I am trying to get the user access token for accessing Graph APIs from the node.js code.
My Request:
POST https://login.microsoftonline.com/<AD-Tenant-Id>/oauth2/v2.0/token
client_id: <application ID>
client_secret: <secret string>
scope: User.Read
response_type: "code"
grant_type: "password"
username: <user email>
password: <user password>
I get error:
AADSTS50076: Due to a configuration change made by your administrator,
or because you moved to a new location, you must use multi-factor authentication to access....
I am using postman for testing the request.
In my AD I have multi-factor authentication disabled.
And "Security Defaults" are set to "enable".
If I "disable" the "Security Defaults", then I am able to get the token.
Is there a way I can keep the "Security Defaults" enabled and get the token, without the user interaction?
You can try out Get access on behalf of a user , ref doc - https://learn.microsoft.com/en-us/graph/auth-v2-user#3-get-a-token
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=11111111-1111-1111-1111-111111111111
&scope=user.read%20mail.read
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&client_secret=jXoM3iz...
Hope this will help.
Related
I try to call this API -> https://graph.microsoft.com/v1.0/me/chats
I'm also passed Authorization Bearer token in header but i got below error
{
"error": {
"code": "Forbidden",
"message": "No authorization information present on the request.",
"innerError": {
"date": "2023-01-12T09:37:45",
"request-id": "1975336f-42b0-49a1-8110-a1092f07c130",
"client-request-id": "1975336f-42b0-49a1-8110-a1092f07c130"
}
}
}
I have use this scopes to generate token
user.read Mail.Send Mail.Read Mail.ReadBasic Mail.ReadWrite GroupMember.Read.All Group.Read.All Directory.Read.All Group.ReadWrite.All Directory.ReadWrite.All Chat.ReadBasic Chat.Read Chat.ReadWrite openid profile offline_access
I have use this endpoint https://login.microsoftonline.com/common/oauth2/v2.0/token for acquire token
By using generated token I'm able to send mail , receive mail and etc but not able to call /chats api and other microsoft teams api
What should i do to get successful response from https://graph.microsoft.com/v1.0/me/chats API.
I got this scope in token authorized response
enter image description here
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application and added API permission:
I generated the access token using Authorization Code Flow.
Generated Access token using below parameters:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=RedirectURI
&response_mode=query
&scope=https://graph.microsoft.com/Chat.ReadWrite
&state=12345
I generated the access token by using below parameters:
GET https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/Chat.ReadWrite
grant_type:authorization_code
redirect_uri:RedirectUri
code:code
To get the chat, I used the below query:
https://graph.microsoft.com/v1.0/me/chats
If still the issue persists, check if the licenses are assigned to the user.
Reference:
Get chat - Microsoft Graph v1.0 | Microsoft Learn
I'm trying to upload a file to a container in Azure Storage using Azure Active Directory (AAD) Authentication and REST API's. I can't figure out what is missing in the workflow below, but it always fails.
How it works:
A service principal (SP) was created in AAD
A client_secret was generated for this SP
Contributor role added to the Storage Account for the SP, at the Storage Account-level
Side question: Can the Storage Blob Data Contributor role be scoped down to the Container-level instead of granting at the Account-level?
Sample authentication request:
Method: GET
URL: https://login.microsoftonline.com/<my_tenant>/oauth2/v2.0/token
Body: x-www-form-urlencoded
grant_type: client_credentials
client_id: <client_id>
scope: https://graph.microsoft.com/.default
client_secret: <client_secret>
Header(s):
content-type: application/x-www-form-urlencoded
Sample auth. response:
Status: 200
Body:
{
"token_type": "Bearer",
"expires_in": 3599,
"ext_expires_in": 3599,
"access_token": "<auth_token>"
}
No problem thus far. The <auth_token> from this request is then used to send a PUT request to upload file to Azure Storage Container
Sample upload request:
Method: PUT
URL: https://<stg-account-name>.blob.core.windows.net/<container-name>/<file-name>.json
Body: binary
<file-name>.json
Header(s):
x-ms-blob-type: BlockBlob
x-ms-version: 2020-04-08
Required for AAD auth (at least per this doc)
Authentication: Bearer <auth_token>
Sample upload response:
Status: 401
Body:
<?xml version="1.0" encoding="utf-8"?>
<Error>
<Code>InvalidAuthenticationInfo</Code>
<Message>Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
RequestId:<guid>
Time:2022-09-26T18:29:27.4477615Z</Message>
<AuthenticationErrorDetail>Signature validation failed. Signature verification failed.</AuthenticationErrorDetail>
</Error>
Tried:
Removing the Bearer keyword from the Authentication header
Results in Status 403
Changing the x-ms-version header from 2017-11-09 to 2020-04-08
No change
Questions
What is missing here?
Where is this covered in the documentation?
EDIT1
RE: "What is missing here?"
Thank you #gaurav-mantri, your suggested worked!
I changed the scope header to https://storage.azure.com/.default in the auth request.
The subsequent upload request responded with status 201.
RE: "Can you help me find this referenced in the docs?"
Thank you again #gaurav-mantri, here is the doc ref
I tried to reproduce the same in my environment and got the below results:
I created one service principal Test and added Contributor role to it at storage account level as below:
I generated the access token with same parameters as you like below:
When I use the above access token to upload file via PUT request, I am getting same error as you like this:
To resolve the error, you need to add Storage Blob Data Contributor role to your service principal at Azure Storage container level as below:
Now, I generated access token by changing scope to https://storage.azure.com/.default like this:
With this token, I am able to upload file to Azure Storage container successfully as below:
When I checked Azure Portal, file got uploaded successfully like this:
If you generated the token by changing the scope to https://storage.azure.com/.default and did not assign Storage Blob Data Contributor role, you will get 403 error like below:
So, make sure to grant Storage Blob Data Contributor role to service principal before generating access token.
I have set up a B2C identity provider pointing to the online test version of IdentityServer4:
https://demo.identityserver.io
My app registration is for a SPA application.
My user policy is a standard SUSI one.
Using the "Run now" option, the following parameters are sent:
p: B2C_1_SUSI_B2C
client_id: 5e58...620a
nonce: defaultNonce
redirect_uri: https://jwt.ms
scope: openid
response_type: code
prompt: login
code_challenge_method: S256
code_challenge: D9pGhYDch4f8F3V0MsDvaEQWH3-ssqucs3ixxTAgX6k
This contains the PKCE parameters as expected.
I get the B2C login screen and click the IdentityServer4 button.
The following parameters are sent to IdentityServer4:
client_id: interactive.public
redirect_uri: https://tenant.b2clogin.com/tenant.onmicrosoft.com/oauth2/authresp
response_type: code
scope: openid
response_mode: form_post
nonce: HZ0avacgvKw5Jyp6W4k1Tw==
ui_locales: en-US
state: StateProperties=eyJTSUQiOiJ4....
Notice that there are no longer any PKCE parameters.
IdentityServer4 responds:
Error
Sorry, there was an error : invalid_request
code challenge required
How do you get the PKCE parameters to be forwarded?
This is not possible right now. There is also almost no value to use PKCE here as it is a confidential client flow.
We are using custom web api and angular as a front-end. We already have active directory access token and we need to access SharePoint lists under user context. How to use azure active directory token to generate user access token to access SharePoint on behalf of Flow?
To use the acquired access_token to request new access_token from another API, you could use the on_behalf_of flow.
For V2 enpoint, the request URL:
https://login.microsoftonline.com//oauth2/v2.0/token
POST /oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&client_id=<application-id>
&client_secret=<key value>
&assertion=<acquired access_token>
&requested_token_use=on_behalf_of
&scope=https://graph.microsoft.com/User.Read email(here the example API is [ms graph API][1], and the permissions are User.Read and email)
For the details, you could refer to this dos.
I have setup an Office 365 E3 trial account. I registered two apps in AAD.
The first one uses the "authorization code flow" and does work as expected (can access the logged in users calendar).
The second app uses the "client credentials flow" and does not work.
login in Browser (Edge)
GET /OAuthTest3 HTTP/1.1
HTTP/1.1 302 Found
Location: https://login.microsoftonline.com/<tenant>/adminconsent?client_id=<app_id>&redirect_uri=http://localhost:1234/OAuthTest3
GET /OAuthTest3?admin_consent=True&tenant=<tenant> HTTP/1.1
HTTP/1.1 200 OK
connect to https://login.microsoftonline.com/
POST /<tenant>/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
client_id=<app_id>&
client_secret=<client_secret>&
grant_type=client_credentials&
redirect_uri=http://localhost:1234/OAuthTest3&
resource=https://graph.microsoft.com/&
scope=https://graph.microsoft.com/calendars.readwrite
HTTP/1.1 200 OK
{
"token_type": "Bearer",
"expires_in": "3600",
"ext_expires_in": "0",
"expires_on": "1504333342",
"not_before": "1504329442",
"resource": "https://graph.microsoft.com/",
"access_token": <token>
}
connect to https://graph.microsoft.com/
GET /v1.0/users/<user>/calendars HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer <token>
HTTP/1.1 403 Forbidden
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "e7228de4-2b27-4779-abef-ccab0d88970a",
"date": "2017-09-02T05:22:27"
}
}
}
In order to use Client Credentials flow in AAD V2.0, you need to first object Admin Consent for your application. This is true even if you wouldn't need consent for the same scope using Authorization Code grant.
Take a look at v2 Endpoint and Admin Consent for a walk-through on obtaining consent.
UPDATE:
Scopes work differently with Client Credentials. Rather than dynamically requesting the scopes using a space delimited list (https://graph.microsoft.com/user.read https://graph.microsoft.com/calendars.readwrite), you need to define them in your app's registration.
This is done using the https://apps.dev.microsoft.com portal. In your app's registration, find the "Application Permissions" section and click the "Add" button. This will pop a dialog where you can select the permissions you need:
In your application, you also need to change your scope parameter so the system knows to use the scopes from your registration. This is done by passing https://graph.microsoft.com/.default for the scope:
POST /<tenant>/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
client_id=<app_id>&
client_secret=<client_secret>&
grant_type=client_credentials&
redirect_uri=http://localhost:1234/OAuthTest3&
resource=https://graph.microsoft.com/&
scope=https://graph.microsoft.com/.default
Important: Any time you make a change to your scopes, you will have to re-execute the Admin Consent flow before those new scopes will consented.