Trying O365 Authentication in Xamarin forms app - azure

We are new to O365 authentication and are trying to authenticate the user.
Here I am getting this error while trying to log in with Office 365.
I created the app in Active Directory and added the app ID and return URLs in the app; this is the document I followed: https://blog.xamarin.com/put-adal-xamarin-forms/
Here is the error we are getting:
AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'
Trace ID: e580114e-2dd9-4cc4-b903-6cef743a2900
Correlation ID: 6e58ff9d-bea4-4ad3-9fe3-e27c92fc9597
Timestamp: 2018-12-05 12:51:23Z
{System.Net.Http.HttpRequestException: Response status code does not indicate success: 401 (Unauthorized). ---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: {"error":"invalid_client","error_description":"AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'\r\nTrace ID: e580114e-2dd9-4cc4-b903-6cef743a2900\r\nCorrelation ID: 6e58ff9d-bea4-4ad3-9fe3-e27c92fc9597\r\nTimestamp: 2018-12-05 12:51:23Z","error_codes":[70002],"timestamp":"2018-12-05 12:51:23Z","trace_id":"e580114e-2dd9-4cc4-b903-6cef743a2900","correlation_id":"6e58ff9d-bea4-4ad3-9fe3-e27c92fc9597"}: Unknown error
--- End of inner exception stack trace ---}

OK, maybe you have registered your app as a confidential client (web app or web API).
You cannot authenticate with username and password when the app is a confidential client. Only public clients, sometimes known as native clients, can do U/P authentication.
Try changing to a native client.
Refer to this link to try.
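Added example, not from the question or the answer above: a small parser that pulls the JSON error body out of an exception string like the one quoted in the question and returns the AADSTS code, the OAuth2 error family, and the Trace/Correlation IDs you would hand to support or search for in the tenant's sign-in logs. The sample text is a constructed copy of the ADAL exception above. The check at the end uses the `error` field: `invalid_client` (as with 70002 here) means Azure AD rejected the application's own credential, which is why the answer points at the confidential-vs-public client registration rather than at the user's password.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the ADAL exception text quoted in the question, with the JSON body
# Azure AD returned embedded after "AdalException: ". Not a live response.
SAMPLE_ADAL_EXCEPTION = (
    "System.Net.Http.HttpRequestException: Response status code does not indicate "
    "success: 401 (Unauthorized). ---> "
    "Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: "
    '{"error":"invalid_client","error_description":"AADSTS70002: The request body '
    "must contain the following parameter: 'client_secret or client_assertion'"
    "\\r\\nTrace ID: e580114e-2dd9-4cc4-b903-6cef743a2900"
    "\\r\\nCorrelation ID: 6e58ff9d-bea4-4ad3-9fe3-e27c92fc9597"
    '\\r\\nTimestamp: 2018-12-05 12:51:23Z","error_codes":[70002],'
    '"timestamp":"2018-12-05 12:51:23Z",'
    '"trace_id":"e580114e-2dd9-4cc4-b903-6cef743a2900",'
    '"correlation_id":"6e58ff9d-bea4-4ad3-9fe3-e27c92fc9597"}: Unknown error'
)


def extract_json_object(text: str) -> Optional[str]:
    """Return the first balanced {...} object inside text, honouring JSON string quoting,
    so that the ": Unknown error" tail and the exception prefix are ignored."""
    start = text.find("{")
    if start < 0:
        return None
    depth, in_str, esc = 0, False, False
    for i in range(start, len(text)):
        ch = text[i]
        if in_str:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
            continue
        if ch == '"':
            in_str = True
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    return None


@dataclass
class AadError:
    error: str            # OAuth2 error family: invalid_client, invalid_grant, ...
    code: int             # numeric AADSTS code
    description: str      # first line of error_description without the AADSTS prefix
    trace_id: str
    correlation_id: str
    timestamp: str


def parse_aadsts_error(raw: str) -> AadError:
    """Parse either a bare token-endpoint error body or an exception string that embeds one."""
    body = extract_json_object(raw)
    if body is None:
        raise ValueError("no JSON error body found in text")
    data = json.loads(body)
    desc = data.get("error_description", "")
    first_line = desc.splitlines()[0] if desc else ""
    m = re.match(r"AADSTS(\d+):\s*(.*)", first_line)
    codes = data.get("error_codes") or []
    code = int(codes[0]) if codes else (int(m.group(1)) if m else 0)
    return AadError(
        error=data.get("error", ""),
        code=code,
        description=m.group(2) if m else first_line,
        trace_id=data.get("trace_id", ""),
        correlation_id=data.get("correlation_id", ""),
        timestamp=data.get("timestamp", ""),
    )


def is_app_credential_problem(err: AadError) -> bool:
    """invalid_client means Azure AD rejected the application's own credential (absent, wrong
    or expired client_secret / client_assertion), not the signing-in user's credentials."""
    return err.error == "invalid_client"


if __name__ == "__main__":
    e = parse_aadsts_error(SAMPLE_ADAL_EXCEPTION)
    print(f"AADSTS{e.code} ({e.error}) trace={e.trace_id} corr={e.correlation_id} at {e.timestamp}")
    print("application credential problem:", is_app_credential_problem(e))
```

Because the parser scans for the first balanced object rather than a fixed prefix, the same function works on the raw JSON a token endpoint returns and on the wrapped form that ADAL, MSAL or a bot SDK puts into an exception message.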

Related

Postman with OAuth2.0 to a registered app in Azure Active Directory fails with Invalid Resource

I am following the tutorial here: https://learn.microsoft.com/en-us/sharepoint/dev/apis/webhooks/get-started-webhooks
I am having trouble finishing step 5. Postman always gives me this error and I am not sure why.
Troubleshooting details
If you contact your administrator, send this info to them.
Copy info to clipboard
Request Id: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Correlation Id: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Timestamp: 2022-11-18T09:34:11Z
Message: AADSTS650057: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX(Postman App). Resource value from request: https://<mysite>.sharepoint.com. Resource app ID: 00000003-0000-0ff1-ce00-000000000000. List of valid resources from app registration: fe7b6ec1-3281-4dd6-8864-dff33cd1021e, 00000003-0000-0000-c000-000000000000.
Flag sign-in errors for review: Enable flagging
If you plan on getting help for this problem, enable flagging and try to reproduce the error within 20 minutes. Flagged events make diagnostics available and are raised to admin attention.
00000003-0000-0000-c000-000000000000 is Graph.
fe7b6ec1-3281-4dd6-8864-dff33cd1021e is SharePoint Online Client Extensibility Web Application Principal Helper.
In the error it says the app ID (00000003-0000-0ff1-ce00-000000000000) that I am trying to use and then lists the valid resources from my app. I can add another resource to the app and it will be listed there in the error message, but I do not know how to add my specific resource to the list. Does anyone know how I can do that, or if that is even what I need to be doing?
I tried to reproduce the same in my environment and got the results successfully, as below:
I created a multi-tenant Azure AD application and consented to the following API permissions:
To generate the access token, I used below parameters:
Grant Type : Authorization Code
Callback URL : redirect_uri
Auth URL : https://login.microsoftonline.com/common/oauth2/authorize?resource=https://TENANT.sharepoint.com
Access Token URL : https://login.microsoftonline.com/common/oauth2/v2.0/token
Client ID : CLIENTID
Client Secret : ClientSecret
Access token successfully generated like below:
To get Documents list Id click on Use Token and execute the query like below:
GET https://XXXX.sharepoint.com/_api/web/lists/getbytitle('Documents')?$select=Title,Id
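Added example, not part of the question or the answer: a parser for the sign-in "Troubleshooting details" text pasted above. It splits the `Key: value` lines, checks that the message is an AADSTS650057, and extracts the resource the request asked for together with the resource app IDs the registration currently permits, so the missing API permission can be named before anyone edits the app registration. The sample text is a constructed copy of the details in the question with its placeholders kept; the name table covers only the three IDs the thread discusses.

```python
import re
from typing import Dict, List, Optional, Tuple

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

# Resource application IDs that appear in the thread above, with the names given there.
KNOWN_RESOURCE_APPS = {
    "00000003-0000-0000-c000-000000000000": "Microsoft Graph",
    "00000003-0000-0ff1-ce00-000000000000": "SharePoint Online",
    "fe7b6ec1-3281-4dd6-8864-dff33cd1021e":
        "SharePoint Online Client Extensibility Web Application Principal Helper",
}

# Constructed copy of the "Troubleshooting details" block from the question (placeholders kept).
SAMPLE_DETAILS = """Troubleshooting details
If you contact your administrator, send this info to them.
Request Id: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Correlation Id: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Timestamp: 2022-11-18T09:34:11Z
Message: AADSTS650057: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX(Postman App). Resource value from request: https://<mysite>.sharepoint.com. Resource app ID: 00000003-0000-0ff1-ce00-000000000000. List of valid resources from app registration: fe7b6ec1-3281-4dd6-8864-dff33cd1021e, 00000003-0000-0000-c000-000000000000."""


def parse_details(text: str) -> Dict[str, str]:
    """Split 'Key: value' lines; lines without a colon (UI chrome) are skipped.
    Only the first colon separates key and value, so timestamps and the message survive intact."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def diagnose_invalid_resource(details: Dict[str, str]) -> Tuple[str, str, List[str]]:
    """Return (requested resource URL, its resource app ID, app IDs the registration allows)."""
    message = details.get("Message", "")
    m = re.match(r"AADSTS(\d+):", message)
    if not m or m.group(1) != "650057":
        raise ValueError("expected an AADSTS650057 message, got: " + message[:40])
    requested_url = re.search(
        r"Resource value from request:\s*(\S+?)\.?\s+Resource app ID", message).group(1)
    requested_app = re.search(r"Resource app ID:\s*(" + GUID + ")", message).group(1)
    _, _, tail = message.partition("List of valid resources from app registration:")
    allowed = re.findall(GUID, tail)
    return requested_url, requested_app, allowed


def missing_permission(details: Dict[str, str]) -> Optional[Dict[str, object]]:
    """None when the requested resource is already permitted; otherwise what has to be added."""
    url, app, allowed = diagnose_invalid_resource(details)
    if app in allowed:
        return None
    return {
        "resource_url": url,
        "resource_app_id": app,
        "resource_name": KNOWN_RESOURCE_APPS.get(app, "unknown resource app"),
        "allowed": [KNOWN_RESOURCE_APPS.get(a, a) for a in allowed],
    }


if __name__ == "__main__":
    report = missing_permission(parse_details(SAMPLE_DETAILS))
    if report:
        print(f"add a permission for {report['resource_name']} ({report['resource_app_id']}) "
              f"to cover {report['resource_url']}; currently allowed: {report['allowed']}")
```

The list at the end of the message is the registration's own permission set, so comparing the requested resource app ID against it tells you whether the fix belongs in the app registration (add the API permission and re-consent) or in the request (the wrong `resource` value was sent).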

In botframework-sdk all of a sudden my bot started to get this error Error: Get Token request returned http error: 401

All of a sudden my bot started to get this error:
[onTurnError] unhandled error: Error: Get Token request returned http error: 401 and server response: {"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys are expired. Visit the Azure Portal to create new keys for your app, or consider using certificate credentials for added security: https://learn.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials\r\nTrace ID: 91097c7f-35a4-4f95-97bc-d616a6b45100\r\nCorrelation ID: e0110013-d13c-4897-aafc-f2e36a194ed5\r\nTimestamp: 2021-03-01 20:00:25Z","error_codes":[7000222],"timestamp":"2021-03-01 20:00:25Z","trace_id":"91097c7f-35a4-4f95-97bc-d616a6b45100","correlation_id":"e0110013-d13c-4897-aafc-f2e36a194ed5","error_uri":"https://login.microsoftonline.com/error?code=7000222"}
It sounds like your Direct Line secret has expired, assuming you are trying to hit https://directline.botframework.com/v3/directline/tokens/generate. You can regenerate them by going to the Bot Service blade, selecting your Bot Service, and then clicking on Channels. Click Edit on your Direct Line channel and you'll have the option to regenerate your key(s).
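Added example, not from the question or the answer: the 7000222 error above is the reactive signal; the proactive check is to read the app registration's password credentials and flag secrets that are expired or about to expire before tokens start failing. The JSON is a constructed sample in the shape of the `passwordCredentials` array of a Microsoft Graph application object (an assumption about the shape; the key IDs, names and dates are made up), and `ERROR_TIME` is the timestamp from the error in the question.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample shaped like the passwordCredentials part of a Graph application object.
# Shape is an assumption; values are invented, dates chosen around the error's timestamp.
SAMPLE_APP_JSON = json.dumps({
    "displayName": "my-bot (constructed)",
    "passwordCredentials": [
        {"keyId": "key-a", "displayName": "bot secret 2019", "endDateTime": "2021-02-28T00:00:00Z"},
        {"keyId": "key-b", "displayName": "bot secret 2020", "endDateTime": "2021-03-15T00:00:00.1234567Z"},
        {"keyId": "key-c", "displayName": "rotated 2021", "endDateTime": "2023-03-01T00:00:00Z"},
    ],
})

# Timestamp of the AADSTS7000222 error quoted in the question.
ERROR_TIME = datetime(2021, 3, 1, 20, 0, 25, tzinfo=timezone.utc)


def parse_graph_time(value: str) -> datetime:
    """Graph emits RFC 3339 UTC times, sometimes with seven fractional digits; strptime accepts
    at most six, and sub-second precision is irrelevant to an expiry check, so drop the fraction."""
    value = re.sub(r"\.\d+Z$", "Z", value)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_secrets(app_json: str, now: datetime, warn_days: int = 30) -> Dict[str, List[Tuple[str, int]]]:
    """Bucket each secret as expired / expiring / ok. Each entry is (keyId, whole days left),
    negative once the secret has expired."""
    app = json.loads(app_json)
    result: Dict[str, List[Tuple[str, int]]] = {"expired": [], "expiring": [], "ok": []}
    for cred in app.get("passwordCredentials", []):
        remaining = parse_graph_time(cred["endDateTime"]) - now
        entry = (cred["keyId"], remaining.days)
        if remaining <= timedelta(0):
            result["expired"].append(entry)
        elif remaining <= timedelta(days=warn_days):
            result["expiring"].append(entry)
        else:
            result["ok"].append(entry)
    return result


def needs_attention(summary: Dict[str, List[Tuple[str, int]]]) -> bool:
    """True when a secret is inside the warning window or no secret is safely valid.
    Expired secrets beside a valid one are not an outage, but they should still be deleted."""
    return bool(summary["expiring"]) or not summary["ok"]


if __name__ == "__main__":
    summary = classify_secrets(SAMPLE_APP_JSON, ERROR_TIME)
    for bucket, entries in summary.items():
        for key_id, days in entries:
            print(f"{bucket:9} {key_id}: {days:+d} days")
    print("needs attention:", needs_attention(summary))
```

Run against the real application object (or a scheduled export of it) with `now` set to the current time, the warning window gives you the lead time to issue a new secret, deploy it, and only then delete the old one, which is the order that avoids the outage described in the question.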

Azure Mobile App with MSAL JWT validation failed IDX10500

I am trying to authenticate a Xamarin.Forms app against my Azure Mobile App backend (which has been set up to use Azure AD authentication) using the Microsoft Authentication Library (MSAL). This is so that the app can access tables, API controllers, etc., but I am having issues authenticating fully.
In the app (client side) it kind of seems like I am able to log in successfully, because I get the Azure AD login screen in the Safari web browser, but straight after entering my credentials I get redirected to the app and am presented with the following error from MSAL:
You do not have permission to view this directory or page.
I did some digging and attached a debugger to my Mobile App backend and that revealed the following:
Microsoft.Azure.AppService.Middleware Verbose: 0 : Received request:
POST https://myapp.azurewebsites.net/.auth/login/aad
Exception thrown:
'System.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException'
in Microsoft.Azure.AppService.Middleware.Modules.dll
Microsoft.Azure.AppService.Middleware Warning: 0 : JWT validation
failed: IDX10500: Signature validation failed. Unable to resolve
SecurityKeyIdentifier: 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
) ',
RawData: eyJ0eXAiOiJ......
token:
'{"typ":"JWT","alg":"RS256","kid":"-sxMJMLCIDWMTPvZyJ6tx-CDxw0"}.{"aud":"d03a8a86-2d38-4017-a8e6-d1813c7a8b99","iss":"https://login.microsoftonline.com/03afca2b-f47f-4d0b-9a25-d464aff5d399/v2.0","iat":1550228705,"nbf":1550228705,"exp":1550232605,"aio":"ATQAy/8KAAAAJ5N6SdnFdK7rYxWxvwbUKLAjZesFNkwaj2jR7tQg+E10FU5giL0DQM7SWbfwwYNG","name":"GFSSD
TEST","oid":"ea10e59f-4466-451c-b7df-e9727ae5b899","preferred_username":"gfssd#mycompany.com","sub":"aPg-fkuZz4lwGIPSGbQ-nOoj7BPwT4_bBsb9UvATAdI","tid":"03afca2b-f47f-4d0b-9a25-d464aff5d399","uti":"tpY2tvyphUib1O2N4wIQAA","ver":"2.0"}
Microsoft.Azure.AppService.Middleware Information: 0 : Sending response: 401.83 Unauthorized
Any ideas why it doesn't seem to authorize properly?
EDIT:
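Added example, not from the question: what a resource server does with a bearer JWT, in the order the App Service log above shows it: resolve the header's `kid` against the loaded key set, then verify the signature, then check `iss`, `aud` and `exp`. A `kid` that is not in the loaded set fails at the first step, before any signature math, which is the shape of the IDX10500 message above. Everything here is constructed: a symmetric `oct` key and HS256 stand in for Azure AD's RSA keys and RS256 so the code runs on the standard library alone (the lookup-by-`kid` step is identical), the tenant and app IDs are placeholders, and the v1 issuer form `https://sts.windows.net/{tenant}/` is included beside the v2.0 form seen in the logged token to show how an issuer check rejects a token minted by the other endpoint.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Tuple


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


# Constructed values: placeholders for tenant and app, and a symmetric demo key in JWK form.
TENANT = "tenant-id-placeholder"
APP_ID = "client-id-placeholder"
V2_ISSUER = f"https://login.microsoftonline.com/{TENANT}/v2.0"
V1_ISSUER = f"https://sts.windows.net/{TENANT}/"
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
JWKS = {"keys": [{"kty": "oct", "kid": "demo-key-2019", "alg": "HS256", "k": b64url_encode(DEMO_KEY)}]}


def make_token(claims: Dict[str, Any], kid: str, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT whose header names `kid`; used only to build test inputs."""
    header = {"typ": "JWT", "alg": "HS256", "kid": kid}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_jwt(token: str, jwks: Dict[str, Any], expected_aud: str, expected_iss: str,
                 now: float = None) -> Tuple[bool, str, Dict[str, Any]]:
    """Return (accepted, reason, claims). Claims are returned even on failure so the reason
    can be logged alongside them, as the App Service middleware did above."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", {}
    h_b64, c_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    claims = json.loads(b64url_decode(c_b64))
    # Step 1: key resolution. No matching kid in the loaded set means the validator cannot even
    # attempt a signature check; the token was issued with a key this server never fetched.
    kid = header.get("kid")
    key = next((k for k in jwks["keys"] if k.get("kid") == kid), None)
    if key is None:
        return False, f"cannot resolve signing key for kid {kid!r}", claims
    # Step 2: signature. The algorithm comes from the key record, never from the header alone.
    if header.get("alg") != key.get("alg") or key["alg"] != "HS256":
        return False, "algorithm mismatch", claims
    expected_sig = hmac.new(b64url_decode(key["k"]), f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s_b64)):
        return False, "signature invalid", claims
    # Step 3: claims. A v1 and a v2.0 token for the same tenant carry different iss values.
    if claims.get("iss") != expected_iss:
        return False, f"issuer {claims.get('iss')!r} is not the configured issuer", claims
    if claims.get("aud") != expected_aud:
        return False, "audience mismatch", claims
    if float(claims.get("exp", 0)) <= now:
        return False, "token expired", claims
    return True, "ok", claims


if __name__ == "__main__":
    claims = {"aud": APP_ID, "iss": V2_ISSUER, "iat": 1550228705, "nbf": 1550228705,
              "exp": 1550232605, "sub": "subject-placeholder", "ver": "2.0"}
    for kid in ("demo-key-2019", "unknown-kid"):
        ok, reason, _ = validate_jwt(make_token(claims, kid), JWKS, APP_ID, V2_ISSUER, now=1550229000)
        print(kid, "->", ok, reason)
```

The practical consequence for a backend like the one in the question: the key set it validates against must be the one published by the issuer that actually minted the token, and the configured issuer must match the token's `iss` form; either mismatch surfaces as a 401 even though the user signed in correctly.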

Getting 401 unauthorized : Authentication Failed: Could not obtain access token in okta web app

I created a jhipster monolithic application (jhipster version v4.14.2). Also I created an Okta web application with the following settings:
Login redirect URIs -> http://localhost:8080/login
Initiate login URI -> http://localhost:8080
Created groups for admin and user, set up the claim in the default authorization server, and assigned them to the application and my user
I updated the application.yaml of my jhipster application as follows:
security:
  basic:
    enabled: false
  oauth2:
    client:
      access-token-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/token
      user-authorization-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/authorize
      client-id: ????????
      client-secret: ????????
      client-authentication-scheme: form
      scope: openid profile email
    resource:
      filter-order: 3
      user-info-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/userinfo
      token-info-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/introspect
      prefer-token-info: false
When I start the application and try to sign in, I do get the Okta login page; however, after entering my credentials I always get the following error:
Your request cannot be processed
Sorry, an error has occurred.
Status: Unauthorized (Unauthorized)
Message: Authentication Failed: Could not obtain access token
I followed the instructions in the jhipster security documentation and can't make it work. Any idea why I still get the unauthorized error?
This might have nothing to do with jhipster. Make sure your URL for accessing the access token is right.
What Grant type are you using?
https://developer.okta.com/authentication-guide/implementing-authentication/
I think the error is here:
access-token-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/token
user-authorization-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/authorize
Is "user-authorization-uri" the jhipster way of asking for the "issuer URL"?

Getting token in Office 365 Oauth2 authentication

I am implementing OAuth 2 authentication for an Office 365 account in a Java-based server-side application. After reading the documentation, I have done the following things:
I have an Office 365 subscription.
I have created an app in Azure Active Directory, which is necessary to authenticate a web app using an Office 365 account.
I have the client ID and secret. I have also given all permissions to the Azure app.
I am requesting authorization code using the Url:
https://login.microsoftonline.com/common/oauth2/authorize?client_id={client_id}&response_type=code&redirect_uri={redirect url}&response_mode=query
As a response to this, I am getting the authorization code as expected:
http://localhost:8080?code={authorization code}&session_state=259479e4-84aa-42ea-91e9-9e919cc99587
Now I need to get the token along with the user name (the user ID with which the user is logged in), as I need the user name for further processing. For this, I am using the method described here:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-protocols-oauth-code/
That is using a POST request like this:
POST /{tenant}/oauth2/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&client_id=2d4d11a2-f814-46a7-890a-274a72a7309e
&code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrqqf_ZT_p5uEAEJJ_nZ3UmphWygRNy2C3jJ239gV_DBnZ2syeg95Ki-374WHUP-i3yIhv5i-7KU2CEoPXwURQp6IVYMw-DjAOzn7C3JCu5wpngXmbZKtJdWmiBzHpcO2aICJPu1KvJrDLDP20chJBXzVYJtkfjviLNNW7l7Y3ydcHDsBRKZc3GuMQanmcghXPyoDg41g8XbwPudVh7uCmUponBQpIhbuffFP_tbV8SNzsPoFz9CLpBCZagJVXeqWoYMPe2dSsPiLO9Alf_YIe5zpi-zY4C3aLw5g9at35eZTfNd0gBRpR5ojkMIcZZ6IgAA
&redirect_uri=https%3A%2F%2Flocalhost%2Fmyapp%2F
&resource=https%3A%2F%2Fservice.contoso.com%2F
&client_secret=p#ssw0rd
Now the problem is that whenever I send this POST request, I always get an error, with error code sometimes 400 or 402, etc. I also used Postman in Chrome to check the response of the call. It always returns an error like this:
{
"error": "invalid_grant",
"error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID. Send an interactive authorization request for this user and resource.\r\nTrace ID: b834315e-ccb3-4533-b7c9-4af7b34054b9\r\nCorrelation ID: 784f18da-5479-4b69-b939-0067abfcc460\r\nTimestamp: 2016-08-02 07:28:22Z",
"error_codes": [
65001
],
"timestamp": "2016-08-02 07:28:22Z",
"trace_id": "b834315e-ccb3-4533-b7c9-4af7b34054b9",
"correlation_id": "784f18da-5479-4b69-b939-0067abfcc460"
}
(Note: I have registered all the apps using administrator login)
I have tried a lot to find out what is going wrong here. I have added multiple apps in Azure Active Directory, but I am always getting a similar response.
I request professionals to help me! Actually I want to allow the user to click on a button in an Office 365 web add-in and use OAuth2 authentication to log in to our system. It would be great if somebody could suggest a good tutorial to implement this successfully.
If you are requesting the access token for Office 365, the resource parameter in the request you send should be https%3A%2F%2Foutlook.office.com.
You can also use the Microsoft Graph, as Philip suggested. You can refer here about how to choose the endpoint.
Receiving the error codes "interaction_required" or "invalid_grant" means there is an issue with the refresh token, and it is advised to:
Discard current refresh token
Request new authorization code
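Added example, not from the question or the answers: the v1 authorization-code exchange the question describes, carried through in Python (the question's server is Java; the HTTP parameters are the same). The authorize URL names the `resource` that consent is being asked for, the redirect is checked against a `state` value before the code is accepted, the token request body repeats the same `redirect_uri` and `resource`, and the response is parsed for the access token and the signed-in user's name from the `id_token`. `OUTLOOK_RESOURCE` is the value the first answer gives; the client ID, the authorization code and the token response are constructed placeholders, and nothing here is sent over the network.

```python
import base64
import json
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com/common"   # v1 endpoints, as used in the question
OUTLOOK_RESOURCE = "https://outlook.office.com"           # resource for Office 365 mail (per the answer)


def build_authorize_url(client_id: str, redirect_uri: str, resource: str, state: str) -> str:
    """The interactive request; naming the resource here is what obtains consent for it,
    which is what the AADSTS65001 message in the question asks for."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "resource": resource,
        "state": state,          # anti-CSRF value, compared when the redirect comes back
    }
    return AUTHORITY + "/oauth2/authorize?" + urlencode(params)


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Extract the code from the redirect, refusing it unless state matches our own request."""
    q = parse_qs(urlsplit(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect did not originate from our authorize request")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}: {q.get('error_description', [''])[0]}")
    return q["code"][0]


def build_token_request(client_id: str, client_secret: str, code: str, redirect_uri: str, resource: str) -> str:
    """Form body for POST {AUTHORITY}/oauth2/token with Content-Type application/x-www-form-urlencoded."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,   # must equal the authorize request's redirect_uri exactly
        "resource": resource,           # must equal the resource the code was issued for
        "client_secret": client_secret,
    }
    return urlencode(body)


def _jwt_claims(token: str) -> Dict[str, object]:
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def parse_token_response(body_json: str) -> Dict[str, object]:
    """Success: access token plus the user name from the id_token. An id_token received directly
    from the token endpoint over TLS may be read without a signature check (OIDC Core 3.1.3.7);
    a token that arrives any other way must be validated first."""
    data = json.loads(body_json)
    if "error" in data:
        raise ValueError(data.get("error_description", data["error"]).splitlines()[0])
    claims = _jwt_claims(data["id_token"]) if "id_token" in data else {}
    # v1 id_tokens carry the sign-in name as upn (or unique_name); v2.0 uses preferred_username
    username: Optional[object] = next(
        (claims[k] for k in ("upn", "unique_name", "preferred_username") if k in claims), None)
    return {"access_token": data["access_token"], "resource": data.get("resource"),
            "username": username, "expires_in": int(data.get("expires_in", 0))}


def constructed_token_response() -> str:
    """A made-up success body in the shape the v1 token endpoint returns; the id_token is unsigned
    (empty signature part) and exists only so parse_token_response has claims to read."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    header, claims = {"typ": "JWT", "alg": "none"}, {"upn": "user@contoso.example", "tid": "tenant-id-placeholder"}
    return json.dumps({"token_type": "Bearer", "expires_in": "3599", "resource": OUTLOOK_RESOURCE,
                       "access_token": "constructed-access-token", "id_token": f"{enc(header)}.{enc(claims)}."})


if __name__ == "__main__":
    state = "constructed-state-value"
    print(build_authorize_url("client-id-placeholder", "http://localhost:8080", OUTLOOK_RESOURCE, state))
    code = parse_redirect(f"http://localhost:8080?code=CONSTRUCTED-CODE&session_state=x&state={state}", state)
    print(build_token_request("client-id-placeholder", "client-secret-placeholder", code,
                              "http://localhost:8080", OUTLOOK_RESOURCE))
    print(parse_token_response(constructed_token_response()))
```

Two details matter for the error in the question: the `resource` must be present and identical in both the authorize request and the token request, and the code returned after consent can only be redeemed for that resource. Sending the token request without the resource the user consented to, or with a different one, is answered with a consent error rather than a token.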
