-
- Service Provider
- Posts: 886
- Liked: 165 times
- Joined: Aug 26, 2013 7:46 am
- Full Name: Bastiaan van Haastrecht
- Location: The Netherlands
- Contact:
VBO API check userCode
Hello,
In the GUI when you perform a usercode authentication, you see it has been successfully been authenticated. I'm searching in the API to accomplish the same, but can't find a resource URL for it. Does the API support this currently?
Kind regards,
Bastiaan
In the GUI when you perform a usercode authentication, you see it has been successfully been authenticated. I'm searching in the API to accomplish the same, but can't find a resource URL for it. Does the API support this currently?
Kind regards,
Bastiaan
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
Veeam ProPartner, Service Provider and a proud Veeam Legend
-
- Product Manager
- Posts: 5803
- Liked: 1217 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: VBO API check userCode
This is not available within the VBO API. This is due to it requires a check against Microsoft's API if validation has happened.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
GitHub: https://github.com/nielsengelen
-
- Service Provider
- Posts: 886
- Liked: 165 times
- Joined: Aug 26, 2013 7:46 am
- Full Name: Bastiaan van Haastrecht
- Location: The Netherlands
- Contact:
Re: VBO API check userCode
Ah ok, we can utilize graph API in our app. Do you perhaps have the resource URL?
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
Veeam ProPartner, Service Provider and a proud Veeam Legend
-
- Product Manager
- Posts: 5803
- Liked: 1217 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: VBO API check userCode
You'll have to check for a 200 OK from https://login.microsoftonline.com/<tena ... uth2/token. Any other errors would mean the login didn't happen.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
GitHub: https://github.com/nielsengelen
-
- Service Provider
- Posts: 886
- Liked: 165 times
- Joined: Aug 26, 2013 7:46 am
- Full Name: Bastiaan van Haastrecht
- Location: The Netherlands
- Contact:
Re: VBO API check userCode
I think I need the JWT token in order to check if the userCode authentication was valid. Since VBO does the authentication to MS I do not have access to the JWT token.
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
Veeam ProPartner, Service Provider and a proud Veeam Legend
-
- Product Manager
- Posts: 5803
- Liked: 1217 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: VBO API check userCode
No, there is no need for the JWT token. You need to check if you get the right response from the URL provided. All codes are available on the Microsoft website.
As long as it states authorization_pending, you still need to verify it. If you do get a bearer token, you are authenticated.
I have some sample code (javascript based) available on GitHub.
As long as it states authorization_pending, you still need to verify it. If you do get a bearer token, you are authenticated.
I have some sample code (javascript based) available on GitHub.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
GitHub: https://github.com/nielsengelen
-
- Service Provider
- Posts: 886
- Liked: 165 times
- Joined: Aug 26, 2013 7:46 am
- Full Name: Bastiaan van Haastrecht
- Location: The Netherlands
- Contact:
Re: VBO API check userCode
Nice, thanks Niels, will use your example to implement in our portal. Will let you know the outcome.
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
Veeam ProPartner, Service Provider and a proud Veeam Legend
-
- Service Provider
- Posts: 886
- Liked: 165 times
- Joined: Aug 26, 2013 7:46 am
- Full Name: Bastiaan van Haastrecht
- Location: The Netherlands
- Contact:
Re: VBO API check userCode
When we request a new DeviceCode from VBO API we get a response back which not include the device_code . We need the device_code in order to check the MS API if its authenticated.
What VBO returns:
https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=40
What MS requires:
https://docs.microsoft.com/nl-nl/azure/ ... evice-code
What VBO returns:
https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=40
What MS requires:
https://docs.microsoft.com/nl-nl/azure/ ... evice-code
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
Veeam ProPartner, Service Provider and a proud Veeam Legend
-
- Product Manager
- Posts: 5803
- Liked: 1217 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: VBO API check userCode
The device code comes from MS in the first request and you should re-use that one all the time. On what part are you stuck? Or are you trying to achieve?
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
GitHub: https://github.com/nielsengelen
-
- Service Provider
- Posts: 886
- Liked: 165 times
- Joined: Aug 26, 2013 7:46 am
- Full Name: Bastiaan van Haastrecht
- Location: The Netherlands
- Contact:
Re: VBO API check userCode
We request a new user_code from VBO API, we call this request:
We get back:
When we want to check MS API if the deviceCode is successfully authenticated, we need to POST the following parameters:
I see two solutions:
1) Do not use VBO's restoreDeviceCode request, and do the authentication via MS directly so we have the device_code.
2) Veeam add the device_code to the restoreDeviceCode result.
Hope it's clear now.
(ps, Veeam should change the (restore)DeviceCode name resource routes as it returns the UserCode, not the DeviceCode )
Code: Select all
/restoreSession/{id}/organization/restoreDeviceCode
Code: Select all
{
"userCode": "CWE5QHLNM",
"verificationUrl": "https://microsoft.com/devicelogin",
"expiresIn": 899,
"message": "To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CWE5QHLNM to authenticate."
}
- tenant Required
- grant_type Required
- client_id Required
- device_code Required
I see two solutions:
1) Do not use VBO's restoreDeviceCode request, and do the authentication via MS directly so we have the device_code.
2) Veeam add the device_code to the restoreDeviceCode result.
Hope it's clear now.
(ps, Veeam should change the (restore)DeviceCode name resource routes as it returns the UserCode, not the DeviceCode )
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
Veeam ProPartner, Service Provider and a proud Veeam Legend
-
- Product Manager
- Posts: 5803
- Liked: 1217 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: VBO API check userCode
I believe the verification isn’t needed for this part due to already being authenticated. I will check it and report back.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
GitHub: https://github.com/nielsengelen
-
- Product Manager
- Posts: 5803
- Liked: 1217 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: VBO API check userCode
@@b.vanhaastrecht Right now, there is indeed no way to the token verification against O365 so you'll have to trust your end-users to follow the procedure of the devicelogin.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
GitHub: https://github.com/nielsengelen
-
- Service Provider
- Posts: 886
- Liked: 165 times
- Joined: Aug 26, 2013 7:46 am
- Full Name: Bastiaan van Haastrecht
- Location: The Netherlands
- Contact:
Re: VBO API check userCode
Ok, could you add option number 2 as a feature?
"Veeam add the device_code to the restoreDeviceCode result."
"Veeam add the device_code to the restoreDeviceCode result."
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
Veeam ProPartner, Service Provider and a proud Veeam Legend
-
- Product Manager
- Posts: 8195
- Liked: 1323 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: VBO API check userCode
Bastiaan,
We have plans for vNext to simplify further the login methods. But we are looking it into a different direction. I would prefer to allow userlogins instead of device code logins. But it is under investigation
We have plans for vNext to simplify further the login methods. But we are looking it into a different direction. I would prefer to allow userlogins instead of device code logins. But it is under investigation
-
- Veeam Software
- Posts: 27
- Liked: 1 time
- Joined: Apr 01, 2021 3:01 am
- Full Name: Martyn Howie
- Contact:
Re: VBO API check userCode
Has there been any progress made on this? We are trying to add organisations via the API but encountering the same problem of not having the device code. Is there a better way to authorise via the API?
Martyn Howie
Product Director for Cirrus Backup, a SAAS backup product powered by Veeam Backup for Microsoft 365
https://cirrusbackup.com
Cirrus Backup by CT4 - Veeam Australia and New Zealand Innovation Partner of the Year
Product Director for Cirrus Backup, a SAAS backup product powered by Veeam Backup for Microsoft 365
https://cirrusbackup.com
Cirrus Backup by CT4 - Veeam Australia and New Zealand Innovation Partner of the Year
-
- Product Manager
- Posts: 5803
- Liked: 1217 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: VBO API check userCode
For adding organisations, there shouldn’t be an issue as the device code is available that way. On which part are you struggling or seeing errors?
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
GitHub: https://github.com/nielsengelen
-
- Veeam Software
- Posts: 27
- Liked: 1 time
- Joined: Apr 01, 2021 3:01 am
- Full Name: Martyn Howie
- Contact:
Re: VBO API check userCode
As per the thread above get device code does not return a device code (https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=50) so we are unable to check whether the user has carried out the instructions.
Martyn Howie
Product Director for Cirrus Backup, a SAAS backup product powered by Veeam Backup for Microsoft 365
https://cirrusbackup.com
Cirrus Backup by CT4 - Veeam Australia and New Zealand Innovation Partner of the Year
Product Director for Cirrus Backup, a SAAS backup product powered by Veeam Backup for Microsoft 365
https://cirrusbackup.com
Cirrus Backup by CT4 - Veeam Australia and New Zealand Innovation Partner of the Year
-
- Product Manager
- Posts: 5803
- Liked: 1217 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: VBO API check userCode
That is only when you perform a restore. When adding an organization, this code is presented.
I wrote a blog post about adding the organization here: https://foonet.be/2020/09/24/veeam-back ... nizations/
I've also created a standalone example available via https://github.com/nielsengelen/veeam-r ... MFA-Tenant
I wrote a blog post about adding the organization here: https://foonet.be/2020/09/24/veeam-back ... nizations/
I've also created a standalone example available via https://github.com/nielsengelen/veeam-r ... MFA-Tenant
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
GitHub: https://github.com/nielsengelen
-
- Veeam Software
- Posts: 27
- Liked: 1 time
- Joined: Apr 01, 2021 3:01 am
- Full Name: Martyn Howie
- Contact:
Re: VBO API check userCode
Hi Niels
I'm not sure if I'm misunderstanding this, but when we call v5/DeviceCode we do not get a device code
{
"userCode": "XXXXXXXX",
"verificationUrl": "https://microsoft.com/devicelogin",
"expiresIn": 899,
"message": "To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXXXX to authenticate."
}
I'm not sure if I'm misunderstanding this, but when we call v5/DeviceCode we do not get a device code
{
"userCode": "XXXXXXXX",
"verificationUrl": "https://microsoft.com/devicelogin",
"expiresIn": 899,
"message": "To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXXXX to authenticate."
}
Martyn Howie
Product Director for Cirrus Backup, a SAAS backup product powered by Veeam Backup for Microsoft 365
https://cirrusbackup.com
Cirrus Backup by CT4 - Veeam Australia and New Zealand Innovation Partner of the Year
Product Director for Cirrus Backup, a SAAS backup product powered by Veeam Backup for Microsoft 365
https://cirrusbackup.com
Cirrus Backup by CT4 - Veeam Australia and New Zealand Innovation Partner of the Year
-
- Product Manager
- Posts: 5803
- Liked: 1217 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: VBO API check userCode
You don’t need to use /v5/deviceCode when adding the organization (as that is what your initial post was about). Are you talking about the restore and authentication confirmation now? As this is the only place where the deviceCode isn’t presented and you have to rely on the goodwill of the user performing the restore.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
GitHub: https://github.com/nielsengelen
-
- Veeam Software
- Posts: 27
- Liked: 1 time
- Joined: Apr 01, 2021 3:01 am
- Full Name: Martyn Howie
- Contact:
Re: VBO API check userCode
We are trying to create the Azure AD application at the same time, so from the blog post you referenced above:
For some context we want our customers to be able to self serve so are creating a portal they can register on. Telling them to follow instructions without being able to check if they have is not ideal as there are always some that don't read properlyThe final part of the JSON contains 3 parameters. Within the newApplicationName, you specify the name of the Azure AD application. Type is set to Office365 and the userCode.
...
The userCode can be obtained by performing a POST request against “/v4/DeviceCode“. Within the targetRegion, you specify the region of the organization which you will add.
...
This will provide us with a userCode which we can then use.
...
Important here is to perform the task requested. So head on over to microsoft.com/devicelogin and paste the userCode before moving forward with the API request for adding the organization.
Martyn Howie
Product Director for Cirrus Backup, a SAAS backup product powered by Veeam Backup for Microsoft 365
https://cirrusbackup.com
Cirrus Backup by CT4 - Veeam Australia and New Zealand Innovation Partner of the Year
Product Director for Cirrus Backup, a SAAS backup product powered by Veeam Backup for Microsoft 365
https://cirrusbackup.com
Cirrus Backup by CT4 - Veeam Australia and New Zealand Innovation Partner of the Year
-
- Product Manager
- Posts: 5803
- Liked: 1217 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: VBO API check userCode
Understood, now it is a bit more clear and explains the confusion from my side (as the initial topic was about restore, then it jumped on authentication but we are actually talking about adding the organization - many options ).
Well, if they don’t do it the endpoint call will fail with a related error which you can just show in your UI as well.
Even if we would have the deviceCode, it would only help in showing they did the authentication against Microsoft. The creation could still fail due to wrong account/permissions which we can only do once the necessary steps are followed by the customer.
While I understand your request (which is being tracked for a future release), this is always a part where you have to rely on the customer to use the correct account with the correct permissions. That is until we get more possibilities from Microsoft to verify things in a secure way (MFA is secure but not the easiest to analyse ).
Well, if they don’t do it the endpoint call will fail with a related error which you can just show in your UI as well.
Even if we would have the deviceCode, it would only help in showing they did the authentication against Microsoft. The creation could still fail due to wrong account/permissions which we can only do once the necessary steps are followed by the customer.
While I understand your request (which is being tracked for a future release), this is always a part where you have to rely on the customer to use the correct account with the correct permissions. That is until we get more possibilities from Microsoft to verify things in a secure way (MFA is secure but not the easiest to analyse ).
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
GitHub: https://github.com/nielsengelen
-
- Veeam Software
- Posts: 27
- Liked: 1 time
- Joined: Apr 01, 2021 3:01 am
- Full Name: Martyn Howie
- Contact:
Re: VBO API check userCode
Ah ok, I guess we can check for that error which and loop them back in the Wizard if needed, which will work. thanks for the help
Martyn Howie
Product Director for Cirrus Backup, a SAAS backup product powered by Veeam Backup for Microsoft 365
https://cirrusbackup.com
Cirrus Backup by CT4 - Veeam Australia and New Zealand Innovation Partner of the Year
Product Director for Cirrus Backup, a SAAS backup product powered by Veeam Backup for Microsoft 365
https://cirrusbackup.com
Cirrus Backup by CT4 - Veeam Australia and New Zealand Innovation Partner of the Year
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Oct 10, 2022 8:50 pm
- Full Name: frank zhang
- Contact:
Re: VBO API check userCode
Has there been any progress made on this? I tried to restore using user-code, but still not have the device-code in the response of /restoreSession/{id}/organization/restoreDeviceCode.
I could find in the GUI that the Restore button only enabled when you login to the Microsoft. So the GUI must have a method to check the status. What is the method the GUI invoked?
Thanks
I could find in the GUI that the Restore button only enabled when you login to the Microsoft. So the GUI must have a method to check the status. What is the method the GUI invoked?
Thanks
Who is online
Users browsing this forum: No registered users and 7 guests