id and client-secret with your values:

 # The token endpoint takes a POST with a form-encoded body (curl would default to
 # POST because of --data anyway; don't force GET).
 curl --location --request POST 'https://login.microsoftonline.com/tenant-id/oauth2/v2.0/token' \
 --header 'Content-Type: application/x-www-form-urlencoded' \
 --data-urlencode 'grant_type=client_credentials' \
 --data-urlencode 'client_id=your-client-id' \
 --data-urlencode 'scope=https://graph.microsoft.com/.default' \
 --data-urlencode 'client_secret=client-secret'

You should get a response like this:

 {"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"xxxxxxxx....."}

Copy the access_token value and paste it into https://jwt.io/ to decode the token; you should see the permissions under the roles key.
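The same check can be scripted instead of pasting the token into jwt.io. The block below is an added example, not MeetEasier code and not part of the thread: it decodes the payload of a JWT without verifying the signature (as jwt.io does when it reports "Invalid signature") and reports which of the three application roles MeetEasier needs are absent from the `roles` claim. The two tokens it inspects are constructed here with a fake signature; the `requestTokenAndCheck` function that fetches a real token is an assumed helper and needs real tenant values to run. A token minted from a registration that only has Delegated permissions carries no `roles` claim at all, which is the symptom reported above.

```javascript
// Added example (not MeetEasier's code): decode an Azure AD access token and
// check that the application permissions ("roles" claim) MeetEasier needs are
// present. Tokens built below are constructed for this example; not real tokens.

const REQUIRED_APP_ROLES = ["Calendars.Read", "Place.Read.All", "User.Read.All"];

// JWT segments are base64url without padding; Buffer handles standard base64.
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function b64urlDecode(s) {
  const padded = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Decode the payload only. This does NOT verify the signature: that is fine for
// inspecting the claims of a token you just obtained yourself, but a resource API
// must verify the signature against the issuer's published public signing keys.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS: expected 3 segments");
  return JSON.parse(b64urlDecode(parts[1]));
}

// Return the required app roles absent from the token's "roles" claim.
// A delegated-only registration yields a token with no "roles" (it may carry
// "scp" instead), so every required role is reported missing.
function missingAppRoles(token, required = REQUIRED_APP_ROLES) {
  const claims = decodeJwtPayload(token);
  const granted = new Set(Array.isArray(claims.roles) ? claims.roles : []);
  return required.filter((role) => !granted.has(role));
}

// Build a token for offline testing (constructed; the signature segment is fake).
function makeTestToken(payload) {
  const header = { typ: "JWT", alg: "RS256", kid: "example-kid" };
  return `${b64urlEncode(header)}.${b64urlEncode(payload)}.ZmFrZS1zaWduYXR1cmU`;
}

// Shape of a token issued once Application permissions were added and consented.
const APP_TOKEN = makeTestToken({
  aud: "https://graph.microsoft.com",
  iss: "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
  app_displayname: "MeetEasier",
  roles: ["Calendars.Read", "Place.Read.All", "User.Read.All"],
});

// Shape of a token issued while the registration only had Delegated permissions:
// no "roles" claim, which is what the reporter saw on jwt.io.
const DELEGATED_ONLY_TOKEN = makeTestToken({
  aud: "https://graph.microsoft.com",
  iss: "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
  app_displayname: "MeetEasier",
});

// Assumed online helper (Node 18+ global fetch): same request as the curl above,
// then the same check. Not called at load time; needs real tenant values.
async function requestTokenAndCheck(tenantId, clientId, clientSecret) {
  const res = await fetch(`https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({
      grant_type: "client_credentials",
      client_id: clientId,
      client_secret: clientSecret,
      scope: "https://graph.microsoft.com/.default",
    }),
  });
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  const { access_token } = await res.json();
  return missingAppRoles(access_token);
}

console.log("app token, missing roles:", missingAppRoles(APP_TOKEN));
console.log("delegated-only token, missing roles:", missingAppRoles(DELEGATED_ONLY_TOKEN));
```

An empty list from `missingAppRoles` means the registration is set up the way this thread ends up recommending; a list containing all three roles means the token has no `roles` claim at all, which is the delegated-only case rather than a partially consented one.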

Joni-Samanen commented 2 years ago

Thanks for the support, and sorry, I wasn't at the office over the weekend. curl returned the access token, and when I pasted it into https://jwt.io/ it didn't display a "roles" section at all. Directly under "rh" was "sub". It also complains on the left side of the page "Invalid signature". So uuuhh... What could this mean? :D

fkmeland commented 2 years ago

Hmm... that means your Azure setup is not complete; the application registered in Azure doesn't seem to have any API permissions granted. Do you have a green checkmark next to each of the API permissions for the application you registered in Azure, as shown in my earlier comment? https://github.com/probits-as/MeetEasier/issues/10#issuecomment-1303511702

You can safely ignore the invalid signature message; this is because jwt.io doesn't have the private key the JWT was signed with. There is a field on jwt.io where you can put the private key if you want to validate the JWT, to confirm it hasn't been tampered with etc.

Joni-Samanen commented 2 years ago


Here's a screenshot of our API permissions for MeetEasier. I just now noticed that in your screenshot the type is "Application", whereas in mine it's "Delegated"...? How could I change that?

fkmeland commented 2 years ago

Aah, there is your problem 😊 Delegated permissions are for humans, while Application permissions are for robots (kinda, hehe).

When you add a Graph permission there are two choices, Delegated and Application permission; just choose Application permission.

Just remove the ones you have added now, and add the new ones using "Application permissions".


Joni-Samanen commented 2 years ago

Oooh right, thanks! I'll get back to you once I have tried that.

fkmeland commented 2 years ago

Did you resolve the problem?

Joni-Samanen commented 2 years ago

Hi, yeah, sorry. I don't have the rights to grant permissions, so I asked an admin to do it while I'm out of the office. I'll return to the office on Friday and get back to you then!

fkmeland commented 2 years ago

Ah, no worries, I was just curious😊

Joni-Samanen commented 2 years ago

Thank you, the problem is resolved! Now I don't see any error, but I also can't see any rooms/locations. But I guess that's something I have to figure out.

fkmeland commented 2 years ago

Glad to hear that your problem is resolved😊

You have to use PowerShell to create a room list and add rooms as members of that room list. See: https://learn.microsoft.com/en-us/exchange/recipients/room-mailboxes?view=exchserver-2019#use-the-exchange-management-shell-to-add-a-room-to-a-room-list

Please note it could take 24 hours before the room list is visible.