Microsoft Graph API Token Generation From Nodejs Code - node.js

I want to access the Microsoft Graph API, and for that I am trying to generate a token from Node.js code. I am getting a token from Node.js, but when I decode this token in jwt.io I do not see a scope parameter. Also, when I use this token to access the Microsoft Graph API it gives the error
Authorization_RequestDenied
Code Generation screenshot

The doc https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow clearly says that if
grant_type: "client_credentials" the response would be as follows; it won't have a scope variable:
{
"token_type": "Bearer",
"expires_in": 3599,
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBP..."
}
This is what you are getting, so it's working perfectly.
You are looking for the scope variable, so you have to use
grant_type=authorization_code; the response is
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
"token_type": "Bearer",
"expires_in": 3599,
"scope": "https%3A%2F%2Fgraph.microsoft.com%2Fuser.read",
"refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4...",
"id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctOD..."
}
Here you will get the scope variable; the reference is https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
So the way you are calling is important, whether client_credentials or authorization_code.
EDIT
You have to call the authorise API as follows:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read
&state=12345
Modify your request with the URL and params and you will get the response as follows:
GET https://login.microsoftonline.com/common/oauth2/nativeclient?
code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrq...
&state=12345
Here is the code you are looking for. So after this you have to make the above call for the token.
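An added diagnostic, not code from the original question or answer: decoding the token (without verifying it) shows which permission claim it carries. Delegated tokens from authorization_code or ROPC list permissions in the scp claim; app-only tokens from client_credentials list application permissions in the roles claim, which is why a client_credentials token shows no scope in jwt.io. The sample tokens are constructed and unsigned.

```javascript
// Added example (not from the original answer): decode an Azure AD access token
// WITHOUT verifying it, only to see which permission claim it carries. Delegated
// tokens (authorization_code, ROPC) list permissions in "scp"; app-only tokens
// (client_credentials) list application permissions in "roles", which is why a
// client_credentials token shows no scope in jwt.io. Diagnostic only: an
// unverified decode must never be used to make an authorization decision.

function base64UrlDecode(segment) {
  const base64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function base64UrlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) {
    throw new Error("not a JWT: expected header.payload.signature");
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Summarise which Graph permissions the token carries and under which model.
function describeTokenPermissions(token) {
  const claims = decodeJwtPayload(token);
  if (typeof claims.scp === "string") {
    return { kind: "delegated", permissions: claims.scp.split(" ") };
  }
  if (Array.isArray(claims.roles)) {
    return { kind: "app-only", permissions: claims.roles };
  }
  // Neither claim: Graph rejects the call. Authorization_RequestDenied is the
  // typical result for an app-only token whose application permissions were
  // never granted and admin-consented on the app registration.
  return { kind: "none", permissions: [] };
}

// Constructed sample tokens (unsigned; the signature segment is a placeholder).
function makeSampleToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ typ: "JWT", alg: "RS256" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.placeholder`;
}

const delegatedSample = makeSampleToken({ aud: "https://graph.microsoft.com", scp: "User.Read Mail.Read" });
const appOnlySample = makeSampleToken({ aud: "https://graph.microsoft.com", roles: ["User.Read.All"] });
const noPermissionSample = makeSampleToken({ aud: "https://graph.microsoft.com" });
```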

I'm implementing Microsoft Azure OAuth2 on our web app, but when fetching the access token using the auth code, we are seeing the below error:

{
"error": "invalid_grant",
"error_description": "AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: 1740a160-8c95-42da-aa37-562693c30300\r\nCorrelation ID: 918e8299-271d-46a9-9e9b-5893a348f934\r\nTimestamp: 2022-01-24 11:49:44Z",
"error_codes": [
9002313
],
"timestamp": "2022-01-24 11:49:44Z",
"trace_id": "1740a160-8c95-42da-aa37-562693c30300",
"correlation_id": "918e8299-271d-46a9-9e9b-5893a348f934",
"error_uri": "https://login.microsoftonline.com/error?code=9002313"
}
Solution 1:
If you are trying to get a token using the OAuth 2.0 code grant flow, then request the access token using the authorization code.
https://login.microsoftonline.com/YourTenantId.onmicrosoft.com/oauth2/authorize?client_id=YourClientId&response_type=code&redirect_uri=https://www.getpostman.com/oauth2/callback&response_mode=query&scope=offline_access%20user.read%20mail.read
Use the authorization code to request an access token:
Token Request Endpoint: https://login.microsoftonline.com/YourTenantId/oauth2/token
client_id:YourClientId
scope:https://graph.microsoft.com/User.ReadWrite.All
redirect_uri:https://www.getpostman.com/oauth2/callback
grant_type:authorization_code
client_secret:YourAppsSecret
code:Paste Your Code Here
Postman format:
Solution 2:
After your app registration in the Azure Portal,
enter this link in the browser to get the code:
https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id={your-client-id}
&response_type=code
&redirect_uri=https://localhost:4500/web/completeoauth/ms
&response_mode=query
&state=12345
and use Postman to get the access token like below:

Not getting refresh token and id_token with Azure AD OAuth2.0 ROPC flow using username and password

I am using the ROPC flow with user details and client details to get an access token and refresh token. But I am only getting the access token, and this expires in 1 hour.
My frontend app has a sign-in window where we provide AD user creds; this makes a POST request and the FE gets a successful auth.
I have 2 questions:
I am getting a CORS issue while making the user sign-in request from http://localhost:3000, with an access-control-allow-origin header error.
I would like to get a refresh token for continuous app login, or should I set the lifetime of the access token to a day?
REQUEST:
// Line breaks and spaces are for legibility only. This is a public client, so no secret is required.
POST {tenant}/oauth2/v2.0/token
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=user.read%20openid%20profile%20offline_access
&username=MyUsername#myTenant.com
&password=SuperS3cret
&grant_type=password
RESPONSE:
{
"token_type": "Bearer",
"scope": "api://94849942785375897059789375379/FIles.Read",
"expires_in": 3598,
"ext_expires_in": 3598,
"access_token": "8YU4bMhafsfhaeoahehviyy8786w89ufo2ofj29h8gMWnB633NLWn7JQ"
}
You need to add offline_access and openid to the scope parameter when requesting the token; add them and you will get the id token and refresh token.
Update:
Your application will need a back-end that will fetch the data and return it to the front-end. So try to call the token endpoint from the back-end.

Azure access token generation from Postman

I wanted to generate an Azure token from Postman for API authorization in my project. I am able to generate a token using the below API request, but I get the error message "Authorization denied for this request" when using the generated token in another API request.
Endpoint:
https://login.microsoftonline.com/:tenant_id/oauth2/token
Params:
tenant_id: As per id generation by azure.
Body (form-data):
grant_type:client_credentials
client_id:As per id generation by azure.
client_secret:As per id generation by azure.
resource:Required URL
Response:
{
"token_type": "Bearer",
"expires_in": "foo",
"ext_expires_in": "foo",
"expires_on": "foo",
"not_before": "foo",
"resource": "foo",
"access_token": "foo"
}
Since the above returned token is not accepted, I passed the username and password as well in the body of the request, but ended up with the same results. Also, Azure did not consider my credentials even when they were wrong.
Could you please advise what else I need to send in the response to get a valid token id?
The valid format for the client_credentials authentication flow is like below:
Azure Portal Credentials For App Id and Tenant Id:
Application Secret from Portal:
Token Endpoint Or URL:
https://login.microsoftonline.com/YourTenantName.onmicrosoft.com/oauth2/token
Request Param:
grant_type:client_credentials
client_id:b603c7be_Your_App_ID_e6921e61f925
client_secret:Vxf1Sl_Your_App_Secret_2XDSeZ8wL/Yp8ns4sc=
resource:https://graph.microsoft.com
Postman sample:
Token On Response:
Expose Your Own API:
When you want to authorize your own API you have to add it here, so that your token will contain this permission and this API can be accessed. Refer to these docs.
For more clarity you could refer to the official docs.
You should try adding the "X-ZUMO-AUTH" header to your request when using the generated token.
GET https://<appname>.azurewebsites.net/api/products/1
X-ZUMO-AUTH: <authenticationToken_value>
https://learn.microsoft.com/en-us/azure/app-service/app-service-authentication-how-to

What is the expiry time of refresh token issued by Microsoft Azure OAuth2.0?

What is the expiry time of the refresh_token issued by Azure OAuth2.0 using the following link:
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Sample response:
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
"token_type": "Bearer",
"expires_in": 3599,
"scope": "https%3A%2F%2Fgraph.microsoft.com%2Fmail.read",
"refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4...",
"id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctOD..."
}
This is described in the documentation for v2: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-tokens#token-lifetimes
For Azure AD users, 14 days; for personal accounts, 1 year.
But of course if you get a new token with the refresh token, you also get a new refresh token there.
But also, as the docs say, you must not rely on these. Refresh tokens can become invalid for various reasons, for example if the user's password is reset.

Azure AD returns unusable access_token

I'm trying to get the access token from the Azure AD, which I'm using as an OAuth identity provider.
I successfully received an authorization code from the https://login.microsoftonline.com/common/oauth2/authorize endpoint, and am trying to get an access_token. The request has the following parameters:
https://login.microsoftonline.com/common/oauth2/token, Method=POST
grant_type=authorization_code
&client_id=<GUID>
&code=<CODE RECEIVED ON THE PREVIOUS STEP>
&redirect_uri=<...>
&client_secret=<SECRET>
I'm receiving the following response:
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1506527801",
"access_token": "AQABAA...Sc0YMuMr73WQyjzuyAA",
"refresh_token": "AQABAAAAAAABlDrqfEFlSaui6...xin-iAA",
"id_token": "eyJ0eXAiOiJKV1...HjgO0A"
}
When I try to use the access_token, the result is always a 401 error (Unauthorized). The id_token looks like a normal JWT token and can be decoded. But the access_token and refresh_token are not; it looks like they are Base64-encoded values of JWT tokens.
What can cause the 401 error? All requests are performed from the same domain. The application is registered with Azure using app.dev.microsoft.portal.
The issue was caused by the lack of the "resource" property, which I had to set to the App ID of the application I wanted to access:
https://login.microsoftonline.com/common/oauth2/token, Method=POST
grant_type=authorization_code
&client_id=<GUID>
&code=<CODE RECEIVED ON THE PREVIOUS STEP>
&redirect_uri=<...>
&resource=a1fc97d5-...-fa8763202a29
&client_secret=<SECRET>
After setting the proper permissions in the client app, I got the proper JWT token.
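The v1-versus-v2 distinction behind this fix and the earlier Postman client_credentials answer, as an added Node.js example that is not part of the original posts: the v1 endpoint (/oauth2/token) names the target API with resource, the v2 endpoint (/oauth2/v2.0/token) uses scope, and a quick shape check tells an opaque token apart from a JWT before any request is debugged further. All ids, secrets and URIs are placeholders.

```javascript
// Added example (not from the original question or answer): build the token
// request body with the parameter the endpoint version needs. The v1 endpoint
// (/oauth2/token) names the target API with "resource"; the v2 endpoint
// (/oauth2/v2.0/token) uses "scope". A v1 authorization_code request without
// "resource" is exactly what yields the opaque, non-JWT access_token above.
// All ids, secrets and URIs are placeholders.

// A JWT is three base64url segments separated by dots; Azure AD's opaque
// tokens fail this shape check, which is a quick first diagnostic for a 401.
function isJwt(token) {
  return /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/.test(String(token));
}

function tokenEndpoint(tenant, version) {
  const base = `https://login.microsoftonline.com/${encodeURIComponent(tenant)}/oauth2/`;
  return version === "v2" ? `${base}v2.0/token` : `${base}token`;
}

// Returns the application/x-www-form-urlencoded body for the token request.
function tokenRequestBody(opts) {
  const { version, grantType, clientId, clientSecret, code, redirectUri, resource, scope } = opts;
  const body = new URLSearchParams({ grant_type: grantType, client_id: clientId });
  if (version === "v1") {
    if (!resource) throw new Error("v1 endpoint needs resource, e.g. https://graph.microsoft.com");
    body.set("resource", resource);
  } else {
    if (!scope) throw new Error("v2 endpoint needs scope, e.g. https://graph.microsoft.com/.default");
    body.set("scope", scope);
  }
  if (grantType === "authorization_code") {
    if (!code || !redirectUri) throw new Error("authorization_code needs code and redirect_uri");
    body.set("code", code);
    body.set("redirect_uri", redirectUri);
  }
  if (clientSecret) body.set("client_secret", clientSecret);
  return body.toString();
}
```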
