I am trying to get a Bearer token for my registered Azure AD-App to read all my sharepoint sites via API
I followed the guides from microsoft to a) grant permissions for the app and b get myself a token
so I now a) have all required permissions:
and b) received a token when using the scope https://graph.microsoft.com/.default
So here is my issue: when I try to get a token for lets say https://microsoft.sharepoint-df.com/Sites.Read.All:
https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
Body:x-www-form-urlencoded
client_id={appId}
scope=https://microsoft.sharepoint-df.com/Sites.Read.All
client_secret={secret},
grant_type=client_credentials
all I get in return is an error:
"error": "invalid_scope",
"error_description": "AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://microsoft.sharepoint-df.com/Sites.ReadWrite.All is not valid.\r\nTrace ID: ...\r\nCorrelation ID: ...\r\nTimestamp: 2019-06-09 07:35:21Z",
"error_codes": [
70011
],
Am I doing something wrong? I also tried the scope https://{{tenantName}}.sharepoint.com/Sites.Read.All
You are using client credentials flow to get the access token. The scope must be
https://graph.microsoft.com/.default
The value passed for the scope parameter in this request should be the
resource identifier (application ID URI) of the resource you want,
affixed with the .default suffix. For the Microsoft Graph example, the
value is https://graph.microsoft.com/.default. This value tells the
Microsoft identity platform endpoint that of all the direct
application permissions you have configured for your app, the endpoint
should issue a token for the ones associated with the resource you
want to use.
If you must use the specific scope like https://microsoft.sharepoint-df.com/Sites.Read.All You can use auth code grant flow to get the access token.
Related
I have added scope to "Expose an API" on the Azure portal with the reference of Microsoft document and granted API permission to that scope. After that I request a token using postman it returns an error AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid.
When I try scope like this {resource}/.default works fine. But, I need scope like {resource}/access_as_user
I have already tried this link, but it did not work.
You have used the wrong authentication flow, and you have granted delegated permissions. In this case, you should use the auth code flow.
Then you can set the scope to: api://{resource}/access_as_user.
Add:
This is my test process:
First obtain the authorization code in the browser:
https://login.microsoftonline.com/xxxxxxxx-bd27-40d5-8459-230ba2a757fb/oauth2/v2.0/authorize?
client_id=5f11e827-xxxx-4f1f-aa05-33a33f806aab
&response_type=code
&redirect_uri=https://jwt.ms/index
&response_mode=query
&scope=api://c848e37d-xxxx-4cd8-b9bf-0b2aa6927a82/access_as_user
&state=12345
Use the authorization code to redeem the access token:
I have a web application registered in Azure AD and have it working with the Graph API. But I would like to be able to instead query the Sharepoint REST API.
I have added the sharepoint delegated permission scope "AllSites.Read" to my application (in addition to the Graph API scopes that I was using before) and request this scope (in addition to the other delagated msgraph scopes) when I get the oauth token from the user. I successfully get the token, using https://login.microsoftonline.com/common/oauth2/v2.0 for the authorization/token calls, but am unable to make a successful query:
My query looks like client.get(f"https://{tenant}.sharepoint.com/_api/web/lists") where tenant is the tenant of the particular user who's token I am using.
The error I get looks like {'error_description': 'Invalid issuer or signature.'} with reason="Token contains invalid signature.";category="invalid_client"' in the header of the response.
I am able to query the Graph api, but would like to also be able to query the Sharepoint REST api, because the Graph api is is insufficient for my actual use case, which will be to get Sharepoint groups (Graph api does not give sharepoint groups when I ask for groups, only Office 365 and Azure AD groups).
Update:
The permissions I've set on the app:
I have not added any scopes in Expose API, I don't know if I need to. I did not need this part to have it working with Graph API.
Lastly I'll mention that in Postman, controlled environment purely with this as the request, with OAuth 2.0:
Auth URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id
client_secret
Scope: AllSites.Read
I get a token successfully, with all the roles, although it still doesn't give me access to https://<tenant>.sharepoint.com/_api/web/lists. I get the following error:
"error": {
"code": "-2147024891, System.UnauthorizedAccessException",
"message": {
"lang": "en-US",
"value": "Access denied. You do not have permission to perform this action or access this resource."
}
}
}
which admittedly is probably a step forward from the invalid client error I was getting before, but still quite stuck.
I was able to get this to work in Postman:
OAuth 2.0
Grant Type: Authorization Code
Auth URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
Client ID: <client_id>
Client Secret: <client_secret>
Scope: https://<tenant>.sharepoint.com/AllSites.FullControl
The token I get back has all of the permissions that I set on the application, including the Graph API ones and the Sharepoint scopes that I did not request in the Scope parameter of the auth request:
"scp": "AllSites.FullControl AllSites.Read Directory.Read.All Files.Read.All Group.Read.All MyFiles.Read Sites.Read.All Sites.Search.All User.Read User.Read.All", which was a little surprising.
A key point was setting the tenant url in the scope so that the aud parameter in the token comes back for the right tenant. It was coming back before configured for the resourceAppId associated with the Graph permissions (00000003-0000-0000-c000-000000000000), rather than the Sharepoint permissions. This way, aud got set to https://<tenant>.sharepoint.com and I was able to access https://<tenant>.sharepoint.com/_api/web/lists.
You can try to get the acccess token in PostMan for a testing purpose.
Callback URL: https://www.getpostman.com/oauth2/callback
Auth URL : https://login.microsoftonline.com/common/oauth2/authorize?resource=https://<tenant_name>.sharepoint.com
Access Token URL : https://login.microsoftonline.com/common/oauth2/token
Client ID : <Application_ID>
Client Secret : <KEY>
Grant Type : Authorization Code
Will pop up a login window to sign in and then generate the access token and get the SharePoint groups:
Reference:
Use Postman and Azure AD to send REST request to SharePoint Online
I have a .net core API which deploy on the azure app service,it is register as a azure ad application.
I also add a API scope in expose an API,which is
https://domain.name/Resource.GetStatus
I also register another application and give the delegate API permission.
Now I want to request a access token with scope in it in postman,but when I put the value to the scope
such error will happen
{
"error": "invalid_scope",
"error_description": "AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://aa-cdapublic-dev.azurewebsites.net/Resource.GetStatus is not valid.\r\nTrace ID: 8256ed8d-65e8-4ad4-865b-0a6fbf473500\r\nCorrelation ID: 65cef3a9-8aa1-4103-8c91-ac2007e27bc0\r\nTimestamp: 2020-04-21 03:47:52Z",
"error_codes": [
70011
],
"timestamp": "2020-04-21 03:47:52Z",
"trace_id": "8256ed8d-65e8-4ad4-865b-0a6fbf473500",
"correlation_id": "65cef3a9-8aa1-4103-8c91-ac2007e27bc0"
}
my postman request as belows:
method :post
URl:https://login.microsoftonline.com/devglobal.onmicrosoft.com/oauth2/v2.0/token
grant_type:client_credentials
clientid:******
clientsecret:******
scope:https://domain.name/Resource.GetStatus
I haven't try it in a SPA page with implicit flow yet,first of all I want to check it whether my settings is correct or not
If you use client_credentials as "grant_type", you need to set https://domain.name/.default instead of https://domain.name/Resource.GetStatus as scope (otherwise it will show the error message as you mentioned in question). By the way, if you use client_credentials, you can't get the delegate permission. So you should use "implicit flow". I test it in my side with "implicit flow", it can get Resource.GetStatus from the access token success.
Update:
decode the access token:
I have a backend process that doesn't directly interact with the user. I want to access reservations associated with my Azure account but I'm having trouble with the authentication step. I was following the guide here and I managed to get the authentication request to work by calling
https://login.microsoftonline.com/{tenant-ID}/oauth2/token
as a POST with the following x-www-form-urlencoded body:
grant_type=client_credentials&
client_id={client-ID}&
client_secret={client-Secret}&
resource=http://myapp42
However, when I attempt to call:
https://management.azure.com/providers/Microsoft.Capacity/reservationOrders/{order-ID}/reservations/{reservation-ID}?api-version=2019-04-01
with the bearer token I received during the authentication step, I get the following error message:
The access token has been obtained for wrong audience or resource 'http://myapp42'. It should exactly match with one of the allowed audiences 'https://management.core.windows.net/', 'https://management.core.windows.net', 'https://management.azure.com/', 'https://management.azure.com'
However, if I modify the resource on the request to be one of these, http://management.core.windows.net/ for instance, the authentication then fails with:
AADSTS500011: The resource principal named https%3A%2F%2Fmanagement.core.windows.net%2F was not found in the tenant named {tenant-ID}. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: b54cedea-3804-41cf-bd27-fcf0ed1c4700\r\nCorrelation ID: 2371d375-6c89-4f05-83c9-c4629b3340a8\r\nTimestamp: 2020-02-05 01:59:57Z
How do I authenticate so that I can then get my reservations without having to login?
Update:
The service principal has both the Owner and Contributor roles assigned.
Update 2:
Thanks to #Jim Xu, I was realized that I needed to refrain from url-encoding the URL. That allowed me to get the access token with a value of https://management.azure.com/ for the resource field. However, at this point, when I attempt to call the REST API with the resulting bearer token, I get the following error:
The client '{Object-ID}' with object id '{Object-ID}' does not have authorization to perform action 'Microsoft.Capacity/reservationOrders/reservations/read' over scope '/providers/Microsoft.Capacity/reservationOrders/{order-ID}/reservations/{reservation-ID}' or the scope is invalid. If access was recently granted, please refresh your credentials
Note: The object ID returned by this error is the one associated with the service principal.
Update 3:
I checked the reservation and it seems that the principal does not have a role in that reservation's access control. However, I also cannot assign the principal a role because it does not show when I search for principals during the role-assigning process.
If you want to call Azure Rest API to get the information of reservation Orders, you need to assign Owner\Contributor for the service principal.(the action needs Microsoft.Capacity/reservationOrders/read permission).
The steps are as below
Get access token
POST : https://login.microsoftonline.com/{tenant-ID}/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&
client_id={client-ID}&
client_secret={client-Secret}&
resource=https://management.azure.com/ or https://management.core.windows.net
Call the api
GET : https://management.azure.com/providers/Microsoft.Capacity/reservationOrders/{order-ID}/reservations/{reservation-ID}?api-version=2019-04-01
Authorization: Bearer <token>
For more details, please refer to the issue and the issue
update
If you have assigned role but you still cannot get access token, please try to encode your url.
When using the MSAL library to generate access token for a background console application, using client_credentials, to call two REST endpoints, the get token call is created as:
client_id=XXX&client_info=1&client_secret=XXXX&scope=api%3A%2F%2FMyService-DevBlr-ClientServices%2F.default+api%3A%2F%2FMyService-DevBlr-CoreServices%2F.default&grant_type=client_credentials
and posted to
https://login.microsoftonline.com/a1326aec-378e-4433-8e2a-67a086554fc8/oauth2/v2.0/token
The response is a 400 error:
{"error":"invalid_scope","error_description":"AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope api://MyService-DevBlr-ClientServices/.default api://MyService-DevBlr-CoreServices/.default is not valid.\r\nTrace ID: 203ad632-5e7c-4e61-9dcd-185eb9b49200\r\nCorrelation ID: 99fd979a-2c11-485b-ba14-c0cad3312e02\r\nTimestamp: 2020-01-11 08:36:29Z","error_codes":[70011],"timestamp":"2020-01-11 08:36:29Z","trace_id":"203ad632-5e7c-4e61-9dcd-185eb9b49200","correlation_id":"99fd979a-2c11-485b-ba14-c0cad3312e02"}
When individual scopes are passed in, the call works ok:
Request:
client_id=XXXX&client_info=1&client_secret=XXXX&scope=api%3A%2F%2FMyService-DevBlr-CoreServices%2F.default&grant_type=client_credentials
Response:
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"eyJ0e..."}
and
Request:
client_id=XXXX&client_info=1&client_secret=XXXX&scope=api%3A%2F%2FMyService-DevBlr-ClientServices%2F.default&grant_type=client_credentials
Response:
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"eyJ0eX..."}
The documentation and the API supports scopes array:
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Client-credential-flows#code-snippet
There is benefit in getting a single token to be used with multiple service calls, but I can't seem to get this working. Any suggestion is appreciated.
When you acquire an access token, you can only specify scopes for one API.
It seems to me you are trying to acquire a token with permissions to 2 APIs.
This is not possible.
An access token always only contains permissions to one API.
So you must request them separately.
This is due to a token having an audience (aud) claim that identifies the API it is meant for.
It cannot have two values.