How to generate access token for Dataverse APIs - azure

I have a requirement to fetch the details from the Dataverse tables using the REST APIs, and to do the same I need to generate the access token to send a valid Authorization header. I have gone through "Use OAuth authentication with Microsoft Dataverse" and "Register an app with Azure Active Directory" and followed the steps. Now to generate the access token I am using the POST method with the https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token endpoint, passing the grant_type as client_credentials and the resource as https://management.core.windows.net/ along with the client id and client secret, with content type application/x-www-form-urlencoded. But I am getting AADSTS901002: The 'resource' request parameter is not supported.
EDIT
In the API Permissions tab I have added the delegated permission.
In the Authentication tab I haven't selected any type for the flow; do I need to change anything here?
Also please note that in the Token Configuration tab no claims or groups have been added yet, and in the Expose an API tab no scope or authorized client application is added. Please let me know if I need to make any changes here.
UPDATE
When I do not pass the resource param and send the scope as https://{orgId}.crm5.dynamics.com/.default along with client_id, client_secret and grant_type, I am able to get the access token, but when I use this token to fetch the data using https://{orgId}.crm5.dynamics.com/api/data/v9.0/accounts I am getting "The user is not a member of the organization".

The error AADSTS901002: The 'resource' request parameter is not supported indicates that the resource provided in the request is not correct.
As you are trying to generate an access token for the Dataverse API, the resource should be as below:
https://admin.services.crm.dynamics.com/

Related

Create Bearer Token with Permissions for Azure Data Sync Api Trigger

I have a configured and functioning Azure Data Sync, that I would like to trigger on demand by an API call.
I used the learn.microsoft.com tryit functionality at
https://learn.microsoft.com/en-us/rest/api/sql/2021-11-01/sync-groups/trigger-sync?tabs=HTTP#code-try-0
to build my API call.
That functionality returns a Bearer Token for access and API calls function until the token expires.
I set up a second API to get a new bearer token, by defining an application in my account with a shared secret. That API returns a bearer token, but when I use it in the API to trigger the Data Sync, I receive permission error messages.
In the token request I initially tried my application id in the scope to get a token, which resulted in
The access token has been obtained for wrong audience or resource '622....330'. It should exactly match with one of the allowed audiences 'https://management.core.windows.net/','https://management.core.windows.net','https://management.azure.com/','https://management.azure.com
I then changed the scope to be https://management.azure.com
ClientID does not have authorization to perform action 'Microsoft.Sql/servers/databases/syncGroups/triggerSync/action'
over scope '/subscriptions/...fd2e,,,/resourceGroups/Default-SQL-WestUS/providers/Microsoft.Sql/servers/iv...f/databases/dbname/syncGroups/syncname'
I have tried adding permissions for
Access Azure Service Management
Azure SQL Database
Microsoft Graph
with no change in results.
I don't know if this is an issue of selecting the correct scope when requesting the Bearer token or assigning additional / correct permissions to the Application with the shared secret. Or am I approaching getting the Bearer token the wrong way.
Thanks,
Jim
I tried to reproduce the same in my environment and got below results:
I created one Azure AD application and granted API permission like below:
I generated an access token via Postman with the parameters below:
POST
https://login.microsoftonline.com/cdf429fe-37a2-4a79-8e40-XXXXXX/oauth2/v2.0/token
client_id:abbc8b66-7bb9-4901-b04c-xxxxx
scope:https://management.azure.com/.default
client_secret: OzE8QXXXXX
grant_type:client_credentials
Response:
When I try to run the query, I get the same error as you, like below:
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Sql/servers/{serverName}/databases/{databaseName}/syncGroups/{syncGroupName}/triggerSync?api-version=2021-11-01
To resolve this issue, you need to assign the SQL DB Contributor role to your application like below.
Go to Azure Portal -> Your subscription -> Access control (IAM) -> Add role assignment
You can assign the SQL DB Contributor role to your application by selecting it as below:
After assigning the role, I generated the token again and got response successfully when I ran the same query.
You can try the same in your environment by assigning SQL DB Contributor role to your application.
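The Dataverse answer and the Data Sync answer above turn on the same two facts: the v2.0 token endpoint takes the audience through `scope` (as `<resource>/.default`), never through `resource`, and the token you get back is only good for the audience you asked for, so a token minted for ARM will be refused by Dataverse and vice versa. The following is an added example, not code from either post: it builds the client_credentials body, reads the `aud` claim out of a token, and says which side to look at next. The tenant, client id and Dataverse org name are placeholders, and the JWT it inspects is constructed in the file with a dummy signature; nothing is sent over the network.

```python
"""Added example (not from the original posts): Entra ID v2.0 client_credentials
request bodies and an offline look at the token's audience."""
import base64
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def v2_scope_from_resource(resource: str) -> str:
    """Map a v1 'resource' value to the v2.0 '<resource>/.default' scope.

    The v2.0 endpoint rejects the 'resource' parameter outright
    (AADSTS901002); the audience is requested through 'scope' instead.
    """
    return resource.rstrip("/") + "/.default"


def client_credentials_body(client_id: str, client_secret: str, resource: str) -> str:
    """Form-encoded body (application/x-www-form-urlencoded) for the token request."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": v2_scope_from_resource(resource),
    })


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the '=' padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Payload claims of a JWT, read WITHOUT checking the signature.

    Fine for looking at 'aud' while debugging. A resource server must verify
    the signature against the tenant's signing keys before trusting any of it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: opaque tokens (e.g. Graph's) cannot be inspected")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(claims: dict, expected: str) -> bool:
    """Compare 'aud' with the resource we meant to call, ignoring a trailing slash.

    Entra issues the audience with or without the slash depending on how the
    scope was spelled; ARM's 'wrong audience' error lists both forms.
    """
    aud = claims.get("aud", "")
    if isinstance(aud, list):  # RFC 7519 allows a list of audiences
        return any(audience_matches({"aud": a}, expected) for a in aud)
    return aud.rstrip("/").lower() == expected.rstrip("/").lower()


def diagnose(token: str, expected_resource: str) -> str:
    """One-line verdict on why the target API might reject this token."""
    claims = decode_claims(token)
    if not audience_matches(claims, expected_resource):
        return f"wrong audience: token was issued for {claims.get('aud')!r}"
    # Audience is right, so a 401/403 now comes from authorization at the
    # resource itself: an Azure RBAC assignment for ARM, or an application user
    # mapped to this app registration in Dataverse. Neither shows in the token.
    return "audience ok; check the role assignment / application user at the resource"


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token: real header and payload, dummy signature."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    # Placeholder org and credentials; replace with your own before sending.
    body = client_credentials_body("<client-id>", "<client-secret>",
                                   "https://contoso.crm5.dynamics.com")
    print(TOKEN_ENDPOINT.format(tenant="<tenant-id>"), body)
    # The mistake in both posts: a token minted for ARM presented to Dataverse.
    arm_token = make_unsigned_jwt({"aud": "https://management.azure.com",
                                   "appid": "<client-id>"})
    print(diagnose(arm_token, "https://contoso.crm5.dynamics.com"))
    print(diagnose(arm_token, "https://management.azure.com/"))
```

Paste a real token into `diagnose()` to see which case you are in. When the audience is already correct and ARM still returns the `Microsoft.Sql/.../triggerSync/action` authorization error, the fix is the RBAC assignment the answer describes; when Dataverse still answers "The user is not a member of the organization", the app registration has a token but no application user in that Dataverse environment, which is configured on the Dataverse side, not in the token request.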

Azure APIM OAuth workflow - refresh token is missing

I enabled OAuth in Azure API Management. Then, using the Client ID, Client Secret, Scope, Access Token URL and Grant Type, I was able to get the access token. How can I get the refresh token from the API?
To get a refresh token from the API, you need to add the offline_access permission in the scope.
Please note that the client credentials flow works with permissions of the Application type only. So you won't get a refresh token using this flow, as the offline_access permission is of the Delegated type.
Instead, you can make use of Authorization Code flow as Grant Type.
I tried to reproduce the same in my environment via Postman and got below results:
In my Azure AD application, I added API permissions like below:
To get a refresh token, change the grant type to Authorization Code and include offline_access in the scope like below:
When you select Get New Access Token, a new window will open where you have to log in with your credentials, as below:
After successful authentication, you will get both access token and refresh token like below:
You don't have to make two separate calls like one to get access token and another one to get refresh token.
Instead, you can directly add offline_access in the scope along with custom Api scope.
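What Postman does behind the "Authorization Code" grant with offline_access is two HTTP requests: a browser redirect to the authorize endpoint, then a POST to the token endpoint with the returned code. The following is an added example, not code from the original post, and goes one step beyond it by adding PKCE to the same flow (a code_challenge on the authorize request, the matching code_verifier on the token request). It also makes the answer's point checkable in code: a refresh token only comes back for the user-interactive grants, and only when offline_access was in the scope. Tenant, client id, redirect URI and the API scope are placeholders; nothing is sent over the network.

```python
"""Added example (not from the original post): the requests behind the
Authorization Code grant with offline_access, with PKCE added."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def new_code_verifier() -> str:
    """High-entropy verifier, 43 chars from 32 random bytes (RFC 7636 section 4.1)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def expects_refresh_token(grant_type: str, scope: str) -> bool:
    """Will this token request yield a refresh_token at all?

    client_credentials has no signed-in user and therefore never gets one,
    whatever the scope says; the user grants get one only when offline_access
    was requested (and consented).
    """
    if grant_type not in ("authorization_code", "refresh_token"):
        return False
    return "offline_access" in {s.lower() for s in scope.split()}


def authorize_url(tenant: str, client_id: str, redirect_uri: str,
                  api_scope: str, verifier: str, state: str) -> str:
    """Browser step: custom API scope plus openid and offline_access."""
    return (f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?"
            + urlencode({
                "client_id": client_id,
                "response_type": "code",
                "redirect_uri": redirect_uri,
                "response_mode": "query",
                "scope": f"{api_scope} openid offline_access",
                "state": state,
                "code_challenge": code_challenge(verifier),
                "code_challenge_method": "S256",
            }))


def token_body(client_id: str, client_secret: str, redirect_uri: str,
               code: str, verifier: str, api_scope: str) -> str:
    """Back-channel step: exchange the code; the verifier proves we started the flow."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
        "scope": f"{api_scope} openid offline_access",
    })


def refresh_body(client_id: str, client_secret: str,
                 refresh_token: str, api_scope: str) -> str:
    """Later: trade the refresh token for a new access token (and possibly a new refresh token)."""
    return urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "scope": f"{api_scope} openid offline_access",
    })


if __name__ == "__main__":
    # Placeholders: your tenant, app registration and the scope exposed by your API.
    tenant, client_id, secret = "<tenant-id>", "<client-id>", "<client-secret>"
    api_scope, redirect = "api://<api-client-id>/access_as_user", "https://oauth.pstmn.io/v1/callback"
    verifier, state = new_code_verifier(), secrets.token_urlsafe(16)
    print(authorize_url(tenant, client_id, redirect, api_scope, verifier, state))
    print(token_body(client_id, secret, redirect, "<code-from-callback>", verifier, api_scope))
    print(expects_refresh_token("client_credentials", f"{api_scope} offline_access"))  # False
```

Keep the verifier and state from the authorize step until the token step completes, and store whatever refresh_token the token response returns, since Entra may hand back a new one on each refresh.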

How to get JWT Token from Azure multi-tenant application?

I created a multi-tenant app on the Azure Portal and am sending a request to get a token with the application's client Id. I am using the following URL to get a token from Microsoft Azure AD:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
I am sending a GET request with the parameters client_id={clientId}&response_type=token&scope=user.read+openid+profile+offline_access
However, it is returning an access_token on the given callback URL:
http://localhost:8082/my-callback-url#access_token=EwCIA8l6BAAU6k7%2bXVQzkGyMv7VHB/h4cHbJYRAAATb8xtkaxI5xsVkWM6etOevj7ADopBYP1/hj%2bUz%2bf1ZXH4lpykHkES1XBRBDNRDWwdqAA%2brO2tFlMygiuusVx1EJKvqeV0rPPaNDNX9azpWGzS45BN6WmXKcxzX623enNYJOdo%2bYyTtaMipFapvABOsjHve1nVwfq9zqpmcldnIhXBeGefdQsgqmBNjeAyAbWzifLNtdz6Ybxnbt8nMY5adb82Z8tsfddfDdjrqk%2bu%2b85%2bxKXO9Xop3wdRvrVC9FM46RniA6H3NUKjOMTJAsX4IQLjGjXM4eq9o95lmSzF3zgFOXI1rYwkDRVsFsLOgP8tx0occDcuVPQgMalXR6JREDZgAACIJRWLYJGUcWWAKPx26NmroNGG1xEkPB1kLeGk0Hf8324YZs2InsGvQBFUMU4XzGGNdj0s5rLYKK2ictDstHV1daM241F1M5FiaX1qCgdRXneR9uPzUsSIBOzPJtT1dD4k%2bDxp6Nr4hEnDPlymp5X0SR4v5vUA3aRhnsvmEzBVQDKR7cFvT7NSqVHSr/tTv/epdx81qgJcd6S6xF8oaMc7mn76jgU4YBn8jXYnTfGhUvhNZ8RJyyl71AqZrGr7JS2kStselZUgjavLqc9DdQD9cwPSWu1ketKmGgCjt6lVB3nlaw8Wxq%2by2/YhPznTRFD2wj/vzDOdTzCcZ9mJV%2bKMGcXYQqBiGE0MF8%2bWA1EKSXniT5UiegTfJkvnsgtx6G6sdV0rzFM7Xa9d/dHNDfyV5oGedZtJXE1WCUrEIUZZm/HNhhQyh0WSG0gWm3vOY7NAs13vey9lcIQ6Fllu6W/Ty3HE4llFp/9a3lNcujmlxsCASFUOX6R54xPJMt1ipF5lh5uyZCPoUda46UsrCDnNRg0dhuoSVwJMDHzDbs4NXhX4nhTOze/9koz6p5Ao4DtJ20LqmcylZDoLxUhXIU5vvnBYpiHwanBt2E/rG%2bqVEQbRy/v9fhi0chY0XPzldIm/Lz2l0%2b0MpJ/4l53f9YTRLdEMD8X8Umi35ZvpK9arAqgdRkx4/oWG9m8sxOMY2eASetiAJaU8yjtETgHpBGJTXbDVDpNA1s5NGc9QC%2brcSnGDV0BKIDYxBISR8TiJQVUaPqbNU1Mj3kGyQFnfS0jS83VGVfFCZ4cHkhDq/awLh2JrR0Ag%3d%3d&token_type=bearer&expires_in=3600&scope=User.Read%20openid%20profile
How can I validate this access token? or how can I get a JWT token instead?
Your scopes are user.read+openid+profile+offline_access.
That first one is a Microsoft Graph API scope.
It's actually shorthand for https://graph.microsoft.com/user.read.
So you will get an access token that is meant for Microsoft Graph API.
The other scopes you defined affect the id token (openid, profile) or get you a refresh token (offline_access).
This means you cannot and should not validate the token.
Only Microsoft Graph API should be validating this token, since the token is meant for it.
If you want an access token for your API, you need to use a scope defined in the API's app registration (Expose an API section).

azure active directory & postman

I have an Azure web API application which is secured by an Azure Active Directory tenant. Through Postman I am trying to obtain the OAuth2 access token using Postman's OAuth2 Helper. Getting the access token requires four bits of info: the tenant auth endpoint, the tenant token endpoint, the client id and the client secret of the associated tenant application. It also seems that the tenant application reply URL must include https://www.getpostman.com/oauth2/callback, which is where Postman is supposed to retrieve the token into the helper.
I can't get this to work. The get access token button reports back an error but it is very hard to decipher what the error is: the debug url reveals nothing really.
Has anyone had any experience attempting to get an AAD Oauth access token with postman's OAuth2 helper? If so, do you have any hints as to where I should look to debug what is going on?
The extension sadly lacks one critical field for Azure AD. AAD must know what resource you want the token for, since a token will not work for all APIs that your app has permissions for. The authorization code is actually retrieved successfully, but the request to the token endpoint fails with an error message about the missing resource identifier. So you can't use it with AAD; neither the authorization code nor the client credential flow works.
Update: The Azure AD v2 endpoint allows you to use the scope parameter instead of resource, which Postman does support!
You can set the resource ID as a parameter to the Auth URL.
Auth URL: https://_______________?resource=https://_________
I am attempting the same authentication flow with the Postman app (vs. the extension). Watching Fiddler, it appears that the authorization grant is coming back, as I see a response from AAD of the form GET https://www.getpostman.com/oauth2/callback?code=AAABAAAAiL9Kn2Z27UubvWFPbm0gLTo3oWq....
I'm assuming the "code" is the authorization grant because if I attempt to use it as the access token it is unauthorized. Also the fiddler session responds with a 301 Moved Permanently to https://app.getpostman.com/oauth2/callback...
This is my experience with AAD and Postman. You should first validate that you successfully authenticated through AAD and Postman.
Adapted from this post
Set up a dedicated 'postman-test' app registration in your AD tenant, with permission to access your target API. Ensure it has the Postman callback URL previously mentioned.
Fill in Postman's OAuth helper form with the following details:
Token Name – Any name to save the token.
Auth Url – https://login.microsoftonline.com/{tenant}/oauth2/authorize?resource={testing-appId-uri}
Access Token Url – https://login.microsoftonline.com/{tenant}/oauth2/token
Client ID – Client Id from configure tab of “postman-test” app.
Client Secret – Client secret copied from configure tab of “postman-test” app.
Grant Type – Authorization Code
Note:
tenant: it can be either the name of the Active Directory or the TenantId of the admin who created the Active Directory.
testing-appId-uri: the App ID URI of the application you are testing. It should include the http:// or https:// and does not need escaping.
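The three Postman posts and the multi-tenant question above are all about the same two moving parts: which authorize URL to build (v1 puts the audience in `resource`, v2.0 puts it in `scope`) and what comes back on the callback URL (an authorization code in the query string for response_type=code, or an access token in the URL fragment for response_type=token, which is not a JWT you can inspect). The following is an added example, not code from any of the posts; the tenant, client id and App ID URI are placeholders, and the sample callback URLs are constructed here after the shapes quoted in the posts.

```python
"""Added example (not from the original posts): v1 vs v2.0 authorize URLs for a
custom API, and a parser for what the OAuth callback delivers."""
from urllib.parse import parse_qs, urlencode, urlparse

POSTMAN_CALLBACK = "https://www.getpostman.com/oauth2/callback"


def v1_authorize_url(tenant: str, client_id: str, app_id_uri: str, state: str,
                     redirect_uri: str = POSTMAN_CALLBACK) -> str:
    """v1 endpoint: the audience rides in 'resource' (the Auth URL trick above)."""
    return f"https://login.microsoftonline.com/{tenant}/oauth2/authorize?" + urlencode({
        "client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
        "resource": app_id_uri, "state": state})


def v2_authorize_url(tenant: str, client_id: str, app_id_uri: str, state: str,
                     redirect_uri: str = POSTMAN_CALLBACK) -> str:
    """v2.0 endpoint: the same audience spelled as '<App ID URI>/.default' in 'scope'."""
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?" + urlencode({
        "client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
        "scope": app_id_uri.rstrip("/") + "/.default", "state": state})


def parse_callback(url: str, expected_state=None) -> dict:
    """Classify the redirect: an auth code (query), an implicit-flow token
    (fragment), or an error. A code is not a bearer token; presenting it as
    one gives the 401 seen in the Fiddler post."""
    u = urlparse(url)
    params = {**parse_qs(u.fragment), **parse_qs(u.query)}  # query wins if both

    def first(key):
        return params.get(key, [None])[0]

    if expected_state is not None and first("state") != expected_state:
        return {"kind": "error", "error": "state_mismatch"}
    if first("error"):
        return {"kind": "error", "error": first("error"),
                "description": first("error_description")}
    if first("code"):
        return {"kind": "code", "code": first("code")}
    if first("access_token"):
        tok = first("access_token")
        return {"kind": "token", "access_token": tok,
                "token_type": first("token_type"),
                "expires_in": int(first("expires_in") or 0),
                "scope": (first("scope") or "").split(),
                # Graph tokens are opaque (no header.payload.signature); only a
                # token minted for your own API arrives as a JWT you can verify.
                "is_jwt": tok.count(".") == 2}
    return {"kind": "unknown"}


if __name__ == "__main__":
    # Placeholders for the tenant, the postman-test app and the API under test.
    print(v1_authorize_url("<tenant>", "<client-id>", "https://contoso.example/api", "s1"))
    print(v2_authorize_url("<tenant>", "<client-id>", "https://contoso.example/api", "s1"))
    # Constructed callbacks, shaped like the two quoted in the posts above.
    print(parse_callback(POSTMAN_CALLBACK + "?code=AAABAAAAiL9Kn2Z27UubvWFPbm0gLTo3oWq&state=s1", "s1"))
    print(parse_callback("http://localhost:8082/my-callback-url#access_token=EwCIA8l6BAAU6k7"
                         "&token_type=bearer&expires_in=3600&scope=User.Read%20openid%20profile"))
```

The fragment token in the example comes back with `scope=User.Read openid profile` and is not a JWT, which matches the earlier answer: it is a Microsoft Graph token, and only Graph can validate it. A token for your own API only appears once the scope names something that API exposes.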

How to Add users to Azure Active Directory with Graph API

I am trying to understand how Azure Active Directory Graph API works for adding users to the directory. According to this:
http://msdn.microsoft.com/en-us/library/azure/dn130117.aspx
I need to access the Graph API URL and pass in something called a "bearer token" in the "Authorization" header so that it will allow me to add the user specified in the request's body. However, I have no idea where I can get one of these tokens. All my research points to the user having to be already authenticated to get a token, which kind of defeats the point, since I want to add the user so he can authenticate.
I have configured my app in the Azure Management Portal, and thought the bearer token was the "Client ID" that I get when I go to my added applications in the Directory. But when I pass this number to the Graph API, I get "Access Token Missing or malformed". I am testing this using the Fiddler Web Debugger app.
These 2 posts describe very thoroughly the steps to get the required token in 2 different scenarios:
Authorization Code Grant flow: http://msdn.microsoft.com/en-us/library/azure/dn645542.aspx
Client Credentials Grant flow: http://msdn.microsoft.com/en-us/library/azure/dn645543.aspx
If you want to use the Client Id and Client Key to authenticate your client to Azure Active Directory, then you should read the 2nd article. The first one is to authenticate an already existing user.
If you want to programmatically get the OAuth2 token, then you could use the AAD authentication libraries: http://msdn.microsoft.com/en-us/library/azure/dn151135.aspx
