Unable to generate access token for microsoft graph online meeting api - azure-active-directory

I have tried everything, but somehow I am unable to generate a token, or the token that is generated does not work. Please help with what I am doing wrong. I want the token to create an online meeting.
Sharing the requests I have tried below.
Generate token with client credentials grant type
REQUEST:
POST 'https://login.microsoftonline.com/CXXXXXXX/oauth2/token'
--header 'Content-Type: application/x-www-form-urlencoded'
--data-urlencode 'password=CXXXXXXX'
--data-urlencode 'grant_type=client_credentials'
--data-urlencode 'scope=OnlineMeetings.ReadWrite'
--data-urlencode 'client_id=CXXXXXXXCXXXXXXX-464c-965a-CXXXXXXXCXXXXXXX'
--data-urlencode 'username=CXXXXXXX@gmail.com'
--data-urlencode 'client_secret=CXXXXXXX6ryCXXXXXXXuV.zu8SmW~D_'
Save the token generated. Using it in https://graph.microsoft.com/v1.0/me/onlineMeetings gives the error: Access token validation failure. Invalid audience
Use this token as an assertion as follows:
POST 'https://login.microsoftonline.com/learn123456789.onmicrosoft.com/oauth2/token'
--header 'Content-Type: application/x-www-form-urlencoded'
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer'
--data-urlencode 'scope=OnlineMeetings.ReadWrite'
--data-urlencode 'client_id=CXXXXXXXCXXXXXXX-464c-965a-CXXXXXXXCXXXXXXX'
--data-urlencode 'client_secret=CXXXXXXX6ryCXXXXXXXuV.zu8SmW~D_'
--data-urlencode 'resource=https://graph.microsoft.com/'
--data-urlencode 'requested_token_use=on_behalf_of'
--data-urlencode 'assertion=tokenFromFirstAPI'
Also tried this API:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=CXXXXXXXCXXXXXXX-464c-965a-CXXXXXXXCXXXXXXX&response_type=token&resource=XXXXXXX6-ba00-4fd7-XXXXXXXXX3
Error is:
Assertion audience does not match the Client app presenting the assertion. The audience in the assertion was '00000002-0000-0000-c000-000000000000' and the expected audience is 'clientID' or one of the Application Uris of this application with App ID XXX. The downstream client must request a token for the expected audience (the application that made the OBO request) and this application should use that token as the assertion.
No token works in this: https://graph.microsoft.com/v1.0/me/onlineMeetings
Getting: "Access token validation failure. Invalid audience."
Please help, what am I doing wrong?

Thanks Carl, but it did not work.
I have even given all the permissions as suggested above.
ERROR- Bad Request - 400 - 819ms
{
"error": {
"code": "AuthenticationError",
"message": "Error authenticating with resource",
"innerError": {
"date": "2020-12-27T09:36:57",
"request-id": "4e01eff1-9eb5-42dd-9009-dbdd85aca49a",
"client-request-id": "5effa441-d7f6-5ef7-5066-1d7153f39712"
}
}
}

As your error message says, your token audience is invalid, because you set the wrong scope when requesting the token. You should set the scope to https://graph.microsoft.com/.default or https://graph.microsoft.com/OnlineMeetings.ReadWrite. In addition, the API call only supports delegated permissions, so you can't use the client credential flow to get the token. For the /me endpoint, the user needs to log in, so you need to use the auth code flow to obtain an access token.
Or, there is a simpler method, you can use Graph Explorer to test, you only need to log in to the user and add permissions.
Update:
I noticed that you use 3 methods to get the token.
First of all, for the first method, you are using a v1.0 endpoint and the client credential flow to obtain the token. What you need to pay attention to is that when you use v1.0 authentication, you cannot use scope; you should use resource. In addition, when you use the client credential flow, you cannot use the v1.0 version, you need to use the beta version, and because the client credential flow is a flow without user login, you cannot call the /me endpoint; you should call the /users endpoint. (Note: When you use the beta version with the client credential flow, according to the documentation: Administrators must create an application access policy and grant it to a user, authorizing the app configured in the policy to create an online meeting on behalf of that user (user ID specified in the request path).)
The complete request is:
POST https://login.microsoftonline.com/{tenant}/oauth2/token
Content-Type: application/x-www-form-urlencoded
client_id=535fb089-9ff3-47b6-9bfb-xxxxxxxxxx
&resource=https://graph.microsoft.com/
&client_secret=qWgdYAmab0YSkuLxxxxxxx
&grant_type=client_credentials
api call:
https://graph.microsoft.com/beta/users/{userId}/onlineMeetings
For the second method, I noticed that you are using the OBO flow, and then you pass in the wrong access token obtained by the first method as an assertion, so the access token you obtained using this flow is definitely not correct. In addition, if you don't have a back-end API, please do not use this flow. This flow requires you to have a middle-tier API, and it is cumbersome to use.
Your third method is also wrong; your resource should be: https://graph.microsoft.com
To summarize: If you want to use the client credential flow without user login, please refer to my update. If you don't have a backend API, please do not use the OBO flow.
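As an added example (not the answerer's code), the two checks the answer above amounts to: the form body differs between the v1.0 endpoint (resource) and the v2.0 endpoint (scope ending in /.default), and the aud claim of the returned token can be inspected before it is ever sent to Graph. Endpoint URLs and audience values follow the public Microsoft identity platform documentation; the tenant, client id and the sample JWT are constructed placeholders.

```python
import base64
import json

# Audiences Microsoft Graph accepts. 00000002-... is the legacy Azure AD Graph
# application id: a token carrying it is what the asker's "Invalid audience" means.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "https://graph.microsoft.com/",
                   "00000003-0000-0000-c000-000000000000"}
LEGACY_AAD_GRAPH = "00000002-0000-0000-c000-000000000000"


def build_client_credentials_request(tenant, client_id, client_secret, version="v2.0"):
    """Return (url, form) for the client credentials grant.

    v1.0 endpoints take 'resource'; v2.0 endpoints take 'scope' ending in /.default.
    """
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret}
    if version == "v1.0":
        url = f"https://login.microsoftonline.com/{tenant}/oauth2/token"
        form["resource"] = "https://graph.microsoft.com/"
    elif version == "v2.0":
        url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
        form["scope"] = "https://graph.microsoft.com/.default"
    else:
        raise ValueError("version must be 'v1.0' or 'v2.0'")
    return url, form


def decode_jwt_payload(token):
    """Decode a JWT payload for inspection only; the signature is not verified."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def explain_audience(token):
    """Return (ok, reason): will Microsoft Graph accept this token's 'aud' claim?"""
    aud = decode_jwt_payload(token).get("aud")
    if aud in GRAPH_AUDIENCES:
        return True, f"aud {aud!r} is Microsoft Graph"
    if aud == LEGACY_AAD_GRAPH:
        return False, "aud is Azure AD Graph; request the token with the Graph resource or scope"
    return False, f"aud {aud!r} is not Microsoft Graph"


def make_unsigned_jwt(claims):
    """Build a constructed, unsigned (alg=none) token so the check runs offline."""
    def enc(part):
        return base64.urlsafe_b64encode(json.dumps(part).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    for aud in (LEGACY_AAD_GRAPH, "https://graph.microsoft.com"):
        print(explain_audience(make_unsigned_jwt({"aud": aud, "appid": "app-placeholder"})))
    print(build_client_credentials_request("contoso.onmicrosoft.com", "id", "secret", "v1.0"))
```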

Error in the following URL:
"message": "Error authenticating with resource",
https://developer.microsoft.com/en-us/graph/graph-explorer

Related

Amazon SP API getting internal server error

I am trying to get an access token from the API https://api.amazon.com/auth/o2/token
POST /auth/o2/token HTTP/1.1
Host: api.amazon.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
grant_type=refresh_token
&refresh_token=Aztr|...
&client_id=foodev
&client_secret=Y76SDl2F
But after the POST request I get a 500 server error.
Is it because my app is in draft status? Or am I missing something while making the request?
If it is because of draft status, then when will the status change? Any thoughts on this?
Thank you for your help in advance.
The documentation is wrong. I was getting the same exact error and came across this comment on a github issue which mentioned that the data has to be passed into the body of the request, not as query string parameters. Sure enough, this worked for me and I was able to get an access token. So just to clarify: grant_type, refresh_token, client_id, and client_secret should be passed into the body of the POST request to https://api.amazon.com/auth/o2/token and NOT as query string parameters.
Draft status will not keep you from requesting and receiving the access token.
Here are a few things to check as not much can be derived from the example post request from the documentation:
Did you configure AWS IAM role / policy / user properly
Did you use the correct IAM ARN when registering the application
Are you using the correct LWA credentials (I am assuming you're not passing foodev and Y76SDl2F as those are example parameters)
Have you self authorized the application (are you using the refresh token generated for the authorized application)
Are you 'assuming the role' before the token exchange -- this is a very important step and is very different in comparison to how access was handled with MWS -- if you have not, the server will reject the token exchange regardless if the refresh token is correct. More on that here
This is a non-exhaustive list, just some common issues I have seen other developers have with getting the access token during development, if these don't work you'll need to work with support as they can see the requests hitting the token endpoint.

Invitations API returns 401 Access token validation failure. Invalid audience

I have an MSDN subscription linked to my Personal account. I am trying to write a Web Application which can invite users using the Invitation API, https://graph.microsoft.com/v1.0/invitations.
I tried to get a token using the Client Credentials flow and then call the above API, but I am getting an invalid audience error. I checked the token and the aud claim is set to 00000002-0000-0000-c000-000000000000, which I think is Graph API. I set the Scope as https://graph.microsoft.com/.default while getting the token.
Can someone help me with what I am doing wrong, or is this scenario not supported?
Since you are trying with your personal account, which is not supported at this moment, as you can see in the screenshot below:
You could have a look on official document here
I have tried the below way and it worked for me:
Request:
{
"invitedUserEmailAddress": "kironTest@email.com",
"inviteRedirectUrl": "https://myapp.com",
"userType":"Guest"
}
Response:
Make sure your token has the required permissions like below:
You could check your permissions here: https://jwt.io/
Hope that would help.

What scope and/or resource to set to get a token that works with the Office 365 API?

We have acquired the Admin consent in both delegated and application ServiceHealth.Read permissions in Office 365 Management API for our Client app in Azure AD.
We are unable to figure out what the scope and/or resource needs to be in the token acquisition process if we want to make calls to the Office 365 Management API.
Whether it's the client_credentials grant method of direct token acquisition
Or the authorization code then token for signed-in user method
It would be preferable if it's for the client_credentials grant method, but if it has to be through auth code, that's fine too.
We can use the following already to grab our reports, but do not know how to allow that authentication to also cover Office 365 Management API Service Health:
curl --location --request GET "https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/token" \
--header "Content-Type: application/x-www-form-urlencoded" \
--data "client_id={clientid}&client_secret={clientsecret}&scope=https://graph.microsoft.com/.default&grant_type=client_credentials"
When adding ServiceHealth.Read to the end or by itself, it returned invalid_scope as an error.
When placing only https://manage.office.com/ServiceHealth.Read/.default in the scope, it gives the error invalid_resource with a description including that the resource was not found in the tenant.
A similar problem occurred when trying to get the authorization code and setting the resource as ServiceHealth.Read, and while setting that as the scope instead gave an authorization code, the resulting token was deemed invalid.
Authorization Code Grant Flow
I quickly tried this out with an Azure AD app registration that has ServiceHealth.Read delegated permission for Office 365 Management APIs.
Scope value used - https://manage.office.com/ServiceHealth.Read
I was able to successfully get back an access token following the Authorization Code Grant flow. I'll share the detailed request parameters passed shortly, but this should answer your direct question about what scope value to use.
Since I used Azure AD V2 endpoints, I didn't really need to specify a resource. In your sample requests mentioned in question I see that you are also using Azure AD V2 endpoint.
Detailed steps
Step 1 - Get the Authorization Code
For this step, I directly used browser and then sign in using a valid user from my Azure AD tenant.
// Line breaks only for clear reading. Remove line breaks and paste in browser URL to test.
https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/v2.0/authorize?
client_id=29a95b.....
&response_type=code
&redirect_uri=https://rohitapp/
&response_mode=query
&scope=https://manage.office.com/ServiceHealth.Read
&state=12345
The response should be something like:
https://rohitapp/?code=
OAQABAAIAAACQN9QBRU....
&state=12345&session_state=f5da06....
Step 2 - Acquire Token from token endpoint
Take the Authorization code from last step.
For this step I used POSTMAN. You can use CURL as well.
POST https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
Request Body
client_id=29a95b....
&scope=https://manage.office.com/ServiceHealth.Read
&code=OAQABAAIAAACQN9QBRU....
&redirect_uri=https://rohitapp/
&grant_type=authorization_code
&client_secret=Aj....
Final Token received, decoded in https://jwt.ms
Client Credentials Grant Flow
Scope value used - https://manage.office.com/.default
I did add the related app permission and gave consent for it.
For this one I used POSTMAN again. You can use CURL as well.
POST https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
Request Body
client_id=29a95....
&scope=https://manage.office.com/.default
&grant_type=client_credentials
&client_secret=Aj....
Final Token received, decoded in https://jwt.ms
Take a look at this Microsoft documentation around scope value for Client Credentials Grant.
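The Authorization Code Grant steps from the answer above, written as functions (an added example, not the answerer's code). The tenant, client id, redirect URI and authorization code are placeholders and the redirect URL is constructed; the scope value is the one the answer used. The state parameter is generated per session and checked on the way back, which the manual browser test skips.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"
SCOPE = "https://manage.office.com/ServiceHealth.Read"  # delegated permission from the answer


def build_authorize_url(tenant, client_id, redirect_uri, state):
    """Step 1: the URL the user is sent to; 'state' is verified on return."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "query",
              "scope": SCOPE, "state": state}
    return AUTHORITY.format(tenant=tenant) + "/authorize?" + urlencode(params)


def extract_code(redirect_url, expected_state):
    """Parse the redirect back to the app and return the authorization code.

    Refuses the code when 'state' does not match the value this session issued,
    so a code that did not originate from this session is never exchanged.
    """
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not started by this session")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def build_token_request(tenant, client_id, client_secret, redirect_uri, code):
    """Step 2: form body for the token endpoint; scope is the same as in step 1."""
    form = {"client_id": client_id, "scope": SCOPE, "code": code,
            "redirect_uri": redirect_uri, "grant_type": "authorization_code",
            "client_secret": client_secret}
    return AUTHORITY.format(tenant=tenant) + "/token", form


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("mytenant.onmicrosoft.com", "client-id-placeholder",
                              "https://rohitapp/", state))
    # Constructed redirect, shaped like the one the answer shows coming back from Azure AD.
    redirect = f"https://rohitapp/?code=code-placeholder&state={state}&session_state=x"
    code = extract_code(redirect, state)
    print(build_token_request("mytenant.onmicrosoft.com", "client-id-placeholder",
                              "secret-placeholder", "https://rohitapp/", code))
```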

Create Google Cloud Project with Cloud Resource Manager API

I'm trying to create a new project in the Google Cloud Platform using the Cloud Resource Manager API.
It all works fine when I use it through the API Explorer; however, I don't quite understand how to use it as an HTTP request outside of the API Explorer.
I run the request like this:
curl -H "Content-Type: application/json" -X POST -d '{"name": "project example","projectId": "my-project-example-1234"}' "https://cloudresourcemanager.googleapis.com/v1/projects?fields=response&key={MY_API_KEY}"
Response:
{
"error": {
"code": 401,
"message": "The request does not have valid authentication credentials.",
"status": "UNAUTHENTICATED"
}
}
The documentation says that this request requires an OAuth scope and that's when things get confusing to me.
Reading the documentation I could not understand how one of the required OAuth scopes can be passed with the URL when making the http request to the rest API which I'm only assuming is what I'm missing.
Rather than just tell you how to test with a working token, I'm going to try to more broadly answer what you're aiming to do.
At a pretty high level, you will need to:
Enable the Resource Manager API for your Cloud Console project.
Create an OAuth client ID for Web applications in the Cloud Console. You will need to register your authorized redirect URI. This is where your app will get the OAuth response back from Google when the end user authorizes your app. Note the client ID, you will need that next.
Start the OAuth flow by assembling your URL:
https://accounts.google.com/o/oauth2/v2/auth?
response_type=code&
client_id=<123456789example>.apps.googleusercontent.com&
scope=https://www.googleapis.com/auth/cloudplatformprojects&
redirect_uri=http://<YOUR-APP-URL>/<YOUR-OAUTH-HANDLER>
Replace in that URL the client ID and the redirect URI. I assume you'd have a button or link on your site where you would have the user click to start this flow.
Code your OAuth handler. Some more in-depth code for doing this in Go can be gleaned from this Go Sample, which was originally for G+ sign-in but much of the logic is going to be the same. You are going to get a code query parameter passed to your application, the value is a one-time authorization code that your application must exchange for your OAuth tokens that you use to make API calls on behalf of the user.
If appropriate for your app and situation, securely store your tokens for use later or for processing while your user is not active on your site (might be appropriate for batch processing).
Now that you have an access token, you can pass that to the Resource Manager API and create projects on behalf of the user. You might use the Go client library or you could call the HTTP endpoints directly in your code.
If you want more testing with curl, I'd follow the process that we wrote up accessing the App Engine Admin API. Substitute Admin API URLs and names for Resource Manager and you've got the overall flow. The difference from what's above, is I used a code flow above because I assume you want server-side and possibly refresh tokens if you need to be able to make these API calls while the user is not active on your site.
Like Alex says, you ask for scopes during OAuth authentication. One way to easily authenticate and obtain an OAuth access token is doing:
gcloud beta auth application-default login --scopes=https://www.googleapis.com/auth/cloudplatformprojects
As you can see, you can specify the scopes you want to gcloud and it will take care of authentication for you.
Then, you should be able to create a project calling:
curl -H "Content-Type: application/json" -H "Authorization: Bearer $(gcloud beta auth application-default print-access-token)" -X POST -d '{"name": "project example","projectId": "my-project-example-1234"}' https://cloudresourcemanager.googleapis.com/v1/projects?fields=response
Here, you are passing the access token obtained when you made Oauth authentication. This should be taken care of by the client libraries for you when you get the application default credentials.

Connection Refused using access token from OAuth 2.0 User-Agent Authentication from Salesforce

I'm using the OAuth 2.0 User-Agent Authentication flow to get the access & refresh tokens so that I can use the Force.com REST API over remote access. Now, the problem is that I'm able to authorize successfully and receive the tokens, but while using those tokens just after authorizing my client application, I'm receiving a java.net.ConnectException: Connection refused error.
Following are the steps I'm doing:
Redirecting to:
https://login.salesforce.com/services/oauth2/authorize?response_type=token&client_id={my_client_id}&redirect_uri={my_redirect_uri}&state=myState
Authorizing the app in salesforce and then receiving back the access token and refresh tokens in the hash of the redirect_uri as
{my_redirect_uri}#access_token={my_access_token}&refresh_token={my_refresh_token}&instance_url=https%3A%2F%2Fap1.salesforce.com&id=https%3A%2F%2Flogin.salesforce.com%2Fid%2F00D90000000gscOEAQ%2F00590000000sdtJAAQ&issued_at=1351151192815&signature={my_signature_value}&state=myState
&scope=id+api+refresh_token
Now I'm using the REST API using the same access token by doing a POST to
https://ap1.salesforce.com/services/data/v20.0/sobjects/Lead/
with request headers:
Content-Type: application/json
Authorization: OAuth {my_access_token}
I have not escaped the access token while sending the post as it needs to be done when using CURL. Is that needed when using HttpClient Java API also?
The response that I'm getting is "java.net.ConnectException: Connection refused error."
Can someone please let me know what I'm doing wrong or how I can debug it further? Is there any way to see what's happening at the Salesforce end? Some logs, maybe?
I'm getting the exact same connection refused error if I try OAuth Refresh Token Process also.
Sorry for the noise.
I was getting "invalid_grant" with "expired access/refresh token" while validating the customer secret using the Refresh Token Procedure, but since it was a secured transmission, all I was getting in Java was "Connection Refused" with no detailed error message.
I got to know the detailed error by setting up an SSL Proxy in Charles as described here. After that I was able to see the request parameters and response sent to https://ap1.salesforce.com, which was earlier not readable.