I've been trying to use the Bing Ads API, but can't even make it past the first step. I've followed these steps to the letter, but am getting stuck at the part where I need to ask for user consent.
I've created an app, and copied all the details down. I've created a URL that looks like this:
https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize
?client_id={client_id}
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%3A8080
&response_mode=query
&scope=openid%20offline_access%20https%3A%2F%2Fads.microsoft.com%2Fmsads.manage
&state=1234
I've also tried adding in client_secret as a param, even if it's not mentioned in the docs, and that didn't work either.
However, I keep getting back this error message:
error = invalid_client
error_description = AADSTS650052: The app is trying to access a service 'd42ffc93-c136-491d-b4fd-6f18168c68fd'(Microsoft Advertising API Service) that your organization 'xxxxxx' lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application in order to create the required service principal.
I've just created the Azure account for the first time (and this is my first experience with Azure, usually I work with GCP or rarely AWS), and I'm the only account that's created anything.
This error message is coming back as parameters appended to the redirect URL, I don't even make it to the Microsoft login page. (http://localhost:8080/?error=invalid_client&error_description=AADSTS650052%3a+The+app+is+trying+to+access+a+service+%27d42ffc93-c136-491d-b4fd-6f18168c68fd%27(Microsoft+Advertising+API+Service)+that+your+organization+%27xxxxxxx7+lacks+a+service+principal+for.+Contact+your+IT+Admin+to+review+the+configuration+of+your+service+subscriptions+or+consent+to+the+application+in+order+to+create+the+required+service+principal.%0d%0aTrace+ID%3a+387accd1-d7a4-4ec2-b739-6cba07e23702%0d%0aCorrelation+ID%3a+a7def78f-5c49-4ede-b7d4-fc65d5ac75bc%0d%0aTimestamp%3a+2022-11-10+16%3a15%3a03Z&error_uri=https%3a%2f%2flogin.microsoftonline.com%2ferror%3fcode%3d650052&state=1234#)
The weird thing is I've done the same exact thing above for a client at the same time, and with them I managed to get to the consent page.
I tried to reproduce the same in my environment and got below results:
I registered one Azure AD application and granted API permissions like below:
To get authorization code, I executed same request as you in the browser and got same error as below in address bar:
https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize
?client_id={client_id}
&response_type=code
&redirect_uri=http://localhost:8080
&response_mode=query
&scope=openid offline_access https://ads.microsoft.com/msads.manage
&state=1234
Response:
To confirm whether it's the same error or not, I copied it in Notepad and checked the full error like below:
To resolve the error, you need to add msads.manage permission of Microsoft Advertising API Service.
Note that, you need to have Microsoft Advertising account to use Bing Ads API. If not, sign up for it in this Microsoft Advertising website with your Azure AD account like below:
After completing the sign-up, you can find Microsoft Advertising API Service here:
Now, you can add msads.manage permission to your application like below:
Now when I ran the authorization request again in browser, I got consent screen successfully like below:
https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize
?client_id={client_id}
&response_type=code
&redirect_uri=http://localhost:8080
&response_mode=query
&scope=openid offline_access https://ads.microsoft.com/msads.manage
&state=1234
Response:
After accepting the consent, I got authorization code in the address bar like below:
Using the above code, you can generate access tokens for your application.
Related
So I am writing a .NET 6 Core Web Api using Azure AD as authentication for the API.
Now when using Graph API as example, you need to setup Graph API scopes in the App Registration. Lets use a delegated "user.read" permission for this example.
I use Postman to receive the access token for the application by authenticating as an user against Azure AD for the API. I would expect to receive a consent-screen so I can consent to the usage of "user.read". This does not happen though.. I get logged in and receive a valid access token. In the Backend though, it will throw an error because the user / admin did not consent to the application.
How do I get around this? Why don't I get asked to consent the permissions set up in the app registration? Neither in Postman, nor in a Swagger oAuth Flow..
My current workaround for this is to use a React application and sign in over the frontend application. Using the frontend application, I get asked to consent to the permissions. After consenting, I can use postman without getting the "user didn't consent" - error.
Any ideas? What did I miss?
Let's focus on the user-consent page first. When we created an azure ad app then add api permission for it, then use this azure ad app to make your .net 6 app/react app integrate azure ad to use azure authentication, and we go to the microsoft sign in page and successfully sign in, we will see a dialog which indicating that this app require you to consent a list of permissions. The permissions are correspond to the api permissions you set for the aad app. After consent once, then it won't ask you to consent again when sign in next time.
This consent only happened when users are signed in. Let's go back to the flows used to generate access token in Azure AD. Since you used delegate permission, then you may used the recommend Auth code flow(Another flow called ROPC flow can also generate delegate access token but not recommended). When we used auth code flow, we need to sign in first, the login url should look like this:
https://login.microsoftonline.com/tenant.onmicrosoft.com/oauth2/v2.0/authorize?client_id=azure_ad_app_id
&response_type=code
&redirect_uri=http://localhost/myapp/
&response_mode=query
&scope=user.read
&state=12345
We need to use it to get the auth code, then we can use the code to generate access token, per my test, I created a new azure ad app and when I directly hit this url in the browser and sign in, it still required me to give the consent. So I'm afraid the reason why you didn't see the dialog when test in post man is that you've consent it when test in react app, or you don't use auth code flow.
I am attempting to use Microsoft Graph API to manage Azure AD B2C users from an application, but I have been unable to authenticate using my client id / secret.
First, I followed the steps here to register an application:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=app-reg-ga
At the end of that article, I was directed here to learn how to get an access token: https://learn.microsoft.com/en-us/graph/auth-v2-service#4-get-an-access-token
They suggest using the endpoint https://login.microsoftonline.com/mytenant/oauth2/v2.0/token, but when I use my tenant in that URL, I get the error "Tenant 'mytenant' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator."
Makes sense, that's not the kind of url I've been using anyway. But what the heck endpoint should I use? So I tried a few.
There are some endpoint suggestions in my application overview, in the format of
https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/policy-name/oauth2/v2.0/token
But what is the policy name? There was nothing in the instructions about setting up a policy.
I have some user flows that might be what they're talking about, so I tried a few, like
if I use https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/b2c_1_sign_in/oauth2/v2.0/token,
I get "The supplied grant_type [client_credentials] is not supported."
There are also endpoints suggested in my workflows, in the format
https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_sign_in
This gives the same client_credentials error.
I also tried with a b2c_1_ropc user flow instead of b2c_1_sign_in, with similar results.
What am I doing wrong? Are the instructions incomplete? Have I not guessed the appropriate endpoint?
All of your assumed suggestions are incorrect.
The doc says to use the endpoint https://login.microsoftonline.com/mytenant/oauth2/v2.0/token, this is wholly correct.
If your B2C tenant has tenant name contoso.onmicrosoft.com, or contoso.b2clogin.com, then endpoint is https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/token
In my case, my B2C tenant name (see under Tenant Properties in Azure) was Company Customers, so all my user flow endpoints were showing as:
https://Company Customers.b2clogin.com/mytenantdev.onmicrosoft.com/...
I had to update the tenant name, removing the space and then re-create my application registration and things started working. I didn't have to redo the user flows however.
So the final endpoints looked something like this: https://mytenant.b2clogin.com/mytenantdev.onmicrosoft.com/<policy-name>...
Should also note, I had to logout of Azure and back in to get the tenant name to start appearing correctly in the console.
I am following instructions provided by Microsoft to set up Postman for testing an Azure AD B2C secured Wep API:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/azure-ad-b2c-webapi?view=aspnetcore-3.0
https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=applications#register-a-web-application
Under the section Use Postman to get a token and test the API, I get to Step 4 where the documentation states:
Postman opens a new window containing the Azure AD B2C tenant's
sign-in dialog. Sign in with an existing account (if one was created
testing the policies) or select Sign up now to create a new account.
The Forgot your password? link is used to reset a forgotten password.
This does not happen.
I am using the Implicit Grant Type and my Auth URL appears as follows:
https://<myDomain>.b2clogin.com/<myDomain>.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_SIGNUP_SIGNIN&client_id=d4d84f32-1e57-4daf-b010-399bb2614e0d&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=id_token&prompt=login
Scope is set to the following value:
https://<myDomain>.onmicrosoft.com/postman/user_impersonation openid offline_access
When I press the Postman Request Token button, the SignIn / SignUp User Flow (Policy) is interrupted with the following Error dialog stating:
Sorry, but we're having trouble signing you in. We track these errors
automatically, but if the problem persists feel free to contact us. In
the meantime, please try again.
Correlation ID: c1b01e2d-84ce-446e-a9c2-f3a8617eb9f2
Timestamp: 2019-11-21 20:03:31Z
AADB2C90018: The client id 'd4d84f32-1e57-4daf-b010-399bb2614e0d,d4d84f32-1e57-4daf-b010-399bb2614e0d' specified in the request is not registered in tenant '<myDomain>.onmicrosoft.com'.
Taking this client ID is not registered error on face value, the problem would appear related to improper registration of the Application (Client) within Azure AD B2C.
However, I am able to successfully run this SignIn / SignUp User Flow from within Azure AD B2C; and to successfully register new Users using that Policy.
To be clear, my ASP.Net Core Web API is not being run at this stage. I am simply trying to configure Postman to request a New Access Token from Azure AD B2C.
I have tested the document you provided and it works fine for me.
Based on your error message, it seems that you put your client id twice in the Client ID.
AADB2C90018: The client id
'd4d84f32-1e57-4daf-b010-399bb2614e0d,d4d84f32-1e57-4daf-b010-399bb2614e0d'
specified in the request is not registered in tenant
'.onmicrosoft.com'.
Please check it.
I'm trying to build an O365 service status portal for users in my company. Only admins can see the admin portal status page, but we want to provide that info to our users/display on a dashboard.
I've registered the app in Azure, and given it the correct permissions according to the documentation. I can request an auth code and I'm able to use it to retrieve a JWT, but when the token is returned to me, I'm only seeing User.Read in the scope, meaning I'm unable to use it for any of the functions in the ServiceComms API.
Here's the snip of code being used to retrieve the token:
url = 'https://login.microsoftonline.com/<tenantid>/oauth2/token'
r = requests.post(url, dict(resource='<appid>',
client_id='<clientid>',
redirect_uri='http://x.x.x.x/365/auth/index.htm',
client_secret='<itsasecret>',
grant_type='authorization_code',
code=auth_code))
Here's the first part of what's returned:
{"token_type":"Bearer","scope":"User.Read","expires_in":"3600","ext_expires_in":"0","expires_on":"1525266602","not_before":"1525262702",
The account being used to retrieve the auth code initially is a global admin on the tenant, so would expect that this would be fine, but I'm new to this, so probably wrong.
Does anyone have any ideas?
Thanks.
I'm assuming that you've set the appropriate permissions on your app registration in the Azure portal, and your question is why they don't show up in the token.
I've seen this behavior before with the Azure v1 endpoint if the user you login with had previously consented to the User.Read permission, then you updated the required permissions in the portal. While it's logical to assume that Azure would detect this change and re-prompt, it doesn't. It keeps returning tokens based on the previously recorded consent and doesn't pick up the new ones.
To handle this, your app must include the prompt=consent query parameter on the URL during the authorization phase. That should force consent when the user logs in and pick up the new permissions.
I have an Azure mobile service setup and have followed the examples online for authenticating. I call AuthenticationContext.AcquireToken and get back a token. Then I set the header using:
HttpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", AquireAccessToken());
However I am getting a 401 back and in the Azure logs I am getting "The 'Bearer' HTTP authentication scheme is not supported". What am I missing?
If you are using a service to call the mobile service why not use the Application key instead of a login process?
You can set a header on your request like so:
HttpClient.DefaultRequestHeaders.Add("X-ZUMO-APPLICATION", "<YOUR APP KEY>";
You can get your application key from the portal. When you are on the dashboard view click the button at the bottom of the window to "manage keys".
This works if you want to login as the service, but if you need to login on behalf of a user, then you'll need to go the authentication route. You'll also need to make sure the permissions on your various tables and APIs allow the application key level of access.
Alternately, you can use the X-ZUMO-MASTER header with your master key to get admin rights to the service.
Mobile Services does not support tokens being passed in the Authorization header. Instead, please consider using the POST method for the login endpoint. The Mobile Services SDK makes this available as an overload of the login method if desired.
Could you please comment on what examples you are following? Our standard "Get Started with Authentication" tutorial shows how to do login without handling an access token directly. We also have tutorials for using a provider SDK to obtain a token and pass it to the mobile service using the overloads mentioned above. For example, we have this tutorial for Microsoft Account and Azure Active Directory