DestinationAccessException using s/4 sdk - sap-cloud-sdk

While trying to consume the OData service from an S/4 cloud system using OAuth I get the following error:
"DestinationAccessException: Failed to get authentication headers. Destination service returned error: Requested OAuth 2.0 scope exceeds the scope granted by the resource owner or OAuth 2.0 client"
The OData service is OAuth enabled.
The OAuth scope of the service is specified in the destination configured on CF as well.
Please let me know if any further details are required.

This error is actually not caused by the SAP Cloud SDK itself, but rather by a wrong or missing configuration on the SAP S/4HANA side.
The error message Requested OAuth 2.0 scope exceeds the scope granted by the resource owner or OAuth 2.0 client indicates that the business user lacks the authorization object S_SCOPE for the requested OData API.
I recommend consulting the SECTRACE kernel trace to obtain more concrete information.

Related

Azure Active Directory Oauth 2.0 Client Credentials Flow with API Management Access Token issue

I have been struggling to make my Azure Active Directory OAuth 2.0 Client Credentials Flow work with API Management. I get authenticated via Postman too, but in return I do not get any access token, just a bunch of HTML. How can I fix this? The settings of the applications are exactly as per the documents, including the validate-JWT policy.
Basically I want my client apps to connect with my Azure APIs using OAuth 2.0 without any consent, using the provided client id/secret. I'm trying to set this up for now with the Echo API provided out of the box with the API Management console.
thanks
Postman Access token Error Screen
To use application permissions with your own API (as opposed to Microsoft Graph), you must first expose the API by defining scopes in the API's app registration in the Azure portal. Then, configure access to the API by selecting those permissions in your client application's app registration. If you haven't exposed any scopes in your API's app registration, you won't be able to specify application permissions to that API in your client application's app registration in the Azure portal.
For example, if I send the scope parameter with a custom name like https://testwebapp.in/.default without configuring the same as the Application ID URI in Azure AD, then this is expected behavior and you will get error AADSTS500011.
The scope parameter in the request should be the resource identifier (Application ID URI) of the resource you want, affixed with the .default suffix. For the Microsoft Graph example, the value is https://graph.microsoft.com/.default. This value tells the Microsoft identity platform that, of all the direct application permissions you have configured for your app, the endpoint should issue a token for the ones associated with the resource you want to use.
Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#application-permissions

Microsoft OAuth 2.0 Authorize endpoint complains about missing secret

I am trying to create an online meeting with a web application using the Microsoft Graph API.
When I try to initiate an authorization request to get permissions from the end-user to create a token with a similar URL to:
https://login.live.com/oauth20_authorize.srf?state=xxx&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&response_type=code&approval_prompt=auto&client_id=xxx
I get the following error message from the Microsoft API:
The client does not have a secret configured. If you are the client
application developer, configure a secret through the application
management site at https://go.microsoft.com/fwlink/?linkid=2083908.
I have a secret configured for the application in the "Certificates & secrets" part under the "Client secrets":
I have no clue what I am missing here and the Microsoft documentation is not really helpful.
The solution was to change the authorize and token endpoint to https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize and to https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token respectively as it is described here.
In my case - since I want to support multiple tenants - I could not fill out the {tenant} part of the URL with the actual tenant id, but I needed to set organizations since, as it is described here, only work or school accounts are supported.
So the final URLs changed to the following:
Authorize: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
Token: https://login.microsoftonline.com/organizations/oauth2/v2.0/token
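The two answers above come down to getting the v2.0 endpoint URLs and the scope value right: the tenant segment (a tenant id, or organizations for work/school accounts) and a client-credentials scope that is the resource's Application ID URI plus /.default. The helper below is an added example, not code from either answer; it builds those values, rejects the obvious mistakes, and refuses an HTML reply where a JSON token response was expected. The client id, secret and Application ID URI values in the test are constructed placeholders, and the scope check only enforces the shape; the URI still has to be registered as the API's Application ID URI.

```python
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"


def v2_endpoint(tenant: str, kind: str) -> str:
    """v2.0 authorize/token URL for a tenant id or for organizations/common/consumers."""
    if kind not in ("authorize", "token"):
        raise ValueError("kind must be 'authorize' or 'token'")
    if not tenant or "/" in tenant:
        raise ValueError("tenant must be a tenant id or one of organizations/common/consumers")
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/{kind}"


def default_scope(app_id_uri: str) -> str:
    """Client-credentials scope: the resource's Application ID URI with the /.default suffix."""
    if not (app_id_uri.startswith("api://") or app_id_uri.startswith("https://")):
        raise ValueError("scope must be an Application ID URI (api://... or https://...)")
    return app_id_uri.rstrip("/") + "/.default"


def client_credentials_body(client_id: str, client_secret: str, app_id_uri: str) -> dict:
    """Form body for POST {token endpoint}; no user consent is involved in this grant."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": default_scope(app_id_uri),
    }


def authorize_url(tenant: str, client_id: str, redirect_uri: str, scopes: list, state: str) -> str:
    """Authorization-code request against the v2.0 authorize endpoint (delegated flow)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return v2_endpoint(tenant, "authorize") + "?" + urlencode(params)


def parse_token_response(content_type: str, body: str) -> dict:
    """The token endpoint answers with JSON; an HTML page typically means a wrong URL."""
    if "application/json" not in content_type:
        raise ValueError(f"expected a JSON token response, got {content_type!r}")
    data = json.loads(body)
    if "error" in data:  # AADSTS codes arrive in error_description
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    return data
```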

Microsoft JWT iss set to sts.windows.net even after changing accessTokenAcceptedVersion to 2

I created a new app service and set accessTokenAcceptedVersion to 2 in manifest.json as I am looking for a v2 token similar to here. However, the accessToken generated by Microsoft always has an iss value of sts.windows.net when decoded. I would like it to be login.microsoftonline.com. Please advise.
This is my implementation:
This is my token when decoded:
Please advise.
Please see this part (just in the link you shared):
Resources always own their tokens (those with their aud claim) and are
the only applications that can change their token details. This is why
changing the access token optional claims for your client does not
change the access token received when a token is requested for
user.read, which is owned by the Microsoft Graph resource.
It means that the accessTokenAcceptedVersion setting should be configured in the service-side app registration rather than client-side app registration.
For a Microsoft Graph token, we are unable to configure it on the service side because the Microsoft Graph app registration is officially managed by Microsoft.
Configuring accessTokenAcceptedVersion on your client side won't change the token version to 2. It is expected.
This feature is mainly used when you call your own AAD-protected web API, rather than a Microsoft official API.
UPDATE:
If you want to call your own API, you should create the service-side app registration by following Protected web API: App registration and set accessTokenAcceptedVersion in it.
Here is the complete document for Scenario: A web app that calls web APIs.

How to make Azure AD access_token compliant for its signature validation outside Microsoft Graph APIs?

I have created an Azure AD Mobile and desktop application. Now I am getting my access_token using the following API,
POST https://login.microsoftonline.com/{Directory (tenant) ID}/oauth2/token
password:pass
client_id:id
resource:https://graph.microsoft.com
grant_type:password
client_secret:secret
username:userName
scope: openid
The response looks like,
"access_token": "acessToken",
"refresh_token": "refereshToken",
"id_token": "id_token".
Now I am passing the access_token to a third-party application which is configured with the same Azure AD client. When that third-party application tries to validate the signature, the operation fails.
Then I got to know it's because of the nonce, which is available only for Microsoft Graph APIs. Now how do I remove the same or make my access_token signature verification compliant?
You need to create another Azure AD application that represents the web api, and then use your client application to call the web api application.
First, you need to expose the API of the application representing the web API; you can configure it according to the following process:
Azure portal > App registrations > Expose an API > Add a scope > Add a client application
Next, you need to define the manifest of the API application and grant application permissions to your client application (these are the role permissions you define yourself; you can find them under My APIs when you add permissions).
This is the process of defining the manifest.
This is to grant permissions for the client application:
Finally, you can request a token for your api application (note that the resource parameter is no longer the Microsoft Graph API, it is the client ID of your API application and your custom role permissions in the manifest).
Update:
For application permissions only, the ROPC flow is generally not recommended. It is recommended that you use the client credentials flow based on the v2.0 endpoint. When using v2.0 endpoints, resource will no longer be used as a parameter; scope will be used instead, but their functions are the same. (Please note that the scope parameter looks like this: api://a13b414b-93b3-4aae-bb-xxxxxxxxx/.default.)
Parse the token and you will see the customized app Roles.
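The two answers above both come down to inspecting the token you actually received: a Graph-owned token carries a nonce in its JWT header and a v1 issuer (sts.windows.net), while a token issued for your own API registration has the issuer matching its ver claim, an aud equal to your API's client id, and the custom app roles in the roles claim. The inspector below is an added example, not code from the answers; it decodes the header and claims without verifying the signature (inspection only, never trust) and reports why local validation would fail. The tenant id, API client id, role name and signature segment of the two sample tokens are constructed placeholders.

```python
import base64
import json

TENANT = "00000000-0000-0000-0000-000000000000"      # constructed placeholder tenant id
MY_API_ID = "11111111-1111-1111-1111-111111111111"   # constructed client id of your own API app


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_json(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(header: dict, claims: dict) -> str:
    """Constructed sample token; the signature segment is a dummy, so it must never be trusted."""
    return f"{_b64url_json(header)}.{_b64url_json(claims)}.dummy-signature"


def decode_unverified(token: str):
    """Split a JWT into header and claims WITHOUT checking the signature (inspection only)."""
    header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def inspect_access_token(token: str, expected_aud: str, tenant: str) -> list:
    """Findings that explain why your API's local validation would fail; [] means it looks right."""
    header, claims = decode_unverified(token)
    findings = []
    if "nonce" in header:  # Graph tokens carry this; they are Graph's to validate, not yours
        findings.append("header has a nonce: token was issued for Microsoft Graph, "
                        "request one for your own API registration instead")
    ver, iss = claims.get("ver"), claims.get("iss", "")
    if ver == "1.0" and iss != f"https://sts.windows.net/{tenant}/":
        findings.append(f"v1 token with unexpected iss {iss!r}")
    elif ver == "2.0" and iss != f"https://login.microsoftonline.com/{tenant}/v2.0":
        findings.append(f"v2 token with unexpected iss {iss!r}")
    elif ver not in ("1.0", "2.0"):
        findings.append(f"unknown token version {ver!r}")
    if claims.get("aud") != expected_aud:
        findings.append(f"aud {claims.get('aud')!r} is not {expected_aud!r}")
    return findings


def app_roles(token: str) -> list:
    """The custom app roles granted to the client (the roles claim the answer points at)."""
    return decode_unverified(token)[1].get("roles", [])


# Constructed sample: what the v1 request with resource=https://graph.microsoft.com returns.
GRAPH_TOKEN = make_unsigned_jwt(
    {"typ": "JWT", "alg": "RS256", "nonce": "constructed", "kid": "kid1"},
    {"aud": "https://graph.microsoft.com", "iss": f"https://sts.windows.net/{TENANT}/", "ver": "1.0"})
# Constructed sample: a v2 token for your own API (scope api://{MY_API_ID}/.default) with an app role.
OWN_API_TOKEN = make_unsigned_jwt(
    {"typ": "JWT", "alg": "RS256", "kid": "kid1"},
    {"aud": MY_API_ID, "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0",
     "ver": "2.0", "roles": ["Data.Read"]})
```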

Azure AD OAuth Authentication with ADAL: what's the resource ID?

I'm trying to access the SharePoint [Online] REST API from an external application. I've registered it in Azure under an admin account and assigned it the appropriate user-delegated permissions (Office 365 SharePoint Online).
I use ADAL.js to make a call to acquireToken and use that token in my Authorization header. A valid-looking token is getting attached, but I'm getting the following 401 error in the response:
Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown
The acquireToken() method does take a resource param, and from what I've read online, this value for the SharePoint API should be https://[tenant].sharepoint.com, but that only returns a null bearer token.
What I do instead (which triggers the previous 401 error) is to simply set the resource to the app ID generated in Azure. That ends up getting set as a token in my localStorage cache. So that bearer token does return, but I get the exception.
Two questions:
What is the resource string, and what is the proper value to call on acquireToken(), seeing that calling it with my app ID (same thing I'm using as the client ID in my ADAL config) is the only value which returns a bearer token successfully? Is there a list of proper resource strings for each Microsoft API? I've been having trouble finding documentation on this topic.
Is the problem with my configuration on Azure?
Thanks!
To use the SharePoint Online REST API, we can use the discovery service REST API to find the SharePoint service endpoint. You can find all the service resource ids in the serviceResourceId of the response.
You can also consider using Microsoft Graph, which exposes multiple APIs from Office 365 and other Microsoft cloud services through a single endpoint.
For more detail about the discovery service REST API, you can refer here.