I have an issue when trying to hit an endpoint in business central though a node application.
Using OAuth2 in postman I am able to get a desired response as seen below
This my configuration for Authorization:
but when trying to hit the same endpoint in Node using MSAL I get a 401 response.
This my configuration
I even tried taking the token generated by postman and inserted it into my application and was able to hit the endpoint with the desired response. I'm not sure what is missing from my application that's causing it to get a token that when used returns a 401 response.
What's missing from my application or is it something that I need to do in Azure or Business Central ?
I'm not an expert on Node, but I have used MSAL with PowerShell.
Getting the token through MSAL.PS (the PowerShell module for MSAL) you have to set the Scopes that you are requesting a token for.
In this case the scope should be https://api.businesscentral.dynamics.com/.default when you want to access the Business Central APIs.
Related
I am trying to fetch ticket using azure api, but it's showing "Unable to complete authentication for user due to looping logins" while making an api call, i have passed proper Authorization header and provided correct personal access token in base64 encoded.(see fig)
I am using GET https://dev.azure.com/{organization}/{project}/_apis/wit/workitems/{id}?api-version=1.0 for making an api call.
link: https://learn.microsoft.com/en-us/rest/api/azure/devops/wit/work-items/get-work-item?view=azure-devops-rest-6.0
am i missing something? Looking for suggestion.
On Postman, to execute RESI API using PAT (Personal Access Token) as the authentication, you should set on Authorization tab, instead of directly on the Headers tab.
I created an Api in azure and recently tried to change to authentication method to access it via OAuth2.
I requested a token using https://login.microsoftonline.com/[TENANT]/oauth2/v2.0/token/ and tried to use it to access my api via postman.
Then I tried to use the received token to make a request to my api:
I used Postman's Authorization pane to specify OAuth2.0 as the authentication method and set the Grant Type configuration to "implicit" and sent a request.
Configured like this, the request goes through using the "http" version of my api but as soon as I try to use the "https" version, I get a 401 error "Unauthorized".
Have I configured my api wrong ? Or am I using the wrong url to authenticate ?
Thanks a lot for your time.
After a lot of research I found out what was wrong :
I had to add the application ID in the allowed token audiences of identity provider (in the azure app service, navigate to authentication > locate the identity provider > click on edit > at the bottom of the page add the your app registration's application ID. For good measure I also added api://[APPLICATION ID]/.default and api://[APPLICATION ID]
There was still some authentication code left in the source code of my api. When I was trying to connect I sometime had a response which consisted of HTML titled "Sign in to your account". It was caused by a segment of code in the startup.cs file of my api which verified the user who made the request against my Azure AAD. After removing it I no longer had the error
I have set up an instance of Azure FHIR with an Azure FHIR proxy using this tutorial:
https://github.com/microsoft/health-architectures/tree/master/FHIR/FHIRProxy##configuration
I am unable to call the proxy without getting the following error message:
You do not have permission to view this directory or page.
I have created a token successfully using the following tutorial:
https://learn.microsoft.com/en-us/azure/healthcare-apis/access-fhir-postman-tutorial
I have created an app service principal in Azure with the permissions to access the FHIR proxy:
https://func-fhir-proxy-2.azurewebsites.net
I am generating the token using the following in postman:
Auth URL: https://login.microsoftonline.com/e34c8e67-182a-4085-9dc0-39a38dddea12/oauth2/authorize/?resource=https://func-fhir-proxy-2.azurewebsites.net
Access Token URL: https://login.microsoftonline.com/e34c8e67-182a-4085-9dc0-39a38dddea12/oauth2/token
Client ID: 4d138742-44c0-42cb-9878-8647a1d2ef17
Client Secret: Well..that's a secret!
Scope: openid profile
State: 12345
Postman returns 3 tokens: Access_token, Refresh_token, Id_token.
I have tried each token and all return the same 401 error.
ID token JWT looks like this:
I have tried calling the FHIR proxy API's, due to the tutorial I am not 100% which are the correct URLs:
https://func-fhir-proxy-2.azurewebsites.net/api/fhirproxy/Patient
https://fhir-test-apis.azurehealthcareapis.com/Patient/
None of this works, I just keep getting the same error. Does anyone know what I am doing wrong? Should I be calling the FHIR proxy API using the token? If so, why is the API not letting me in?
I managed to fix the issue. I found that the resource ID was needed in the auth URL:
This can be obtained from Enterprise Applications:
Also, creating two separate app registrations:
The link ending with ".../api/fhirproxy/Patient" is correct for the proxy deployment.
I'd suggest that you do a quick test that you can access the FHIR API without the proxy. You can use the existing deployment and follow instructions at https://learn.microsoft.com/en-us/azure/healthcare-apis/access-fhir-postman-tutorial.
Once you get that working, test the FHIR API with the proxy. You can start with the proxy that has the its security disabled (The FHIR api still requires security and you cannot disable it). Once you get that working, you can enable the proxy's security.
Since the proxy is a web app acting as a proxy, you will need two sets of credentials, one set for the FHIR api itself, which you specify in the proxy app, and one set for the proxy web app, which you specify in your client app, e.g. Postman or curl.
The reason for the error is actually very simple, you are using the wrong scope.
Usually the 401 error means that the audience of your token does not match your api. When you use the token to call the api, you will receive a 401 unauthorized error. The access token is issued based on the audience, so you must Make sure to set the scope to your api when you request the token. Of course you can also parse the token, check the aud claim, and make sure it is the api you want to call.
Therefore, according to your requirements, try to change the scope to: https://func-fhir-proxy-2.azurewebsites.net/.default
By the way, if you want to call api, you should use access token instead of refresh token and id token.
I'm trying to execute a REST API call in SharePoint Online. For this, I wanted to see if I can register an app in Azure AD. I believe I was able to do so and I'm able to get back a token. However, upon executing the GET request Postman always throws {"error_description":"Invalid issuer or signature."}in the body of the response.
Here're the screenshots detailing everything:
Don't mind the Postman variable {{TenantID}}. That's not the issue, I also tried with the writte-out tenant ID - doesn't make a difference.
So what I was unsure about at first was the 'Scope' parameter in the "GET NEW ACCESS TOKEN" in Postman. I tried various scopes, for example
'Sites.FullControl.All' or 'https://microsoft.sharepoint-df.com/.default'. But that didn't change the outcome. Still, is the scope I set correct for SharePoint REST API? I know that for the Microsoft Graph 'https://graph.microsoft.com/.default' works.
I also tried different app permissions, not just
'Sites.FullControl.All'
Do you have any idea what the cause of the error might be?
Thanks.
The sharepoint permission Sites.FullControl.All is of type Application.
For this type of permission you MUST use the client_credential flow.
The Client Credentials grant is used when applications request an
access token to access their own resources, not on behalf of a user.
Try to call the auth url with:
grant_type=client_credentials
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx
Otherwise if you want to access the Sharepoint on behalf of the user change the permission type to delegated
getUserInfo within api Explorer dies
We were getting a 401 when attempting to use the REST getUserInfo endpoint. So, we decided to test it using the Docusign provided API explorer. Same error, but it also gives a response of "internal_server_error"
Does that endpoint just not work?
After further testing, we reauthenticated and used a brand new access token, instead of the one re-issued from the refresh token request, and it worked. Not sure if that endpoint is not available after a refresh token has been re-issued?
Note that the host for the method is different than for the other API methods, it's
account-d.docusign.com for the developer sandbox
account.docusign.com for the production platform.
It only works with a bearer token.
The refresh gives you a new bearer token, that should not be an issue.
Docs: https://docs.docusign.com/esign/guide/authentication/userinfo.html