I am getting this error
{"error":"invalid_request","error_description":"Unable to retrieve access token: appid/redirect uri/code verifier does not match authorization code. Or authorization code expired. Or external member binding exists"}
when some of my users use the LinkedIn login. It works fine for 70% of the users.
Can someone explain why is this happening..
I'm using running the application on a NodeJS server.
Related
I'm trying to register an application in Azure AD using Graph API with an oauth token obtained with the Authorization Code grant type. I can do it with Client Credentials, but not with Authorization Code. With the latter I can list applications, but not create them.
Here's the permissions I've set in the application:
And here's what I set in postman to get the token:
I get the token just fine and I can list the applications, but when I try to create a new one through the endpoint 'POST https://graph.microsoft.com/v1.0/applications' I get the following response:
Anyone knows why this is happening? Thanks!
According to the last screenshot you provided, it seems the process stopped at login page(the response body is the html of login page) when do authorization code flow.
I test it in my side(also in postman) but it works fine, below is my configuration in postman for your reference:
Although I didn't reproduce your problem in my test, but I can provide you some information about authorization code backend request to know what does the response in your postman mean.
When we do authorization code flow(not in postman) to get access token, there are two steps. First we need to request the url https://login.microsoftonline.com/{tenantId or commone}/oauth2/authorize?resource=https://graph.microsoft.com&client_id={clientId}&response_type=code&redirect_uri=https://hurytest&response_mode=query in your browser like below screenshot.
We can find the content in the red box in screenshot above is same to the response you get in postman. So I think the process stopped here(which is the first step of authorization code flow).
Second step, we need to input username and password into the login page. It will redirect to another page like below screenshot.
Copy the code after code= in the above screenshot and then use the code in below request to get access token.
In a word, I didn't reproduce your problem in my postman. But the backend request in your postman may stopped in the first step(login page) of authorization code flow which I mentioned above. So please check if you configured correct in postman. If still doesn't work, you can do authorization code flow by the two steps I provided to get the access token.
I'm trying to do an Authorization request following the documentation about it on Microsoft (Getting access on behalf of a user: https://learn.microsoft.com/en-us/graph/auth-v2-user). I'm making the request using Azure's Logic Apps. I already made an app registration in Azure AD and gave it the following permissions (I used the app for a few different requests before so that's why it contains a lot of unnecessary api permissions). I already succeeded in getting access without a user (https://learn.microsoft.com/en-us/graph/auth-v2-service). Now I really don't know what I'm doing wrong, so if anybody has an idea of what it is, please let me know. I will try to explain as carefully as possible using screenshots so you guys get the idea of what I'm trying to do.
On the first screen below you can see the api permission I added to my app registration. For this request I'm only asking authorization for the one with arrow next to it(as you will see later on).
On the second screen you can see the HTTP post request I'm trying to make to the authorize endpoint. I blurred out the Tenant and Client_id for privacy reasons. I only added the required parameters in the body as described by Microsoft. In the scope parameter you can see the api permission I'm asking permission for.
On the third screenshot you can see the output of the request. Instead of getting an Authorization code as requested, I get an HTML body.
When I paste that HTML body into a browser it gives me the following result:
I have no clue what I'm doing wrong. I tripled checked to make sure cookies are enabled, made sure third-party cookies are not disabled and added login.microsoftonline to my trusted websites.
I'm starting to think I'm doing something very simple wrong, but I can't figure out exactly what. Any help is welcome! :D
Sorry can't add a comment so posting as an answer
What you are trying to implement is the Authorization Code grant flow of OAUTH 2.0. In Authorization code grant flow following steps occur
1) User is presented with the scopes that an application requires when accessing certain resources,
2) The user authorizes this. and the user is redirected to a redirect url
3) The application then exchanges the code sent with the redirect url to get the actual token which in this case will be sent to the Microsoft Graph for validation.
4) User then sees the information pulled.
The major crux of Authorization Code grant flow is that "User Authorization is required" This basically means that this flow is used when the call is invoked from a browser client where the user is actually interacting. This flow should not go through the Azure Logic Apps. If you want a service or a daemon to access the resources in that case you should use Client Credentials Grant flow
Salesforce token end point was working fine previously but recently it's password got expired. I asked SF team to extend the same password and after that I am able to login to SF portal and able to get SF access token using same password and security token by postman.
But when my prod application is making calls to SF it still gives same error message:
This session could not be mutually authenticated for use with the REST API","errorCode":"MUTUAL_AUTHENTICATION_FAILED"
Could you please help me that why after extending the same password (by changing some setting in sf) when the .net core application hit it, its getting same error message. Does it got cashed and SF service need to be restarted???
I get an authorization 401 error code when I try to delete a Group from the API in C# but if I try it in postman it succeeds. Feels kinda weird because I run the same command but it doesn't work...
The problem I think I have is that to DELETE a group in Office 365 I need to login to my account and that the application can't makes this action.
I gave all Group.ReadWrite.All access and all other permissions for the application. So I think I need to pass my Login credentials for Azure AD or am I incorrect.
Request :
StatusCode: 401,
ReasonPhrase: 'Unauthorized',
Version: 1.1,
Content: System.Net.Http.NoWriteNoSeekStreamContent,
Headers:
EDIT
I tried to not use my GetAccessToken() and use the token I got when using OAUTH 2.0 verification in Postman. If I took that bearer token I had no problem running my script and using DELETE.
So my question what the difference of using ADAL in C# code and the call that Postman Auth2.0. When using Postman I get a login page where I login to my Azure account, can I replicate this in code? For the authentication in C# I use this example.
NEW EDIT
As one wrote in the chat, I checked the access token and what roles I had on a website.
roles: [
"EduRoster.Read.All",
"Mail.ReadWrite",
"User.ReadWrite.All",
"Calendars.Read",
"People.Read.All",
"Group.Read.All",
"Directory.ReadWrite.All",
"MailboxSettings.Read",
"Contacts.ReadWrite",
"Group.ReadWrite.All",
"Notes.Read.All",
"Directory.Read.All",
"User.Read.All",
"Mail.Read",
"Calendars.ReadWrite",
"Mail.Send",
"MailboxSettings.ReadWrite",
"Contacts.Read",
"Member.Read.Hidden",
"Notes.ReadWrite.All"]
Some clarification: If you have a token and it doesn't have the necessary claims/permissions to make the API call you are trying, you'll should get a 403 Forbidden. If the token is missing in the API request or malformed, you'll get a 401 Unauthorized. Please see https://developer.microsoft.com/en-us/graph/docs/concepts/errors.
Are you making direct HTTP REST calls to Graph, or are you using the client library? I suggest that you look at some of our samples to get started for examples of token acquisition together with calls to Microsoft Graph. Try https://github.com/microsoftgraph/console-csharp-snippets-sample (uses a .Net client library) or https://github.com/microsoftgraph/aspnet-connect-rest-sample (uses direct HTTP REST calls).
Also are you acquiring a token in the context of a (signed-in) user, or in the context of the application (no signed in user)? If the former, you need to request a "delegated" permission. If the latter, you need to request an "application" permission. Please see these concepts: https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_user and https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
Hope this helps,
You're on the right track.
The Delete Group method support both Delegated (Authorization Code or Implicit OAUTH grants) and Application (Client Credentials OAUTH grant) models. Both Delegated and Application flows require the Group.ReadWrite.All scope.
The reason you're getting a 401 Unauthorized error is that your application hasn't received Admin Consent for the tenant you're connected too. When using Client Credentials there is no User to authenticate so before your application can interact with the tenant, an Admin must first explicitly authorize your application and the scopes you're requesting.
You can find a walk through at v2 Endpoint and Admin Consent.
I've implemented Facebook login workflow in my website using Satellizer, and it's working fine. But for some reason, some users that try to login don't get the code parameter sent to the server, just the clientID, so I can't exchange it with the access token to get them logged in. Why is this happening?