Could not complete OAuth 2.0 Login - azure

Hi, I have created an application in Azure AD. I am trying to get a token from Postman.
I am getting the error below: Could not complete OAuth 2.0 Login.
Below is my request.
My auth URL is
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
In the above URL, in place of organizations do I need to put my company name? Also, do I need to add resource to the URL? Can someone help me find the error? Any help would be appreciated. Thanks

In the above URL, in place of organizations do I need to put my company name?
It depends on your requirements: if you just want your tenant (company) users to log in (single tenant), use the tenant name/id here; if you want both your tenant and other tenants to log in, you can use common/organizations here (multitenant).
Also, do I need to add resource to the URL?
No, you need a scope value instead of resource. This is what you want the user to consent to.
Could not complete OAuth 2.0 Login in Postman
1. Register an application in the Azure portal.
2. The parameters in Postman:
Auth URL:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
I am using the Authorization Code flow to get the access token; you can also use the Client Credentials flow. Refer to my answer here.

Related

Unable to get Token with Work Account for Teams OnlineMeeting API within MS Graph platform

Business Requirement:
We want to replace our Skype meeting URL with a Teams meeting on our production system (within an ABAP daemon service without user integration). So I am trying to integrate with Teams using the Microsoft Graph API to be able to generate online meetings. Then this online meeting URL will be sent to our customer by mail.
Target Graph API: For the MS Graph API v1.0 version, I think the only option is Create onlineMeeting (the Graph API /beta version is not a good option for production usage).
According to the MS Graph documentation v1.0 Create onlineMeeting, this API only supports permissions of the Delegated type. I think we could only use the username/password authentication flow. Correct me if I'm wrong.
Issues: I'm trying to get a token with user and password as described in ROPC Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials, using the following API to test it with my corporate mail.
POST /{{TennatId}}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
SdkVersion: postman-graph/v1.0

grant_type=password&client_id={{ClientId}}&client_secret={{ClientSecret}}&scope=https://graph.microsoft.com/onlineMeetings.ReadWrite&userName=MyCorporateMail#org.com&password=MyPassword
But it always gets an invalid_grant response: AADSTS50126: Error validating credentials due to invalid username or password.
I don't know why it cannot get a token response with my corporate (work) mail/account **#sap.com; I'm sure my password and other parameters are correct.
And if I use a new test user sapse#wardsap.onmicrosoft.com which was created in Azure Active Directory, I get the token successfully. This user doesn't need two-step authentication when logging in to Azure. But this user does have a Teams/OnlineMeeting license, so it couldn't generate an onlineMeeting.
My Question:
Could it possibly be caused by the MFA configuration of my org? Because I noticed that every time I log in to https://aad.portal.azure.com/, there is a second authentication step, verifying with a message on my phone.
If yes, would it be possible to disable MFA for some test/dev accounts permanently? Where should we configure it? Within MS Azure or somewhere else? Who should I get support from?
For this Create onlineMeeting API, do we have another authentication flow for this Delegated permission type for a back-end daemon service?
Thanks and Best Regards,
Ward
MFA will definitely prevent you from using this authentication flow.
The Resource Owner Password Credentials flow and its use are discouraged.
There are many flows which are more secure, and usually you can use ones like authorization code flow to achieve what you want.
MFA is configured by your organization, you'll need to contact your IT about that.
But I would not recommend disabling MFA for this.
A back-end daemon application needs to either use application permissions or a refresh token.
If the API in question does not support application permissions, you can acquire a refresh token for a user through the authorization code flow, store it securely, and use it whenever you need a new token.
If you do this, be sure to overwrite the old refresh token with the new one that you get when you ask for an access token.
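A worked example of the refresh-token approach this answer recommends, as added code that is not part of the answer: the daemon exchanges its stored refresh token at the v2.0 token endpoint and overwrites it with the rotated one it gets back. The tenant, client id, secret and the fake_transport replies are constructed placeholders; the transport is injectable so the rotation logic can run offline.

```python
"""Refresh-token rotation for a back-end daemon against the Azure AD v2.0 token
endpoint. Added example (not the answer's code). Tenant, client id, secret and
the fake response below are constructed placeholders."""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

def http_post_form(url, form):
    """Real transport: POST a form-encoded body and return the JSON reply."""
    req = Request(url, data=urlencode(form).encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return json.load(resp)

class TokenStore:
    """Current credentials of the daemon. In production keep refresh_token
    encrypted at rest (e.g. a secret store); it is as sensitive as a password."""
    def __init__(self, refresh_token):
        self.refresh_token = refresh_token
        self.access_token = None

def refresh_access_token(store, tenant, client_id, client_secret, scope,
                         transport=http_post_form):
    """Exchange the stored refresh token for a new access token.
    scope must include offline_access for the v2.0 endpoint to return a
    (possibly rotated) refresh token alongside the access token."""
    form = {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "scope": scope,
            "refresh_token": store.refresh_token}
    body = transport(TOKEN_URL.format(tenant=tenant), form)
    if "error" in body:
        # e.g. invalid_grant once the refresh token expired or was revoked:
        # the daemon must be re-authorized via the authorization code flow.
        raise RuntimeError(f"{body['error']}: {body.get('error_description', '')}")
    store.access_token = body["access_token"]
    # Overwrite the old refresh token with the new one, as the answer advises;
    # keeping the stale one would break the next refresh after it expires.
    if body.get("refresh_token"):
        store.refresh_token = body["refresh_token"]
    return store.access_token

def fake_transport(url, form):
    """Constructed stand-in for the token endpoint (offline demo only)."""
    if form["refresh_token"] != "rt-old":
        return {"error": "invalid_grant", "error_description": "token revoked"}
    return {"token_type": "Bearer", "expires_in": 3599,
            "access_token": "at-1", "refresh_token": "rt-new"}
```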

How do I authorize one Azure Active Directory app to access a different AAD App Service Web API using a Bearer token?

I've been searching for a couple of days, and I can't seem to find a straightforward guide on how to set up Authorization (AuthZ) between an AAD App and my AAD Web API set up in App Service. I've tried things like this official guide, but I can't seem to get calls with a Bearer token from the client app to work.
Has anyone done this successfully? Is there a step-by-step guide out there that could help?
Please let me know if there are any questions!
To implement your requirements, you need to expose an API in your AAD Web API first.
Then go to your AAD App which is used to request the token and add the permission to it.
Click the "Grant admin consent for *" button.
After that, we can request the access token successfully (below I provide a sample using the password flow for your reference).
In your Web API app, you need to parse the access token and get the scope permission from it, and then determine whether the request has permission.
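An added example (not the answer's code) of the last step: reading the permission claims out of the bearer token and deciding whether the request is allowed. It assumes the token's signature, issuer and expiry have already been validated by a JWT library against the tenant's signing keys; the App ID URI and claim values are constructed.

```python
"""Authorizing a request in the Web API from a validated bearer token.
Added example, not the answer's code. payload_claims only reads the JWT payload;
signature, issuer and expiry must be validated first (e.g. PyJWT + tenant JWKS).
The audience and claim values below are constructed."""
import base64
import json

def payload_claims(token):
    """Decode the payload segment of a compact JWT (unpadded base64url).
    Not a validation step: it only exposes the claims for the checks below."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))

def granted_permissions(claims):
    """Permissions the token actually carries. Delegated scopes come
    space-separated in `scp`; application permissions (client-credentials
    tokens) come as a list in `roles`. Absent claims mean no permission."""
    scopes = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    return scopes | roles

def authorize(claims, expected_audience, required):
    """Allow only if the token was issued for this API and carries `required`.
    Re-checking `aud` stops a token minted for another API (e.g. Graph) being
    replayed against this one; a token is bound to a single resource."""
    if claims.get("aud") != expected_audience:
        return False
    return required in granted_permissions(claims)

def _b64url(obj):
    """Helper to build the constructed sample token (no real signature)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

API_AUDIENCE = "api://my-web-api"  # constructed App ID URI of the Web API
SAMPLE_DELEGATED = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                             _b64url({"aud": API_AUDIENCE, "scp": "Orders.Read Orders.Write"}),
                             "signature-placeholder"])
SAMPLE_APP_ONLY = {"aud": API_AUDIENCE, "roles": ["Orders.ReadAll"]}
SAMPLE_OTHER_API = {"aud": "https://graph.microsoft.com", "scp": "User.Read"}
```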

Need help setting up Azure AD B2C SSO with Knack

Knack has an option to set up custom Single Sign-On options. There are a few items I am unclear on as to where to find them on Azure AD B2C. According to their help article, I must provide the following information for OAuth 2.0:
Authorization URL: the URL that your user is redirected to in order to obtain permissions when they click the SSO button.
Access Token URL: used to obtain a token to verify future requests to the authentication provider to act on your user's behalf.
Profile URL (OAuth only): the URL where information about a user's account can be retrieved. The Profile URL will be sent a GET request authenticated by the user's token, and will be expected to return a JSON object.
For the Authorization URL, I have tried to supply the 'Sign-up or Sign-in' policy endpoint, as that takes you to the login page. I think this is right; however, I am unsure.
For the Access Token URL, I have tried either the Authorization Endpoint or the Token Endpoint, but I'm not sure if those are right.
"authorization_endpoint": "https://login.microsoftonline.com/zyxelcustomers.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1_zyxelcustomerssusi"
"token_endpoint": "https://login.microsoftonline.com/zyxelcustomers.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_zyxelcustomerssusi"
For the Profile URL, I actually have no idea where I would find this on Azure AD B2C.
Single Sign-On is new to me and I have gone through the Azure AD documentation to try to help myself, but ultimately I am stuck.
Thanks in advance for your help and please let me know what other information I can provide.
Edit 9/26/2017:
This B2C documentation describes the purpose of Authorization URL and Access Token URL.
In short, Authorization URL is the endpoint to send the user to enter their credentials. If credentials are valid, an authorization code will be returned via URL to the designated Reply URL. The client app will then use the returned authorization code to request for an access token from the Access Token URL. If successful, the client can now attach the access token as a Bearer token in the Authorization header to authorize future API calls before the token expires.
Unfortunately, as of this time of writing, AADB2C does not support calling the Azure AD Graph or Microsoft Graph API for user profile information.
You should not need to provide a Profile URL since Azure AD B2C uses Open ID Connect, and not OAuth (similar protocols, but not identical). The Profile URL field is optional, so try configuring it without filling out the field.

azure active directory & postman

I have an Azure Web API application which is secured by an Azure Active Directory tenant. Through Postman I am trying to obtain the OAuth2 access token using Postman's OAuth2 helper. Getting the access token requires four bits of info: the tenant auth endpoint, the tenant token endpoint, the client id and the client secret of the associated tenant application. It also seems that the tenant application reply URL must include https://www.getpostman.com/oauth2/callback, which is where Postman is supposed to retrieve the token into the helper.
I can't get this to work. The get access token button reports back an error, but it is very hard to decipher what the error is: the debug URL reveals nothing really.
Has anyone had any experience attempting to get an AAD OAuth access token with Postman's OAuth2 helper? If so, do you have any hints as to where I should look to debug what is going on?
The extension sadly lacks one critical field for Azure AD. AAD must know what resource you want the token for, since a token will not work for all APIs that your app has permissions for. The authorization code is actually retrieved successfully, but the request to the token endpoint fails with an error message about the missing resource identifier. So you can't use it with AAD; neither the authorization code nor the client credentials flow works.
Update: The Azure AD v2 endpoint allows you to use the scope parameter instead of resource, which Postman does support!
You can set the resource ID as a parameter to the Auth URL.
Auth URL: https://_______________?resource=https://_________
I am attempting the same authentication flow with the Postman app (vs. the extension). Watching Fiddler, it appears that the authorization grant is coming back, as I see a response from AAD of the form GET https://www.getpostman.com/oauth2/callback?code=AAABAAAAiL9Kn2Z27UubvWFPbm0gLTo3oWq....
I'm assuming the "code" is the authorization grant, because if I attempt to use it as the access token it is unauthorized. Also, the Fiddler session responds with a 301 Moved Permanently to https://app.getpostman.com/oauth2/callback...
This is my experience with AAD and Postman. You should first validate that you successfully authenticated through AAD and Postman.
Adapted from this post:
1. Set up a dedicated 'postman-test' app registration in your AD tenant, with permission to access your target API. Ensure it has the Postman callback URL previously mentioned.
2. Fill in Postman's OAuth helper form with the following details:
Token Name: any name to save the token.
Auth URL: https://login.microsoftonline.com/{tenant}/oauth2/authorize?resource={testing-appId-uri}
Access Token URL: https://login.microsoftonline.com/{tenant}/oauth2/token
Client ID: Client Id from the configure tab of the "postman-test" app.
Client Secret: client secret copied from the configure tab of the "postman-test" app.
Grant Type: Authorization Code
Note:
tenant: it can be either the name of the active directory or the TenantId of the admin who created the active directory.
testing-appId-uri: the App ID URI of the application you are testing. It should include the http:// or https:// and does not need escaping.

How to Add users to Azure Active Directory with Graph API

I am trying to understand how the Azure Active Directory Graph API works for adding users to the directory. According to this:
http://msdn.microsoft.com/en-us/library/azure/dn130117.aspx
I need to access the Graph API URL and pass in something called a "bearer token" in the "Authorization" header so that it will allow me to add the user specified in the request's body. However, I have no idea where I can get one of these tokens. All my research points to the user having to be already authenticated to get a token, which kind of defeats the point, since I want to add the user so he can authenticate.
I have configured my app in the Azure Management Portal, and thought the bearer token was the "Client ID" that I get when I go to my added applications in the directory. But when I pass this number to the Graph API, I get "Access Token Missing or malformed". I am testing this using the Fiddler Web Debugger app.
These 2 posts describe very thoroughly the steps to get the required token in 2 different scenarios:
Authorization Code Grant flow: http://msdn.microsoft.com/en-us/library/azure/dn645542.aspx
Client Credentials Grant flow: http://msdn.microsoft.com/en-us/library/azure/dn645543.aspx
If you want to use the Client Id and Client Key to authenticate your client to Azure Active Directory, then you should read the 2nd article. The first one is to authenticate an already existing user.
If you want to programmatically get the OAuth2 token, then you could use the AAD authentication libraries: http://msdn.microsoft.com/en-us/library/azure/dn151135.aspx