I have to use the command for the Log Analytics API from Azure to get an access token; however, it didn't respond.
Using the values accordingly, is there anything that needs to be added other than the values shown below?
POST /e7xxxxxxx/oauth2/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id=03xxxxxxxxxx
&redirect_uri=http://localhost:3000/login
&resource=https://api.loganalytics.io
&client_secret=xxxxxx
This command is supposed to respond with 200 OK, which gives you an "access token", but the command hangs and responds with nothing. If you have any suggestions or recommendations on how to use Log Analytics with the API, that will be very helpful.
You are using the client credentials flow with the v1.0 endpoint; the redirect_uri is not needed. You could use Postman to get the token; you could refer to the sample below, which works for me.
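The following is an added example (not code from the question or the answer) that builds the v1.0 client-credentials token request in Python and lints a hand-written one. The tenant, client id and secret values are constructed placeholders; `QUESTION_REQUEST` replicates the request from the question with its secrets replaced. The linter flags the two things worth checking in that request: the `redirect_uri` parameter, which this flow does not use, and a `Host` header that carries a scheme instead of a bare host name.

```python
"""Build and sanity-check a v1.0 client-credentials token request.

Added example, not code from the original question or answer. All tenant,
client id and secret values below are constructed placeholders.
"""
from urllib.parse import urlencode, parse_qs
import urllib.request

AAD_AUTHORITY = "login.microsoftonline.com"


def build_client_credentials_request(tenant: str, client_id: str,
                                     client_secret: str, resource: str) -> dict:
    """Return URL, headers and form body for the v1.0 client-credentials flow.

    There is no browser redirect in this flow, so no redirect_uri is sent;
    resource is the app ID URI of the API the token is meant for.
    """
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,          # urlencode escapes the :// for us
    })
    return {
        "url": f"https://{AAD_AUTHORITY}/{tenant}/oauth2/token",
        "headers": {
            # Host carries only the host name; a scheme here is malformed.
            "Host": AAD_AUTHORITY,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": body,
    }


def lint_token_request(req: dict) -> list:
    """Return the problems found in a token request (empty when it looks clean)."""
    problems = []
    host = req["headers"].get("Host", "")
    if "://" in host or "/" in host:
        problems.append("Host header must be a bare host name, not a URL")
    if not req["url"].startswith("https://"):
        problems.append("token endpoint must be called over https")
    params = parse_qs(req["body"])
    if params.get("grant_type") != ["client_credentials"]:
        problems.append("grant_type must be client_credentials")
    if "redirect_uri" in params:
        problems.append("redirect_uri is not used by the client-credentials flow")
    if "resource" not in params:
        problems.append("resource (target API app ID URI) is required on v1.0")
    return problems


def send_token_request(req: dict) -> bytes:
    """POST the request and return the raw JSON body (network call, not run offline)."""
    http_req = urllib.request.Request(
        req["url"], data=req["body"].encode(), method="POST",
        headers={"Content-Type": req["headers"]["Content-Type"]})
    with urllib.request.urlopen(http_req, timeout=30) as resp:
        return resp.read()


# Replica of the request in the question, secrets replaced by placeholders.
QUESTION_REQUEST = {
    "url": "https://login.microsoftonline.com/e7-TENANT-PLACEHOLDER/oauth2/token",
    "headers": {"Host": "https://login.microsoftonline.com",
                "Content-Type": "application/x-www-form-urlencoded"},
    "body": "grant_type=client_credentials&client_id=03-CLIENT-ID-PLACEHOLDER"
            "&redirect_uri=http://localhost:3000/login"
            "&resource=https://api.loganalytics.io&client_secret=SECRET-PLACEHOLDER",
}

if __name__ == "__main__":
    req = build_client_credentials_request(
        "e7-TENANT-PLACEHOLDER", "03-CLIENT-ID-PLACEHOLDER",
        "SECRET-PLACEHOLDER", "https://api.loganalytics.io")
    print(req["body"])
    print("question request problems:", lint_token_request(QUESTION_REQUEST))
```

Run the module directly to print the encoded body and the linter's findings; `send_token_request` is the only function that touches the network and is left for the reader to call with real credentials.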
I am trying to get an access token from Azure Active Directory, where I have registered an app and uploaded a certificate (in Certificates and secrets blade). AD should use this certificate to sign the access token that it will send in the response. I would like to get the access token response in Postman.
Please suggest a general method or steps to set up Postman and call AD.
Please see this sample.
POST /{tenant}/oauth2/v2.0/token HTTP/1.1 // Line breaks for clarity
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_id=97e0a5b7-d745-40b6-94fe-5f77d35c6e05
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=eyJhbGciOiJSUzI1NiIsIng1dCI6Imd4OHRHeXN5amNScUtqRlBuZDdSRnd2d1pJMCJ9.eyJ{a lot of characters here}M8U3bSUKKJDEg
&grant_type=client_credentials
I think all the parameters are clear except client_assertion, which is the aforementioned signed JWT token.
You need to generate the JWT token by following the certificate credentials guidance.
And then use this client_assertion in Postman.
I'm trying to develop an application that makes use of the Power BI API.
The problem is, even though I have a valid authentication token, every API endpoint I tried to access so far returns a 403 (Forbidden) Http status with no content on the response body.
I think the token I'm getting is valid because when I try to use the same token the next day it gives me a "Token expired" message.
I'm using a corporate Azure Active Directory account where I'm not an administrator. But I have full access to the Power BI workspaces and Reports on its web interface.
I'm currently authenticating with Azure AD OAuth2 v1 but I also tried v2 with no success (I'm still using v1 because on v2 I'm not sure my scope and resource parameters are right).
Here are the requests I'm sending:
GET
https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id=<my client id>
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%3A8080/azureLogin/authorize
&response_mode=query
get the authorization code on the redirect at localhost:8080/azureLogin/authorize then
POST https://login.microsoftonline.com/{tenant}/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&client_id=<my client id>
&code=<the code I just got>
&redirect_uri=http%3A%2F%2Flocalhost%3A8080/azureLogin/authorize
&client_secret=<my client secret>
As "tenant" I tried both "common" and my organization id.
But when I try to access https://api.powerbi.com/v1.0/myorg/reports with the Authorization: Bearer <token> header, I get a 403 Forbidden response.
On Azure AD I can see my user has given all permissions to this application I registered.
Am I missing something? How can I solve that?
To make the answer visible to others, I'm summarizing the answer shared in comment:
You missed the resource parameter. You are accessing Power BI, so it should be
resource: https://analysis.windows.net/powerbi/api
The resource is app ID URI of the target web API (secured resource). It may also be an external resource like https://graph.microsoft.com, https://analysis.windows.net/powerbi/api etc. This is required in one of either the authorization or token requests.
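The resource parameter decides which API the issued token is for, and the API checks that by comparing the token's `aud` claim with its own app ID URI. The helper below is an added example (not part of the answer) that decodes a token's claims without a network call and lists why an API guarding a given resource would reject it; it makes the 403 in the question diagnosable from the token alone. The sample tokens are constructed and carry an empty signature segment, so they are for inspection only; a real token is signed by Azure AD and verified by the API.

```python
"""Inspect the audience of an Azure AD access token offline.

Added example, not code from the original answer. The sample tokens are
constructed with an empty signature segment and are only for inspection.
"""
import base64
import json
import time

POWER_BI_RESOURCE = "https://analysis.windows.net/powerbi/api"
SAMPLE_NOW = 1_700_000_000  # fixed clock so the sample run is reproducible


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url, restoring the padding JWTs leave out."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_token(token: str, expected_resource: str, now: float = None) -> list:
    """Return the reasons an API guarding expected_resource would reject this token."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    reasons = []
    aud = claims.get("aud")
    if aud != expected_resource:
        reasons.append(f"aud is {aud!r} but the API expects {expected_resource!r}; "
                       "check the resource parameter of the token request")
    if claims.get("exp", 0) <= now:
        reasons.append("token has expired (exp is in the past)")
    if not claims.get("scp") and not claims.get("roles"):
        reasons.append("no scp (delegated) or roles (application) claim: "
                       "no permission was granted for this API")
    return reasons


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token (empty signature segment)."""
    header = {"typ": "JWT", "alg": "RS256"}  # same header shape as a real token
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     ""])  # signature deliberately absent: sample only


if __name__ == "__main__":
    # Token requested without the Power BI resource: aud names another API.
    wrong_aud = make_sample_token({"aud": "https://graph.microsoft.com",
                                   "exp": SAMPLE_NOW + 3600, "scp": "User.Read"})
    # Token requested with resource=https://analysis.windows.net/powerbi/api.
    right_aud = make_sample_token({"aud": POWER_BI_RESOURCE,
                                   "exp": SAMPLE_NOW + 3600, "scp": "Report.Read.All"})
    for name, tok in (("wrong resource", wrong_aud), ("right resource", right_aud)):
        print(name, decode_claims(tok)["aud"],
              diagnose_token(tok, POWER_BI_RESOURCE, now=SAMPLE_NOW))
```

The same check is how to read the "Token expired" behaviour the question mentions: the API rejects on `exp` just as it rejects on a wrong `aud`, and only the decoded claims tell the two apart.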
I am currently following this guide on setting up authorization for an Azure Function. I'm currently trying to test the auth portion in Fiddler separately from my web app to ensure I can get a valid token. I am able to successfully retrieve an authorization code; however, after that, I need to post some data to exchange the authorization code for a token. When trying to do that, I am being returned a 502 with message: DNS Lookup for "mytenantname.onmicrosoft.com" failed. System.Net.Sockets.SocketException No such host is known, as if the host does not exist at all. My post to the endpoint looks as follows, where B2C_1_FunctionsPlaygroundSignInRegister is the name of my user flow:
POST https://mytenantname.onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_FunctionsPlaygroundSignInRegister HTTP/1.1
User-Agent: Fiddler
Content-Type: application/x-www-form-urlencoded
Host: mytenantname.onmicrosoft.com
Body: grant_type=authorization_code&client_id=MyApplicationIdForTheAzure-AD-B2C-ap-here&code=myCodeHere&redirect_uri=jwt.ms
For reference, here is the working get request I send that I can type in a browser, be prompted with a login/register screen, and be returned an authorization code after logging in:
https://mytenantname.b2clogin.com/tfp/mytenantname.onmicrosoft.com/B2C_1_FunctionsPlaygroundSignInRegister/oauth2/v2.0/authorize?client_id=yApplicationIdForTheAzure-AD-B2C-ap-here&nonce=2&redirect_uri=https://functionapi.azurewebsites.net/.auth/login/aad/callback&scope=https://mytenantname.onmicrosoft.com/api/read&response_type=code
Can someone please point out where I'm going wrong here? I've now spent a great deal of time on this issue and am out of ideas.
Your POST url and Host header are wrong.
See this section -
OAuth 2.0 authorization code flow in Azure Active Directory B2C
POST fabrikamb2c.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_sign_in HTTP/1.1
Host: https://fabrikamb2c.b2clogin.com
Note the Host header. That means your Fiddler request should read something like this:
POST https://mytenantname.b2clogin.com/mytenantname.onmicrosoft.com/oauth2/v2.0/token?p=...
Host: mytenantname.b2clogin.com
P.S. This is way better than Fiddler for what you're trying to do -
https://oauthdebugger.com/
I am trying to use the authorization code grant flow to authorize to my app. Documentation here. I am building an app to support auto user provisioning to DocuSign using REST APIs. I have created a developer account and have obtained the Integrator Key and the secret key.
I made the following request to obtain the auth code:
account-d.docusign.com/oauth/auth?response_type=code&scope=signature&client_id=<MY_CLIENT_ID>&redirect_uri=<localhost> and received the response in the browser with the code.
I am using a curl command to generate tokens using the following request:
curl -iX POST account-d.docusign.com/oauth/token -H "Authorization: Basic base64_representation_of_clientId:clientSecret" -d 'grant_type=authorization_code&code=<Auth Code received in the previous step>'
However I am getting this response :
HTTP/1.0 301 Moved Permanently
Location: account-d.docusign.com/oauth/token
Server: BigIP
Connection: Keep-Alive
Content-Length: 0
What can be the possible reason for this error response?
Perhaps try adding the protocol (https://) to the request URI?
curl -iX POST https://account-d.docusign.com/oauth/token...
Following on from this question:
AADSTS50013: Assertion audience claim does not match the required value
I've now successfully got the web apps running with this security model:
SPA application using adal.js/adal_angular.js to authenticate via AAD.
Returned token is passed to web api [API1] that runs on the same machine.
That web api gets a new token on behalf of the user to access a downstream API [API2].
The downstream api gets a new token on behalf of the user to access another downstream API [API3].
Now, when I have [API2] running locally, this is all working.
However, when I deploy that web app to my Azure subscription, and attempt to call it (without changing anything else other than the url in the REST API call from [API1]), I get the following:
{"Message":"Authorization has been denied for this request."}
There doesn't appear to be any other error details returned or in the Fiddler trace. Comparing the jwt token payloads between the call that works and the one that doesn't, doesn't reveal much. They appear the same other than the expiry claims and the "aio" (not sure what that is).
The only change is the URL of the deployed web app (from http://localhost:8080/ to http://mywebappname.azurewebsites.net/)
Note that the web app is deployed into a different AD tenant to the one where the app registrations and [API3] are located, but I didn't think this mattered.
Any thoughts out there on what I might need to change when I deploy, or how to troubleshoot this further?
Update: Request works with Curl
Making the same request using curl is working:
curl -H "Authorization: Bearer ey..." http://mywebapi.azurewebsites.net/api/resource
So the issue appears to be how I'm making the request in my C# code? Comparing the headers in Fiddler, I don't see any difference.
This is the Fiddler trace from curl that is working:
GET http://mywebapi.azurewebsites.net/api/resource HTTP/1.1
Host: mywebapi.azurewebsites.net
User-Agent: curl/7.46.0
Accept: */*
Connection: Keep-Alive
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJ<snip>
This is the Fiddler trace from my code that is not working:
GET http://mywebapi.azurewebsites.net/api/resource HTTP/1.1
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJ<snip>
Accept: */*
User-Agent: RestSharp/100.0.0.0
Host: mywebapi.azurewebsites.net
Accept-Encoding: gzip, deflate
Here is the request from C#:
var restClient = new RestClient(serviceUrl) { Timeout = timeout};
var restRequest = new RestRequest(apiEndpoint, Method.GET);
var bearerToken = $"Bearer {securityToken}";
restRequest.AddParameter("Authorization", bearerToken, ParameterType.HttpHeader);
var response = restClient.Execute(restRequest);
On the Azure web site logs, I can see that the authentication type for the successful curl request is "JWT", however for the failed requests from my code they are "anonymous".
Somehow the header must be being stripped despite it showing up correctly in the Fiddler trace? Is this possible?
In an unrelated issue, I had to delete all untrusted certificates from my machine (Internet Options->Content->Certificates).
And I noticed after doing this, my problem was resolved. It was a very long list of certificates, so I don't know which one(s) were causing the problem, or why.
Given the lack of responses, it's obviously a very obscure issue, but unfortunately we didn't get to the bottom of it. If it occurs again, I can be a bit more methodical when I do it.
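When two captured requests "look the same" in Fiddler, a programmatic diff of the traces removes the guesswork. The helper below is an added example (not code from the question) that parses the two raw traces quoted above, compares them with header names treated case-insensitively and order ignored, and separately checks that the `Authorization` value is a well-formed bearer header. The traces are reproduced from the question with the token shortened, as it is there.

```python
"""Diff the headers of two captured HTTP requests and check the bearer header.

Added example, not code from the original question. The two traces are the
ones quoted in the question (working curl request, failing RestSharp request).
"""

WORKING_TRACE = """GET http://mywebapi.azurewebsites.net/api/resource HTTP/1.1
Host: mywebapi.azurewebsites.net
User-Agent: curl/7.46.0
Accept: */*
Connection: Keep-Alive
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJ<snip>
"""

FAILING_TRACE = """GET http://mywebapi.azurewebsites.net/api/resource HTTP/1.1
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJ<snip>
Accept: */*
User-Agent: RestSharp/100.0.0.0
Host: mywebapi.azurewebsites.net
Accept-Encoding: gzip, deflate
"""


def parse_request(trace: str) -> dict:
    """Split a raw request into its request line and a lower-cased header map."""
    lines = trace.strip().splitlines()
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return {"method": method, "target": target, "version": version, "headers": headers}


def diff_requests(a: str, b: str) -> dict:
    """Report header-set and value differences between two raw requests."""
    ra, rb = parse_request(a), parse_request(b)
    ha, hb = ra["headers"], rb["headers"]
    return {
        "request_line_differs": (ra["method"], ra["target"]) != (rb["method"], rb["target"]),
        "only_in_a": sorted(set(ha) - set(hb)),
        "only_in_b": sorted(set(hb) - set(ha)),
        "changed": sorted(n for n in set(ha) & set(hb) if ha[n] != hb[n]),
        "authorization_matches": ha.get("authorization") == hb.get("authorization"),
    }


def bearer_header_issues(value: str) -> list:
    """Return problems with an Authorization header value that should be 'Bearer <token>'."""
    issues = []
    scheme, sep, token = value.partition(" ")
    if scheme != "Bearer":
        issues.append(f"scheme is {scheme!r}; servers commonly require exactly 'Bearer'")
    if not sep or not token or token != token.strip() or any(c.isspace() for c in token):
        issues.append("token must follow a single space and contain no whitespace")
    return issues


if __name__ == "__main__":
    result = diff_requests(WORKING_TRACE, FAILING_TRACE)
    for key, val in result.items():
        print(f"{key}: {val}")
    auth = parse_request(FAILING_TRACE)["headers"]["authorization"]
    print("bearer header issues:", bearer_header_issues(auth))
```

On the two traces from the question the diff reports only `Connection` (curl only), `Accept-Encoding` (RestSharp only) and a different `User-Agent`, with identical `Authorization` values, which matches the asker's observation that the headers carry no obvious difference.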