I am attempting to convert over from the old Azure AD OpenId Connect to use the new Azure AD v2.0 endpoint as documented here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oidc
When I attempt to request a token via the v2.0 token endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/token
I get a response that only includes a 'token_id' field, and not a 'token_type', or any other fields. The library I am using to parse the response is nimbus.com library for openid and auth2. The OIDCTokenReponseParser throws an exception because the 'token_type' is missing from the response.
I have looked at the OpenID Connect Protocol specifications, and it says that a request to the token endpoint requires 'token_type', so it seems as though the response from the endpoint is invalid.
Has anyone run into this issue, and if so, how did you deal with it?
UPDATE 3/2/2018
My flow works with the old end point. I redirect the user here:
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id={id}&redirect_uri={uri}&scope=openid+profile+email&state={state}
The user logs in, and they are redirected to my app, and code is provided via a query parameter.
I turn around and make this request:
https://login.microsoftonline.com/common/oauth2/token?code={code}&grant_type=authorization_code&client_secret={secret}
And I get response that looks like this.
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1520018953",
"access_token": "{token}",
"refresh_token": "{token}",
"id_token": "{token}"
}
I try to handle v2.0 version the same way. I redirect the user to:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id={id}&redirect_uri={uri}&scope=openid+profile+email&state={state}
And after they sign in, they are redirected back to my app with the 'code' as a query parameter.
I then send this request:
https://login.microsoftonline.com/common/oauth2/v2.0/token?code={code}&grant_type=authorization_code&client_secret={secret}&redirect_uri={uri}&client_id={id}
But this is the response I get:
{
"id_token":"{token}"
}
The scopes you've requested can all be satisfied with the contents of the ID Token only. In your Auth Request, try including a scope that would indicate that you need an access token (e.g. https://graph.microsoft.com/User.Read), and the response will have the expected token_type and access_token.
Related
I try to call this API -> https://graph.microsoft.com/v1.0/me/chats
I'm also passed Authorization Bearer token in header but i got below error
{
"error": {
"code": "Forbidden",
"message": "No authorization information present on the request.",
"innerError": {
"date": "2023-01-12T09:37:45",
"request-id": "1975336f-42b0-49a1-8110-a1092f07c130",
"client-request-id": "1975336f-42b0-49a1-8110-a1092f07c130"
}
}
}
I have use this scopes to generate token
user.read Mail.Send Mail.Read Mail.ReadBasic Mail.ReadWrite GroupMember.Read.All Group.Read.All Directory.Read.All Group.ReadWrite.All Directory.ReadWrite.All Chat.ReadBasic Chat.Read Chat.ReadWrite openid profile offline_access
I have use this endpoint https://login.microsoftonline.com/common/oauth2/v2.0/token for acquire token
By using generated token I'm able to send mail , receive mail and etc but not able to call /chats api and other microsoft teams api
What should i do to get successful response from https://graph.microsoft.com/v1.0/me/chats API.
I got this scope in token authorized response
enter image description here
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application and added API permission:
I generated the access token using Authorization Code Flow.
Generated Access token using below parameters:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=RedirectURI
&response_mode=query
&scope=https://graph.microsoft.com/Chat.ReadWrite
&state=12345
I generated the access token by using below parameters:
GET https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/Chat.ReadWrite
grant_type:authorization_code
redirect_uri:RedirectUri
code:code
To get the chat, I used the below query:
https://graph.microsoft.com/v1.0/me/chats
If still the issue persists, check if the licenses are assigned to the user.
Reference:
Get chat - Microsoft Graph v1.0 | Microsoft Learn
I'm using the Google Smart Home action and my skill is successfully linked. Getting a below SYNC intent.
{
"requestId": "ff36a3cc-ec34-11e6-b1a0-64510650abcf",
"inputs": [{
"intent": "action.devices.SYNC"
}]
}
But not getting the Authorization token to call the cloud api (As we getting in Alexa), So how can I get the Authorization token?
Google attach user's access token on Authorization header when call your fulfillment URL, as the following document Fulfillment and authentication:
When you have authenticated a user, the user's third-party OAuth 2 access token is sent in the Authorization header when smart home intents are sent to your fulfillment.
I was able to resolve it by checking the API Gateway logs, I was receiving the access token on api gateway but api gateway was sending only body part to the function not the header.
So what you need to do is just add the header manually in the request(for your function) and then you will surely receive that access token.
I am trying to follow this Get access without a user to get access token. I am getting access token using API request https://login.microsoftonline.com/<-tenant-id->/oauth2/token. When i used step 5 for above given link i got the following error :
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure. Invalid audience.",
"innerError": {
"request-id": "e9e9820e-2a3f-411a-bc77-760c9369fc8f",
"date": "2020-01-02T06:17:41"
}
}
}
I have registered app with the following permission : Calendars.Read, Calendars.ReadWrite, Sites.Read.All, User.Read, User.Read.All and have generated secret key and registered redirect url as :
User.Read.All.
My questions are:
1. Have i done anything wrong while creating app?
2. Why step 4 is not working of the link?
3. Did i get wrong access access using the above given api request?
In step 5, it calls the Microsoft Graph - Get a user, so make sure your app has the User.Read.All Application permission in Microsoft Graph(must be application permission, not delegated permission), after adding the permission, it appears like below(Note: don't forget to click the Grant admin consent button)
In the doc you provided, it uses the v2.0 endpoint /oauth2/v2.0/token, but you use the v1.0 endpoint /oauth2/token in your question.
So please change the request URL to /oauth2/v2.0/token, then use the one below.
Request URL:
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Request body:
client_id=xxxxxxxxxxxxxxx
&scope=https://graph.microsoft.com/.default
&client_secret=xxxxxxxxxxxxxxxx
&grant_type=client_credentials
You can get the token in the postman.
Then use the token to call the Get a user API:
GET https://graph.microsoft.com/v1.0/users/<object-id of the user>
I'm using the /.auth/me endpoint to get claims for the users.
I'm obtaining the Bearer token in order to authenticate to the endpoint.
The endpoint itself is on an Azure Function origin, so what I'm calling is https://azure_function_name.azurewebsites.net/.auth/me with the Authorization header set to Bearer (token)
This works but not for all people.
Some people get the following response from the /.auth/me endpoint:
[]
Why the /.auth/me endpoint returns a valid response for some tokens (people) and an empty response for other?
I am using OAuth 2.0 auth code grant(with a user login) to get the access token. And I can get the correct response with endpoint /.auth/me. I have tried both Member or Guest users in my tenant.
You can try to access https://azure_function_name.azurewebsites.net/.auth/me directly. You will get the response after logging in.
The reply url should be https://azure_function_name.azurewebsites.net/.auth/login/aad/callback
Using the client_credentials flow in Azure AD, I am unable to retrieve an id_token for my app.
I am experimenting with the Azure AD OAuth/OpenID endpoints, and running into some questions.
I create a simple app with minimal config through the Graph API (a beta endpoint, but still). I have removed all the headers and anonymised in code snippets below:
curl -X POST \
https://graph.microsoft.com/beta/applications \
-d '{
"displayName": "App Name",
"passwordCredentials": [
{
"endDateTime": "2299-12-30T23:00:00Z",
"startDateTime": "2019-02-14T20:19:14.686691Z",
"secretText": "<SOME KEY>",
"displayName": "Client Secret"
}
]
}'
In the response from Azure AD, I get an appId:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#applications/$entity",
"id": "<SOME GUID>",
"deletedDateTime": null,
"isFallbackPublicClient": null,
"appId": "<SOME GUID>",
...
This is enough for me to be able to retrieve an access_token from the v1 OAuth endpoint:
curl -X POST \
https://login.microsoftonline.com/tenant_id/oauth2/token \
-d 'client_id=appId&client_secret=secretText&grant_type=client_credentials'
Response:
{
"token_type": "Bearer",
"expires_in": "3600",
"ext_expires_in": "3600",
"expires_on": "1550220412",
"not_before": "1550216512",
"resource": "00000002-0000-0000-c000-000000000000",
"access_token": "<JWT access token>"
}
Since I didn't specify a resource in my call, I get the default Graph API resource.
Now, what I also would like to get is an id_token for my app. I have been able to get these tokens from other OpenID providers. However, the OpenID Connect Core spec. gives me reason to think that id_tokens are for end users only, not apps:
"The ID Token is a security token that contains Claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims"
(From https://openid.net/specs/openid-connect-core-1_0.html#IDToken)
Adding resource=openid to the POST to the token endpoint above won't work, since openid is a scope, not a resource.
Switching to the v2 endpoints, I get access to a scope parameter. I can obtain an access token from there by setting scope=https://graph.microsoft.com/.default, explicitly requesting the access I got by default through the v1 endpoint.
However, setting the scope to for instance scope=https://graph.microsoft.com/.default openid does not give me an id_token for my app, and the access token looks identical to the previous call.
Trying just scope=openid gives me the following error from Azure AD:
AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope openid is not valid.
All this combined leads me to believe that the OpenID providers I have used and have issued id_tokens through the client_credentials flow are breaking the spec, and that id_tokens can only be obtained for end users (using the authorization_code flow gives me an id_token from Azure AD for myself without any issues).
Is this a correct conclusion, or can I force Azure AD to issue id_tokens to apps as well as end users?
An id_token is issued when a user signs-in. Client credentail flows have no user, so no id_token is issued.
you'd need to use a flow like authorization code grant or openID connect to sign a user in. The response will have a id_token.
You cannot use the client credentials flow to get the id_token for app-only, it only returns the access_token.