I'm trying to upload a file to a container in Azure Storage using Azure Active Directory (AAD) Authentication and REST API's. I can't figure out what is missing in the workflow below, but it always fails.
How it works:
A service principal (SP) was created in AAD
A client_secret was generated for this SP
Contributor role added to the Storage Account for the SP, at the Storage Account-level
Side question: Can the Storage Blob Data Contributor role be scoped down to the Container-level instead of granting at the Account-level?
Sample authentication request:
Method: GET
URL: https://login.microsoftonline.com/<my_tenant>/oauth2/v2.0/token
Body: x-www-form-urlencoded
grant_type: client_credentials
client_id: <client_id>
scope: https://graph.microsoft.com/.default
client_secret: <client_secret>
Header(s):
content-type: application/x-www-form-urlencoded
Sample auth. response:
Status: 200
Body:
{
"token_type": "Bearer",
"expires_in": 3599,
"ext_expires_in": 3599,
"access_token": "<auth_token>"
}
No problem thus far. The <auth_token> from this request is then used to send a PUT request to upload file to Azure Storage Container
Sample upload request:
Method: PUT
URL: https://<stg-account-name>.blob.core.windows.net/<container-name>/<file-name>.json
Body: binary
<file-name>.json
Header(s):
x-ms-blob-type: BlockBlob
x-ms-version: 2020-04-08
Required for AAD auth (at least per this doc)
Authentication: Bearer <auth_token>
Sample upload response:
Status: 401
Body:
<?xml version="1.0" encoding="utf-8"?>
<Error>
<Code>InvalidAuthenticationInfo</Code>
<Message>Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
RequestId:<guid>
Time:2022-09-26T18:29:27.4477615Z</Message>
<AuthenticationErrorDetail>Signature validation failed. Signature verification failed.</AuthenticationErrorDetail>
</Error>
Tried:
Removing the Bearer keyword from the Authentication header
Results in Status 403
Changing the x-ms-version header from 2017-11-09 to 2020-04-08
No change
Questions
What is missing here?
Where is this covered in the documentation?
EDIT1
RE: "What is missing here?"
Thank you #gaurav-mantri, your suggested worked!
I changed the scope header to https://storage.azure.com/.default in the auth request.
The subsequent upload request responded with status 201.
RE: "Can you help me find this referenced in the docs?"
Thank you again #gaurav-mantri, here is the doc ref
I tried to reproduce the same in my environment and got the below results:
I created one service principal Test and added Contributor role to it at storage account level as below:
I generated the access token with same parameters as you like below:
When I use the above access token to upload file via PUT request, I am getting same error as you like this:
To resolve the error, you need to add Storage Blob Data Contributor role to your service principal at Azure Storage container level as below:
Now, I generated access token by changing scope to https://storage.azure.com/.default like this:
With this token, I am able to upload file to Azure Storage container successfully as below:
When I checked Azure Portal, file got uploaded successfully like this:
If you generated the token by changing the scope to https://storage.azure.com/.default and did not assign Storage Blob Data Contributor role, you will get 403 error like below:
So, make sure to grant Storage Blob Data Contributor role to service principal before generating access token.
Related
I am trying to access "https://graph.microsoft.com/v1.0/me/messages" API by JAVA SDK provided by Microsoft.
I am using the below code.
final AuthorizationCodeCredential authCodeCredential = new AuthorizationCodeCredentialBuilder()
.clientId("b****08f-*****-4d49-****-cba7d9a****c")
.clientSecret("8***7Q~GW0N******Y_N*****Zi******")
.authorizationCode("0.AVUAoIQSV...")
.redirectUrl("http://localhost/auth-responses")
.build();
Now it is giving me error like "The tenant for tenant guid '571284a0---****-a94eea6c6b3f' does not exist."
I tried the Same thing by postman, here I tried to get token by below end point.
"https://login.microsoftonline.com/common/oauth2/token"
after getting the token I am using it in "https://graph.microsoft.com/v1.0/me/messages" as Bearer Token. Still, I am getting the same issue.
But the token I am receiving in every case is not same as graph explorer Access Token
If I copy Graph Explorer Access Token and use it in postman then it gives me the desired result.
I am using a personal account for all of this process which ends with "#outlook.com".
I want to know why I am getting different access tokens than graph explorer access tokens and why that access token is not able to access the endpoints.
I have tested in my environment.
The access token generated from the Graph Explorer will be different from the access token generated from the Postman. This is because, the access token generated from graph explorer uses only the user credentials. The access token generated from postman uses client id and the client secret along with user credentials.
If the app registration supports Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox), then only you can use personal account to generate the access token and use it to call the request for https://graph.microsoft.com/v1.0/me/messages only if the app registration have Microsoft Graph mail.read delegated permissions.
Paste the below URL in the browser. The code will be generated. Copy the code.
https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize?
client_id=app-client-id
&response_type=code
&response_mode=query
&scope=mail.read
Make the below POST request in the postman to generate the access token :
POST https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
Headers :
Content-Type: application/x-www-form-urlencoded
Body :
client_id: App Client ID
grant_type: authorization_code
scope: user.read%20mail.read
code: Code received in the first step
client_secret: Client Secret Generated in the App
Copy the Access token and make the below get request in the postman to read the messages :
GET https://graph.microsoft.com/v1.0/me/messages
Headers:
Authorization : Bearer access-token
We try to create an AAD service principal for retrieving data from out Log Analytics workspace.
Our AAD region is located in Germany
Log Analytics is located in North Europe
When attempting to create API permissions, the address to the API itself is mentioning westus2.api.loganalytics.io (west US region) which is a no go for our company data privacy.
Is there any reason of this default and not editable settings ? Is there any way to overcome it ?
Well, if so, you could get the token for ARM API endpoint, then call the ARM API.
In this way, no need to add the API permission for your AD App, just make sure your AD App has an RBAC role e.g. Contributor, Log Analytics Reader in the Access control (IAM) of your workspace, if not, follow this doc to add it.
Then use the client credential flow to get the token.
POST /YOUR_AAD_TENANT/oauth2/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id=YOUR_CLIENT_ID
&redirect_uri=YOUR_REDIRECT_URI
&resource=https://management.azure.com/
&client_secret=YOUR_CLIENT_SECRET
After getting the token, use it to call the api like the sample below.
GET https://management.azure.com/subscriptions/6c3ac85e-59d5-4e5d-90eb-27979f57cb16/resourceGroups/demo/providers/Microsoft.OperationalInsights/workspaces/demo-ws/api/query
Authorization: Bearer <access_token>
Prefer: response-v1=true
{
"query": "AzureActivity | limit 10"
}
For more details, refer to this link.
I'm trying to get an embed token for power bi embedded.
I'm using 'App owns data' embed scenario.
I first get the access token of Azure AD and use it as Bearer token when calling embed token
Here is my Postman request details:
https://api.powerbi.com/v1.0/myorg/groups/{groyupid}/dashboards/{dashboardid}/GenerateToken
Request body
{accessLevel:"View"}
In authorization section I added the access token.
I received a 403 Forbidden response.
Here how I get the access token
I noticed that there is also another url to get token : https://login.microsoftonline.com/common/oauth2/token
What is the difference between the one with tenant id in the url
Then permissions for the AAD PowerBI application
Update
Thanks for the help I get another 404 not found error now
{
"error": {
"code": "PowerBIEntityNotFound",
"pbi.error": {
"code": "PowerBIEntityNotFound",
"parameters": {},
"details": [],
"exceptionCulprit": 1
}
}
}
For information I have added permission in PBI admin portal to pbireportingGroup an Azure security group that I created. ( as mentionned in docs )
Then I added to this group the AAD as member
Is that what should I do ?
403 means that your access token doesn't have the required permissions.
And you need to add the master account and service principal as the owner of the group / workspace (it may take 15 minutes to take effect).
UPDATE:
Now that you are using client credential flow, you should set application permissions:
And the resource in the request body should be https://analysis.windows.net/powerbi/api/.
Besides, you need to add the service principal as the admin of this workspace in Azure AD. (enter the name of your Azure AD app, and it will recognize its client id)
I am trying to build a website where a user can log in via Azure AD B2C. After logging in, I'm trying to present a secure area where the user can change their Azure B2C user attributes (first name, last name, etc) via the Microsoft Graph API.
I am attempting to follow along with the Get a Token documentation
Everything is working up to step #3, where a call gets made out to https://login.microsoftonline.com/common/oauth2/v2.0/token to obtain an access_token using the code I received on my return URL.
Here's the general flow of what I am doing:
End user clicks a login link on my localhost site that links out to my Azure B2C tenant policy. Link looks something like this:
https://login.microsoftonline.com/mytenantname.onmicrosoft.com/oauth2/v2.0/authorize
?client_id=[MyAppID]
&response_type=code+id_token
&redirect_uri=http%3A%2F%2Flocalhost%3A17000%2Fprocessing%2Findex
&response_mode=query
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.write
&state=[MyCustomState]&p=[MyCustomPolicy]
User logs in and gets redirected to the redirect_uri.
redirect_uri successfully recieves code, id_token, and state values.
I take the code value from that and makes a POST https://login.microsoftonline.com/common/oauth2/v2.0/token request with the following body:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
HTTP/1.1
grant_type=authorization_code
&code=[code]
&client_secret=[application secret]
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.readwrite
&redirect_uri=http%3A%2F%2Flocalhost%3A17000%2Fprocessing%2Findex
The response code I receive back from that endpoint is the above error message.
{
"error": "invalid_grant",
"error_description": "AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID:6d7a8e32-bcbf-4fc4-a37a-87dae4781b00\r\nCorrelation ID:252912b7-5775-491a-968f-00ab03696dd9\r\nTimestamp: 2019-06-2722:11:18Z",
"error_codes": [9002313],
"timestamp": "2019-06-27 22:11:18Z",
"trace_id": "6d7a8e32-bcbf-4fc4-a37a-87dae4781b00",
"correlation_id": "252912b7-5775-491a-968f-00ab03696dd9"
}
Other StackOverflow posts mention verifying that the redirect_uri's have to match between the initial login and the subsequent access_token requests. They appear identical to me, but I am still receiving errors.
Any ideas what could be going wrong?
This is something you need to understand about OAuth on B2C before you are able to successfully request for a token.
This error means that the requested scope (resource) can’t be accessed by you (login user) because of the lack of permissions.
So, to fix that, you need to grant these required permissions to access that resource, by following these steps:
Define a new scope.
Grant Admin consent on that scope.
Request that scope when you request for a token.
In other words, in B2C-->App Registrations--> (Your App), shown in the image below, start with “Expose an API”, here you define a new scope of access, scope of resources or API, just a metadata that you know it represents some resources or API.
Then you click on “API Permissions”, here you will add the scope you just created and grand admin access in needed. But al least you need to add permissions to your newly defined scope.
The third and last step is when you hit: https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token
Make sure to pass the scope that you added. (Use the scope that you added)
The details are explained in here but I can simplify it for you.
configure b2c
So you need to go to your B2C
Seems you are trying to get access token using Authorization Code Grant V2.0
Your request doesn't match with Authorization Code Grant V2.0 format and you have encountered that error.
You should send token request for Authorization Code Grant V2.0 is like below:
Token Endpoint: `https://login.microsoftonline.com/common/oauth2/v2.0/token`
client_id:b603c7be-_YourApp_ID-e6921e61f925
scope:https://graph.microsoft.com/User.ReadWrite.All
redirect_uri:https://www.getpostman.com/oauth2/callback
grant_type:authorization_code
client_secret:Vxf1SluKbgu4P_YourAppSecret_DSeZ8wL/Yp8ns4sc=
code:OAQABAAIAAADCoMpjJXrxTq9VG9te-7FXrnBIp82sWR1nC
See Screen shot for details:
I am doing azure active directory authentication for function app by following below URL
https://www.c-sharpcorner.com/article/secure-azure-function-with-azure-ad/
But when i hitting my url through function app
It is giving unauthorized do i need to do anything else
please find the below screen shots.
any help is appreciated
We could use the access token to access your Azure function API directly if your azure function authentication level is anonymous or function key is also required. The detailed steps are as below.
Configure Azure AD for Azure Function. Please refer to https://learn.microsoft.com/en-us/azure/azure-functions/functions-how-to-use-azure-function-app-settings#auth.
Get Access token
I get an access token from AAD using clientID and clientSecret using the following code:
METHOD: POST
Url : https://login.microsoftonline.com/your directory ID/oauth2/token
HEADERS: Content-Type : application/x-www-form-urlencoded
BODY: grant_type+=client_credentials&resource+=”your Function url”&client_id+++++=”the application that your register id”&client_secret+=”the key you create”
Please note that according to the Azure Resources portal (https://resources.azure.com/), the default allowedAudiences is
https://{functionAppName}.azurewebsites.net/.auth/login/aad/callback
So I added the https://{functionAppName}.azurewebsites.net/ as allowed audiences.
Then I can use the access token directly. I tested it with Postman:
Please note that if your azure function authentication level is not anonymous, you need to add the function key