Error "invalid_grant" AADSTS65001 when trying to exchange access token - azure-active-directory

I am trying to get an access token by exchanging it using this https://login.microsoftonline.com/common/oauth2/v2.0/token
These are the parameters which are valid:
And when I add another permission in the scope, like this one: Files.Read.All. It returns this message:
{
"error": "invalid_grant",
"error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID 'bbb71de5-d64e-4ad1-9994-40d0ff295dbb' named 'TeamsAddIn'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 86abe785-dc17-4a3f-9884-ff9582c2cb00\r\nCorrelation ID: b7b8a51a-78bc-410b-861f-ebcb4bd76adc\r\nTimestamp: 2022-05-18 10:51:47Z",
"error_codes": [
65001
],
"timestamp": "2022-05-18 10:51:47Z",
"trace_id": "86abe785-dc17-4a3f-9884-ff9582c2cb00",
"correlation_id": "b7b8a51a-78bc-410b-861f-ebcb4bd76adc",
"suberror": "consent_required"
}
I have the consent granted withing the app:
And also have consented using this multiple times: https://login.microsoftonline.com/{tenant id}/adminconsent?client_id={client id}&state=12345&redirect_uri={redirect_uri}
How could I resolve this?

Using this url to grant access worked: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=<yourClientID>&response_type=token+id_token&redirect_uri=<YourRedirectUri>&scope=user.read+openid+profile+email&response_mode=fragment&state=12345&nonce=678910

Related

AADSTS70003: The app requested an unsupported grant type 'client_credential'

I am actually testing the call of Graph API from POSTMAN in order to get access to Active Directory information.
I have follow the steps mentionned in this ticket:
How to call azure graph api
When posting the request in order to get my TOKEN ID as explain in the link above, then I get a return error as below :
"error": "unsupported_grant_type",
"error_description": "AADSTS70003: The app requested an unsupported grant type 'client_credential'.\r\nTrace ID: 0cdad91b-0ba8-4310-92d4-f0aff8bb1d00\r\nCorrelation ID: fdf416d6-eb81-4a5c-9577-af9d9f28fab0\r\nTimestamp: 2020-04-28 13:27:04Z",
"error_codes": [
70003
],
"timestamp": "2020-04-28 13:27:04Z",
"trace_id": "0cdad91b-0ba8-4310-92d4-f0aff8bb1d00",
"correlation_id": "fdf416d6-eb81-4a5c-9577-af9d9f28fab0"
Any idea how to solve it and what could be wrong ?
regards
This looks like typo.
Please confirm grant_type is set to client_credentials

Unable to access the access code and refresh token of AAD Microsoft App

I'm trying to automate the file transfer between one drive and Linux. Hence I need to generate the access token and refresh token.
My POST URL is
https://login.microsoftonline.com/common/oauth2/v2.0/token?grant_type='authorization_code'&client_id=XXXXXXXXXXXXXX&code=XXXXXXXXXXXXX
getting below error as below
{
"error": "invalid_request",
"error_description": "AADSTS9001442323: The request body must contain the following parameter: 'grant_type'.\r\nTrace ID: 55c2b449-381b-41844ads5a2f-b2b7-451d65188500\r\nCorrelation ID: bf082e8f-99be-41e0-87dd-756894601365\r\nTimestamp: 2020-04-27 17:54:21Z",
"error_codes": [
90043234144
],
"timestamp": "2020-04-27 17:54:21Z",
"trace_id": "55cadsasdad2b449-381b-412f-b2b7-451d65188500",
"correlation_id": "bf0asdadada82e8f-99be-41e0-87dd-75688dasda94601365",
"error_uri": "https://login.microsoftonline.com/error?code=90014486"
}
You should specify application/x-www-form-urlencoded as the value of the header Content-Type. Then this error will not exist.
But based on your previous post, you have set the application/x-www-form-urlencoded. So if it's not the reason for this issue, please provide more details: Where are you generating the access token? In Postman? Could you provide a screenshot?
But there is another error. You should use grant_type=authorization_code instead of grant_type='authorization_code'.
And you should provide some other parameters. See this sample: Request an access token.

Delegation denied for user#domain.com

I am using goodle gmail send API for sending the mails.
POST https://www.googleapis.com/gmail/v1/users/me/messages/send?key=[My_API_KEY]
Authorization: Bearer [ACCESS_TOKEN]
Accept: application/json
Content-Type: application/json
{
"raw": "SGkgVGVhbSwKVGVzdGluZyBFbWFpbCBBdXRoZW50aWNhdGlvbgoKCgoK"
}
When I am executing this I am getting an error like:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "forbidden",
"message": "Delegation denied for mymailaddress#example.com"
}
],
"code": 403,
"message": "Delegation denied for mymailaddress#example.com"
}
}
Could anyone help me on this.
Thank you in advance.
Try these-
1. best thing to do is to just always have ' userId="me" ' in your requests. That tells the API to just use the authenticated user's mailbox--no need to rely on email addresses.
2. The access token and other parameters present in JSON are not associated with new email id/account. So, in order make it run you just have to delete the '.credentails' folder and run the program again. Now, the program opens the browser and asks you to give permissions.
To delete the folder containing files in python
import shutil
shutil.rmtree("path of the folder to be deleted")
you may add this at the end of the program

Invalid redirect_uri: http://localhost:5001/signin-oidc

I developed my IdentityServer using the netcoreapp1.1 framework, IdentityServer4 version 1.52, with a console client the connection works fine, but with an MVC client netcoreapp2.0, within the records shows me:
error: IdentityServer4.Validation.AuthorizeRequestValidator [0] Redirect_uri inválido: http://localhost:5001/signin-oidc --code omitted-- error: IdentityServer4.Endpoints.AuthorizeEndpoint [0] Request validation error
I did the steps that are in api acces hybrid but I still have the same problem, for the client that I am working in the mvc-hybrid for an asp.net core 2 application without success, something that stands out is that the AllowedRedirectUris parameter is empty.
fail: IdentityServer4.Validation.AuthorizeRequestValidator[0] Invalid redirect_uri: http://localhost:5001/signin-oidc { "ClientId": "client-hugo", "RedirectUri": "http://localhost:5001/signin-oidc", "AllowedRedirectUris": [], "SubjectId": "anonymous", "RequestedScopes": "", "Raw": { "client_id": "client-hugo", "redirect_uri": "http://localhost:5001/signin-oidc", "response_type": "code id_token", "scope": "openid profile email api-alumnos offline_access", "response_mode": "form_post", "nonce": "636412201009966900.ZDNmYjdmZWMtNWNlMS00ZDQyLWIxMjMtNWIzYTM4M2FhZmRhMmMxZGE2ZDUtM2M0MS00ZThiLTk4M2ItNDk2NGQ5YmZlODFj", "state": "CfDJ8J0brcCMivFPtUfbYRpOjISliA92IArZsJS1dmagQ9jYdvpmVj2ABROstPNhJyCWx8q4SntL6PXRubMgGqeUfdqWF0mNRAYifGy8OuEPZSQT295vWVfyN5gGhuvB6jQ043D14yUPLwkhS29IYfMoiliLQGatygTVnGMVJ7Bo-aV7FJcpHit-9b3RHRyaHiE0tToZdP8NxJInJ4vthIlXw1rgLjOmSqPxeN9KDfLgWrpki7XoBLkmV2K7px_GWp0ebaitkxnXTzDPg82M-nRJWfYLAXJ1nGvoZLD3GIXqFV22hDm0wmygbmRaMKezwZmHY12qr2pwa1N22aifJTZFzPY", "x-client-SKU": "ID_NET", "x-client-ver": "2.1.4.0" } } fail: IdentityServer4.Endpoints.AuthorizeEndpoint[0] Request validation failed
What do you recommend me to do?
If you are using identity server 4, check your ClientRedirectUris table, check if your client has permission to redirect to your url. if not add new entry.
following figure shows the table:
Make sure your mvc client is running on http://localhost:5001
I was forced to change the url from http://localhost:5001/clientA to http://localhost:5001 in the hosting.json file. Otherwise I needed to use the UsePathBase middleware which mess up the redirect URL since it always adds the path to each incoming request.

Interface Between Google Sign-in and MailKit

I am writing an app in WPF (Windows 10 desktop) that should
include a component where the user can download message headers
and messages from G-Mail.
I am trying to use MailKit to interface with G-Mail via a secure
connection (without having to turn on "allow less-secure apps"
for G-Mail) and download messages with POP3. I am a bit confused
as to the proper procedure.
FYI: I know next to nothing about OAuth and TLS, so KISS please.
I have created and downloaded a JSON file for OAuth 2.0 from Google.
I have visited the FAQ for MailKit, and the following section
seems relevant, but I'm not sure as to what I should plug in
to the interface.
(Please see the code below.)
For "password", would that be the password for the account?
I'm not sure as to what to give for
"your-developer-id#developer.gserviceaccount.com".
.........................................................
https://github.com/jstedfast/MailKit/blob/master/FAQ.md#ProtocolLog
.........................................................
From the Q & A:
How can I log in to a GMail account using OAuth 2.0?
The first thing you need to do is follow Google's instructions for
obtaining OAuth 2.0 credentials for your application.
Once you've done that, the easiest way to obtain an access token is to
use Google's Google.Apis.Auth library:
var certificate = new X509Certificate2 (#"C:\path\to\certificate.p12", "password",
X509KeyStorageFlags.Exportable);
var credential = new ServiceAccountCredential (new ServiceAccountCredential
.Initializer ("your-developer-id#developer.gserviceaccount.com") {
// Note: other scopes can be found here: [links]
Scopes = new[] { "https mail google com " },
User = "username#gmail.com"
}.FromCertificate (certificate));
bool result = await credential.RequestAccessTokenAsync (CancellationToken.None);
// Note: result will be true if the access token was received successfully
// Now that you have an access token (credential.Token.AccessToken), you can
// use it with MailKit as if it were the password:
using (var client = new ImapClient ()) {
client.Connect ("imap.gmail.com", 993, true);
// use the access token as the password string
client.Authenticate ("username#gmail.com", credential.Token.AccessToken);
}
My next question: Would the user be able to access their own account(s)
with my app without having to follow the same procedure?
IOW: Will the credentials that I've downloaded work for any account?
... or allow access only to the account from which the credentials
were created?
If the credentials are only good for my own account, then I'll have to
do something else.
Would Google Sign-In be a better approach?
I've downloaded the example code for .NET from Google:
https://github.com/googlesamples/oauth-apps-for-windows
I've built and ran ran "OAuthConsoleApp", as well as "OAuthDesktopApp".
It would seem that I am getting a secure connection from those,
as I have gotten the following output:
.........................................................
redirect URI: http 127.0.0.1:64003
Listening..
Authorization code: qwerty ...
Exchanging code for tokens...
Send the request ...
GetRequestStream ...
await stream.WriteAsync ...
Get the response ...
responseText ...
{
"access_token": "qwerty ...",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "qwerty ...",
"id_token": "qwerty ..."
}
Making API Call to Userinfo...
+++ userinfoResponseText : {
"sub": "117108120545711995673",
"name": "My Name",
"given_name": "My",
"family_name": "Name",
"picture": "qwerty ...",
"locale": "en"
}
.....................................................
I see that I have an "access_token" in the response and I thought
that I could plug that in to the "client.Authenticate" method for
MailKit as the password (as mentioned in the docs for MailKit):
string access_token = tokenEndpointDecoded["access_token"];
client.Connect ("pop.gmail.com", 995, SecureSocketOptions.SslOnConnect);
client.Authenticate ("username#gmail.com", access_token);
It threw an exception:
.....................................................
"POP3 server did not respond with a +OK response to the AUTH command."
at MailKit.Net.Pop3.Pop3Client.Authenticate(Encoding encoding,
ICredentials credentials, CancellationToken cancellationToken)
at MailKit.MailService.Authenticate(String userName, String
password, CancellationToken cancellationToken)
at
NS_MailKit_01.Pop3.cls_mailKit_Pop3_01.connect_and_authenticate(Object
p3_client, String p_access_token)
in :\Software_Develpoment_Sys_03_K\MIME_EMail\TEST_02\Mail_Kit_01\MailKit_01.cs:line
465
at
LIB1_01_G_Mail_Auth.cls_G_mail_authorization.str_token_NTRF.invoke_access_token(String
p_access_token)
in K:\Software_Develpoment_Sys_03_K\MIME_EMail\TEST_02\OAuth\oauth-apps-for-windows\OAuthConsoleApp\LIB1_01_G_Mail_Auth\G_Mail_Auth_01.cs:
line 95
at
LIB1_01_G_Mail_Auth.cls_G_mail_authorization.d__13.MoveNext()
in K:\Software_Develpoment_Sys_03_K\MIME_EMail\TEST_02\OAuth\oauth-apps-for-windows\OAuthConsoleApp\LIB1_01_G_Mail_Auth\G_Mail_Auth_01.cs:line
343
.....................................................
Does anyone know how I could get a "credential" object from
the Google interface that I could use with MailKit?
Any help would be appreciated.
Thanks!
For "password", would that be the password for the account?
No. It would be the password for your PKCS12 file containing your X.509 Certificate and your private key.
I'm not sure as to what to give for "your-developer-id#developer.gserviceaccount.com".
You need to register yourself and your application with Google's Developer program which will give you a developer id to use. You need to follow their directions.

Resources