VBO API check userCode

[b.vanhaastrecht]

Hello,

In the GUI when you perform a usercode authentication, you see it has been successfully been authenticated. I'm searching in the API to accomplish the same, but can't find a resource URL for it. Does the API support this currently?

Kind regards,
Bastiaan

[nielsengelen]

This is not available within the VBO API. This is due to it requires a check against Microsoft's API if validation has happened.

[b.vanhaastrecht]

Ah ok, we can utilize graph API in our app. Do you perhaps have the resource URL?

[nielsengelen]

You'll have to check for a 200 OK from https://login.microsoftonline.com/<tena ... uth2/token. Any other errors would mean the login didn't happen.

[b.vanhaastrecht]

I think I need the JWT token in order to check if the userCode authentication was valid. Since VBO does the authentication to MS I do not have access to the JWT token.

[nielsengelen]

No, there is no need for the JWT token. You need to check if you get the right response from the URL provided. All codes are available on the Microsoft website.

As long as it states authorization_pending, you still need to verify it. If you do get a bearer token, you are authenticated.

I have some sample code (javascript based) available on GitHub.

[b.vanhaastrecht]

Nice, thanks Niels, will use your example to implement in our portal. Will let you know the outcome.

[b.vanhaastrecht]

When we request a new DeviceCode from VBO API we get a response back which not include the device_code . We need the device_code in order to check the MS API if its authenticated.

What VBO returns:
https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=40

What MS requires:
https://docs.microsoft.com/nl-nl/azure/ ... evice-code

[nielsengelen]

The device code comes from MS in the first request and you should re-use that one all the time. On what part are you stuck? Or are you trying to achieve?

[b.vanhaastrecht]

We request a new user_code from VBO API, we call this request:

Code: Select all

/restoreSession/{id}/organization/restoreDeviceCode

We get back:

Code: Select all

{
  "userCode": "CWE5QHLNM",
  "verificationUrl": "https://microsoft.com/devicelogin",
  "expiresIn": 899,
  "message": "To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CWE5QHLNM to authenticate."
}

When we want to check MS API if the deviceCode is successfully authenticated, we need to POST the following parameters:

• tenant Required

• grant_type Required

• client_id Required

• device_code Required

We do NOT have the device_code, as it's not returned from the VBO restoreDeviceCode request.

I see two solutions:
1) Do not use VBO's restoreDeviceCode request, and do the authentication via MS directly so we have the device_code.
2) Veeam add the device_code to the restoreDeviceCode result.

Hope it's clear now.

(ps, Veeam should change the (restore)DeviceCode name resource routes as it returns the UserCode, not the DeviceCode )

[nielsengelen]

I believe the verification isn’t needed for this part due to already being authenticated. I will check it and report back.

[nielsengelen]

@@b.vanhaastrecht Right now, there is indeed no way to the token verification against O365 so you'll have to trust your end-users to follow the procedure of the devicelogin.

[b.vanhaastrecht]

Ok, could you add option number 2 as a feature?

"Veeam add the device_code to the restoreDeviceCode result."

[Mike Resseler]

Bastiaan,

We have plans for vNext to simplify further the login methods. But we are looking it into a different direction. I would prefer to allow userlogins instead of device code logins. But it is under investigation

[martynh]

Has there been any progress made on this? We are trying to add organisations via the API but encountering the same problem of not having the device code. Is there a better way to authorise via the API?

[nielsengelen]

For adding organisations, there shouldn’t be an issue as the device code is available that way. On which part are you struggling or seeing errors?

[martynh]

As per the thread above get device code does not return a device code (https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=50) so we are unable to check whether the user has carried out the instructions.

[nielsengelen]

That is only when you perform a restore. When adding an organization, this code is presented.

I wrote a blog post about adding the organization here: https://foonet.be/2020/09/24/veeam-back ... nizations/

I've also created a standalone example available via https://github.com/nielsengelen/veeam-r ... MFA-Tenant

[martynh]

Hi Niels
I'm not sure if I'm misunderstanding this, but when we call v5/DeviceCode we do not get a device code
{
"userCode": "XXXXXXXX",
"verificationUrl": "https://microsoft.com/devicelogin",
"expiresIn": 899,
"message": "To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXXXX to authenticate."
}

[nielsengelen]

You don’t need to use /v5/deviceCode when adding the organization (as that is what your initial post was about). Are you talking about the restore and authentication confirmation now? As this is the only place where the deviceCode isn’t presented and you have to rely on the goodwill of the user performing the restore.

[martynh]

We are trying to create the Azure AD application at the same time, so from the blog post you referenced above:

The final part of the JSON contains 3 parameters. Within the newApplicationName, you specify the name of the Azure AD application. Type is set to Office365 and the userCode.
...
The userCode can be obtained by performing a POST request against “/v4/DeviceCode“. Within the targetRegion, you specify the region of the organization which you will add.
...
This will provide us with a userCode which we can then use.
...
Important here is to perform the task requested. So head on over to microsoft.com/devicelogin and paste the userCode before moving forward with the API request for adding the organization.

For some context we want our customers to be able to self serve so are creating a portal they can register on. Telling them to follow instructions without being able to check if they have is not ideal as there are always some that don't read properly

[nielsengelen]

Understood, now it is a bit more clear and explains the confusion from my side (as the initial topic was about restore, then it jumped on authentication but we are actually talking about adding the organization - many options ).

Well, if they don’t do it the endpoint call will fail with a related error which you can just show in your UI as well.

Even if we would have the deviceCode, it would only help in showing they did the authentication against Microsoft. The creation could still fail due to wrong account/permissions which we can only do once the necessary steps are followed by the customer.

While I understand your request (which is being tracked for a future release), this is always a part where you have to rely on the customer to use the correct account with the correct permissions. That is until we get more possibilities from Microsoft to verify things in a secure way (MFA is secure but not the easiest to analyse ).

[martynh]

Ah ok, I guess we can check for that error which and loop them back in the Wizard if needed, which will work. thanks for the help

[FrankZhang]

Has there been any progress made on this? I tried to restore using user-code, but still not have the device-code in the response of /restoreSession/{id}/organization/restoreDeviceCode.
I could find in the GUI that the Restore button only enabled when you login to the Microsoft. So the GUI must have a method to check the status. What is the method the GUI invoked?
Thanks