I just setup a Azure Active Directory tenant and I have an application using oAuth2 Implicit Flow. I get the following error
"_error":"AADSTS700051: response_type 'token' is not enabled for the application.
Is there a configuration setting in the Azure AD dashboard tenant that resolves this error?
'token' is not enabled for the application
I have ever got this error, you could follow how Rohit said to fix this. You could modify the app manifest or select token in the Authentication (only for app registered in App registration(preview).
In the app manifest:
In the App registration (preview):
Related
I have an application stack with a React SPA frontend and an Asp.net core web-api backend. Both resources had been successfully registered in AzureAD each with its own app and the authentication and authorization processes are working fine. However, would it be possible to use the same registration for both the front and backend in AD?
When using the AD Application ID from the backend in React:
auth: {
clientId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
authority: "https://login.microsoftonline.com/<tenantId>",
redirectUri: "http://localhost:3000"
}
I get the following error:
ServerError: invalid_request: AADSTS90009: Application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'(api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier.
I am using the MSAL library for the frontend.
Both the applications (front end and back end) need to be registered for sure in Azure AD.
As you are using client id of backend which is api to be secured , the Error is occurring.
Update client-id, tenant-id, redirect URI of front end application not backend api in configuration file based on application registration in Azure AD.
Then make sure to expose an API and grant admin consent to the API with required permissions.
Yes, this is possible. Your provider configuration looks correct, so check to make you app registration is setup properly. You will need the following things:
An SPA platform configuration with a redirect URI of http://localhost:3000
Add a scope (under 'Expose an API') and make sure your Application ID URI is created
Use the new scope in your MSAL authentication template
I'm trying to write an R package to let users access the files in their OneDrive folders from R. The API is Microsoft Graph.
Everything is working fine with OneDrive for Business (which is basically SharePoint under the hood, as I understand it). However, I can't get it to work with personal OneDrive.
Custom app registration, consumers authorization endpoint
When I use an app registration under my own AAD tenant, I get the following error from the consumers AAD authorization endpoint:
AADSTS50020: User account 'xxxxx#gmail.com' from identity provider 'live.com' does not exist in tenant 'Consumers' and cannot access the application 'd44a05d5-c6a5-4bbb-82d2-443123722380'(AzureRtest_cli) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Custom app registration, 9188040d-6c67-4c5b-b112-36a304b66dad endpoint
From this page it appears that the token should be for the tenant 9188040d-6c67-4c5b-b112-36a304b66dad instead of the generic consumers. When I tried that, I obtained a seemingly valid token. However, talking to the https://api.onedrive.com/v1.0/drive endpoint results in a cryptic 401 error.
Azure CLI app registration, consumers endpoint
As a hack, I tried piggybacking off the Azure CLI's app registration. This fails with
AADSTS65002: Consent between first party application '04b07795-8ddb-461a-bbee-02f9e1bf7b46' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization. Visit https://identitydocs.azurewebsites.net/static/aad/preauthorization.html for details
Azure CLI app registration, 9188040d-6c67-4c5b-b112-36a304b66dad endpoint
Finally, I tried using the CLI app registration with this tenant, which also failed:
unauthorized_client: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.
What are the exact steps I need to do to get to my personal OneDrive?
It turns out I had a bug in my code: I was using the tenant consumers.onmicrosoft.com instead of consumers. The process to communicate with Graph for personal OneDrive that worked for me was:
Use the authorization code flow as described here, with the following specs:
tenant: consumers
client id: for my custom app registration
scope: https://graph.microsoft.com/{scope} offline_access openid where the scope is one of those listed here
Use the API endpoint https://graph.microsoft.com/v1.0.
With regard to that last point, note that the documentation here is incorrect or at least outdated, as it still gives https://api.onedrive.com/v1.0 as the endpoint for personal OneDrive requests.
I have configured Azure AD multi-tenant autentication by following this article: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant-custom?tabs=applications
The authentication worked on friday last week, but now its suddenly failing. I tried to re-register the application in Azure AD with new App Id and new App secret that was added in both ends.
Error i'm getting:
Sorry, but we’re having trouble with signing you in.
AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption.
Am I overlooking something obvious?
Authentication is used with a SPA Web App using React with react-aad-msal
Solution: Changed platform configuration from SPA to Web solved it.
I have code working in development that authorizes against Azure AD in a multi-tenant setup using the MSAL library (with the Microsoft Angular wrapper for MSAL).
This code all works as expected when I am running it against localhost:5001.
My configuration contains a redirectUri for https://localhost:5001 and my application in Azure AD has its "Redirect URI" value set to the same.
However, when I move this to production, it is continuing to try to redirect me to localhost:5001 on a successful AD authentication, even though I have changed my redirectUri in my configuration, as well as the Azure B2C application "Redirect URI", to now be the production site at:
https://[mysite].azurewebsites.net
Where is it still getting localhost:5001 from? I searched my code/configuration and this value does not exist. It is not currently in Azure AD for the Application. I have stopped and restarted my App Service to no avail.
The redirection it is trying to make is to:
https://localhost:5001/#id_token=eyJ0eXAiOiJKV1Qi ...
I was able to work around this issue by deleting the Azure AD App Registration and creating a new one from scratch with the proper endpoints.
For some reason, it was not "holding" the change when the endpoint URLs were edited and saved. It showed the correct endpoints in the Azure AD control panel for the App Registration, but it was still redirecting to localhost.
When I deleted and re-created, it properly forwarded the replies to the production site.
I am unsure at this time if this is an issue on Microsoft's side or not, but this conclusively resolved the issue.
Registering a new application solved this issue.
No need to delete and register a new application. Simply update the replyUrlsWithType attribute on the Azure Active Directory app manifest file to point to the new domain, url or location:
"replyUrlsWithType": [
{
"url": "https://localhost:4400/services/office365/redirectTarget.html",
"type": "InstalledClient"
}
],
See this link for more information: https://learn.microsoft.com/en-gb/azure/active-directory/develop/reference-app-manifest?WT.mc_id=Portal-Microsoft_AAD_RegisteredApps
I have a built a .NET Console app. It uses MSAL for interacting with Azure AD and Azure AD B2C. This app is a sample to show the various ways to connect to Org, Social & Local Accounts.
I’m able to do Signup and Signin with local account without any errors. When I try with Multi Tenant Azure ID or even a single tenant, I get the following error. I’m confused as to which application is this that is missing the ReplyURL. Appreciate guidance.
Azure AD B2C App
Type: Native Application
Redirect URIs: urn:ietf:wg:oauth:2.0:oob, https://login.microsoftonline.com/tfp/oauth2/nativeclient
Custom Redirect URIs: https://login.microsoftonline.com/tfp/oauth2/nativeclient, com.onmicrosoft.<tenantname>.MythicalB2C://redirect/path
Azure AD App
Type: Native Application
Redirect URIs: urn:ietf:wg:oauth:2.0:00b, https://login.microsoftonline.com/common/oauth2/nativeclient
I get the following error when using Org Account
Additional technical information:
AADSTS50011: Reply address '' specified by the request is not a valid URL.
Allowed schemes: '*'