I use Postman to test my API hosted in Azure. First I get an Access Token like this
Since I use the grant_type ´client_credentialsI have to use the default scope like this api://my-app-id/.default` as explained here.
But one of the endpoint of my API requires a specific scope, so the call fails because my access token does not contain this scope.
How am I supposed to test from Postman with the required scope ?
If you use Client Credential Flow to obtain an access token for an api protected by Azure, you must create an application and grant application permissions to the application (this is because Client Credential flow has no user interaction).
Then you need to define the application permissions by editing the list of api applications.here is an example.
Next, grant application permissions to the application:
Refer to this document and use Client Credential flow to get access token here:
1.First you need to get the administrator's consent:
GET https://login.microsoftonline.com/{tenant}/adminconsent?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions
2.Then you can get the access token by sharing the secret:
POST /{tenant}/oauth2/v2.0/token HTTP/1.1 //Line breaks for clarity
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
&scope=api://your-app-id/.default
&client_secret=qWgdYAmab0YSkuL1qKv5bPX
&grant_type=client_credentials
Parse the token and you will see your custom roles:
Try using the token to access your API.
Update:
According to your mistakes, there is user interaction, so if you want to use a user token, you should not use Client Credential Flow but auth code flow, and grant client application Delegated permissions.
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=api://11f5aca5-ba22-4b7b-8312-60a09aab7xxx/Files.Upload
&state=12345
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=api://11f5aca5-ba22-4b7b-8312-60a09aab7df5/Files.Upload
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&client_secret=JqQX2PNo9bpM0uEihUPzyrh
Parse the token and you will see your custom scp:
Related
I have my confidential client and resource client registered in AAD.
The confidential client has API permissions to access the resource client.
After I logged in from the confidential client with my credentials how can I can make a request to the resource client?
Based on the ms docs
For example, if your web API's application ID URI is https://contoso.com/api and your scope name is Employees.Read.All, the full scope is:
https://contoso.com/api/Employees.Read.All
The example is not enough for me to understand like where's the access token?
You could use auth code flow to obtain the access token.
First, get code by the url in your browser. You need to login in this step.
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id={your-client-id}
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=https://contoso.com/api/Employees.Read.All
&state=12345
Then, get access_token with the code.
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id={your-client-id}
&scope=https://contoso.com/api/Employees.Read.All
&code={the code from the previous step}
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&client_secret={your-client-secret}
About implicit grant flow:
This flow is usually used for single-page apps, and the implicit grant presents more risks than other grants. Please check if the implicit grant is suitable for your app, see here. If not, I still recommend you use auth code flow.
Note: To let it work, you need to select access tokens under the Implicit grant section in the portal first, navigate to App registrations -> your application -> Authentication.
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id={your-client-id}
&response_type=token
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&scope=https://contoso.com/api/Employees.Read.All
&response_mode=fragment
&state=12345
&nonce=678910
&prompt=none
I have this configured in my Azure Active Directory App Registrations. After the successful signin-oidc the response has id_token in the formdata, but I'm also looking for the access_token as it is checked in my configuration.
You may not set the token response when executing the login request, try to set the response_type to id_token+token, you will get id_token and access token.
Execute the request in the browser:
GET https://login.microsoftonline.com/e4c9ab4e-bd27-40d5-8459-230ba2axxxxx/oauth2/v2.0/authorize?
client_id=305c9958-8f6f-4bcf-a4ec-06cb4faxxxxx
&response_type=id_token+token
&redirect_uri=https://jwt.ms
&response_mode=fragment
&scope=openid+profile+email
&state=12345
&nonce=678910
Please see: Get an access token
I am trying to get an access token from Azure Active Directory, where I have registered an app and uploaded a certificate (in Certificates and secrets blade). AD should use this certificate to sign the access token that it will send in the response. I would like to get the access token response in Postman.
Please suggest a general method or steps to setup postman and call AD.
Please see this sample.
POST /{tenant}/oauth2/v2.0/token HTTP/1.1 // Line breaks for clarity
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_id=97e0a5b7-d745-40b6-94fe-5f77d35c6e05
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=eyJhbGciOiJSUzI1NiIsIng1dCI6Imd4OHRHeXN5amNScUtqRlBuZDdSRnd2d1pJMCJ9.eyJ{a lot of characters here}M8U3bSUKKJDEg
&grant_type=client_credentials
I think all the parameters are clear except client_assertion, which is the aforementioned signed JWT token.
You need to generate the JWT Token by following certificate credentials.
And then use this client_assertion in Postman.
I have question about getting access token, with refresh token with narrower scope.
I send this request to azure token endpoint
POST /{tenant}/oauth2/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scopehttps%3A%2F%2Fanalysis.windows.net%2Fpowerbi%2Fapi%2FReport.Read.All%20https%3A%2F%2Fanalysis.windows.net%2Fpowerbi%2Fapi%2FDashboard.Read.All%20https%3A%2F%2Fanalysis.windows.net%2Fpowerbi%2Fapi%2FDataset.Read.All
&refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
&grant_type=refresh_token
&resource=https%3A%2F%2Fanalysis.windows.net%2Fpowerbi%2Fapi
&client_secret=JqQX2PNo9bpM0uEihUPzyrh
If I remember correctly, OAuth2 does allow this operation. I would like to ask whether im doing something wrong, or azure doesnt implemnt this funcionality ?
With Azure AD, the scope parameter defines the minimum scopes you want to have in the token.
So the token can still contain other permissions if they have been consented.
As far as I know, there is no way to control this behaviour.
I am making OAuth 2.0 auth code authentication flow with multi-tenant application.
Here is my authorize url:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=my_id&prompt=consent&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauthorize&response_type=code&scope=openid+offline_access&state=17
It goes fine and I receive auth_code. Then I make request with this auth_code to token_url and receive a lot of information, like:
token_type
scope
id_token
access_token
refresh_token
expires_at
ext_expires_in
Seems fine to me, but when I make request on API with access_token like:
https://management.azure.com/subscriptions/my_sub_id/locations?api-version=2016-06-01
with headers:
Content-Type:
- application/json
Authorization:
- Bearer EwBQA8l6BAAURSN/FHlDW5xN74t6GzbtsBBeBUYAAV1IHgHb4dOWblzfd/YsSuFicAMDYbua17QivnAT9/pIaeKAg3uKsK5VGqWLzjMOUQrCpd7R1RAM6RkzI0u8e4rpO7DISG7qLso5H5+U1jb+38/j1urcwlXMMxhy83ZXmdpkLXpZV+vcOV...
It responds with 401 error
body:
encoding: UTF-8
string: '{"error":{"code":"InvalidAuthenticationToken","message":"The access token is invalid."}}'
To be honest I think something wrong with my access_token. It seems not like JWT for me. Documentation says it looks like:
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCEV1Q..."
But my access_token looks like:
"access_token": "EwBYA8l6BAAURSN/FHlDW5xN74t6GzbtsBBeBUYAAZDe7JE/MPLoAi+Fr+1Xxq5eBe5N9l8Q+c4QjkY5PGEzRnBpPe7+v6h+PLdh1cceBQx+/JsB2QCrYSCt7x/zGsQAhwoY/"
Is it fine?
Here is my permissions for application:
Permissions
The main issue you have here is that you have only asked for an access token for the scopes openid offline_access. The resulting access token will be for Microsoft Graph (https://graph.microsoft.com), not for the Azure REST API (https://management.azure.com).
To indicate you would like a token for a given API, the scope parameter in your authorization request should include the delegated permission you would like the app to have for the API. In the case of Azure REST API, there's only one delegated permission: user_impersonation. The identifier URI for the Azure REST API is https://management.azure.com, so the scope value you want to use is:
openid offline_access https://management.azure.com/user_impersonation
Two more important notes:
As you've discovered, you will not always be issued an access token as a JWT which you can decode peek at. The format of the access token is an agreement between the service which issued the token (Azure AD or Microsoft Accounts, in this case), and the service for which the token was issued (Microsoft Graph, in this example).
You should not always include prompt=consent. prompt=consent should only be used if you have already tried signing in the user without the user needs to be re-prompted for consent for a new permission.
If you simply include the required scopes in the scopes parameter, the Microsoft Identity platform will take care of figuring out if it needs to prompt for consent or not. If you always include prompt=consent, you will find that many organizations will be blocked from accessing your app, because they've disabled the ability for users to grant consent themselves (and this parameter specifically states that you require the user to be prompted again).