I check the token from the received user in jwt.io - https://i.imgur.com/S5BzmbS.png
From account in organizational directory - https://i.imgur.com/yGq2RM7.png
Permissions app in AD - https://i.imgur.com/oMlqlqx.png
User get token by this instructions - https://github.com/OfficeDev/msteams-tabs-sso-sample-nodejs
The main problem is that apparently because of the token, when sending a request /me/drive/root/children, the private user receives an empty value.
Modify var scopes = ["https://graph.microsoft.com/User.Read"]; to var scopes = ["https://graph.microsoft.com/.default"]; in this line.
Then the access token will include all the granted Microsoft Graph permissions.
We have tried extending the session token time of an openid application on-boarded in Azure AD by configuring Sign-in frequency in Azure AD Condition Access Policy as suggested in the below MS document -
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime
But it doesn't prompt for re-authentication after the configured sign-in frequency time period expires.
We have on-boarded ClickHelp app & set the sign-in frequency for 1 hour.
Need help with the configuration in Azure AD to extend the oAuth app session token time by 8hrs (application session should get expire after 8hrs & prompt to re-authenticate with Azure AD)
Also, wanted to know if conditional access policy only works with Microsoft apps?
Because when I configured policy for all cloud apps with sign-in-frequency set to 1hr, and hit the URL "https://endpoint.microsoft.com" in browser. I received the following error message on refreshing the URL after 1 hr -
Conditional access policy failure
{
"sessionId": "1026a56be9a04d77xxxxxx",
"missingClaims": "{"access_token":{"capolids":{"essential":true,"values":["83b40f65-1d01-45cc-xxxx-xxxxxxxx"]}}}",
"resourceName": "graph",
"errorMessage": "AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on 2020-09-15T11:26:21.5620000Z and the maximum allowed lifetime for this request is 3600.\r\nTrace ID: 2933c79c-e69b-xxxx-xxxx-xxxxxxxxx\r\nCorrelation ID: aab286b8-ea79-xxxx-xxxx-xxxxxxxxx\r\nTimestamp: 2020-09-15 12:50:22Z"
}
I am using https://github.com/Azure-Samples/active-directory-b2c-ios-swift-native-msal and can go thru the interactive login flow fully, but I never get the tokens properly back. When I do a Run Flow on the policy in AD B2C portal I get the tokens back when I redirect to jwt.ms.
I have enabled the verbose and pii logging as well. The authority url is resolving properly.
I have enabled both Access token and ID Token for the implicit flow in the azure portal as well. I have tried passing in a blank array of scopes as well as 'openid'/etc and that tells me that those are reserved and not to pass in.
If I had the token, I plan to hit azure functions (not graph like in the sample).
Any help would be greatly appreciated as I have spent a lot of time researching this. I saw on a stackoverflow thread that "msal" was incorrect in the documentation and to update to msauth.clientid://auth, which I have also tried to no avail.
I am logging in as a local account that was previously created.
%# TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:00] Requiring default broker type due to app being built with iOS 13 SDK
%# TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:00 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] -[MSALPublicClientApplication acquireTokenWithParameters:(
)
extraScopesToConsent:(null)
account:(null)
loginHint:(null)
promptType:MSALPromptTypeSelectAccount
extraQueryParameters:(null)
authority:<MSALB2CAuthority: 0x600000b100e0>
webviewType:MSALWebviewTypeSafariViewController
customWebview:No
correlationId:(null)
capabilities:(null)
claimsRequest:(null)]
%# TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:00 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] Beginning interactive flow.
%# TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:00 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] Resolving authority: https://......b2clogin.com/tfp/......onmicrosoft.com/B2C_1_tes_sign_up_and_sign_in, upn: (null)
%# TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:00 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] Resolved authority, validated: NO, error: 0
%# TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:00] Start background app task with type 0
Received callback!
Received callback!
Received callback!
Received callback!
Received callback!
msauth.com.microsoft.identity.client.sample.msaliosb2c://auth/?state=REJEQTM3MDAtMUNGMC00MEVGLTkwRTMtRUU0NDUxOTIxNjgy&client_info=eyJ1aWQiOiI5MmMyMWFmZS04MmRmLTQyZmQtOGQxZC1kOTM5MzIxNzJiZjgtYjJjXzFfdGVzX3NpZ25fdXBfYW5kX3NpZ25faW4iLCJ1dGlkIjoiYzc5OTBkMTAtN2RkMy00Y2MxLTg0NDAtYmFlNjM3NmYzZjdkIn0&code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMCIsInppcCI6IkRlZmxhdGUiLCJzZXIiOiIxLjAifQ..utC9PGZsSCucrxsi.YX7_K2EsSN0FC7xmbBuiih9kpX_kiiAfk18ttdcf1fgzbJdpxtlKE45LDow49h-CTu4BeNLCGeUD4ZPPUqEs6zrahnRppXbxpkEZFejllpumfjaCI6Au0BUWjRWX_ChHSTPY2d2C6X0rNpWSp9mvRDKwQlR-4f-jBzqpHGwGJhSTI2eO4dXE1P_wJJ0tAE5BVARbnb5bEPY6RMCpcXHDakGhcaQzBqXsmGIKuZASWOKGKgB-k-aXj2wB-DuprEIK168Gmvy41IO20C9kGtYpezcFtbEeH-yp53nu-2pdw8dxV3IVpECyQzYw3mVL0_wb0LsMN4dHonHqnXcjdghxSv1X75Haz_HRyisZTZ0bCHEx-4IN8mkEokIvJG54zM5DY36ZgIbJEUGhmx_dJinphRqjD13utQAhVyrHjA1_oGnPVZ_RJJh2pL_MRPaaWrj3kbcpudxjvPwdA9OIur6t71BIVA-uAbnMn-J6ORlbuPhQT4p-6XDC1h068huqjKgCEWADoIFzH7Hd8gOHjrc-Nc0EXY33ln_NXz9pYLtde-WhTC4O_gmE36Hw4p_4cD0_FfyWb57sfb_5GUllhkZKJWVfxa2V7WD28whVlEn0ksbkMbedBsuhcX0.di8cR8t0DcTKLlPvfJrLZQ
%# TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09] Stop background task with type 0
%# TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] No cached preferred_network for authority
%# TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] Sending network request: (not-null), headers: (not-null)
%# TID=31634 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09] session:didReceiveChallenge:completionHandler - nsurlauthenticationmethodservertrust. Host: ........b2clogin.com. Previous challenge failure count: 0
%# TID=31638 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] Received network response: (not-null), error (null)
%# TID=31638 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] Parsed response: (not-null), error (null), error domain: (null), error code: 0
%# TID=31638 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] Unsuccessful token response, error Error Domain=MSIDErrorDomain Code=-51100 "(null)" UserInfo={MSIDCorrelationIdKey=FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0, MSIDErrorDescriptionKey=Authentication response received without expected accessToken}
%# TID=31638 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] Interactive flow finished result (null), error: -51100 error domain: MSIDErrorDomain
%# TID=31638 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] acquireToken returning with error: (MSALErrorDomain, -50000) Authentication response received without expected accessToken
The resolution to this issue is one that I want to post for others as it could really use some improvement in the documentation or error codes. I don't think it only applies to Azure Function apis.
In the azure b2c portal, if you run the signin flow, your browser will show scope of openid (might have had profile as well). So, you would think that when using MSAL, you would pass this as a scope as well. If you do, you get an error message stating that openid and profile are reserved scopes that MSAL manages and to not pass them in.
You would think that is great, it is handled for you, and is not causing an issue where you are not getting your tokens and to move on and look for other issues... whereby leaving the scopes as a blank array. You may not even need a special scope or permission in your api to restrict users.
However, it ended up that if you go to "expose an api" in the azure b2c tenant area, it will state that you must create at least one custom scope and at least one permission and that you must request at least one custom scope. Also, you must set an App ID URI. Create a custom scope, pass it in thru MSAL, and you get your token.
So you don't need a custom scope or have specified an App ID Uri when running the flow from azure portal, but you do if you are using MSAL. There must be a reason for this but it doesn't really make sense to me at the moment.
Hope this helps someone.
You could get both Access token and ID Token with implicit flow. If you get id_token but not access_token, check response_type to contain token, not just id_token.
Note: make sure add the scope format like this: https://YOUR_TENANT.onmicrosoft.com/api/user_impersonation
GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize?
client_id=xxxxxxx
&response_type=id_token+token
&redirect_uri=xxxxx
&response_mode=fragment
&scope=openid%20offline_access%20https%3A%2F%2F{tenant}.onmicrosoft.com%2Fxxxx%2Fuser_impersonation
&state=123456
&nonce=12345
The answer did help me get on the right path, but the problem was a bit different.
I used the following scopes:
https://tenantname.onmicrosoft.com/APINAME/write
https://tenantname.onmicrosoft.com/APINAME/read
I implemented this in the following way:
kScopes =
["https://tenantname.onmicrosoft.com/(String(describing:
kAPI))/write", "https://tenantname.onmicrosoft.com/(String(describing:
kAPI))/read"]
This did not work because it made the following string "https://tenantname.onmicrosoft.com("APINAME")/read".
stackoverflow removes a couple of \ in between there but you get the point.
Using adal-angular 1.0.17 and a single-tenant app registration (note: calling this app 1) in Azure that should delegate user rights to another Azure app (note: calling this app 2) but the jwt token is issued with any scope resulting in:
AADSTS50105: The signed in user ---- is not assigned to a role for the application '<another Azure app>'
The Azure Api permission on app 1 have a permission == "user_impersonation" against app 2 which should allow access to app 2 on behalf of the signed-in user by app 1. Looking at the scopes defined by app 2 in the portal the user_impersonation scope is defined consenting Admins and users (enabled).
Tried using the extraQueryParameter setting in the adal configuration:
{
....
extraQueryParameter: 'scope=user_impersonation'
}
But the user still is deemed unassigned. Other users that have explicitly been assigned to both app 1 and app 2 successfully proceed through the authorization.
Looking for tips or any better way to debug.
I have a background JS app that wont have any user input, so i was looking at using the app authentication without user input. I have set up an app in the Azure AD portal and also apps.dev.microsoft.com.
I am using the following endpoint:
login.microsoftonline.com/{Tenant}/oauth2/token
With the following body:
client_id: application_id
client_secret: generated key
grant_type: client_credentials
scope: "https://graph.microsoft.com/.default"
This generates an access_token however when i try and use it using the graph API, I get the following error
Access token validation failure
When investigating the token compared to a normal OAuth token with user input, i noticed its passing in roles rather then scp and the audience is my application rather then graph.microsoft.com.
What am i doing wrong?
The app registered in Azure AD portal works with Azure AD V1.0 endpoint ,app registered in apps.dev.microsoft.com that works with the v2.0 endpoint , Please firstly refer to this document for what's different about the v2.0 endpoint .
To use Azure AD v2.0 to access secure resources without user interaction(client credential flow) , you should send a POST request to the /token v2.0 endpoint:
POST /common/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=535fb089-9ff3-47b6-9bfb-4f1264799865&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=qWgdYAmab0YSkuL1qKv5bPX&grant_type=client_credentials
You could refer to this document for how to use the OAuth 2.0 client credentials grant with Azure AD V2.0 endpoint .
If you want to use azure ad v1.0 (app registered in azure portal) with client credential flow, you could refer to this document . In azure ad v1.0 , you should indicate the resource parameter which the client app is requesting authorization for , in your scenario , the resource should be https://graph.microsoft.com/ if you want to acquire token to call microsoft graph api .