Update Azure keyvault secret through Azure API - azure

I am trying to update keyvault secret in Azure through Postman. But getting Authorization error.
Any suggestions. Anything I am missing. Thanks in advance
{
"error": {
"code": "Unauthorized",
"message": "AKV10022: Invalid audience. Expected https://vault.azure.net, found: https://management.azure.com/."
}
}
Using the below to update the secret:
PUT https://demokv.vault.azure.net/secrets/secretname?api-version=7.0
in Body:
{
"value": "mysecretvalue"
}

As mentioned in another reply, the audience of your token is not correct, to call Azure Keyvault REST API - Set Secret - Set Secret, the audience should be https://vault.azure.net.
To get the token, you could use the client credential flow in the postman.
1.Register an AD App in azure ad, then get values for signing in and create a new application secret.
2.Navigate to the keyvault in the portal, add the service principal of the AD App to the Access policies.
In the postman, follow the screenshot below, fix the properties that got from step 1.
POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
client_id=<client_id>
&scope=https://vault.azure.net/.default
&client_secret=<client_secret>
&grant_type=client_credentials
Then copy the token to call the REST API to set secret, it will work fine.

Also, you can get the token with az account get-access-token --resource "https://vault.azure.net"
To specificity vault resource

My challenge was using the older version of the oauth API.
Ensure that you're using:
POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
And not:
POST https://login.microsoftonline.com/<tenant-id>/oauth2/token

You acquired the access token (Bearer) for the wrong audience,
AKV10022: Invalid audience.
Expected https://vault.azure.net,
Found: https://management.azure.com/.
Acquire a new one for the correct audience and give it another go.

Related

Why kid is missing in Azure DevOps System.AccessToken?

System.AccessToken is can be used as a means of authenticating requests to the Azure DevOps REST APIs from within a pipeline
https://learn.microsoft.com/fr-fr/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml
In the header of this Access Token, the kid attribute is missing.
{
"typ": "JWT",
"alg": "RS256",
"x5t": "oOvcz5M_7p-HjIKlFXz93u_V0Zo"
}
Is there anyway to have in the Azure DevOps Access Token the kid field ?
To get kid field in Azure DevOps access token, you can generate OAuth token using Azure AD to call DevOps REST API.
I tried to reproduce the same in my environment via Postman and got below results:
I registered one Azure AD application and added Azure DevOps permissions like below:
Make sure to grant admin consent to the permissions like below:
Now, I generated access token using client credentials flow via Postman with below parameters:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id: <appID>
grant_type:client_credentials
scope: https://app.vssps.visualstudio.com/.default
client_secret: <secret>
Response:
When I decoded the above access token in jwt.ms, I got kid field successfully like below:

Microsoft Azure OAuth Client Credentials Token gets "AuthorizationFailed" response

I want create APIM subscriptions through rest api, And was able to do it successfully by following this Microsoft doc, https://learn.microsoft.com/en-us/rest/api/apimanagement/current-ga/subscription.
And for Authentication I am generating a bearer token using ROPC grant type(My UserName & Password). Everything works fine with this flow.
But i dont want to configure my username & password in a application to get a bearer token, instead i followed Client-Credentials grant type(get token by client id & secret), i am able to generate token, but when i use that token to create subscription in APIM, i am getting a exception
The client '0--e' with object id '0--e' does not have authorization to perform action 'Microsoft.ApiManagement/service/subscriptions/write'
Is it possible to add a AAD application inside APIM AccessControl(IAM) to grant permission.
Or is this any other way to do this? or ROPC is the only way?
Can someone please help.
Yes, you can grant permission to AAD application (service principal) in APIM Access Control (IAM) by assigning it API Management Service Contributor role.
I tried to reproduce the same in my environment and got the below results:
I have generated one access token using Client-Credentials grant type like below:
When I used the above token to create APIM subscription with below query, I got the same error:
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ApiManagement/service/apimService1/subscriptions/testsub?api-version=2021-12-01
{
"properties": {
"ownerId": "/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ApiManagement/service/servicename/users/xxxxxxxxxxx",
"scope": "/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ApiManagement/service/servicename/products/xxxxxxxxxxx",
"displayName": "testsub"
}
}
Response:
To resolve the error, you need to grant API Management Service Contributor role for that application like below:
Go to Azure Portal -> APIM Services -> Your APIM -> Access control (IAM) -> Add role assignment
After granting the above role, I generated the access token again and ran the same query as below:
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ApiManagement/service/apimService1/subscriptions/testsub?api-version=2021-12-01
Response:
When I checked the Portal, APIM subscription got created successfully like below:
Reference:
How to use Role-Based Access Control in Azure API Management | Microsoft Docs

Azure to Auth0 connection - Invalid client secret is provided

I'm using Azure AD as my Identity Provider (IdP) and trying to connect Auth0 to it as a client. I've followed all the steps mentioned in
https://auth0.com/docs/connections/enterprise/azure-active-directory/v2
Redirection from Auth0 to Azure AD is working as expected. Login on Azure AD side is also showing a success in its log, however I'm getting and error at Auth0 side which says,
"Invalid client secret is provided"
I've double checked the client secret. Freshly generated it to eliminate possiblity of its expiry but still gettting this error.
Below is an error message payload.
"error": {
"message": "failed to obtain access token",
"oauthError": "invalid_request",
"type": "request-error",
"payload": "{
"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.
Trace ID: 52ea6301-3da2-46c7-b355-865dfff34c01
Correlation ID: 69415f95-1430-45eb-b653-3c76f934ccc0
Timestamp: 2021-11-29 05:11:57Z",
"error_codes":[7000215],
"timestamp":"2021-11-29 05:11:57Z",
"trace_id":"52ea6301-3da2-46c7-b355-865dfff34c01",
"correlation_id":"69415f95-1430-45eb-b653-3c76f934ccc0",
"error_uri":"https://login.microsoftonline.com/error?code=7000215"}"
},
Make sure you have copied client secret value and not the client secret ID.
Gave wrong value of client secret getting the same error as you.
Would Suggest you try with following parameter as I have set for authorization type OAuth2.0.
URL : https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/token
Given the correct value of Client Secret and getting the access token.
Also, check that the Azure AD Client secret is not expired. Otherwise, generate a new one, then update it in the enterprise connection configured with Auth0.

usage details api using azure app registration in azure AD

In basic terms, I am trying to get an access token to get Azure Cost Centre Data through the Usage Details API. The problem is that I can't seem to configure my service principal with azure properly. I have:
Created the registered app in Azure Active Directory
added https://www.thunderclient.io/oauth/callback in the redirect URL
generated a client secret
Included the following information in my Generate New Token in Thunder Client:
Request URL:
GET: https://management.azure.com/subscriptions/{subscription-id}/resourceGroupName/{resourceGroupName}/providers/Microsoft.CostManagement/dimensions?api-version=2019-11-01
Grant Type: Authorization Code
Auth Url: https://login.mmicrosoftonline.com/common/oauthorize
Token Url: https://login.microsoft.com/{tenant-id}/oauth2/v2.0/authorize from app registration
callback Url: https://thunderclient.io/oauth/callback
client ID: {{client_id}} from app registration
client secret: {{client_secret}} from app registration
scope: user_impersonation
{
Status 401 Unauthorized
"error": {
"code": "AuthenticationFailed",
"message": Authentication failed."
}
}
Header:
Bearer authorization_uri "https://login.windows.net/{tenant_id}, error= "invalid_token", error description="Could not find identity for access token"
Answering my own question. And big thanks to Guarav Mantri in the comments below.
The Scope should be set to https://management.azure.com/.default
The Grant Type is client credentials and not authorization code
The service principal needs to be added to the resource in azure that is part of the request (i.e. if looking for subscription data, then add the service principal as a reader role to the subscription).

How to use Azure API for FHIR Server without any authorization token

I have created a resource for Azure API for FHIR Server. I am able to get see the metadata information using the URL like https://fhir-server-url/metadata. As mentioned in the documentation https://learn.microsoft.com/en-us/azure/healthcare-apis/access-fhir-postman-tutorial to access other URLs like https://fhir-server-url/Patient, we need to get the Authorization token first. To get the authorization token we need ClientID which we can get by creating an application in Azure Active Directory. But I don't have access to it.
Is there any way I could access this URL without requiring the authorization token? By making some setup in Azure Portal.
If you are using the first party audience (e.g. https://azurehealthcareapis), which is the default when deploying the Azure API for FHIR, you can actually use a first party client application such as the Azure CLI to get a token. Check https://learn.microsoft.com/azure/healthcare-apis/get-healthcare-apis-access-token-cli for details.
First log in with the Azure CLI (https://learn.microsoft.com/cli/azure/?view=azure-cli-latest) :
az login
Get a token and store it
token=$(az account get-access-token --resource=https://azurehealthcareapis.com | jq -r .accessToken)
Use the token:
curl -X GET --header "Authorization: Bearer $token" https://<FHIR ACCOUNT NAME>.azurehealthcareapis.com/Patient
It looks like from the FHIR Server Doc you can turn this on or off based on the FhirServer:Security:Enabled config setting see https://github.com/microsoft/fhir-server/blob/master/docs/Authentication.md
"FhirServer" : {
"Security": {
"Enabled": true,
"Authentication": {
"Audience": "fhir-api",
"Authority": "https://localhost:44348"
}
}}
One way is to get your app registration in Azure Active Directory(AAD).
You would need two app registrations in AAD to get client Id & client secret for authorization token retrieval.

Resources