Azure Active Directory B2C Catching Error from Invitation Page - azure-active-directory

We have a custom invitation flow, which receives a JWT in the id_token_hint parameter and extracts an email address from it.
That JWT has an expiry, and when a user clicks on an expired link, he is redirected to the login page.
Instead of redirecting the user to a login page, I want to intercept the error code that is returned from the invitation page in my application (using MSAL.js) and display an error message.
But the only form of "error code" that my application receives from the invitation page, is this:
AADB2C90208: The provided id_token_hint parameter is expired. Please provide another token and try again.
Correlation ID: e49dbe44-fc02-4379-86e5-12a1347d5cc3
Timestamp: 2019-08-27 08:00:53Z
In the local storage.
Now, my guess is that I rely on the code AADB2C90208 to know that I was redirected due to invalid token, but I have some doubts.
I can't find anything about that particular status code (AADB2C90208)
The error message is in plain text, I have to extract the code with some kind of string expression, which makes me think that this is not what Microsoft had intended.
What do you think?

When an error code is specific, dependency can be taken on the error code. There are plans from AADB2C to publish the error codes soon.
You can use this sample code to see how to use error codes:
https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi/blob/master/TaskWebApp/App_Start/Startup.Auth.cs#L87
Update
The error codes are documented here https://learn.microsoft.com/en-us/azure/active-directory-b2c/error-codes
For this specific case:
AADB2C90208 The provided id_token_hint parameter is expired. Please provide another token and try again.
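The question asks whether it is reasonable to depend on the AADB2C90208 code when the only thing the application receives is the plain-text description. Once a code is documented, anchoring on the code (not the free-text sentence after it) is the stable choice. The following is an added example, not code from the question, the answer or Microsoft: it extracts the code and correlation ID from the description string MSAL.js stores, and maps known codes to a message the application can show instead of bouncing the user to the login page. The sample description is constructed from the text quoted in the question; the user-facing message text is an assumption.

```javascript
// Added example: parse the AADB2C error description MSAL.js surfaces and
// decide what to show the user. Not code from the question or answer.

// Constructed sample of the text the question reports finding in local storage.
const SAMPLE_ERROR_DESCRIPTION =
  'AADB2C90208: The provided id_token_hint parameter is expired. Please provide another token and try again.\r\n' +
  'Correlation ID: e49dbe44-fc02-4379-86e5-12a1347d5cc3\r\n' +
  'Timestamp: 2019-08-27 08:00:53Z';

// B2C error codes have the shape "AADB2C" + digits at the start of the first line.
const B2C_CODE_RE = /^(AADB2C\d+):\s*(.*?)\s*$/m;
// The correlation ID is what support will ask for, so keep it for the app's own logs.
const CORRELATION_RE = /^Correlation ID:\s*([0-9a-f-]{36})\s*$/mi;

function parseB2CError(description) {
  if (typeof description !== 'string') return null;
  const m = B2C_CODE_RE.exec(description);
  if (!m) return null; // not a B2C-shaped error; caller falls back to a generic message
  const corr = CORRELATION_RE.exec(description);
  return { code: m[1], message: m[2], correlationId: corr ? corr[1] : null };
}

// Codes this application handles deliberately. Only AADB2C90208 is on the page;
// the wording of the user-facing text is an assumption for this example.
const USER_MESSAGES = {
  AADB2C90208: 'Your invitation link has expired. Please request a new invitation.',
};

const GENERIC_TEXT = 'Sign-in failed. Please try again.';

// Returns what to display and whether the code was one the app recognises.
function userMessageFor(description) {
  const parsed = parseB2CError(description);
  if (!parsed) return { handled: false, code: null, text: GENERIC_TEXT, correlationId: null };
  const text = USER_MESSAGES[parsed.code];
  return {
    handled: Boolean(text),
    code: parsed.code,
    text: text || GENERIC_TEXT,
    correlationId: parsed.correlationId,
  };
}
```

Match on the code only; the sentence after it is documentation prose and may be reworded, while the correlation ID belongs in the application's own log line, not on the screen.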

Related

Detected when user changes email address in Firebase Web

For my firebase web app (using v9 Javascript SDK), whenever a user updates their email, their token expires and they have to log back in. When a token expires, how can I find the reason for it expiring? (e.g. email change, logging out, suspicious activity, etc.) I want to know this so that when the user is redirected to the login page, I can explain to them the reason such as "you have been logged out because your token expired." As of now I have no way of telling whether the token expired from them logging out, or if it was due to an email change. onAuthStateChanged doesn't seem to provide this information since it only provides the User object. I know it's a simple question but I haven't been able to find this answer anywhere. Thanks for any help you can offer :)

Authorization request to get access on behalf of a user results in a 'cookiesDisabled' page

I'm trying to do an Authorization request following the documentation about it on Microsoft (Getting access on behalf of a user: https://learn.microsoft.com/en-us/graph/auth-v2-user). I'm making the request using Azure's Logic Apps. I already made an app registration in Azure AD and gave it the following permissions (I used the app for a few different requests before so that's why it contains a lot of unnecessary api permissions). I already succeeded in getting access without a user (https://learn.microsoft.com/en-us/graph/auth-v2-service). Now I really don't know what I'm doing wrong, so if anybody has an idea of what it is, please let me know. I will try to explain as carefully as possible using screenshots so you guys get the idea of what I'm trying to do.
On the first screen below you can see the api permission I added to my app registration. For this request I'm only asking authorization for the one with arrow next to it(as you will see later on).
On the second screen you can see the HTTP post request I'm trying to make to the authorize endpoint. I blurred out the Tenant and Client_id for privacy reasons. I only added the required parameters in the body as described by Microsoft. In the scope parameter you can see the api permission I'm asking permission for.
On the third screenshot you can see the output of the request. Instead of getting an Authorization code as requested, I get an HTML body.
When I paste that HTML body into a browser it gives me the following result:
I have no clue what I'm doing wrong. I triple-checked to make sure cookies are enabled, made sure third-party cookies are not disabled and added login.microsoftonline to my trusted websites.
I'm starting to think I'm doing something very simple wrong, but I can't figure out exactly what. Any help is welcome! :D
Sorry, I can't add a comment, so I'm posting as an answer.
What you are trying to implement is the Authorization Code grant flow of OAuth 2.0. In the Authorization Code grant flow the following steps occur:
1) The user is presented with the scopes that an application requires when accessing certain resources.
2) The user authorizes this, and is redirected to a redirect URL.
3) The application then exchanges the code sent with the redirect URL to get the actual token, which in this case will be sent to Microsoft Graph for validation.
4) The user then sees the information pulled.
The major crux of the Authorization Code grant flow is that "User Authorization is required". This basically means that this flow is used when the call is invoked from a browser client where the user is actually interacting. This flow should not go through Azure Logic Apps. If you want a service or a daemon to access the resources, in that case you should use the Client Credentials grant flow.

invalid_grant error when obtaining access token

I am trying to build a website where a user can log in via Azure AD B2C. After logging in, I'm trying to present a secure area where the user can change their Azure B2C user attributes (first name, last name, etc) via the Microsoft Graph API.
I am attempting to follow along with the Get a Token documentation
Everything is working up to step #3, where a call gets made out to https://login.microsoftonline.com/common/oauth2/v2.0/token to obtain an access_token using the code I received on my return URL.
Here's the general flow of what I am doing:
End user clicks a login link on my localhost site that links out to my Azure B2C tenant policy. Link looks something like this:
https://login.microsoftonline.com/mytenantname.onmicrosoft.com/oauth2/v2.0/authorize
?client_id=[MyAppID]
&response_type=code+id_token
&redirect_uri=http%3A%2F%2Flocalhost%3A17000%2Fprocessing%2Findex
&response_mode=query
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.write
&state=[MyCustomState]&p=[MyCustomPolicy]
User logs in and gets redirected to the redirect_uri.
redirect_uri successfully receives code, id_token, and state values.
I take the code value from that and make a POST https://login.microsoftonline.com/common/oauth2/v2.0/token request with the following body:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
HTTP/1.1
grant_type=authorization_code
&code=[code]
&client_secret=[application secret]
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.readwrite
&redirect_uri=http%3A%2F%2Flocalhost%3A17000%2Fprocessing%2Findex
The response code I receive back from that endpoint is the above error message.
{
"error": "invalid_grant",
"error_description": "AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID:6d7a8e32-bcbf-4fc4-a37a-87dae4781b00\r\nCorrelation ID:252912b7-5775-491a-968f-00ab03696dd9\r\nTimestamp: 2019-06-2722:11:18Z",
"error_codes": [9002313],
"timestamp": "2019-06-27 22:11:18Z",
"trace_id": "6d7a8e32-bcbf-4fc4-a37a-87dae4781b00",
"correlation_id": "252912b7-5775-491a-968f-00ab03696dd9"
}
Other StackOverflow posts mention verifying that the redirect_uri's have to match between the initial login and the subsequent access_token requests. They appear identical to me, but I am still receiving errors.
Any ideas what could be going wrong?
This is something you need to understand about OAuth on B2C before you are able to successfully request for a token.
This error means that the requested scope (resource) can’t be accessed by you (login user) because of the lack of permissions.
So, to fix that, you need to grant these required permissions to access that resource, by following these steps:
Define a new scope.
Grant Admin consent on that scope.
Request that scope when you request for a token.
In other words, in B2C --> App Registrations --> (Your App), shown in the image below, start with "Expose an API"; here you define a new scope of access, a scope of resources or API, just metadata that you know represents some resources or API.
Then you click on "API Permissions"; here you will add the scope you just created and grant admin consent if needed. But at least you need to add permissions to your newly defined scope.
The third and last step is when you hit: https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token
Make sure to pass the scope that you added. (Use the scope that you added)
The details are explained in here but I can simplify it for you.
So you need to go to your B2C
Seems you are trying to get access token using Authorization Code Grant V2.0
Your request doesn't match with Authorization Code Grant V2.0 format and you have encountered that error.
Your token request for Authorization Code Grant V2.0 should look like the one below:
Token Endpoint: `https://login.microsoftonline.com/common/oauth2/v2.0/token`
client_id:b603c7be-_YourApp_ID-e6921e61f925
scope:https://graph.microsoft.com/User.ReadWrite.All
redirect_uri:https://www.getpostman.com/oauth2/callback
grant_type:authorization_code
client_secret:Vxf1SluKbgu4P_YourAppSecret_DSeZ8wL/Yp8ns4sc=
code:OAQABAAIAAADCoMpjJXrxTq9VG9te-7FXrnBIp82sWR1nC
See Screen shot for details:
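Both the step list in the 'cookiesDisabled' answer above and this thread come down to the same discipline: the authorize request and the token request belong to one flow and must agree on redirect_uri and scope, and the code must only be exchanged after the callback has been checked. In the question the authorize URL asked for graph.microsoft.com/user.write while the token request sent user.readwrite, and the two requests went to different authorities. The following is an added example, not code from the question or either answer: it derives both endpoints from one configuration object using the b2clogin.com endpoint shape quoted in the first answer, validates the returned state before trusting the code, and builds the token request from the same values. Tenant, policy name, client ID and secret are placeholders; the state value is passed in and is assumed to have been generated with a CSPRNG and stored per login attempt.

```javascript
// Added example: consistent authorize + token requests for the OAuth 2.0
// authorization code flow against an Azure AD B2C policy endpoint.
// Not code from the question or answers; all identifiers are placeholders.

const CONFIG = {
  tenant: 'mytenantname',                            // placeholder tenant name
  policy: 'B2C_1_signin',                            // placeholder policy name
  clientId: '00000000-0000-0000-0000-000000000000',  // placeholder app ID
  redirectUri: 'http://localhost:17000/processing/index',
  scope: 'openid offline_access https://graph.microsoft.com/user.read',
};

// One base for both endpoints, so authorize and token cannot target different authorities.
function baseUrl(cfg) {
  return `https://${cfg.tenant}.b2clogin.com/${cfg.tenant}.onmicrosoft.com/${cfg.policy}/oauth2/v2.0/`;
}

// Step 1: the link the user follows. `state` is an unguessable per-attempt value the
// app has stored (server session or a bound cookie) so it can be compared on return.
function buildAuthorizeUrl(cfg, state) {
  const url = new URL('authorize', baseUrl(cfg));
  url.search = new URLSearchParams({
    client_id: cfg.clientId,
    response_type: 'code',
    redirect_uri: cfg.redirectUri,
    response_mode: 'query',
    scope: cfg.scope,
    state,
  }).toString();
  return url.toString();
}

// Step 2: the callback. Surface an error response, and refuse to exchange a code
// whose state does not match the stored one (stale attempt or a forged callback).
function validateCallback(queryString, expectedState) {
  const params = new URLSearchParams(queryString);
  if (params.get('error')) {
    throw new Error(`authorization failed: ${params.get('error')}: ${params.get('error_description') || ''}`);
  }
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch: callback does not belong to this login attempt');
  }
  const code = params.get('code');
  if (!code) throw new Error('callback carried no authorization code');
  return code;
}

// Step 3: the token request, built from the same CONFIG so redirect_uri and scope
// are byte-for-byte the values sent in step 1.
function buildTokenRequest(cfg, code, clientSecret) {
  return {
    url: new URL('token', baseUrl(cfg)).toString(),
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'authorization_code',
      client_id: cfg.clientId,
      client_secret: clientSecret,
      code,
      redirect_uri: cfg.redirectUri,
      scope: cfg.scope,
    }).toString(),
  };
}
```

The token request is sent server-side only; the client secret never reaches the browser, and the `state` check runs before the secret is used at all.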

Dahua api give 401 Unauthorised error in get method angular js

I call a dahua API for preset response in angular js but it gives me a 401 Unauthorised error.
My code is below :
// Credentials embedded in the URL use the user:password@host form; the original had '#' in place of '@'.
var streamurl = 'http://admin:123456@192.168.1.202/cgi-bin/ptz.cgi?action=start&channel=0&code=PositionABS&arg1=180&arg2=190&arg3=10';
$http.get(streamurl, { withCredentials: true })
    .then(function (response2) {
        console.log(response2.data);
    });
I could be wrong but I think you are getting a login screen with that request. I've read through the documentation and I have found your way of authentication only working on the rtsp:// protocol, and for http I believe you should modify headers, and encode your username/password to base64; here's the documentation:
ftp://ftp.wintel.fi/drivers/dahua/SDK-HTTP_ohjelmointi/DAHUA_IPC_HTTP_API_V1.00x.pdf
Also you should probably use this since you are using AngularJS/NodeJS, it will make your life easier - or check how this guy did his authentication and "borrow" from him:
https://github.com/nayrnet/node-dahua-api
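The answer's suggestion is to send the base64-encoded username and password in a header, which is HTTP Basic authentication, rather than in the URL. The following is an added example, not code from the question, the answer or the linked node-dahua-api project: it builds the same ptz.cgi request as the question with the credentials in an Authorization header, so the URL itself carries no secret and can be logged. The host name and credentials are placeholders; `fetch` is assumed to be the global available in Node 18 and later or in a browser.

```javascript
// Added example: HTTP Basic credentials in the Authorization header for the
// camera CGI request from the question. Not code from the question or answer.

// RFC 7617: "Basic " followed by base64 of "username:password".
function basicAuthHeader(username, password) {
  return 'Basic ' + Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
}

// Build /cgi-bin/ptz.cgi with named query parameters instead of a hand-assembled string.
function buildPtzUrl(host, params) {
  const url = new URL('/cgi-bin/ptz.cgi', `http://${host}`);
  for (const [name, value] of Object.entries(params)) {
    url.searchParams.set(name, String(value));
  }
  return url.toString();
}

// Returns the URL and request options; the credentials live only in the header.
function ptzRequest(host, credentials, params) {
  return {
    url: buildPtzUrl(host, params),
    options: {
      method: 'GET',
      headers: { Authorization: basicAuthHeader(credentials.username, credentials.password) },
    },
  };
}

async function sendPtz(host, credentials, params) {
  const { url, options } = ptzRequest(host, credentials, params);
  const res = await fetch(url, options);
  if (res.status === 401) {
    // Either the credentials are wrong or the device demands a different scheme;
    // WWW-Authenticate names the scheme it actually expects.
    throw new Error(`401 from ${host}; WWW-Authenticate: ${res.headers.get('www-authenticate')}`);
  }
  return res.text();
}

// Usage (placeholders: 'camera.example' and the admin credentials are constructed):
// sendPtz('camera.example', { username: 'admin', password: 'camera-password' },
//         { action: 'start', channel: 0, code: 'PositionABS', arg1: 180, arg2: 190, arg3: 10 });
```

Basic over plain http still sends the credentials in clear text on the wire (base64 is an encoding, not encryption), so this should only run on a network segment you control, or over https where the device supports it.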
How to Fix the 401 Unauthorized Error
Check for errors in the URL. It's possible that the 401 Unauthorized error appeared because the URL was typed incorrectly or the link that was clicked on points to the wrong URL - one that is for authorized users only.
If you're sure the URL is valid, visit the website's main page and look for a link that says Login or Secure Access. Enter your credentials here and then try the page again. If you don't have credentials, follow the instructions provided on the website for setting up an account.
If you're sure the page you're trying to reach shouldn't need authorization, the 401 Unauthorized error message may be a mistake. At that point, it's probably best to contact the webmaster or other website contact and inform them of the problem.
The 401 Unauthorized error can also appear immediately after login, which is an indication that the website received your username and password but found something about them to be invalid (e.g. your password is incorrect). Follow whatever process is in place at the website to regain access to their system.
From https://www.lifewire.com/401-unauthorized-error-what-it-is-and-how-to-fix-it-2622934

URL and parameter values to get user data from stackoverlow

In the Stack Overflow (Stack Exchange) API docs (https://api.stackexchange.com/docs/authentication) it is clearly explained how to send the user to the login page and get an access token from it, but the details for accessing user data by using a URL and parameters are not available. Please help me find the way to get user data from Stack Overflow with the correct URL and parameters.
1.Send a user to https://stackexchange.com/oauth, with these query string parameters
client_id
scope (details)
redirect_uri - must be under an apps registered domain
state - optional
2.POST (application/x-www-form-urlencoded) the following parameters to https://stackexchange.com/oauth/access_token
client_id
client_secret
code - from the previous step
redirect_uri - must be the same as the provided in the first step
But the URL and parameters to get user data by using this access token are not available.
You are right, the endpoints are not documented very well.
I would strongly suggest taking a look at the API explorer.
e.g. For user info of "me":
https://api.stackexchange.com/docs/me#order=desc&sort=reputation&filter=!9buxV.Gp.&site=stackoverflow&access_token=YOUROWNACCESSTOKEN&key=YOURAPIKEYIDONTKNOWWHY
Click "Get Token" (it seems you already have your access token, just for the Explorer)
Click "Run" :
You can debug the request in the "Network" tab of your browser console (e.g. in Safari: right mouse click / copy as cURL to know what's really going on).
--> The problem with the Stack Exchange API is that it does NOT seem to work to send a Bearer TOKEN - instead you (and the API explorer) send the access_token as a GET parameter:
https://api.stackexchange.com/2.2/me?order=desc&sort=reputation&filter=withbody&site=stackoverflow&access_token=YOUROWNACCESSTOKEN&key=YOURAPIKEYIDONTKNOWWHY
The site parameter selects which profile of the StackExchange network you want.
[{"site":"http://stackoverflow.com","param":"stackoverflow"},{"site":"http://serverfault.com","param":"serverfault"},
{"site":"http://superuser.com","param":"superuser"},{"site":"http://webapps.stackexchange.com","param":"webapps"},
{"site":"http://gaming.stackexchange.com","param":"gaming"},{"site":"http://webmasters.stackexchange.com","param":"webmasters"},
{"site":"http://cooking.stackexchange.com","param":"cooking"},{"site":"http://gamedev.stackexchange.com","param":"gamedev"},
{"site":"http://photo.stackexchange.com","param":"photo"},{"site":"http://stats.stackexchange.com","param":"stats"},
{"site":"http://math.stackexchange.com","param":"math"},{"site":"http://diy.stackexchange.com","param":"diy"},
{"site":"http://gis.stackexchange.com","param":"gis"},{"site":"http://tex.stackexchange.com","param":"tex"},
{"site":"http://askubuntu.com","param":"askubuntu"}]
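Because the answer's working request carries the access token and API key in the query string rather than in an Authorization header, they end up in every place URLs are recorded: browser history, proxy and CDN logs, and the application's own request logs. The following is an added example, not code from the question, the answer or Stack Exchange: it builds the /2.2/me request described above from named parameters, and scrubs the sensitive parameters from a URL before it is logged. The token and key values are placeholders; the `site` values are taken from the list the answer quotes.

```javascript
// Added example: build the /2.2/me request with the token in the query string
// (as the answer says the API requires) and redact it before logging.
// Not code from the question or answer; token and key are placeholders.

const API_BASE = 'https://api.stackexchange.com/2.2/';
// Parameters that must never reach a log line.
const SENSITIVE_PARAMS = new Set(['access_token', 'key']);

function buildMeUrl({ site, accessToken, apiKey, filter = 'default' }) {
  const url = new URL('me', API_BASE);
  url.search = new URLSearchParams({
    order: 'desc',
    sort: 'reputation',
    filter,
    site,
    access_token: accessToken,
    key: apiKey,
  }).toString();
  return url.toString();
}

// Copy of the URL with userinfo dropped and sensitive query values replaced,
// safe to write to logs or error messages.
function redactUrl(urlString) {
  const url = new URL(urlString);
  url.username = '';
  url.password = '';
  for (const name of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(name)) url.searchParams.set(name, 'REDACTED');
  }
  return url.toString();
}

// Fetch wrapper that only ever logs the redacted form. `fetch` is assumed to be
// the Node 18+ / browser global.
async function fetchMe(params, log = console.log) {
  const url = buildMeUrl(params);
  log(`GET ${redactUrl(url)}`);
  const res = await fetch(url);
  if (!res.ok) throw new Error(`Stack Exchange API returned ${res.status} for ${redactUrl(url)}`);
  return res.json();
}
```

The same redaction belongs in any error path: an exception message that embeds the raw URL leaks the token just as effectively as a log line does.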
