I'm able using postman to get an access token from Microsoft Identity Server 4.
This the response:
Now i would like to authenticate the token using the introspection endpoint, but the return is 401 unhautorized, maybe is missing some data into the request to introspect endpoint?
To access the token introspection enpoint in Postman, I use:
POST to https://localhost:6001/connect/introspect
Add the Authorization header, with the value "Basic cGF5bWVudDpteWFwaXNlY3JldA==". Where the secret is the apiname/secret. In my case it is payment and myapisecret as password.
Add a body x-www-form-urlencoded, with a key named token and the value is my access token.
That should be all.
Related
Here I'm trying post request send to ADO using Postman
I tried with Basic token in Postman to send post request, It worked with PAT like below:
I wanted to try without giving username and PAT in postman so, I generated bearer token by sending client ID & Secret to the below url
https://login.microsoft.com...//
I got bearer token as response, and pasted it in Bearer token box:
When I pasted that token in post man to send post request to ADO it is showing 401(unauthorized)
This is URL: https://dev.azure.com/{pipeline_name}/{organization_name}/_release?_a=releases&view=mine&definitionId=x
Please guide me where am I doing wrong while sending the request.
I think the core issue is that ADO does not accept Bearer Token but need to pass it as OAuth 2.0 token. Change the Authorization to Oauth2.0 and on the right side pane under Available tokens, put the value that you generated for token and test.
Screenshot attached for reference.
I am trying to access "https://graph.microsoft.com/v1.0/me/messages" API by JAVA SDK provided by Microsoft.
I am using the below code.
final AuthorizationCodeCredential authCodeCredential = new AuthorizationCodeCredentialBuilder()
.clientId("b****08f-*****-4d49-****-cba7d9a****c")
.clientSecret("8***7Q~GW0N******Y_N*****Zi******")
.authorizationCode("0.AVUAoIQSV...")
.redirectUrl("http://localhost/auth-responses")
.build();
Now it is giving me error like "The tenant for tenant guid '571284a0---****-a94eea6c6b3f' does not exist."
I tried the Same thing by postman, here I tried to get token by below end point.
"https://login.microsoftonline.com/common/oauth2/token"
after getting the token I am using it in "https://graph.microsoft.com/v1.0/me/messages" as Bearer Token. Still, I am getting the same issue.
But the token I am receiving in every case is not same as graph explorer Access Token
If I copy Graph Explorer Access Token and use it in postman then it gives me the desired result.
I am using a personal account for all of this process which ends with "#outlook.com".
I want to know why I am getting different access tokens than graph explorer access tokens and why that access token is not able to access the endpoints.
I have tested in my environment.
The access token generated from the Graph Explorer will be different from the access token generated from the Postman. This is because, the access token generated from graph explorer uses only the user credentials. The access token generated from postman uses client id and the client secret along with user credentials.
If the app registration supports Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox), then only you can use personal account to generate the access token and use it to call the request for https://graph.microsoft.com/v1.0/me/messages only if the app registration have Microsoft Graph mail.read delegated permissions.
Paste the below URL in the browser. The code will be generated. Copy the code.
https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize?
client_id=app-client-id
&response_type=code
&response_mode=query
&scope=mail.read
Make the below POST request in the postman to generate the access token :
POST https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
Headers :
Content-Type: application/x-www-form-urlencoded
Body :
client_id: App Client ID
grant_type: authorization_code
scope: user.read%20mail.read
code: Code received in the first step
client_secret: Client Secret Generated in the App
Copy the Access token and make the below get request in the postman to read the messages :
GET https://graph.microsoft.com/v1.0/me/messages
Headers:
Authorization : Bearer access-token
I'm using the /.auth/me endpoint to get claims for the users.
I'm obtaining the Bearer token in order to authenticate to the endpoint.
The endpoint itself is on an Azure Function origin, so what I'm calling is https://azure_function_name.azurewebsites.net/.auth/me with the Authorization header set to Bearer (token)
This works but not for all people.
Some people get the following response from the /.auth/me endpoint:
[]
Why the /.auth/me endpoint returns a valid response for some tokens (people) and an empty response for other?
I am using OAuth 2.0 auth code grant(with a user login) to get the access token. And I can get the correct response with endpoint /.auth/me. I have tried both Member or Guest users in my tenant.
You can try to access https://azure_function_name.azurewebsites.net/.auth/me directly. You will get the response after logging in.
The reply url should be https://azure_function_name.azurewebsites.net/.auth/login/aad/callback
Some background info:
I'm working on a two-factor authentication solution for some API by using
Azure AD
encoded api key
I'm able to get a valid access token pogrammatically to be used as authorization bearer token on the header request. Unfortunately, the API expects the 2) encoded api key to be delivered through the authorizaton field, and as such, I'm expected to use the pass AAD auth through a cookie instead.
If I direct chrome to my api and log in normally while capturing the traffic, I see that the cookie AzureAppProxyAccessCookie is set.
If i do a curl GET request with this cookie against my api, the response is successful.
TLDR/Actual question:
How can I obtain a valid AzureAppProxyAccessCookie programmatically when I already am able to obtain a valid JWT token?
I am attempting to convert over from the old Azure AD OpenId Connect to use the new Azure AD v2.0 endpoint as documented here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oidc
When I attempt to request a token via the v2.0 token endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/token
I get a response that only includes a 'token_id' field, and not a 'token_type', or any other fields. The library I am using to parse the response is nimbus.com library for openid and auth2. The OIDCTokenReponseParser throws an exception because the 'token_type' is missing from the response.
I have looked at the OpenID Connect Protocol specifications, and it says that a request to the token endpoint requires 'token_type', so it seems as though the response from the endpoint is invalid.
Has anyone run into this issue, and if so, how did you deal with it?
UPDATE 3/2/2018
My flow works with the old end point. I redirect the user here:
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id={id}&redirect_uri={uri}&scope=openid+profile+email&state={state}
The user logs in, and they are redirected to my app, and code is provided via a query parameter.
I turn around and make this request:
https://login.microsoftonline.com/common/oauth2/token?code={code}&grant_type=authorization_code&client_secret={secret}
And I get response that looks like this.
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1520018953",
"access_token": "{token}",
"refresh_token": "{token}",
"id_token": "{token}"
}
I try to handle v2.0 version the same way. I redirect the user to:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id={id}&redirect_uri={uri}&scope=openid+profile+email&state={state}
And after they sign in, they are redirected back to my app with the 'code' as a query parameter.
I then send this request:
https://login.microsoftonline.com/common/oauth2/v2.0/token?code={code}&grant_type=authorization_code&client_secret={secret}&redirect_uri={uri}&client_id={id}
But this is the response I get:
{
"id_token":"{token}"
}
The scopes you've requested can all be satisfied with the contents of the ID Token only. In your Auth Request, try including a scope that would indicate that you need an access token (e.g. https://graph.microsoft.com/User.Read), and the response will have the expected token_type and access_token.