Maintain control of your Microsoft 365 data
Post Reply
b.vanhaastrecht
Service Provider
Posts: 880
Liked: 164 times
Joined: Aug 26, 2013 7:46 am
Full Name: Bastiaan van Haastrecht
Location: The Netherlands
Contact:

VBO API check userCode

Post by b.vanhaastrecht »

Hello,

In the GUI when you perform a usercode authentication, you see it has been successfully been authenticated. I'm searching in the API to accomplish the same, but can't find a resource URL for it. Does the API support this currently?

Kind regards,
Bastiaan
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: VBO API check userCode

Post by nielsengelen »

This is not available within the VBO API. This is due to it requires a check against Microsoft's API if validation has happened.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
b.vanhaastrecht
Service Provider
Posts: 880
Liked: 164 times
Joined: Aug 26, 2013 7:46 am
Full Name: Bastiaan van Haastrecht
Location: The Netherlands
Contact:

Re: VBO API check userCode

Post by b.vanhaastrecht »

Ah ok, we can utilize graph API in our app. Do you perhaps have the resource URL?
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: VBO API check userCode

Post by nielsengelen »

You'll have to check for a 200 OK from https://login.microsoftonline.com/<tena ... uth2/token. Any other errors would mean the login didn't happen.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
b.vanhaastrecht
Service Provider
Posts: 880
Liked: 164 times
Joined: Aug 26, 2013 7:46 am
Full Name: Bastiaan van Haastrecht
Location: The Netherlands
Contact:

Re: VBO API check userCode

Post by b.vanhaastrecht »

I think I need the JWT token in order to check if the userCode authentication was valid. Since VBO does the authentication to MS I do not have access to the JWT token.
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: VBO API check userCode

Post by nielsengelen »

No, there is no need for the JWT token. You need to check if you get the right response from the URL provided. All codes are available on the Microsoft website.

As long as it states authorization_pending, you still need to verify it. If you do get a bearer token, you are authenticated.

I have some sample code (javascript based) available on GitHub.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
b.vanhaastrecht
Service Provider
Posts: 880
Liked: 164 times
Joined: Aug 26, 2013 7:46 am
Full Name: Bastiaan van Haastrecht
Location: The Netherlands
Contact:

Re: VBO API check userCode

Post by b.vanhaastrecht »

Nice, thanks Niels, will use your example to implement in our portal. Will let you know the outcome.
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
b.vanhaastrecht
Service Provider
Posts: 880
Liked: 164 times
Joined: Aug 26, 2013 7:46 am
Full Name: Bastiaan van Haastrecht
Location: The Netherlands
Contact:

Re: VBO API check userCode

Post by b.vanhaastrecht »

When we request a new DeviceCode from VBO API we get a response back which not include the device_code . We need the device_code in order to check the MS API if its authenticated.

What VBO returns:
https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=40

What MS requires:
https://docs.microsoft.com/nl-nl/azure/ ... evice-code
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: VBO API check userCode

Post by nielsengelen »

The device code comes from MS in the first request and you should re-use that one all the time. On what part are you stuck? Or are you trying to achieve?
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
b.vanhaastrecht
Service Provider
Posts: 880
Liked: 164 times
Joined: Aug 26, 2013 7:46 am
Full Name: Bastiaan van Haastrecht
Location: The Netherlands
Contact:

Re: VBO API check userCode

Post by b.vanhaastrecht »

We request a new user_code from VBO API, we call this request:

Code: Select all

/restoreSession/{id}/organization/restoreDeviceCode
We get back:

Code: Select all

{
  "userCode": "CWE5QHLNM",
  "verificationUrl": "https://microsoft.com/devicelogin",
  "expiresIn": 899,
  "message": "To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CWE5QHLNM to authenticate."
}
When we want to check MS API if the deviceCode is successfully authenticated, we need to POST the following parameters:
  • tenant Required
  • grant_type Required
  • client_id Required
  • device_code Required
We do NOT have the device_code, as it's not returned from the VBO restoreDeviceCode request.

I see two solutions:
1) Do not use VBO's restoreDeviceCode request, and do the authentication via MS directly so we have the device_code.
2) Veeam add the device_code to the restoreDeviceCode result.

Hope it's clear now.

(ps, Veeam should change the (restore)DeviceCode name resource routes as it returns the UserCode, not the DeviceCode :D )
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: VBO API check userCode

Post by nielsengelen »

I believe the verification isn’t needed for this part due to already being authenticated. I will check it and report back.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: VBO API check userCode

Post by nielsengelen »

@@b.vanhaastrecht Right now, there is indeed no way to the token verification against O365 so you'll have to trust your end-users to follow the procedure of the devicelogin.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
b.vanhaastrecht
Service Provider
Posts: 880
Liked: 164 times
Joined: Aug 26, 2013 7:46 am
Full Name: Bastiaan van Haastrecht
Location: The Netherlands
Contact:

Re: VBO API check userCode

Post by b.vanhaastrecht »

Ok, could you add option number 2 as a feature?

"Veeam add the device_code to the restoreDeviceCode result."
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
Mike Resseler
Product Manager
Posts: 8191
Liked: 1322 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: VBO API check userCode

Post by Mike Resseler »

Bastiaan,

We have plans for vNext to simplify further the login methods. But we are looking it into a different direction. I would prefer to allow userlogins instead of device code logins. But it is under investigation
martynh
Enthusiast
Posts: 27
Liked: 1 time
Joined: Apr 01, 2021 3:01 am
Full Name: Martyn Howie
Contact:

Re: VBO API check userCode

Post by martynh »

Has there been any progress made on this? We are trying to add organisations via the API but encountering the same problem of not having the device code. Is there a better way to authorise via the API?
Martyn Howie
Product Director for Cirrus Backup, a SAAS backup product powered by Veeam Backup for Microsoft 365
https://cirrusbackup.com
Cirrus Backup by CT4 - Veeam Australia and New Zealand Innovation Partner of the Year
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: VBO API check userCode

Post by nielsengelen »

For adding organisations, there shouldn’t be an issue as the device code is available that way. On which part are you struggling or seeing errors?
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
martynh
Enthusiast
Posts: 27
Liked: 1 time
Joined: Apr 01, 2021 3:01 am
Full Name: Martyn Howie
Contact:

Re: VBO API check userCode

Post by martynh »

As per the thread above get device code does not return a device code (https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=50) so we are unable to check whether the user has carried out the instructions.
Martyn Howie
Product Director for Cirrus Backup, a SAAS backup product powered by Veeam Backup for Microsoft 365
https://cirrusbackup.com
Cirrus Backup by CT4 - Veeam Australia and New Zealand Innovation Partner of the Year
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: VBO API check userCode

Post by nielsengelen »

That is only when you perform a restore. When adding an organization, this code is presented.

I wrote a blog post about adding the organization here: https://foonet.be/2020/09/24/veeam-back ... nizations/

I've also created a standalone example available via https://github.com/nielsengelen/veeam-r ... MFA-Tenant
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
martynh
Enthusiast
Posts: 27
Liked: 1 time
Joined: Apr 01, 2021 3:01 am
Full Name: Martyn Howie
Contact:

Re: VBO API check userCode

Post by martynh »

Hi Niels
I'm not sure if I'm misunderstanding this, but when we call v5/DeviceCode we do not get a device code
{
"userCode": "XXXXXXXX",
"verificationUrl": "https://microsoft.com/devicelogin",
"expiresIn": 899,
"message": "To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXXXX to authenticate."
}
Martyn Howie
Product Director for Cirrus Backup, a SAAS backup product powered by Veeam Backup for Microsoft 365
https://cirrusbackup.com
Cirrus Backup by CT4 - Veeam Australia and New Zealand Innovation Partner of the Year
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: VBO API check userCode

Post by nielsengelen »

You don’t need to use /v5/deviceCode when adding the organization (as that is what your initial post was about). Are you talking about the restore and authentication confirmation now? As this is the only place where the deviceCode isn’t presented and you have to rely on the goodwill of the user performing the restore.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
martynh
Enthusiast
Posts: 27
Liked: 1 time
Joined: Apr 01, 2021 3:01 am
Full Name: Martyn Howie
Contact:

Re: VBO API check userCode

Post by martynh »

We are trying to create the Azure AD application at the same time, so from the blog post you referenced above:
The final part of the JSON contains 3 parameters. Within the newApplicationName, you specify the name of the Azure AD application. Type is set to Office365 and the userCode.
...
The userCode can be obtained by performing a POST request against “/v4/DeviceCode“. Within the targetRegion, you specify the region of the organization which you will add.
...
This will provide us with a userCode which we can then use.
...
Important here is to perform the task requested. So head on over to microsoft.com/devicelogin and paste the userCode before moving forward with the API request for adding the organization.
For some context we want our customers to be able to self serve so are creating a portal they can register on. Telling them to follow instructions without being able to check if they have is not ideal as there are always some that don't read properly :roll:
Martyn Howie
Product Director for Cirrus Backup, a SAAS backup product powered by Veeam Backup for Microsoft 365
https://cirrusbackup.com
Cirrus Backup by CT4 - Veeam Australia and New Zealand Innovation Partner of the Year
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: VBO API check userCode

Post by nielsengelen »

Understood, now it is a bit more clear and explains the confusion from my side (as the initial topic was about restore, then it jumped on authentication but we are actually talking about adding the organization - many options :-)).

Well, if they don’t do it the endpoint call will fail with a related error which you can just show in your UI as well.

Even if we would have the deviceCode, it would only help in showing they did the authentication against Microsoft. The creation could still fail due to wrong account/permissions which we can only do once the necessary steps are followed by the customer.

While I understand your request (which is being tracked for a future release), this is always a part where you have to rely on the customer to use the correct account with the correct permissions. That is until we get more possibilities from Microsoft to verify things in a secure way (MFA is secure but not the easiest to analyse :-)).
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
martynh
Enthusiast
Posts: 27
Liked: 1 time
Joined: Apr 01, 2021 3:01 am
Full Name: Martyn Howie
Contact:

Re: VBO API check userCode

Post by martynh »

Ah ok, I guess we can check for that error which and loop them back in the Wizard if needed, which will work. thanks for the help :)
Martyn Howie
Product Director for Cirrus Backup, a SAAS backup product powered by Veeam Backup for Microsoft 365
https://cirrusbackup.com
Cirrus Backup by CT4 - Veeam Australia and New Zealand Innovation Partner of the Year
FrankZhang
Lurker
Posts: 1
Liked: never
Joined: Oct 10, 2022 8:50 pm
Full Name: frank zhang
Contact:

Re: VBO API check userCode

Post by FrankZhang »

Has there been any progress made on this? I tried to restore using user-code, but still not have the device-code in the response of /restoreSession/{id}/organization/restoreDeviceCode.
I could find in the GUI that the Restore button only enabled when you login to the Microsoft. So the GUI must have a method to check the status. What is the method the GUI invoked?
Thanks
Post Reply

Who is online

Users browsing this forum: No registered users and 6 guests