Environment for resource/permission token creation:
nodejs v14
#azure/cosmos
Environment to fetch docs:
rest api postman client windows machine
I am getting error when trying to fetch GET docs using created permission with below PermissionDefinition as:
{
id: "key-name", permissionMode: "All",
resource: "dbs/<db-name>/colls/<col-name>/docs/*",
resourcePartitionKey: ["partition-key"]
}
Also tried resource id as "dbs//colls//docs"
But getting same error, I am able to success fetch collection info with url as
https://{{DocumentDBHost}}/dbs/<db-name>/colls/<coll-name>
Below is error when trying to get docs from collection through rest api using permission resource token as:
{
"code": "Forbidden",
"message": "Insufficient permissions provided in the authorization header for the corresponding request. Please retry with another authorization header.\r\nActivityId: d6fe0b9e-c0a2-42a4-9378-50ccf1613aa7, Microsoft.Azure.Documents.Common/2.14.0"
}
using url as:
// to read specific doc
https://{{DocumentDBHost}}/dbs/<db-name>/colls/<coll-name>/docs/<doc-id>
// to read all docs in collection
https://{{DocumentDBHost}}/dbs/<db-name>/colls/<coll-name>/docs
Perparing auth token as
var permToken = "type=resource&ver=1&sig=UVlXYH0zKJyubcH9LAsBiw==;w7eUSmBFoA4dpcGNgV3Lm3kbFUE42IixXPEI2LVEr******************BPeWGl2pnkfN6V7FLX0leF/9WeDzUz06rq3po48jUSws5hNY8aR9LqMdSgwE1U4ygNbINMNe****************************v+u/ge9lKy10eZObL1u4FQMiE=;"
auth = encodeURIComponent(permToken);
So, doing encoding uri also on token got through permission
Other headers added to rest api are as follows:
[{"key":"Accept","value":"application/json","enabled":true},{"key":"x-ms-version","value":"2015-12-16","enabled":true},{"key":"Authorization","value":"{{authToken}}","enabled":true},{"key":"x-ms-date","value":"{{RFC1123time}}","enabled":true},{"key":"x-ms-documentdb-partitionkey","value":"[\"dl\"]","type":"text","enabled":true}]
Kindly pass detailed rest api doc when using resource/permission token, if there is any any change in specs. I already shared secondary key are success working for authorization part for same api request to CosmosDB
Related
I have a web application registered in Azure AD and have it working with the Graph API. But I would like to be able to instead query the Sharepoint REST API.
I have added the sharepoint delegated permission scope "AllSites.Read" to my application (in addition to the Graph API scopes that I was using before) and request this scope (in addition to the other delagated msgraph scopes) when I get the oauth token from the user. I successfully get the token, using https://login.microsoftonline.com/common/oauth2/v2.0 for the authorization/token calls, but am unable to make a successful query:
My query looks like client.get(f"https://{tenant}.sharepoint.com/_api/web/lists") where tenant is the tenant of the particular user who's token I am using.
The error I get looks like {'error_description': 'Invalid issuer or signature.'} with reason="Token contains invalid signature.";category="invalid_client"' in the header of the response.
I am able to query the Graph api, but would like to also be able to query the Sharepoint REST api, because the Graph api is is insufficient for my actual use case, which will be to get Sharepoint groups (Graph api does not give sharepoint groups when I ask for groups, only Office 365 and Azure AD groups).
Update:
The permissions I've set on the app:
I have not added any scopes in Expose API, I don't know if I need to. I did not need this part to have it working with Graph API.
Lastly I'll mention that in Postman, controlled environment purely with this as the request, with OAuth 2.0:
Auth URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id
client_secret
Scope: AllSites.Read
I get a token successfully, with all the roles, although it still doesn't give me access to https://<tenant>.sharepoint.com/_api/web/lists. I get the following error:
"error": {
"code": "-2147024891, System.UnauthorizedAccessException",
"message": {
"lang": "en-US",
"value": "Access denied. You do not have permission to perform this action or access this resource."
}
}
}
which admittedly is probably a step forward from the invalid client error I was getting before, but still quite stuck.
I was able to get this to work in Postman:
OAuth 2.0
Grant Type: Authorization Code
Auth URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
Client ID: <client_id>
Client Secret: <client_secret>
Scope: https://<tenant>.sharepoint.com/AllSites.FullControl
The token I get back has all of the permissions that I set on the application, including the Graph API ones and the Sharepoint scopes that I did not request in the Scope parameter of the auth request:
"scp": "AllSites.FullControl AllSites.Read Directory.Read.All Files.Read.All Group.Read.All MyFiles.Read Sites.Read.All Sites.Search.All User.Read User.Read.All", which was a little surprising.
A key point was setting the tenant url in the scope so that the aud parameter in the token comes back for the right tenant. It was coming back before configured for the resourceAppId associated with the Graph permissions (00000003-0000-0000-c000-000000000000), rather than the Sharepoint permissions. This way, aud got set to https://<tenant>.sharepoint.com and I was able to access https://<tenant>.sharepoint.com/_api/web/lists.
You can try to get the acccess token in PostMan for a testing purpose.
Callback URL: https://www.getpostman.com/oauth2/callback
Auth URL : https://login.microsoftonline.com/common/oauth2/authorize?resource=https://<tenant_name>.sharepoint.com
Access Token URL : https://login.microsoftonline.com/common/oauth2/token
Client ID : <Application_ID>
Client Secret : <KEY>
Grant Type : Authorization Code
Will pop up a login window to sign in and then generate the access token and get the SharePoint groups:
Reference:
Use Postman and Azure AD to send REST request to SharePoint Online
I've created a Logic App, which is configured to authenticate using AD Outh according to this:
https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app
This Logic App it takes a lot of time to execute and to avoid timeout the response was configured with Asynchronous Pattern as mention in:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/async-operations
The authentication with Bearer Token works and the Logic App responses with a URL (in Location header) in which finally will be stored the response.
The problem is that I cant't access to this URL because I'm receiving the next error:
{
"error": {
"code": "DirectApiAuthorizationRequired",
"message": "The request must be authenticated only by Shared Access scheme."
}
}
The problem is that the URL returned in the Location header only contains SAS keys when I run the Logic App using SAS and I need use only OAuth for securiry reasons.
Now, if try to access to this URL using Bearer token the response is:
{
"error": {
"code": "InvalidUseOfOAuthToken",
"message": "The requested operation is not supported, Use of open authentication token is only supported for workflow trigger request."
}
}
Here an example of the URL:
https://prod-05.southcentralus.logic.azure.com/workflows/a98d6ba3becd449db74ac0527a64ec57/runs/08585941366423271731798768425CU04/operations/c4d9cb98-03b3-4c44-87c3-5752c2ed403c?api-version=2016-10-01
So, understanding that is not posible access to this URL using OAuth, How can I force the header location to include the SAS parameters by consuming the logic app using OAuth?
Finally, solution proposed was to use the functionality "Create expiring callback URLs" for Async Logic Apps,
https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app#create-expiring-callback-urls
This consists of creating a temporary URL for each execution, these URL’s contain SAS parameter which will in cretain date . These URLs are created from a call to the ARM Rest API using a Bearer Token and specifying the date on which it will stop working. With this way there is no problem using SAS because are temporary.
https://learn.microsoft.com/en-us/rest/api/logic/workflowversions/listcallbackurl
I have added a user in azure ad. Now using graph api I want to update its display name or let say password. I am referring to this guide https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=cs
First of all, I am not sure I am using correct URL to update the user but below is what I am using:
https://graph.microsoft.com/v1.0/users/john#<myorg>.onmicrosoft.com
I am passing the userName of the user which I want to udpate in the url. Please let me know if this is not correct.
I am including the OAuth token as bearer token in my request and posting the below json:
{
"accountEnabled": true,
"displayName": "john12"
}
From the above json, I want to change the display name from john to john12. But I am getting below error:
{
"error": {
"code": "Request_BadRequest",
"message": "Specified HTTP method is not allowed for the request target.",
"innerError": {
"request-id": "536fd7c1-db46-4927-9732-169da778811c",
"date": "2019-06-06T04:58:26"
}
}
}
Please can anyone please let me know how can I update the existing user properties. Thanks
Most probably you're not using HTTP method PATCH. I say this looking at the error message Specified HTTP method is not allowed for the request target.
If you use anything other than PATCH, like a POST you will end up getting this error message.
The JSON body for your request looks fine. I tried updating an existing user with similar JSON and sending a PATCH request from Microsoft Graph Explorer and it worked fine.
I could reproduce the same error message that you're seeing when I used a POST or PUT call from Microsoft Graph Explorer.
Although same request URL with same JSON body worked fine once I changed POST to PATCH. Later on querying the user again (GET), I could see that displayName had been updated correctly
I keep getting a AuthenticationFailed error with a InvalidAuthenticationTokenAudience inner error when attempting to query the /environments endpoint.
I have already created an app in the Azure Active Directory, given it access in the time series insights management portal and I can already get an Oauth 2.0 Access token from the auth URL.
I have tried giving the token url the 'https://api.timeseries.azure.com/' resource/audience/scope but the API keeps returning the same error message:
{
"error": {
"code": "AuthenticationFailed",
"message": "Server failed to authenticate the request. The token has been obtained from wrong audience or resource.",
"innerError": {
"code": "InvalidAuthenticationTokenAudience",
"message": "The access token has been obtained from wrong audience or resource '00000002-0000-0000-c000-000000000000'. It should
exactly match (including forward slash) with one of the allowed
audiences 'https://api.timeseries.azure.com/'."
}
} }
I'm using Postman with the Oauth 2.0 authentication type, the client credentials Grant Type and send as basic Auth Header option for the token request.
Has anyone tried this with success?
Update 01:
The decoded (using JWT as suggested in comments) payload portion of one of the tokens shows the that the aud field is 00000002-0000-0000-c000-000000000000. Which is definitely wrong.
Based on the exception, it indicates that the resource is not matching https://api.timeseries.azure.com/ when acquire the access token.
So please make sure that the resource is https://api.timeseries.azure.com/, for more information please refer to the screenshot.
Get access token
I test Get environments API, it works correctly for me.
GET https://api.timeseries.azure.com/environments?api-version=2016-12-12
I am working on the Azure Redis Cache, and I am using a REST API to create a cache. The response I get is :
HTTP/1.1 401 Unauthorized
{
"error": {
"code": "AuthenticationFailed",
"message": "Authentication failed. The 'Authorization' header is missing."
}
}
I could not find any Authorization header in the documentation. Can someone suggest the procedure to generate the authorization header ?
Essentially creating an Azure Redis Cache account operation is an Azure Resource Manager (ARM) operation. Each ARM operation requires an authorization header that must be included in the request. Because you didn't include this header in your request, you're getting this error.
Please see Resource Manager REST APIs for detailed instructions on how you can authenticate your ARM API requests.