I'm new to React Native and I'm trying to implement Microsoft authentication through this library but something is not working.
This is a very tiny library with an apparently super easy implementation.
These are my credentials:
const credentials = {
authority: `https://login.microsoftonline.com/${AuthConfig.tenantId}`,
client_id: AuthConfig.appId,
client_secret: AuthConfig.secret,
redirect_uri: "http://localhost:8081/",
scope: AuthConfig.appScopes,
};
So, with the returnURI set to be http://localhost:8081, the app redirects correctly after successful auth, and both token + user data are returned, which makes me think that at least my credentials are correct.
However, if I set the returnURI to "com.msgraph://oauth/redirect/", Azure returns this:
{"error": {"code": "InvalidAuthenticationToken", "innerError": {"client-request-id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX", "date": "2022-10-14T07:27:30", "request-id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX"}, "message": "CompactToken parsing failed with error code: 80049217"}}
and an error message saying
Error: Could not open URL 'com.msgraph://oauth/redirect/?code=0.ATkAbbMV87Ls8UuRKyUe8...... etc
I also tried redirecting to "msauth://com.msgraph/<signature HASH>", same result though.
This is how I have configured the URI on the Azure Portal:
Any ideas on what I'm doing wrong? Thanks!!
Related
While using SSO to sign on Azure using MSAL with Angular, I get redirected this URL: https://login.microsoftonline.com/common//discovery/instance?api-version=1.1&authorization_endpoint=https://login.microsoftonline.com/{tenant}/{organization}.onmicrosoft.com/{policyName}/oauth2/v2.0/authorize endpoint.
... and the response is - 400 bad request error or an invalid_request (in the xhr)
A curl comes back with this error:
"error":"invalid_request","error_description":"AADSTS50050: The request is malformed: invalid format for 'authorization_endpoint'
Why would this happen for new users?
update:
MsalModule.forRoot(
{
auth: {
...
validateAuthority: false,
...
},
...
setting validateAuthority: false resolved this issue for now.
However, setting validateAuthority should not cause problems - this is just a workaround.
If you are using Azure AD, try to change your authorization_endpoint to
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
Policy name is always used for Azure AD B2C, format like: https://{your-B2C-tenant-name}.b2clogin.com/{organization}.onmicrosoft.com/{policyName}/oauth2/v2.0/authorize.
I'm trying to create a subscription to email receipt using Microsoft Graph API.
My setup
I tried using the node API, following the tutorial on their Github
I also tried by hand, using postman to send a post request and manually getting the token, then setting up a server for the challenge.
The error
For both, I receive the following error:
Error: Operation: Create; Exception: [Status Code: NotFound; Reason: The requested user '85601dde-359a-4eae-a91e-a0f18a645ba4#9118c136-2fff-45b0-9695-dac64c966630' is invalid.]
Incomprehension
I don't really understand is "85601dde-359a-4eae-a91e-a0f18a645ba4#9118c136-2fff-45b0-9695-dac64c966630" because I saw in other posts that people have their email address in this error. I can find this ids in the JWT token so I guess that's where it comes from but I don't know if it's normal.
I also found that the issue might be that I have a "on premises mail" and not an "Office 365 mail" but I was confirmed that I have a Office 365 mail.
Details
My authorizations are:
Mail.Read (of type application)
User.Read (of type delegated)
And here is my payload:
{
"changeType": "created",
"clientState": "SecretClientState",
"notificationUrl": "https://e0a2d0f478cf.ngrok.io",
"resource": "me/mailFolders('Inbox')/messages",
"expirationDateTime": "2020-11-28T04:30:28.2257768+00:00"
}
Complete error response
{
"error": {
"code": "ExtensionError",
"message": "Operation: Create; Exception: [Status Code: NotFound; Reason: The requested user '85601dde-359a-4eae-a91e-a0f18a645ba4#9118c136-2fff-45b0-9695-dac64c966630' is invalid.]",
"innerError": {
"date": "2020-11-27T12:24:08",
"request-id": "227dd9a1-858f-4286-b1b3-a22d2d0d8529",
"client-request-id": "227dd9a1-858f-4286-b1b3-a22d2d0d8529"
}
}
}
Looks like you are using Client Credential flow and getting the token and then making a POST request. So try modifying resource as
users/{userid}/mailFolders('Inbox')/messages
If you want to use me/mailFolders('Inbox')/messages use delegated permission(Mail.read) and get the user token.
I've implemented msal library in my angular application using Implicit Flow. I can login using microsoft ad account and I have the token needed for authentication requests for api usage.
When I decode token using https://jwt.ms/ I can see that aud key has value of my client app id, how should look like the url for userinfo?
If I will use these endpoints which are described in docs I had error with invalid token:
https://graph.microsoft.com/oidc/userinfo or
https://graph.microsoft.com/v1.0/me/
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure. Invalid audience.",
"innerError": {
"request-id": "8177b64f-c899-48c3-aceb-xxxxxxxxx",
"date": "2020-03-18T07:41:04"
}
}
}
I've forgot to put my module config.
...
MsalModule.forRoot({
auth: {
clientId: environment.CLIENT_ID,
redirectUri: environment.REDIRECT_URI,
postLogoutRedirectUri: environment.POST_LOGOUT_REDIRECT_URI,
authority: environment.AUTHORITY,
},
cache: {
cacheLocation: 'localStorage',
storeAuthStateInCookie: true,
}
},
{
popUp: false,
consentScopes: [
'user.read',
'openid',
'profile',
],
unprotectedResources: [],
protectedResourceMap: [
['https://graph.microsoft.com/v1.0/me', ['user.read']]
]
})
...
where:
authority url: Authority: 'https://login.microsoftonline.com/xxxxtenant_idxxxx'
client id: App registration client id
If you want to call Microsoft Graph API, you need get the access token with the correct(Microsoft graph api) audience.
When you acquire the access token, you should use https://graph.microsoft.com/User.Read or just User.Read as the scope. You can check the values in app.module.ts
Also, remember to add the User.Read permission for your application on Azure portal. App registrations->your application->API permissions->Add a permission->Choose Microsoft Graph API->Delegated permission->Check the permissions you need.
Update:
Reference:
MSAL Angular to login, logout, protect a route, and acquire an access token for Microsoft Graph.
Solved. The problem is in specified endpoint. When I make request for graph from angular the app interceptor handle this endpoint and use scope (user.read) for graph, and then the correct token will be assigned.
Before I was trying to copy token after authorization and pasting it into postman. So yep, the token was not valid in all.. Thank's for your help.
I keep getting a AuthenticationFailed error with a InvalidAuthenticationTokenAudience inner error when attempting to query the /environments endpoint.
I have already created an app in the Azure Active Directory, given it access in the time series insights management portal and I can already get an Oauth 2.0 Access token from the auth URL.
I have tried giving the token url the 'https://api.timeseries.azure.com/' resource/audience/scope but the API keeps returning the same error message:
{
"error": {
"code": "AuthenticationFailed",
"message": "Server failed to authenticate the request. The token has been obtained from wrong audience or resource.",
"innerError": {
"code": "InvalidAuthenticationTokenAudience",
"message": "The access token has been obtained from wrong audience or resource '00000002-0000-0000-c000-000000000000'. It should
exactly match (including forward slash) with one of the allowed
audiences 'https://api.timeseries.azure.com/'."
}
} }
I'm using Postman with the Oauth 2.0 authentication type, the client credentials Grant Type and send as basic Auth Header option for the token request.
Has anyone tried this with success?
Update 01:
The decoded (using JWT as suggested in comments) payload portion of one of the tokens shows the that the aud field is 00000002-0000-0000-c000-000000000000. Which is definitely wrong.
Based on the exception, it indicates that the resource is not matching https://api.timeseries.azure.com/ when acquire the access token.
So please make sure that the resource is https://api.timeseries.azure.com/, for more information please refer to the screenshot.
Get access token
I test Get environments API, it works correctly for me.
GET https://api.timeseries.azure.com/environments?api-version=2016-12-12
Newbie trying to figure out how to get a Node.js application to authenticate and query Google BigQuery, trying to adapt this CodeLab tutorial from Java. What step might i be missing?
First I create this Oauth2 URL using my clientid:
https://accounts.google.com/o/oauth2/auth?
client_id=1047877053699-den6kbs4v3f2bft6clonsirkj1pc7t6j.apps.googleusercontent.com
&scope=https://www.googleapis.com/auth/bigquery
&redirect_uri=http://localhost:3000/oauth2callback
&access_type=offline
&response_type=code
This successfully reaches Google, which prompts
A third party service is requesting permission to access your Google Account.
Agreeing that generates a second prompt:
Nodejs_Test is requesting permission to:
View and manage your data in Google BigQuery
Agreeing to that, the callback URL is called, with a parameter accessToken.
I think the following url should list tables in my BigQuery project/dataset:
https://www.googleapis.com/bigquery/v2/projects/1047877053699/datasets/visits&accessToken=4%2FC196NizZwlNgWSt5oNqQwendmLNW.0vgUrlGJ6kMRshQV0ieZDApig3NfcgI
But calling with or without the accessToken returns the following message that "Login Required".
{
"error": {
"errors": [
{
"domain": "global",
"reason": "required",
"message": "Login Required",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Login Required"
}
}
I know you can't repeat the code because of permissions, expired tokens, etc. But I wonder what step I might be missing conceptually.
Have you tried sending the accesstoken as an authorization header rather than as a url parameter?
as in
https://www.googleapis.com/bigquery/v2/projects/1047877053699/datasets/visits
Authorization: OAuth Your-access-token-here-not-urlencoded
FYI - looks like you originally used the parameter accessToken in the URL. It should instead by access_token, which looks like it works fine. Of course, Jordan's suggestion of using a Header is better if you're able to do it though-- it's more secure as it's unlikely to get logged in access logs, proxy server logs, etc.