I followed the procedure here https://techcommunity.microsoft.com/t5/yammer-blog/yammer-api-with-aad-tokens-postman-collection/ba-p/857923 to create an app in Azure Portal and configure it.
Then I called this api to get a token:
https://login.microsoftonline.com/[my tenant id]/oauth2/v2.0/token
I passed in a x-www-form-urlencoded the following parameters:
client_id = [my client id]
scope = https://api.yammer.com/.default
client_secret = [my secret]
grant_type = client_credentials
I get back a token, but it doesn't work with any of the Yammer api calls. For example, when I call
https://api.yammer.com/api/v1/messages/following.json
Passing in the token as bearer token, then I get back http 401 with the message:
No user id found for O365 JWT
What does it mean? what might be missing?
Related
I am trying to use an App Registration to get a Token Bearer, but I don't have idea on how to do that using App registration. I have this in postman:
As far as I know, after you register an application (web,mobile app...) in Identity Server (Microsoft in this case), you will get client_id and client_secret --> This is grant-types: client-credentials https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/
If you want to use grant-types: password, you also need client_id and client_secret to ask for access_token. https://www.oauth.com/oauth2-servers/access-tokens/password-grant/
Your parameter is not assigned, and you need to select the Content-Type as: x-www-form-urlencoded, the complete request is as follows:
I have a web application registered in Azure AD and have it working with the Graph API. But I would like to be able to instead query the Sharepoint REST API.
I have added the sharepoint delegated permission scope "AllSites.Read" to my application (in addition to the Graph API scopes that I was using before) and request this scope (in addition to the other delagated msgraph scopes) when I get the oauth token from the user. I successfully get the token, using https://login.microsoftonline.com/common/oauth2/v2.0 for the authorization/token calls, but am unable to make a successful query:
My query looks like client.get(f"https://{tenant}.sharepoint.com/_api/web/lists") where tenant is the tenant of the particular user who's token I am using.
The error I get looks like {'error_description': 'Invalid issuer or signature.'} with reason="Token contains invalid signature.";category="invalid_client"' in the header of the response.
I am able to query the Graph api, but would like to also be able to query the Sharepoint REST api, because the Graph api is is insufficient for my actual use case, which will be to get Sharepoint groups (Graph api does not give sharepoint groups when I ask for groups, only Office 365 and Azure AD groups).
Update:
The permissions I've set on the app:
I have not added any scopes in Expose API, I don't know if I need to. I did not need this part to have it working with Graph API.
Lastly I'll mention that in Postman, controlled environment purely with this as the request, with OAuth 2.0:
Auth URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id
client_secret
Scope: AllSites.Read
I get a token successfully, with all the roles, although it still doesn't give me access to https://<tenant>.sharepoint.com/_api/web/lists. I get the following error:
"error": {
"code": "-2147024891, System.UnauthorizedAccessException",
"message": {
"lang": "en-US",
"value": "Access denied. You do not have permission to perform this action or access this resource."
}
}
}
which admittedly is probably a step forward from the invalid client error I was getting before, but still quite stuck.
I was able to get this to work in Postman:
OAuth 2.0
Grant Type: Authorization Code
Auth URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
Client ID: <client_id>
Client Secret: <client_secret>
Scope: https://<tenant>.sharepoint.com/AllSites.FullControl
The token I get back has all of the permissions that I set on the application, including the Graph API ones and the Sharepoint scopes that I did not request in the Scope parameter of the auth request:
"scp": "AllSites.FullControl AllSites.Read Directory.Read.All Files.Read.All Group.Read.All MyFiles.Read Sites.Read.All Sites.Search.All User.Read User.Read.All", which was a little surprising.
A key point was setting the tenant url in the scope so that the aud parameter in the token comes back for the right tenant. It was coming back before configured for the resourceAppId associated with the Graph permissions (00000003-0000-0000-c000-000000000000), rather than the Sharepoint permissions. This way, aud got set to https://<tenant>.sharepoint.com and I was able to access https://<tenant>.sharepoint.com/_api/web/lists.
You can try to get the acccess token in PostMan for a testing purpose.
Callback URL: https://www.getpostman.com/oauth2/callback
Auth URL : https://login.microsoftonline.com/common/oauth2/authorize?resource=https://<tenant_name>.sharepoint.com
Access Token URL : https://login.microsoftonline.com/common/oauth2/token
Client ID : <Application_ID>
Client Secret : <KEY>
Grant Type : Authorization Code
Will pop up a login window to sign in and then generate the access token and get the SharePoint groups:
Reference:
Use Postman and Azure AD to send REST request to SharePoint Online
I am stuck with the authentication to use the REST API for getting subscription billing information from Resource Usage API
I would like to get help with how to obtain token for non interactive clients. I chose to use the REST API since azure client seems to not support Resource Usage API.
As the Authorization code grant (interactive clients) describes , I have called the request with my subscription id but token is not returned properly.
[root#visual src]# curl -XPOST https://login.microsoftonline.com/xxxxx/oauth2/token -d ""
{"error":"invalid_request","error_description":"AADSTS90014: The request body must contain the following parameter: 'grant_type'.\r\nTrace ID: 32981285-a021-45c3-8d2f-62db49d2c2f1\r\nCorrelation ID: d88849dd-20f9-462e-9ce9-66b6fde0170e\r\nTimestamp: 2017-03-04 04:06:44Z","error_codes":[90014],"timestamp":"2017-03-04 04:06:44Z","trace_id":"32981285-a021-45c3-8d2f-62db49d2c2f1","correlation_id":"d88849dd-20f9-462e-9ce9-66b6fde0170e"}[root#visual src]#
How can I obtain the token?
A token will not be returned if you don't supply some credentials :)
If you want to do a non-interactive request with client credentials for example, your request must contain (in URL-encoded form format):
grant_type=client_credentials
client_id=your-app-client-id
client_secret=your-app-client-secret
resource=resource-uri-for-api-you-want-the-token-for
The resource URI could be for example https://graph.windows.net/ for the Azure AD Graph API.
You can also get tokens with the password grant if you wish to use a username and password. In that case, you must send:
client_id, client_secret and resource as above
grant_type=password
username=your-username
password=your-password
How to login with username/password (end-user credentials) using OAuth2 and Microsoft login
https://login.microsoftonline.com/{app-id}/oauth2/token
Microsoft does not recommend passing username/password information for endusers. That is why they dont post guides for this. For security reason they want you to use the redirection to their login page. Use https://login.microsoftonline.com/{tenant-id}/oauth2/authorize to get there.
However it is possible and very easy to do this using their oauth2 rest api.
Create an http request to
base url: https://login.microsoftonline.com/{tenant-id}/oauth2/token
{tenant-id} //obtained from AzureAD config section
Use the following request parameters in the body section
grant_type = password //read up on the other grant types, they are all useful, client_credentials and authorization_code
client_id = {client-id}//obtained from the application section in AzureAD
client_secret = {client-secret}//obtained from the application section in AzureAD
resource = https://graph.microsoft.com //there is also the api https://graph.windows.net, use the latest and best one
username = {enduser-username} //example rofler#domain.onmicrosoft.com
password = {enduser-password} //example Hs782f8a
A successful response should include the access_token and refresh_token
Tested in year 2016
Recommended links
Postman
Microsoft Graph
Windows Graph
I have followed this link https://msdn.microsoft.com/en-us/office/office365/howto/building-service-apps-in-office-365 to
set-up the Daemon or Server Application to Web API authentication method in Office365 to get access token.
The sample access token request is given below
POST https://login.microsoftonline.com/{tenant-id}/oauth2/token
grant_type : client_credentials
client_id : {clientId}
client_secret : {clientSecret}
resource : https://{tenant}.sharepoint.com
For Example:
https://login.microsoftonline.com/cae788bd-7a55-4fb5-9d1f-3aa5365e14a/oauth2/token
grant_type : client_credentials
client_id : 1dd0a211-06f1-4f6a-a232-b3a8dcab829b
client_secret : ZWtkWm9M5Ucx5j29UoXPy7GKG+Hu0eNdVFYO+lH761w=
resource : https://{tenant}.sharepoint.com
From the above api request, I am getting an access token, when I tried to create the folder or accessing any other api's from the above access token then it is
showing an error as "Unsupported app only token". I have tried to call this webservices to get this error:
PUT https://{tenant}.sharepoint.com/_api/v1.0/Files/{parent-id}/children/{folder-name}
Authorization : BearerBearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE
Content-Type : application/json
Accept : application/json
But previously we have used the same Daemon or Server Application to Web API authentication method in Office365 to get access token and it was working fine.
And we have used the accesstoken to access the office 365 API's but now it is showing error as "Unsupported app only token".
Manoj,
I got the App-only working in a WPF application for the Mail API, did you setup the certificate?
According to the blog you mention
Because of the broad access these kinds of apps enjoy, there is an additional requirement for the app to successfully obtain an access token. Instead of using a client ID and client secret, the app must use an X.509 certificate with a public/private key pair.
See this link how to set it up:
Performing app-only operations on SharePoint Online through Azure AD