Today, I have an issue getting an Azure AD access token from Postman. This is while it was working before for the same app and other apps I am working on. But none of them are working today.
I was working correctly, but now it shows me this error:
Error: AADSTS900144: The request body must contain the following parameter: 'client_id'
I use https://login.microsoftonline.com/common/oauth2/v2.0/authorize as auth URL, and https://login.microsoftonline.com/common/v2.0/token for Access token URL.
I have tried these for access token URL but none of them worked. https://login.microsoftonline.com/{{tenant_id}}/v2.0/token
https://login.microsoftonline.com/common/token
https://login.microsoftonline.com/{tenant_id}/token
here is my Azure AD oauth 2.0 configuration. Also, as you see, there is no client_id in the request body.
I tried to reproduce the same in my environment and got below results
You can get values of auth URL and access token URL from your Azure AD application that varies based on supported account type like below:
Go to Azure Portal -> Azure Active Directory -> App registrations -> Your App -> Overview -> Endpoints
Now I added environment variables in Postman by defining them like below:
Make sure to select the correct Environment while requesting for token with variables.
I filled the required details same as you to get the access token like below:
When I selected Get New Access Token, I got the token successfully as below:
The error usually occurs if you missed including client_id while
acquiring access token.
I changed client_id parameter to blank in variables like below:
When I tried to get access token again, I got same error as you like below:
To resolve the error, make sure to pass client_id value in right environment and save it.
I found out why it's acting like this:
I checked my friend's PC, and it was working there!
The issue was the last update of Postman. They have changed something in authorization.
just change the Client Authentication to Send client credentials in body and it will work.
Related
I am trying to grant access to IoT Hub based on Azure AD. But when I try to get token, it is throwing this error in Postman
####### Update ######
I have already created the Application in Azure AD
The resource field should be the static ID of all IoT Hub service principals. Try this instead of the hostname:
89d10474-74af-4874-99a7-c23c2f643083
Here is another approach:
I tried to reproduce the same in my environment and got the results successfully like below:
I created an Azure AD application like below:
To generate token via Postman, I used the below parameters:
POST https://login.microsoftonline.com/TenantID/oauth2/token
client_id:14ad98e6-8b3d-4774-a2ad-XXXXX
client_secret:XXXXXX
resource:https://iothubs.azure.net
grant_type:client_credentials
Response:
When I decoded the above token, I can see the aud as https://iothubs.azure.net like below:
The 400 Bad request error usually occurs if you have passed any invalid URL while generating the token. Make sure to pass the valid parameters.
Try sending the request again in Postman and check if the access token is generated or not.
Alternatively, you can also replace the resource by 89d10474-74af-4874-99a7-c23c2f643083 as suggested by Matthijs van der Veer like below:
Decoded token Response:
I have been following this tutorial on how to create a SharePoint webhook subscription, and after authenticating and getting the access token, actually trying to send the request to add a webhook subscription to a SharePoint list through Postman gives me an "Access is denied HRESULT: 0x80070005" error:
Error message
Going into the Postman console to see a more verbose error message shows "917656; Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically."
I have tried all of the following:
Gone into SharePoint to enable Sites.Manage.All permissions for my Azure AD App
Reauthorized with several accounts with various access levels
Verified that ngrok, my webhook receiver, and Azure AD App were all running and all connection strings/client ids/secrets were valid.
Could it be that I'm missing something else in regards to SharePoint permissions for my Azure AD App, or is it another issue?
I tried to reproduce in my environment its working fine getting the access token added webhook subscription to a SharePoint list through Postman
First, Check whether you are added content-type and accept in header
This error may cause because of some security issue postman is not authenticated and not authorized to get data from the SharePoint. For this try to register an app using your URL modify at end /_layouts/15/appregnew.aspx
For sample:
https://imu.sharepoint.com/sites/mirror/_layouts/15/appregnew.aspx
Hope you have access, try to register your app as below:
Here, you need to give permission to that particular app such as Full control permission as below snip link :
In App's permission request XML apply permission as below:
And, Click Create and pop up will display trust it. click trust it site setting tab will display if you click that site collection app permission your postman right side will display client id#tenant id
To get the access token click launchpad -> create request ->https://accounts.accesscontrol.windows.net/Tenant ID()/tokens/OAuth/2/
Try to add values in Body tab like
grant_type - client_credentials
Client_id - ClientID#TenantID
Client_secret - Clientsecret
resource - resource/siteDomain#TenantID
Make sure in your Url remove parenthesis in your TenanID and site domain is in your Url like ***.sharepoint.com
Finally, i have added Authorization in header and in value Bearer access token make sure to remember space between bearer and Your access token, I am getting result successfully without any Access Denied error.
For your Reference :
OfficeDev/TrainingContent
Revisit these things
App registered in AD is having AllSites.Manage permission (delegated) and admin consent granted.
While getting access token via postman, use scope as https://yourtenant.sharepoint.com/.default
headers : Content-Type = application/json, Accept = application/json;odata=verbose
I am trying to retrieve the web job history of an Azure web job via REST using a .NET backend and the OAuth2 credentials flow (as described here
https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/get-triggered-web-job-history-slot)
How do I need to authenticate correctly?
I retrieve the token as follows:
POST https://login.microsoftonline.com/{MySubscription}/oauth2/v2.0/token
client_id={MyApp}
&grant_type=client_credentials
&scope=https://management.azure.com/.default
&client_secret={myclient_secret}
I get a token back, however I get a 403 error message when I try to retrieve the resource:
GET https://management.azure.com/subscriptions/{MySubscription}/resourceGroups/{MyResource}/providers/Microsoft.Web/sites/{MyApp}/slots/{MySlot}/triggeredwebjobs/{MyWebjob}/history?api-version=2021-02-01
Authorization: Bearer {MyToken}
Client '{MyApp}' with object ID '{MyApp}' is not
authorized to perform the action
'Microsoft.Web/sites/slots/triggeredwebjobs/history/read' using the
scope
'/subscriptions/{MySubscription}/resourceGroups/{MyResource}/providers/Microsoft.Web/sites/{MyApp}/slots/{MySlot}/triggeredwebjobs/{MyWebjob}'
or the scope is invalid. If access was granted recently, please update
your credentials.
What am I doing wrong?
I already added the API-Permission
The "403 Token invalid" error usually occurs if you missed giving permissions to particular scope (Azure Service Management).
By giving this scope it enables you to access https://management.azure.com
To resolve this error, please follow below steps:
Go to Azure Ad ->your application -> API permissions -> Add permission -> Azure Service Management -> delegated permissions ->User impersonation -> Add
After giving these permissions try to retrieve the resource again, there won't be any error.
Since I didn't find a solution that worked with OAuth2 and the Credentials flow, I got it working with Basic Authentication. The username (userName) and password (userPWD) can be taken from the publishing profile of the respective app service.
GET https://{appservicename}.scm.azurewebsites.net/api/triggeredwebjobs/{jobName}/history
Authorization Basic ....
I've followed this guide to configure access to my backend app, but I use Node backend and React frontend. However I'm unable to perform the step Configure App Service to return a usable access token. I get the error "Cannot execute the request for site x because the site is running on auth version v2.". To handle this I tried instead editing the sheet authsettingsV2, and I believe I found that the property properties.identityProviders.azureActiveDirectory.login.loginParameters in v2 equals properties.additionalLoginParams in v1 as editing this v2 property according to the tutorial shows the desired property in the v1 authsettings sheet.
However accessing my frontend app with this setting I get the error AADSTS901002: The 'resource' request parameter is not supported. before even being able to enter my credentials.
I've also tried without the additionalLoginParams setting completely, this gives me the error {"code":401,"message":"IDX10511: Signature validation failed. Keys tried: '[PII is hidden]'. \nkid: '[PII is hidden]'. \nExceptions caught:\n '[PII is hidden]'.\ntoken: '[PII is hidden]'."} on the API call, and upon inspecting my token, I find that the audience is the Microsoft Graph API. But I guess that is expected with this setup.
How can I proceed to enable access to my backend app? / How do I set the additionalLoginParams in auth version v2?
I am not sure if you have a correct access token. Please note that I am not talking about id token. Because from your response_type=code id_token, there should be only one id_token returned, but obviously the id_token cannot call your api, because what you need is an access token.
If you have not obtained a correct access token, then you should request an access token in the next step, refer to this link.
In addition, I must explain that all 401 errors are caused by api audiences. Therefore, make sure that your Application ID URI is set in the scope parameter.
When requesting an access token, you need to set the scope to: scope=openid api://{back-end api client id}/.default. Set response_type to: response_type=token.
I have some troubles trying to call an Azure Function (code) with Postman.
I have already set up the Authentication / Authorization and settings.
It's working with my browser (with login page).
But when I try to use Postman, I'm getting 401 :
"You do not have permission to view this directory or page."
I also tried to use the Postman built-in (see configuration) Oauth2 to login. I can successfully get the tokens (access and refresh). But it seems that my API request to functions are not working...
Here is the final API Call: postman screenshot
The aad tenant_id starts with 8d6, the application client_id starts with 226, and the app secret ends with Av2.
Is there anything wrong ... ? It looks like actually, Azure Functions handle only Cookies for the authentication, that's why it's working with the browser and not Postman. How can I make it works with the header Authorization / Bearer ?
Thanks for your help !
The way you got the access token is not correct. Just like #Marc said, in your Postman you are not specifying a resource or scope. The postman get new access token tool only has the scope parameter, so you should use the v2.0 endpoint to get the access token.
Auth URL:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
Access Token URL:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Scope:
{clientId}/.default