Bearer token is not valid when calling the graph API - active-directory

I would like to see full information on my users in the AD (users in groups, etc...)
I already have an application that signs in to AD and then I get a bearer token that has access to my azure blockchain workbench API and everything works fine.
The workbench API has a users endpoint but the information is limited, it has first name, last name, email etc... and I would like to know more.
When trying to call the https://graph.microsoft.com/v1.0/me endpoint with the bearer token that I already have it is invalid and I get:
{
"odata.error": {
"code": "Authentication_MissingOrMalformed",
"message": {
"lang": "en",
"value": "Access Token missing or malformed."
},
"requestId": "47322d1e-24d5-4170-ace5-947a8725ec1c",
"date": "2019-03-13T08:14:37"
}
}
I also tried a different approach. I have a service principal and gave this service principal an windows active directory basic info on users privilege. I also gave it a Microsoft Graph privilege and also a privilege to mu blockchain app (not sure if I need to).
I call https://login.microsoftonline.com/{{tenant-id}}/oauth2/token with the client credentials body and I get a bearer token. Now with this bearer token I get:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "2a7febaa-a6db-4770-a323-1971fa0bf863",
"date": "2019-03-17T13:54:57"
}
}
}

Access token needs to be acquired for Microsoft Graph API as the resource.
In first approach, token that you already have for workbench api will not work for Microsoft Graph because that token is meant for Workbench API.. you can check this by looking at aud claim for that token. You can decode the token using https://jwt.ms
In second approach, token should work, as long as you specified the resource you're acquiring token for is https://graph.microsoft.com and not workbench API. If you still face issues, share the code you're using to acquire token or the decoded token itself (minus any sensitive info)

Related

No authorization information present on Microsoft Graph API request

I try to call this API -> https://graph.microsoft.com/v1.0/me/chats
I'm also passed Authorization Bearer token in header but i got below error
{
"error": {
"code": "Forbidden",
"message": "No authorization information present on the request.",
"innerError": {
"date": "2023-01-12T09:37:45",
"request-id": "1975336f-42b0-49a1-8110-a1092f07c130",
"client-request-id": "1975336f-42b0-49a1-8110-a1092f07c130"
}
}
}
I have use this scopes to generate token
user.read Mail.Send Mail.Read Mail.ReadBasic Mail.ReadWrite GroupMember.Read.All Group.Read.All Directory.Read.All Group.ReadWrite.All Directory.ReadWrite.All Chat.ReadBasic Chat.Read Chat.ReadWrite openid profile offline_access
I have use this endpoint https://login.microsoftonline.com/common/oauth2/v2.0/token for acquire token
By using generated token I'm able to send mail , receive mail and etc but not able to call /chats api and other microsoft teams api
What should i do to get successful response from https://graph.microsoft.com/v1.0/me/chats API.
I got this scope in token authorized response
enter image description here
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application and added API permission:
I generated the access token using Authorization Code Flow.
Generated Access token using below parameters:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=RedirectURI
&response_mode=query
&scope=https://graph.microsoft.com/Chat.ReadWrite
&state=12345
I generated the access token by using below parameters:
GET https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/Chat.ReadWrite
grant_type:authorization_code
redirect_uri:RedirectUri
code:code
To get the chat, I used the below query:
https://graph.microsoft.com/v1.0/me/chats
If still the issue persists, check if the licenses are assigned to the user.
Reference:
Get chat - Microsoft Graph v1.0 | Microsoft Learn

Trying to use Graph API to get user's channels and post messages to MS Teams Channel from Web App

I'm trying to write a web app on our website which gets a User's MS Team channels and then posts a message to a channel of their choosing using MS Teams Graph API.
I'm about to get an access token using the OAuth API, and I'm passing access token (AAD token) to the /me/joinedTeams endpoint, it's giving me the below error:
{
"error": {
"code": "ResourceNotFound",
"message": "Resource not found.",
"innerError": {
"date": "2021-05-14T20:57:03",
"request-id": "30d80d9a-66f4-47ff-ab11-dacb7f817806",
"client-request-id": "30d80d9a-66f4-47ff-ab11-dacb7f817806"
}
}
}
Screenshot of my Graph Explorer results
UPDATE:
I have gotten my account converted to a Work account, and added the permissions. Now I am getting this response/error:
Screenshot of new Graph Explorer results
It's better for you to share how to get an access token using the OAuth API. In this issue , it seems your signed-in user is a personal Microsoft account, that's not supported to access the /me/joinedTeams endpoint. Doc of this API.
There are some notes here:
When using Graph Explorer, access token is here after login. You don't need to add bearer token in Request headers.
You have to sign in with a work or school account, and you need to consent one of the required permissions in "modify permissions(Preview)".

Call Microsoft Graph API to get user in Azure AD B2C

I have an android application that uses Azure AD B2C. Users can sign up using local account/email. Once the user logs into the android application, I'm trying to call the Microsoft Graph API to get the signed-in users details (specifically the Graph API UPN of the user, which is different than the UPN in Azure ad B2C).
The API call I'm trying to make is: https://graph.microsoft.com/v1.0/me
I added the bearer auth token I receive when the user logs in.
However, I receive the following error:
"error": {
"code": "InvalidAuthenticationToken",
"message": "CompactToken parsing failed with error code: 80049217",
"innerError": {
"date": "2020-06-17T06:11:32",
"request-id": "b4e9757e-60d9-453f-820d-9f817831aa0c"
}
}
}
Any idea what I can do to get the user's Graph API UPN? Appreciate the help!
This error occurs when the token used is invalid. If you want to get the logged-in user information, you can request the API at here.
Don't forget to grant administrator consent for this permission,please checkhere.
Update
For Azure b2c users, it is currently not possible to call the Graph API.https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/526

Can I get an id_token from Azure AD for my app?

Using the client_credentials flow in Azure AD, I am unable to retrieve an id_token for my app.
I am experimenting with the Azure AD OAuth/OpenID endpoints, and running into some questions.
I create a simple app with minimal config through the Graph API (a beta endpoint, but still). I have removed all the headers and anonymised in code snippets below:
curl -X POST \
https://graph.microsoft.com/beta/applications \
-d '{
"displayName": "App Name",
"passwordCredentials": [
{
"endDateTime": "2299-12-30T23:00:00Z",
"startDateTime": "2019-02-14T20:19:14.686691Z",
"secretText": "<SOME KEY>",
"displayName": "Client Secret"
}
]
}'
In the response from Azure AD, I get an appId:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#applications/$entity",
"id": "<SOME GUID>",
"deletedDateTime": null,
"isFallbackPublicClient": null,
"appId": "<SOME GUID>",
...
This is enough for me to be able to retrieve an access_token from the v1 OAuth endpoint:
curl -X POST \
https://login.microsoftonline.com/tenant_id/oauth2/token \
-d 'client_id=appId&client_secret=secretText&grant_type=client_credentials'
Response:
{
"token_type": "Bearer",
"expires_in": "3600",
"ext_expires_in": "3600",
"expires_on": "1550220412",
"not_before": "1550216512",
"resource": "00000002-0000-0000-c000-000000000000",
"access_token": "<JWT access token>"
}
Since I didn't specify a resource in my call, I get the default Graph API resource.
Now, what I also would like to get is an id_token for my app. I have been able to get these tokens from other OpenID providers. However, the OpenID Connect Core spec. gives me reason to think that id_tokens are for end users only, not apps:
"The ID Token is a security token that contains Claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims"
(From https://openid.net/specs/openid-connect-core-1_0.html#IDToken)
Adding resource=openid to the POST to the token endpoint above won't work, since openid is a scope, not a resource.
Switching to the v2 endpoints, I get access to a scope parameter. I can obtain an access token from there by setting scope=https://graph.microsoft.com/.default, explicitly requesting the access I got by default through the v1 endpoint.
However, setting the scope to for instance scope=https://graph.microsoft.com/.default openid does not give me an id_token for my app, and the access token looks identical to the previous call.
Trying just scope=openid gives me the following error from Azure AD:
AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope openid is not valid.
All this combined leads me to believe that the OpenID providers I have used and have issued id_tokens through the client_credentials flow are breaking the spec, and that id_tokens can only be obtained for end users (using the authorization_code flow gives me an id_token from Azure AD for myself without any issues).
Is this a correct conclusion, or can I force Azure AD to issue id_tokens to apps as well as end users?
An id_token is issued when a user signs-in. Client credentail flows have no user, so no id_token is issued.
you'd need to use a flow like authorization code grant or openID connect to sign a user in. The response will have a id_token.
You cannot use the client credentials flow to get the id_token for app-only, it only returns the access_token.

Authorization_IdentityNotFound on Microsoft Graph API request

I'm trying to develop an app in my enterprise and I've followed this tutorial to get access to the AD users information. Meaning:
I created an app in https://apps.dev.microsoft.com/
I set User.Read.All in Application Permissions and User.Read in Delegated Permissions
With this done I'm able to successfully login (Azure AD OAuth2 with https://graph.microsoft.com/ as resource and User.Read as scope) and get a correct response from https://graph.microsoft.com/v1.0/me.
Ask the Admin for the Delegated Permissions
With this, my admin can see in the azure portal that my App has both permissions consented by himself.
This is working because I asked a coworker to log in and I could get a correct response from https://graph.microsoft.com/v1.0/me even though he wasn't even prompted to consent this (Before the admin consenting the permissions the user was prompted)
Request a token from https://login.microsoftonline.com/common/oauth2/token with client_credentials as a response_type
Receive the token!
Do a GET request to https://graph.microsoft.com/v1.0/users and receive:
{
"error": {
"code": "Authorization_IdentityNotFound",
"message": "The identity of the calling application could not be established.",
"innerError": {
"request-id": "b2d9ec62-0b65-44eb-9e0f-4aec52b45750",
"date": "2017-03-22T19:19:48"
}
}
}
Furthermore, doing a request to https://graph.microsoft.com/v1.0/me returns:
{
"error": {
"code": "BadRequest",
"message": "Current authenticated context is not valid for this request",
"innerError": {
"request-id": "047e2ba9-a858-45fc-a0dd-124e1db503f3",
"date": "2017-03-22T19:39:25"
}
}
}
Which leads me to believe that Microsoft knows this token and knows it is not impersonating any user.
I've been looking for documentation on Azure AD and Microsoft Graph authentication but I only find blog posts and all seem outdated (although most features are in preview).
If you could point me in the right direction I would thank you.
I've also found this and this similar questions on SO but they all remain unanswered.
Update, after this answer
Thank you, Dan,
I've used my organization domain name and I'm also able to get a token.
Now the response from https://graph.microsoft.com/v1.0/users/ is:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "3f190b47-73f5-4b29-96f9-54ed3dbc3137",
"date": "2017-03-23T11:07:15"
}
}
}
Which makes no sense because in the azure portal I have User.Read.All as Application Permission (already consented by the admin).
I think the problem is with the request for the token, that returns successfully no matter the scope I send, even if I made one up.
For Example:
POST https://login.microsoftonline.com/<domain>/oauth2/token
client_id:*******
client_secret:*******
resource:https://graph.microsoft.com/
grant_type:client_credentials
scope:Foo.Bar
Returns:
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1490271617",
"not_before": "1490267717",
"resource": "https://graph.microsoft.com/",
"access_token": *****
}
I had two problems, both not covered documentation:
For client credentials, if the app belongs to a work or school (organization) context then for https://login.microsoftonline.com/common/oauth2/token replace common with a tenantId or domain name (thanks to Dan Kershaw)
For https://graph.microsoft.com/v1.0/users or https://graph.microsoft.com/v1.0/users/{id | userPrincipalName} you need Directory.Read.All permission.
Note:
User.Read.All is relevant for Microsoft to stop requesting permissions (delegation) to the user when you ask for User.Read in the OAuth workflow. Check this and other Permission related issues in the Release Notes.
I've added this issue to the Microsoft Graph Docs!
The /me segment is a shortcut or alias for the currently signed-in user. The request to /me will never work with an application token, because it doesn't contain any user context (or signed in user) - and hence the error. We might be able to improve this error though ;)
I believe when using the client credentials flow, you need to specify the actual tenant that you want a token for.
If you're app is performing this operation in a work or school (organization) context then for https://login.microsoftonline.com/common/oauth2/token replace common with a tenantId or domain name, and see if that works.
If you are following https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds it looks like we might have a couple of doc bugs in there that we need to fix...
Hope this helps,

Categories

Resources