Microsoft SSO fail in my teams tab and task module - azure-active-directory

"error":"invalid_request","error_description":"AADSTS900144: The request body must contain the following parameter: 'grant_type'.
This is the error I am getting while exchanging my client-side token for a server-side token.
I gave all additional consent.
client_id: ****,
client_secret: ***,
grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
assertion: clientSideToken,
requested_token_use: 'on_behalf_of',
scope: 'https://graph.microsoft.com/User.Read'
This is my request body for the consent

Based on your error message, I guess this should be caused by you not setting the request parameters correctly. You should put the request parameters in the request body.

Related

Azure AD authentication flow doesn't work now with error: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type

I used the request below and it worked before, but today when I want to get an access token, it crashed.
Request:
Post https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type:application/x-www-form-urlencoded
client_id=azure_Ad_client_id
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret=sampleCredentia1s
&grant_type=client_credentials
Error message: AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type.
The same for auth code flow:
I do have a origin here, but I didn't set it. How can I remove it?
I don't have redirect URL in SPA platform.
With Postman it's OK
I tried to reproduce the same in my environment and got the same error as below:
The error "AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type" usually occurs if the application has been registered as SPA or if the origin has been added as the header while requesting the access token.
Check whether the Azure AD Application is registered as SPA in the Portal like below:
Check whether you have added origin header while generating the access token, if yes then uncheck it:
I registered an Azure AD Application like below:
I generated the access token by using below parameters:
GET https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default
grant_type:client_credentials
Even using authorization code grant flow, I am able to generate the access token successfully as below:
GET
https://login.microsoftonline.com/common/oauth2/v2.0/token
grant_type:authorization_code
client_id:ClientID
scope:https://graph.microsoft.com/.default
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
This happened to me as well; it worked last week.
I think the issue might be that the extension somehow cannot avoid sending the Origin-header. Click the arrow on "COMPLETE REQUEST HEADERS" to expand it, and verify that Origin-header is indeed sent.
There is also text at the bottom:
"Note: XHR automatically adds headers like Accept, Accept-Language, Cookie, User-Agent, etc."
I think something has happened with either Chrome, or the Talend-extension itself that means it adds fields according to XHR. I assume this wasn't the case earlier...
AFAICS the extension has all the permissions needed to skip those, but still sends them.

Required headers and API version to make HTTP requests to AWS service actions (CloudWatch Logs) createLogStream and putLogEvents without the AWS SDK?

To be precise, in order to make API requests to AWS services over HTTP, one must sign the requests using the SigV4 process (recommended by AWS, described here: https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html). It is a sophisticated procedure in which the HTTP request headers must be included in the signature. I've added the essential headers for signing through the Authorization header for the createLogStream action of the CloudWatch Logs service:
'Host': 'logs.<region>.amazonaws.com',
'Content-Type': 'application/x-amz-json-1.1',
'X-Amz-Date': <AMZ_DATE>,
'X-Amz-Target': Logs_20140328.CreateLogStream,
'X-Amz-Content-Sha256': <PAYLOAD_HASH>,
And I make an HTTP request to https://logs.{region}.amazonaws.com/?Action=CreateLogStream&version={version} from the frontend application.
However, the following response error (400) occurs:
message: "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."
__type: "InvalidSignatureException"
I have checked the secret access key and the signed headers; they were fine.
If I remove the Content-Type header, I get a successful 200 response, but the response results in
{Output: {__type: "com.amazon.coral.service#UnknownOperationException", message: null}, Version: "1.0"}
One of the solutions to fix this issue recommends adding the Content-Type header (com.amazon.coral.service#UnknownOperationException when triggering CodeBuild from API Gateway).
Should the Content-Type header be included? It would be great to have any help on which headers must be included and the specific API version to set for CloudWatch Logs.
Thanks in advance!!!
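The SigV4 signing the question describes, carried through for the CreateLogStream call as an added example in standard-library Python (not the question's code and not an AWS SDK); the credentials, region and log names are constructed placeholders.

```python
import hashlib
import hmac
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_logs_request(access_key, secret_key, region, target, payload, amz_date):
    """Return (url, headers, body) for a SigV4-signed POST to CloudWatch Logs.
    target: X-Amz-Target action, e.g. 'Logs_20140328.CreateLogStream';
    amz_date: UTC timestamp in the 'YYYYMMDDTHHMMSSZ' form used by X-Amz-Date."""
    host = f"logs.{region}.amazonaws.com"
    body = json.dumps(payload, separators=(",", ":")).encode()
    payload_hash = sha256_hex(body)
    # Lower-cased header names; every header here is sent AND signed. Content-Type
    # stays (the JSON protocol needs it to route the action) and is canonicalised
    # byte-for-byte as sent, otherwise the computed signature cannot match.
    headers = {
        "content-type": "application/x-amz-json-1.1",
        "host": host,
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
        "x-amz-target": target,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    # The action is carried by X-Amz-Target: URI "/" and an empty query string.
    # Any query string that is sent (the question's ?Action=...) must be canonicalised too.
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, payload_hash])
    date = amz_date[:8]
    scope = f"{date}/{region}/logs/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(canonical_request.encode())])
    key = hmac_sha256(("AWS4" + secret_key).encode(), date)
    for part in (region, "logs", "aws4_request"):
        key = hmac_sha256(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return f"https://{host}/", headers, body

# Constructed placeholder credentials. Long-term keys belong on a server; a browser
# frontend should obtain temporary credentials rather than embed a secret access key.
URL, HEADERS, BODY = sign_logs_request(
    "AKIAEXAMPLEKEY", "EXAMPLE-SECRET-KEY", "us-east-1", "Logs_20140328.CreateLogStream",
    {"logGroupName": "app", "logStreamName": "web-1"}, "20240101T000000Z")
```

Send BODY with HEADERS as a POST to URL; the Authorization value is only accepted if the request on the wire matches the canonical form exactly.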

"AADSTS900144: The request body must contain the following parameter: 'grant_type'."?

I built an app in my Azure AD B2C tenant and configured it as shown, but why can't I request an access token in Postman?
app registration
API permissions
postman screenshot
Here are the links to the two documents I follow:
Register a Microsoft Graph application
Get access without a user
One thing I noticed is that the parameters for the token request should be in the body as form parameters, like this:
You should use the parameters you've defined here though, this screenshot shows a test request for the ROPC flow so the parameters in the picture are not valid for your use case.
So instead of entering the parameters in Params, enter them in Body tab after selecting x-www-form-urlencoded as the type.
Please input the params in the "Body" tab of your Postman, not the "Params" tab, as shown in the screenshot below.
In order to get a token you need to pass grant_type in the request body, and the value should be password.
For example:
Method Post: https://login.microsoftonline.com/YourTenantID/oauth2/v2.0/token
And in the body you need to pass
client_id : Your app client ID
scope: user.read%20openid%20profile%20offline_access
username: Your username
password: your password
grant_type: password
client_secret: your app registration secret
I tried many times to put them into the body in JSON format or into Parameters, but it did not work. It works for me when I put them into the Body with type x-www-form-urlencoded.
[Image]: https://i.stack.imgur.com/tguZc.png

How to identify type of authorization?

I need to identify the type of authorization on a website to set up this authorization in a SoapUI request.
When I log in, there is an 'auth' POST method detected in the Google Chrome Network tab: https://xx.xx.xx.xx/services/auth? with payload {"login":"some_login","password":"some_passw"}
And when I do this request in SoapUI as a POST HTTP request: https://xx.xx.xx.xx/services/auth?login=some_login&password=some_passw ; there is a response in JSON format which contains "token": "eyJ0eXAiOiAiSldUIiwgImFs..."
I want to set up authorization for another method on this website, so first of all I need to know the type of authorization to set up in the SoapUI Auth tab:
UPDATE:
The token is not used in HTTP request types; it is available in, e.g., a REST request:
But I still can not make this token work
It seems that I was looking for the wrong type of authorization. All of the above is about server authorization, but I need to complete web-app authorization.
So just using token in Header params of SoapUI did the trick:
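An added example (not from the question or the answer) that does the identification the question asks about: a value starting with eyJ is a base64url-encoded JSON header, and decoding it tells you whether the token is a JWT before you wire it into a SoapUI header parameter. make_sample_jwt builds a constructed token with a dummy signature for exercising the check.

```python
import base64
import json
import re

def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url; a dangling partial group from a truncated token is dropped."""
    segment = segment.rstrip("=")
    if len(segment) % 4 == 1:
        segment = segment[:-1]
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def identify_token(token: str) -> dict:
    """Say whether a token value is a JWT (to pick the auth setup in SoapUI).
    Inspection only: nothing here verifies the signature."""
    token = token.rstrip(".\u2026")            # the page shows the value elided as "eyJ..."
    parts = token.split(".")
    info = {"kind": "unknown", "alg": None, "complete": False}
    try:
        head = b64url_decode(parts[0]).decode("utf-8", "replace")
    except ValueError:                         # binascii.Error is a ValueError
        return info
    try:
        header = json.loads(head)
    except json.JSONDecodeError:
        # Truncated header: the question's prefix decodes to '{"typ": "JWT", "al'
        if re.search(r'"typ"\s*:\s*"JWT"', head, re.IGNORECASE):
            info["kind"] = "JWT"
        return info
    if isinstance(header, dict) and ("alg" in header or str(header.get("typ", "")).upper() == "JWT"):
        info["kind"] = "JWT"
        info["alg"] = header.get("alg")
        info["complete"] = len(parts) == 3 and all(parts)
    return info

def make_sample_jwt() -> str:
    """Constructed sample with a dummy signature, only for exercising identify_token."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = enc(json.dumps({"sub": "some_login"}).encode())
    return f"{header}.{payload}.{enc(b'not-a-real-signature')}"
```

A result of kind "JWT" tells you the server hands out a bearer-style token; which header name the site expects for it is still something to confirm against the working request.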

Azure AD openid connect not including token_type in response

I am attempting to convert over from the old Azure AD OpenId Connect to use the new Azure AD v2.0 endpoint as documented here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oidc
When I attempt to request a token via the v2.0 token endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/token
I get a response that only includes a 'token_id' field, and not a 'token_type', or any other fields. The library I am using to parse the response is the nimbus.com library for OpenID and OAuth2. The OIDCTokenResponseParser throws an exception because the 'token_type' is missing from the response.
I have looked at the OpenID Connect Protocol specifications, and it says that a request to the token endpoint requires 'token_type', so it seems as though the response from the endpoint is invalid.
Has anyone run into this issue, and if so, how did you deal with it?
UPDATE 3/2/2018
My flow works with the old endpoint. I redirect the user here:
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id={id}&redirect_uri={uri}&scope=openid+profile+email&state={state}
The user logs in, and they are redirected to my app, and code is provided via a query parameter.
I turn around and make this request:
https://login.microsoftonline.com/common/oauth2/token?code={code}&grant_type=authorization_code&client_secret={secret}
And I get a response that looks like this:
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1520018953",
"access_token": "{token}",
"refresh_token": "{token}",
"id_token": "{token}"
}
I try to handle the v2.0 version the same way. I redirect the user to:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id={id}&redirect_uri={uri}&scope=openid+profile+email&state={state}
And after they sign in, they are redirected back to my app with the 'code' as a query parameter.
I then send this request:
https://login.microsoftonline.com/common/oauth2/v2.0/token?code={code}&grant_type=authorization_code&client_secret={secret}&redirect_uri={uri}&client_id={id}
But this is the response I get:
{
"id_token":"{token}"
}
The scopes you've requested can all be satisfied with the contents of the ID Token only. In your Auth Request, try including a scope that would indicate that you need an access token (e.g. https://graph.microsoft.com/User.Read), and the response will have the expected token_type and access_token.
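One helper that covers the first question's on-behalf-of exchange and the AADSTS900144, AADSTS9002326 and missing-token_type threads above: an added Python example, not code from any of the posts or from Microsoft. Client ids, secrets and the client-side token are supplied by the caller; nothing here is hard-coded.

```python
"""Azure AD v2.0 token request helper: all parameters in a form-encoded POST body,
nothing in the query string, no browser-style Origin header."""
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
OIDC_ONLY = {"openid", "profile", "email"}   # scopes the id_token alone satisfies

def obo_form(client_id, client_secret, client_side_token, scope):
    """On-behalf-of body from the first question above; grant_type is mandatory."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": client_side_token,
        "requested_token_use": "on_behalf_of",
        "scope": scope,
    }

def build_token_request(tenant, form):
    """Return (url, headers, body): the form is encoded into the body, not the URL."""
    url = TOKEN_URL.format(tenant=urllib.parse.quote(tenant, safe=""))
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urllib.parse.urlencode(form).encode()

def lint_token_request(url, headers, form):
    """Flag the request mistakes behind the errors discussed in these threads."""
    problems = []
    if urllib.parse.urlparse(url).query:
        problems.append("parameters in query string (AADSTS900144: grant_type not in body)")
    if "grant_type" not in form:
        problems.append("grant_type missing from form body")
    if any(name.lower() == "origin" for name in headers):
        problems.append("Origin header sent (AADSTS9002326 unless registered as SPA)")
    scopes = set(form.get("scope", "").split())
    if scopes and scopes <= OIDC_ONLY:
        problems.append("only OIDC scopes: id_token returned, no token_type/access_token")
    return problems

def request_token(tenant, form, timeout=10):
    """POST the form and parse the JSON reply (network call; not exercised by the test)."""
    url, headers, body = build_token_request(tenant, form)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)
```

Run lint_token_request on the exact url, headers and form you are about to send; an empty list means none of the four mistakes from these threads is present.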
