Azure APIM oAuth workflow - refresh token is missing - azure

I enabled oAuth in Azure API management. Then using ClientId, Client Secret, Scope, Access Token URL & Grant Type, I was able to get the access token. How can I get the refresh token from the API ?

To get refresh token from the API, you need to add offline_access permission in the scope.
Please note that, Client credentials flow works with permissions of Application type only. So, you won't get refresh token using this flow as offline_access permission is of Delegated type.
Instead, you can make use of Authorization Code flow as Grant Type.
I tried to reproduce the same in my environment via Postman and got below results:
In my Azure AD application, I added API permissions like below:
To get refresh token, change the grant type to Authorization Code and include offline_access in the scope like below:
When you selected Get New Access Token, one new window will open where you have to login with your credentials as below:
After successful authentication, you will get both access token and refresh token like below:
You don't have to make two separate calls like one to get access token and another one to get refresh token.
Instead, you can directly add offline_access in the scope along with custom Api scope.

Related

Azure B2C token scope permission issue

When I try to get a token with a scope inside it then I get a This application does not have sufficient permissions against this web resource to perform the operation error.
Failing call:
https://xx.b2clogin.com/xx.onmicrosoft.com/oauth2/v2.0/authorize?p=somepolicy&client_id=xx-xx&redirect_uri=https://localhost:7223/&scope=https://xx.onmicrosoft.com/xx-xx/Some.Scope&response_type=token
I can call it with the openid scope but then there are no scopes in the token. As I understand you need to set the response_type=token and scope to the actual scope of your api.
Working call but no scopes
https://xx.b2clogin.com/xx.onmicrosoft.com/oauth2/v2.0/authorize?p=somepolicy&client_id=xx-xx&redirect_uri=https://localhost:7223/&scope=openid&response_type=id_token
I've alreay added the API to the permissions of the client and granted admin consent so that can't be the issue.
What am I doing wrong here? Or is it maybe not possible to use scopes with a B2C token?
I have tried in my environment, and I got the token successfully.
To resolve the error, please check the below steps:
In my case, I added a scope named “newscope” and then granted API permissions like below:
Go to Azure portal -> Azure AD B2C -> App registrations ->Your application -> Expose an API -> Add Scope
To get token, try with below URL:
https://xxxxx.b2clogin.com/xxxxx.onmicrosoft.com/oauth2/v2.0/authorize?p=somepolicy&client_id=your_app_id&nonce=defaultnonce&redirect_uri=https://jwt.io&scope=openid profile offline_access&response_type=token&prompt=login
With the above authorization URL, I got the token like below that displayed the scopes successfully after decoding.
Please make sure to add additional scope like profile, offline_access along with open_id.
Here I have given response_type=token instead of id_token
In Authentication blade, make sure to check mark both access token and id token.
If still something goes wrong, try with lower case scopes.

How to generate access token for Dataverse APIs

I have a requirement to fetch the details from the Dataverse tables using the REST APIs and to do the same I need to generate the access token to send the valid Authorization header. I have gone through the Use OAuth authentication with Microsoft Dataverse and Register an app with Azure Active Directory and followed the steps. Now to generate the access token I am using the POST method with https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token endpoint with and passing the grant_type as client_credentials, resource as https://management.core.windows.net/ along with client id and client secret with content type as application/x-www-form-urlencoded. But I am getting AADSTS901002: The 'resource' request parameter is not supported.
EDIT
In the API Permission tab I have added the delegated permission.
In the Authentication tab, I haven't selected any type for flow, Do I need to change here?
Also please note that In the Token Configuration tab no claims or group has been added yet and Expose API tab no scope and authorized client application is added. Please let me know if I need to do any changes here.
UPDATE
When I do not pass the resource param and send the scope with https://{orgId}.crm5.dyanamics.com/.default along with client_id, client_secret and grant_type I am able to get the access token, but when I use this token to fetch the data using https://{orgId}.crm5.dyanamics.com/api/data/v9.0/accounts I am getting The user is not a member of the organization
The error AADSTS901002: The 'resource' request parameter is not supported indicates that the resource provided in the request is not correct.
As you are trying to generate access token for Dataverse API, the resource should be below:
https://admin.services.crm.dynamics.com/

How to access token through Powershell or Postman by User ID rather than Client ID

Is there a way either in powershell or Postman to get access of myself either through login to particular tenant. I see lot of samples around getting access token either client ID or secret. But I want to run either commands or make REST call to get access token once myself get authenticated.I tried looking into graph explorer but no luck .
The client id is required for AAD authorization.
If you want to get an access token including your own information, you should implement OAuth 2.0 authorization code flow. It will perform interactive login as #Gaurav Mantri-AIS mentioned.
We can simply get the access token in Postman like this:
After clicking on "Request Token", it will pop up a login window. Enter your username and password. Then you will get the access token.
When we log into Graph explorer, we will see the access token here:
In fact, Microsoft has registered an Azure AD application and provided the client id in the login request URL.
In short, we have to use the client id.

With client credential flow, access token getting generated without delegate access from any app within same tenant

I am setting a background process which will communicate with API secured by Azure AD. Without giving delegate access to API, Client App is able to generate access token
Using client credential flow, Is it possible to generate access token for web api without giving delegate permission. I am able to generate it but according to it should not happen. Any app created in my tenant is able to generate the token for web api without delegate permission.
I have followed below sample on github.
https://github.com/Azure-Samples/active-directory-dotnet-daemon
It should not be able to generate access token, if no delegate access is provided.
This is normal. If you are using client credential flow, even if your client app not have the application permission and delegated permission, it will be able to generate the access token. But you could not use this token to call the api, because the token does not have the permissions in its claim. You could decode the token in https://jwt.io/ , then you can see the permissions as below.
Update:
If you want to check the delegated permissions, you need to use ropc flow. Check the scope in the response, they are the delegated permissions.

Why is an Azure permission missing from the scopes of my JWT token?

I have a problem regarding the permission granted to my app by the user showing up as a scope in my JWT.
I want to allow the user to see a list of his tenants (Office 365) on my page. For this I need a token with the https://management.azure.com/user_impersonation scope. I added the permission to the Azure API Permissions. When the user first logs in he sees this:
From this screen I assume my setup works, since the user gets asked to grant my app permission for what I need (Access Azure Service Management as you). But when I paste the JWT on the JWT Debugger I don't see the scope user_impersonation among the scopes.
I get this:
I already tried to remove the app from the test-user's applications (in their Azure Portal) to get it to ask again for consent but it's still the same. Other test users have also the same result.
What I'd need is simply to see user_impersonation among the scopes. That would allow me to call the API endpoint that returns a list of my user's tenants.
You need to acquire the access token for the https://management.azure.com resource.
Or if using v2, request it for the https://management.azure.com/user_impersonation scope.
That looks like an MS Graph API token.
An access token is always only valid for one API, so you need to ask for a token for the Azure Management API.
It works now!
So, I tried to get scopes for both https://management.azure.com/ and https://graph.microsoft.com/ in one single token. As Juunas explained, you have to get a separate token for each API. But can ask consent for both at the same time though.
My flow is this now:
I log the user in while asking him to consent to some permissions (for both API's and on first login only)
I request a token in the background for the Graph API scopes
I request a second token for the Azure Management API scopes

Resources