I am trying to grant access to IoT Hub based on Azure AD. But when I try to get token, it is throwing this error in Postman
####### Update ######
I have already created the Application in Azure AD
The resource field should be the static ID of all IoT Hub service principals. Try this instead of the hostname:
89d10474-74af-4874-99a7-c23c2f643083
Here is another approach:
I tried to reproduce the same in my environment and got the results successfully like below:
I created an Azure AD application like below:
To generate token via Postman, I used the below parameters:
POST https://login.microsoftonline.com/TenantID/oauth2/token
client_id:14ad98e6-8b3d-4774-a2ad-XXXXX
client_secret:XXXXXX
resource:https://iothubs.azure.net
grant_type:client_credentials
Response:
When I decoded the above token, I can see the aud as https://iothubs.azure.net like below:
The 400 Bad request error usually occurs if you have passed any invalid URL while generating the token. Make sure to pass the valid parameters.
Try sending the request again in Postman and check if the access token is generated or not.
Alternatively, you can also replace the resource by 89d10474-74af-4874-99a7-c23c2f643083 as suggested by Matthijs van der Veer like below:
Decoded token Response:
Related
Today, I have an issue getting an Azure AD access token from Postman. This is while it was working before for the same app and other apps I am working on. But none of them are working today.
I was working correctly, but now it shows me this error:
Error: AADSTS900144: The request body must contain the following parameter: 'client_id'
I use https://login.microsoftonline.com/common/oauth2/v2.0/authorize as auth URL, and https://login.microsoftonline.com/common/v2.0/token for Access token URL.
I have tried these for access token URL but none of them worked. https://login.microsoftonline.com/{{tenant_id}}/v2.0/token
https://login.microsoftonline.com/common/token
https://login.microsoftonline.com/{tenant_id}/token
here is my Azure AD oauth 2.0 configuration. Also, as you see, there is no client_id in the request body.
I tried to reproduce the same in my environment and got below results
You can get values of auth URL and access token URL from your Azure AD application that varies based on supported account type like below:
Go to Azure Portal -> Azure Active Directory -> App registrations -> Your App -> Overview -> Endpoints
Now I added environment variables in Postman by defining them like below:
Make sure to select the correct Environment while requesting for token with variables.
I filled the required details same as you to get the access token like below:
When I selected Get New Access Token, I got the token successfully as below:
The error usually occurs if you missed including client_id while
acquiring access token.
I changed client_id parameter to blank in variables like below:
When I tried to get access token again, I got same error as you like below:
To resolve the error, make sure to pass client_id value in right environment and save it.
I found out why it's acting like this:
I checked my friend's PC, and it was working there!
The issue was the last update of Postman. They have changed something in authorization.
just change the Client Authentication to Send client credentials in body and it will work.
Using this article
Trying to retrieve Okta token using postman but getting
"Invalid value for 'client_id' parameter."
I know the client_id is correct because it successfully works when I manually test my Azure function in Azure.
Plus, I can manually generate a token in Okta and then put that in the function call with client_id and client_secret in Postman and that works fine.
I'm using a Post http method.
I tried to reproduce the same in my environment and got the same error like below:
The error "Invalid value for 'client_id' parameter" usually occurs if you are passing invalid Client_ID value.
Make sure you are passing the values from the Okta Portal like below:
When I passed the correct values, I am able to generate the access token successfully using the below Parameters:
https://XXXX.okta.com/oauth2/default/v1/token
client_id:ClientId
client_secret:ClientSecret
grant_type:client_credentials
scope:scope
I created an Azure HTTP Trigger1, and selected the HTTP methods like below:
I am able to call the Azure Function Trigger successfully like below:
https://xxx.azurewebsites.net/api/HttpTrigger1
token:token
client_id:ClientID
client_secret:****
I am trying to list the Queues/Topics in an Azure Service Bus using the REST API.
When I try to connect I just get back a blank feed saying "This is the list of publicly-listed services currently available".
I am using the RootManageSharedAccessKey in the portal (for dev only, I can create a more restricted key later) so it should have all the access rights that I need, I just can't seem to get it to return anything. This documentation seems to suggest that this will work, but there's no actual working examples, just theoretical responses.
I have tried doing a GET request with the signature in the URL like this:
https://myservicebusnamespace.servicebus.windows.net/$Resources/Queues;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=MYSHAREDACCESSKEY
I have also tried doing it like this:
https://myservicebusnamespace.servicebus.windows.net/$Resources
and then setting the Authorization header to
WRAP access_token="MYSHAREDACCESSKEY="
Both times I just get this back
<feed xmlns="http://www.w3.org/2005/Atom">
<title type="text">Publicly Listed Services</title>
<subtitle type="text">This is the list of publicly-listed services currently available.</subtitle>
<id>uuid:6a5d438d-1793-451b-be41-XXXXXXXXXXXX;id=XXXXXX</id>
<updated>2020-06-28T13:03:04Z</updated>
<generator>Service Bus 1.1</generator>
</feed>
If I change the url slightly to be:
https://myservicebusnamespace.servicebus.windows.net/$Resources/Queues/
I get a slightly different response back of:
<Error>
<Code>401</Code>
<Detail>claim is empty. TrackingId:c40a2bd2-490d-4b5b-adde-33bc89aa84ff_G36, SystemTracker:myservicebusnamespace.servicebus.windows.net:$Resources/Queues, Timestamp:2020-06-28T13:27:40</Detail>
</Error>
Which seems to suggest that I am not authorised, or I am missing something. If I add an acutual queue name to the end of that url, it goes back to the original response.
I believe there is another way to get this information by using subscription ids and pem keys... using the management urls (https://management.core.windows.net/{subscription ID}/services/ServiceBus/Namespaces/{Namespace}/Topics/)
but this should all be possible using the format above, I just can't figure out the exact format required.
EDIT/UPDATE: If I don't include my auth claim, the result is exactly the same, suggesting that it's not seeing my auth claim or it's invalid. However if I include it, and just make it the token, without the WRAP bit at the start, I get an exception saying
<Error>
<Code>401</Code>
<Detail>MalformedToken: Invalid authorization header: The request is missing WRAP authorization credentials. TrackingId:7be2d7f0-c165-4658-8bf1-ea104c43defc_G28, SystemTracker:NoSystemTracker, Timestamp:2020-06-28T13:33:09</Detail>
</Error>
So it's like it's reading it then ignoring it?
If you want to list queues or topics we can use Azure service bus service rest api or Azure Resource Manager Rest API. For more details, please refer to the following steps
Azure service bus service rest api
Generate SAS token. For more details, please refer to the document
For example, I use python to create sas token
import hmac
import time
import hashlib
import base64
import urllib
sb_name='bowmantest'
// your entity path such as $Resources/topics (list topics) $Resources/queues(list queues)
topic='$Resources/topics'
url=urllib.parse.quote_plus("https://{}.servicebus.windows.net/{}".format(sb_name,topic))
sas_value='' // your share access key
sas_name='RootManageSharedAccessKey' // your share access rule name
expiry = str(int(time.time() + 10000))
to_sign =(url + '\n' + expiry).encode('utf-8')
sas = sas_value.encode('utf-8')
signed_hmac_sha256 = hmac.HMAC(sas, to_sign, hashlib.sha256)
signature = urllib.parse.quote(base64.b64encode(signed_hmac_sha256.digest()))
auth_format = 'SharedAccessSignature sig={0}&se={1}&skn={2}&sr={3}'
auth=auth_format.format(signature,expiry,sas_name,url)
print(auth)
Call the rest API
1). list Queues
GET https://<namespace name>.servicebus.windows.net/$Resources/queues
Authorization <sas token>
2). List topics
GET https://<namespace name>.servicebus.windows.net/$Resources/topics
Authorization <sas token>
Azure Resource Manager Rest API
create a service principal and assign Azure RABC role to the sp(I use Azure CLI)
az login
#it will create a service principal and assign contributor role to the sp
az ad sp create-for-rbac -n "jonsp2"
Get Azure AD token
POST /{tenant}/oauth2/v2.0/token HTTP/1.1 //Line breaks for clarity
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=<app id>
&scope=https://management.azure.com/.default
&client_secret=<app password>
&grant_type=client_credentials
call the rest API
List Queues
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ServiceBus/namespaces/{namespaceName}/queues?api-version=2017-04-01
Authorization Bearer <AD token>
I have an Azure Function that I have secured using Azure Active Directory (using express settings)
I generated an secret key and was able to get the other bits required (client id, tenant etc).I followed this guide to test the Client Credentials
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds .
I was able to get an access token but when I try to access the function using the Bearer Token I get error code 403 with 'You do not have permission to view this directory or page.'
How can I fix this? I want to secure my Azure function using a secret key.
Edit ----------
I want to access my Azure function http endpoint.
The requests I have used:
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token/
With body:
client_id:{Application Id in Azure AD}
scope:https://{functionname}.azurewebsites.net/.default // This might be the source of the problem
client_secret:{Key Generated}
grant_type:client_credentials
This returns an access token eyJ0eXAiOiJKV1QiLCJhbGciOiJS.....
Then
Get http endpoint of my AzureFunction
https://{functionName}.azurewebsites.net/api/endpoint?Params
The Header contains Authorization Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJS.....
Following this guide: https://azure.microsoft.com/en-us/documentation/articles/resource-manager-api-authentication/#_get-objectid-of-application-service-principal-in-user-azure-ad
I've reached the stage where I call graph.windows.net to Get the ObjectId of the service principal in user Azure AD.
When I do the call, however, I'm getting the following message:
{"odata.error":{"code":"Authentication_MissingOrMalformed","message":{"lang":"en","value":"Access Token missing or malformed."},"values":null}}
I've already tried replacing the clientId with the 'onmicrosoft.com' address too (so graph.windows.net/appname.onmicrosoft.com/...), still got the same message.
To extend on my comment, we have seen this when the app secret contains characters that need encoding. Such as "+" and "="
If you are not using some of the client helpers available or are testing with Fiddler or Postman you will need to URL encode the secret before calling the graph api, so it looks it becomes:
"7hIkYG5m7xJQnocThxMc4yPjtbRP7bO41aNC%2bbrEzvo%3d"