Issue statement:
The session should be present in Azure b2c as the session timeout is configured as 86400 seconds(1 day) in the custom policy “error=interaction_required&error_description=AADB2C90077%3a+User+does+not+have+an+existing+session+and+request+prompt+parameter+has+a+value+of+%27None%27.”
meaning user should be able to authenticate without prompting for interactions but it is not.
On the fiddler trace, there is no error returned
Please check with the following points:
Please check if tenant Id value is correctly given without a mistake
and check if correct scopes are given. If it is to call a web api
make sure to provide complete scope this way:
https://{tenantname or id}.onmicrosoft.com/api/read
Please check if you are trying to call microsof t graph api with
scope for it. see AADB2C90077 - Stack
Overflow which says graph api cant be accessed by b2c /local
only users ,as graph API is accessible for standard Azure AD users
or applications.
It may also be due to session expiry.So after setting the expiry
or token life time also try changing lifetimes access token ,
refresh token .Try to reauthenticate / let the user login as it
initially tries to get cached token.
Try to get a token non interactive way try silent calls with
acquireTokenSilent.
this.application
.acquireTokenSilent('https://{tenant}.onmicrosoft.com/api/read')
msal-js nteractive request-prompt-behavior
As a part of workaround try to turn on the block-third party cookies
for the browser to make sure not to block third-party cookies and
check again.Disable later if not required.
References:
prerequisites to use MS Graph API, and interact with resources in your Azure AD B2C tenant
SO reference
Related
In the Azure B2C documentation you have this information about silently acquiring new access tokens when the previous one expired.
ID tokens and access tokens both expire after a short period of time.
Your app must be prepared to refresh these tokens periodically. To
refresh either type of token, perform the same hidden iframe request
we used in an earlier example, by using the prompt=none parameter to
control Azure AD steps. To receive a new id_token value, be sure to
use response_type=id_token and scope=openid, and a nonce parameter.
Is there a way to do this without an iFrame?
You can do it with a full redirect by calling acquireTokenReditect() with MSAL. There is no other option in a javascript app. This of course is not going to be a good UX as you’d need to do it every time the api resource changes or scope changes.
I would like to upload a given file to Sharepoint. I'm using the Microsoft Graph API.
The documentation follows this workflow:
1. If no token, redirect the user to the Microsoft signin page.
2. The user is then redirected to the application, with an access token
3. Use access token to have an authorization bearer
4. Do what you gotta do...
My problem is the sign-in part. I don't want my users to be redirected to the Microsoft signin page. I want my application to connect and get the access token in the background (with cURL or whatever).
How can I do that? Why is the "open in browser" necessary?
I tried to replicate the sign-in process, but all I get back is the HTML response from the signin page.
Thanks in advance.
Your application act as a single-tenant service or daemon app.
The documentation about this scenario is here : https://developer.microsoft.com/en-us/graph/docs/authorization/app_only
The application must be registered in the AzureAD directory corresponding to the Office365 tenant
A first request is made by passing the application unique identifier and secret key as registered in the directory. This request returns an access token
The access token can now be used in the Authorization header of the following request to the Microsoft Graph API.
This method (of using Client ID and Secret) works well but there are other ways which may be better suited for similar scenarios.
The one major thing which is missing in access token generated this way is a user, meaning the token only contains the identity of the OAuth application (client) which called it but is not associated with any user for the request.
This could have a couple of implications:
Since the token is not associated with a specific user you will not know who performed the operation. In your example, you would not know who uploaded the file (and other similar information may be missing).
Access token without users will not work at all for some methods. For those, you need a delegated token.
Creating a delegated token requires some effort, if you are interested you can find the details in my article:
Getting Access Token for Microsoft Graph Using OAuth REST API
I am relatively new to Azure Active Directory and the Graph API. My goal is to be able to write a python program which invokes the Graph APIs to create users in the Azure Active Directory. Let us assume that I have the credentials of the Global Admin for my Azure Active Directory.
I am following the documentation provided at this link. I am successfully able to create a user by using the Graph Explorer as I am using the Global Admin's credentials to login. However, I am unable to do the same via my python program (or even Postman REST client). I get an error message stating "Insufficient privileges to complete the operation." I am using the following python library to obtain an access token using the client credentials: ADAL python library
It looks like I am not following the correct procedure while obtaining the access token to make my call. I even tried obtaining the access token directly using a REST client. It would be great if someone could review the steps below to highlight any mistakes:
Step 1: Hit the following endpoint
[HTTPS]/login.microsoftonline.com/[my-organization]/oauth2/authorize?client_id=[client-id]&response_type=code&response_mode=query&resource=00000002-0000-0000-c000-000000000000
Step 2: Note down the 'code' query parameter from the above request. Then make the following request.
POST [HTTPS]/login.windows.net/[my-orgranization]/oauth2/token?api-version=1.0
HEADERS:
Content-type application/x-www-form-urlencoded
BODY:
code=[code received from Step 1]
client_id=[client id of my app in Azure]
client_secret=[client secret of my app in Azure]
grant_type=authorization_code
scope=openid
Please note that the values above were URL encoded appropriately.
I have even tried sending the global admin's credentials (username/password) in Step 2 as a last ditch effort but to no avail.
Any pointers in this regard would be greatly appreciated.
Thanks in advance.
The error you are receiving is a result of the configuration of your application. Specifically, you need to configure your app to have the proper permissions to create users when calling the AAD Graph API.
Take a look here at the permission scopes available through the AAD Graph API.
To create users you will need either Directory.ReadWrite.All or Directory.AccessAsUser.All. You can check that you have done this all correctly by looking at your access token, and confirming that these claims appear in your access token.
If you do not have these claims, go back to your app registration and make sure to add the appropriate permissions to the AAD Graph API.
Note that when you update your application's permissions, you will need to force a consent prompt again to consent to the new permissions you are requesting, otherwise the authentication will continue to succeed with the OLD permissions you have requested. In order to force consent, simply add &prompt=consent to the end of the authorize URL.
Let me know if this helps!
We are using Azure B2C to authenticate our users which is working fine. After signup we add some custom claims to our users which were defined in the B2C portal as "User attributes" using the graph api. When I log into the portal I can see these values have been set by our calls, as have some standard claims values(i.e. we also set Display Name by concatenating the givenName and lastName values).
The issue we are having is that after these values are set, they do not appear in the token retrieved by sending the access token to the authenticate endpoints until the user is logged out and back in again (which is obviously a pretty awful user experience after signup). It looks like the original id_token is cached when the user is created and that is what is being returned instead.
This doesnt make sense, as it seems perfectly sensible to let a user update their profile (claims values) while logged into an application and for those changes to take affect immediately without needing to re-authenticate?
Could someone explain how/if it is possible to force the cached id_token on the server to expire so that when we request a id_token using an access token, the id_token contains the most up-to-date claims values?
The issue we are having is that after these values are set, they do not appear in the token retrieved by sending the access token to the authenticate endpoints until the user is logged out and back in again (which is obviously a pretty awful user experience after signup).
Would you mind show the request detail about how you acquire the id_token?
Based on my test, I can acquire the id_token with updated claim successful like steps below:
1 . sign-in a web app
2 . update the DisplayName using Azure AD Graph like below:
POST: https://graph.windows.net/xxxx.onmicrosoft.com/users/{userId}?api-version=1.6
{
"displayName":"newValue"
}
3. re-request the id_token from OAuth2.0 Authorization endpoint using HTTP request without sign-out/sign-in( You also can capture the exact request using Fiddler when you sign-in the app)
GET:https://login.microsoftonline.com/xxxx.onmicrosoft.com/oauth2/authorize?client_id={clientId}&redirect_uri={redirectURL}&response_type=id_token&scope=email+openid&response_mode=query&nonce=HWUavSky1PksCJC5Q0xHsw%3d%3d&nux=1&nca=1&domain_hint={XXXX.onmicrosoft.com}
4 . the update claim value show in the new id_token as expected
To narrow down this issue, you may see whether there is cache for the id_token in your app.
OK so after nearly a month of waiting for a response, the official line is:
"Product Group identify that this is on the roadmap even that we still don't have a final date it should happen in a few months."
So basically they haven't acknowledged it's a bug and they can't tell when this scenario will be supported. Pretty poor level of support to be honest.
I am using passport-facebook to obtain an access token. According to here
https://developers.facebook.com/docs/marketing-apis#access-token
under "Get Access Token", I should be getting a 60 day long-lived token. This is the case if the scope is only ads_read. However, when I add additional scopes of manage_pages and read_insights, there is no expiration when I check via the Graph API.
This seems to be a bit contradictory to me. My theory is based on the getting an API key with ads_read permission manually from the below tool.
https://developers.facebook.com/apps//marketing-api/tools/
Using this tool and debugging it via the Graph API, I see one difference in that it the manually generated access token has the "Page" row under it, indicating that it is a page access token (to my own pages). Since it is a PAT, it will never expire, as expected.
My passport-facebook generated access token has the ads_read, manage_pages, read_insights permission as well and the expiration says "Never Expires". However, it does not have the Page row on it. Does that mean I can still use it forever to query the ads insights API?
This is my attempt at obtaining a non-expiring Marketing API access token.
Yes, if the expiration row says Never expires, you can continue to use the token for querying ads insights.
On a side note, is you generate system user access tokens, they also never expire. You can read more about it here - https://developers.facebook.com/docs/marketing-api/businessmanager/systemuser/v2.8