I have a .net core API which deploy on the azure app service,it is register as a azure ad application.
I also add a API scope in expose an API,which is
https://domain.name/Resource.GetStatus
I also register another application and give the delegate API permission.
Now I want to request a access token with scope in it in postman,but when I put the value to the scope
such error will happen
{
"error": "invalid_scope",
"error_description": "AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://aa-cdapublic-dev.azurewebsites.net/Resource.GetStatus is not valid.\r\nTrace ID: 8256ed8d-65e8-4ad4-865b-0a6fbf473500\r\nCorrelation ID: 65cef3a9-8aa1-4103-8c91-ac2007e27bc0\r\nTimestamp: 2020-04-21 03:47:52Z",
"error_codes": [
70011
],
"timestamp": "2020-04-21 03:47:52Z",
"trace_id": "8256ed8d-65e8-4ad4-865b-0a6fbf473500",
"correlation_id": "65cef3a9-8aa1-4103-8c91-ac2007e27bc0"
}
my postman request as belows:
method :post
URl:https://login.microsoftonline.com/devglobal.onmicrosoft.com/oauth2/v2.0/token
grant_type:client_credentials
clientid:******
clientsecret:******
scope:https://domain.name/Resource.GetStatus
I haven't try it in a SPA page with implicit flow yet,first of all I want to check it whether my settings is correct or not
If you use client_credentials as "grant_type", you need to set https://domain.name/.default instead of https://domain.name/Resource.GetStatus as scope (otherwise it will show the error message as you mentioned in question). By the way, if you use client_credentials, you can't get the delegate permission. So you should use "implicit flow". I test it in my side with "implicit flow", it can get Resource.GetStatus from the access token success.
Update:
decode the access token:
Related
I'm trying to do postman access token request to reach the following api :
however the result returned is always the same:
"error": {
"code": "Unauthorized",
"message": "Unauthorized",
"target": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}
POST : https://login.microsoftonline.com/%7Btenant-id%7D/oauth2/v2.0/token
Body:
client_id : my client id
scope :https://graph.microsoft.com/.default
client_secret : my client secret
grant_type : client_credentials
Header:
Content-Type : x-www-form-urlencoded
The response return me a token that is apparently not recognized by the first request...
I've tried several scopes such as : /.default, user.read openid profile offline_access, https://graph.microsoft.com/.default...
Even if they are all returning me a token, none of them seems to work.
I've also added the right to WindowsDefenderATP > Vulnerability.read, from the azure portal.
Is the problem the scope? What scope should I use if I have a client credential grant type?
You can follow this page in documentation.
You need an application permission since you are making the request with only application credentials.
In this case I think you need the Vulnerability.Read.All permission.
Don't forget to grant admin consent after adding the required permission.
Here is the scope you should use:
https://api.securitycenter.microsoft.com/.default
I have a web application registered in Azure AD and have it working with the Graph API. But I would like to be able to instead query the Sharepoint REST API.
I have added the sharepoint delegated permission scope "AllSites.Read" to my application (in addition to the Graph API scopes that I was using before) and request this scope (in addition to the other delagated msgraph scopes) when I get the oauth token from the user. I successfully get the token, using https://login.microsoftonline.com/common/oauth2/v2.0 for the authorization/token calls, but am unable to make a successful query:
My query looks like client.get(f"https://{tenant}.sharepoint.com/_api/web/lists") where tenant is the tenant of the particular user who's token I am using.
The error I get looks like {'error_description': 'Invalid issuer or signature.'} with reason="Token contains invalid signature.";category="invalid_client"' in the header of the response.
I am able to query the Graph api, but would like to also be able to query the Sharepoint REST api, because the Graph api is is insufficient for my actual use case, which will be to get Sharepoint groups (Graph api does not give sharepoint groups when I ask for groups, only Office 365 and Azure AD groups).
Update:
The permissions I've set on the app:
I have not added any scopes in Expose API, I don't know if I need to. I did not need this part to have it working with Graph API.
Lastly I'll mention that in Postman, controlled environment purely with this as the request, with OAuth 2.0:
Auth URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id
client_secret
Scope: AllSites.Read
I get a token successfully, with all the roles, although it still doesn't give me access to https://<tenant>.sharepoint.com/_api/web/lists. I get the following error:
"error": {
"code": "-2147024891, System.UnauthorizedAccessException",
"message": {
"lang": "en-US",
"value": "Access denied. You do not have permission to perform this action or access this resource."
}
}
}
which admittedly is probably a step forward from the invalid client error I was getting before, but still quite stuck.
I was able to get this to work in Postman:
OAuth 2.0
Grant Type: Authorization Code
Auth URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
Client ID: <client_id>
Client Secret: <client_secret>
Scope: https://<tenant>.sharepoint.com/AllSites.FullControl
The token I get back has all of the permissions that I set on the application, including the Graph API ones and the Sharepoint scopes that I did not request in the Scope parameter of the auth request:
"scp": "AllSites.FullControl AllSites.Read Directory.Read.All Files.Read.All Group.Read.All MyFiles.Read Sites.Read.All Sites.Search.All User.Read User.Read.All", which was a little surprising.
A key point was setting the tenant url in the scope so that the aud parameter in the token comes back for the right tenant. It was coming back before configured for the resourceAppId associated with the Graph permissions (00000003-0000-0000-c000-000000000000), rather than the Sharepoint permissions. This way, aud got set to https://<tenant>.sharepoint.com and I was able to access https://<tenant>.sharepoint.com/_api/web/lists.
You can try to get the acccess token in PostMan for a testing purpose.
Callback URL: https://www.getpostman.com/oauth2/callback
Auth URL : https://login.microsoftonline.com/common/oauth2/authorize?resource=https://<tenant_name>.sharepoint.com
Access Token URL : https://login.microsoftonline.com/common/oauth2/token
Client ID : <Application_ID>
Client Secret : <KEY>
Grant Type : Authorization Code
Will pop up a login window to sign in and then generate the access token and get the SharePoint groups:
Reference:
Use Postman and Azure AD to send REST request to SharePoint Online
When using the MSAL library to generate access token for a background console application, using client_credentials, to call two REST endpoints, the get token call is created as:
client_id=XXX&client_info=1&client_secret=XXXX&scope=api%3A%2F%2FMyService-DevBlr-ClientServices%2F.default+api%3A%2F%2FMyService-DevBlr-CoreServices%2F.default&grant_type=client_credentials
and posted to
https://login.microsoftonline.com/a1326aec-378e-4433-8e2a-67a086554fc8/oauth2/v2.0/token
The response is a 400 error:
{"error":"invalid_scope","error_description":"AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope api://MyService-DevBlr-ClientServices/.default api://MyService-DevBlr-CoreServices/.default is not valid.\r\nTrace ID: 203ad632-5e7c-4e61-9dcd-185eb9b49200\r\nCorrelation ID: 99fd979a-2c11-485b-ba14-c0cad3312e02\r\nTimestamp: 2020-01-11 08:36:29Z","error_codes":[70011],"timestamp":"2020-01-11 08:36:29Z","trace_id":"203ad632-5e7c-4e61-9dcd-185eb9b49200","correlation_id":"99fd979a-2c11-485b-ba14-c0cad3312e02"}
When individual scopes are passed in, the call works ok:
Request:
client_id=XXXX&client_info=1&client_secret=XXXX&scope=api%3A%2F%2FMyService-DevBlr-CoreServices%2F.default&grant_type=client_credentials
Response:
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"eyJ0e..."}
and
Request:
client_id=XXXX&client_info=1&client_secret=XXXX&scope=api%3A%2F%2FMyService-DevBlr-ClientServices%2F.default&grant_type=client_credentials
Response:
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"eyJ0eX..."}
The documentation and the API supports scopes array:
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Client-credential-flows#code-snippet
There is benefit in getting a single token to be used with multiple service calls, but I can't seem to get this working. Any suggestion is appreciated.
When you acquire an access token, you can only specify scopes for one API.
It seems to me you are trying to acquire a token with permissions to 2 APIs.
This is not possible.
An access token always only contains permissions to one API.
So you must request them separately.
This is due to a token having an audience (aud) claim that identifies the API it is meant for.
It cannot have two values.
I am trying to get a Bearer token for my registered Azure AD-App to read all my sharepoint sites via API
I followed the guides from microsoft to a) grant permissions for the app and b get myself a token
so I now a) have all required permissions:
and b) received a token when using the scope https://graph.microsoft.com/.default
So here is my issue: when I try to get a token for lets say https://microsoft.sharepoint-df.com/Sites.Read.All:
https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
Body:x-www-form-urlencoded
client_id={appId}
scope=https://microsoft.sharepoint-df.com/Sites.Read.All
client_secret={secret},
grant_type=client_credentials
all I get in return is an error:
"error": "invalid_scope",
"error_description": "AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://microsoft.sharepoint-df.com/Sites.ReadWrite.All is not valid.\r\nTrace ID: ...\r\nCorrelation ID: ...\r\nTimestamp: 2019-06-09 07:35:21Z",
"error_codes": [
70011
],
Am I doing something wrong? I also tried the scope https://{{tenantName}}.sharepoint.com/Sites.Read.All
You are using client credentials flow to get the access token. The scope must be
https://graph.microsoft.com/.default
The value passed for the scope parameter in this request should be the
resource identifier (application ID URI) of the resource you want,
affixed with the .default suffix. For the Microsoft Graph example, the
value is https://graph.microsoft.com/.default. This value tells the
Microsoft identity platform endpoint that of all the direct
application permissions you have configured for your app, the endpoint
should issue a token for the ones associated with the resource you
want to use.
If you must use the specific scope like https://microsoft.sharepoint-df.com/Sites.Read.All You can use auth code grant flow to get the access token.
I'm trying to get the users basic profile from Azure AD. I have a React Native app authenticating against a Native Azure AD App registration. The access_token I got from that request is used to authenticate against a Web app / Api. The user is shown the propper consent screen with the permissions I set in Azure AD.
Microsoft Graph API
Read all users' basic profiles
Sign in and read user profile
Windows Azure Active Directory
Read all users' basic profiles
Sign in and read user profile
(added both Graph API & AAD because I didn't know which one to use)
When I try and get the users profile through https://graph.microsoft.com/v1.0/users/me, with the access_token gotten from the previous request I get:
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure.",
"innerError": {
"request-id": "00cdb708-bcf8-4b33-af21-14a046b16533",
"date": "2018-09-02T18:28:59"
}
}
}
The resource in my initial authentication request is the Web App / API's app id, and I don't think having 2 resources is an option (?).
What am I doing wrong, and what should I do to fix it? Thanks.
According to your descriptions, I assume you want to get the users profile, but get the error shows an invalid token.
Based on my test, the request URL that you posted is not correct.
It should be 'https://graph.microsoft.com/v1.0/me' or 'https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}'.
We can trouble shoot your problems as follows.
First, check request, if it has correct 'Authorization' field. This document shows that we need the Authorization field in the request headers.
Second, if you have added the Authorization field in the request headers, could you provide the main code that we can identify if problem is from there ?
While getting the access token add "resource" : "https://graph.microsoft.com/" and use that access token in header with Bearer than hit the url ---> https://graph.microsoft.com/me?api-version=1.6
Don't forget to add the resource while getting access token
Thank me later :P