I got this error trying to get an auth token from Sharepoint REST api. My SP is cloud based and I am using Postman to test the requests, as a previous attempt similarly ran into a dead end when much troubleshooting back and forth with Msoft lead no where .. Anyway, I have the following error and I was wondering if anyone could help me figure out what it is or how I can troubleshoot this issue.
error_description: "AADSTS50169: The realm 'realm' is not a configured realm of the current service namespace"
error_codes : 50169
I followed this tutorial
Thanks!
Edit: I went through and started again, this tut seems to be working I guess I may have missed a step (my guess is I didn't correctly configure the app permissions with xml when creating the app)
To do authorization of SharePoint online and use REST API via Postman, here is a solution for your reference:
First: get security Token
Access [https://login.microsoftonline.com/extSTS.srf] via Http Post method. The content of the http request is as follows.
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-
utility-1.0.xsd">
<s:Header>
<a:Action
s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://login.microsoftonline.com/extSTS.srf</a:To>
<o:Security s:mustUnderstand="1"
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:UsernameToken>
<o:Username>[username]</o:Username>
<o:Password>[password]</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<a:EndpointReference>
<a:Address>[endpoint]</a:Address>
</a:EndpointReference>
</wsp:AppliesTo>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
</t:RequestSecurityToken>
</s:Body>
</s:Envelope>
The demonstration screenshot in Postman:
And the response content will include a security token as below, we can use this security token to get Access Token of SharePoint.
Second: get Access Token
Here i show you how to get access token of SharePoint online using the security token and SharePoint Rest API.
Access [https://yourdomain.sharepoint.com/_forms/default.aspx?wa=wsignin1.0] via http Post method. The content of the request is the security token that we have got above as below.
And the response as below:
We can see that there are two cookie, rtFa and FedAuth in response header, and these two cookie need to be added to the request in subsequent request.
Third: get Request Digest
Access [https://yourdomain.sharepoint.com/_api/contextinfo] via http Post method with that two cookies which we have got above.
And the response as below:
This is the final Token we want!
Then we can use REST API of SharePoint, we only need to add this token and the previous two cookie, as shown in the following figure.
Related
I authenticate using OAuth 2.0 authorization code workflow successfully and get redirected back to Postman. Here is more information on the Azure DevOps REST API I am trying to do.
In the console, I get an error: request URL is empty
I do not see the authorization code in the response for me to parse, but if I expand the error message and look in the Request Body > code, my authorization code is there!
I am able to use the authorization code to successfully obtain an Access Token as well.
Steps to reproduce error:
I set all of the values in the OAuth 2.0 form
I click Get New Access Token
I get redirected to my browser to accept
I get a successful authentication & get redirected back to Postman
I get the Authorization code in the request body of a console error (I also get the auth code in the URL after authenticating)
On step #5, I expect to get redirected back to Postman successfully with the authorization code in the body of the message.
EDIT: The solution below works for the Azure API with a scope of https://graph.microsoft.com. If the scope is https://app.vssps.visualstudio.com (which is what I'm using), the solution will not work oddly enough.
Please try my steps to get access token with OAuth 2.0 in Postman.
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Callback URL: the Redirect URI in Application > Authentication. It is required. Don't select Authorize using browser.
Auth URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
For more information, you could refer to the blog which uses oauth2 v1.0.
I am trying to obtain an access token for use with the SharePoint Rest API. For my organizations base site. I am able to obtain a token and use that token to make subsequent requests successfully.
Next, I followed the same process and created more app permissions for a different site: {{tenant removed}}/sites/testsite. I was initially unable to create the request for the token because the resource parameter was not valid (see image below):
Per the URI encoding standards, I replaced the "/" in the site url with "%2f" and I am able to get a token (see image below):
Next however, the requests using that token to the API fail:
{
"error_description":
"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
}
In the response header:
3000003;reason="Invalid audience Uri
'00000003-0000-0ff1-ce00-000000000000/{{tenant
removed}}%2fsites%2f{{removed}}#{{realm
removed}}'.";category="invalid_client"
Did I encode the resource incorrectly? What am I missing? How can I use this method to get information from the other site?
I can see many developers making the same assumption when they create requests, since almost all documentation don't point out this scenario. You will be able to obtain a token for the site successfully as long as the resource is in a valid uri format, there is no validation done on the uri itself. Even if you get a token it will not work for any requests.
When fetching the access token for subsites (i.e: {{tenant}}/sites/testsite ). The resource part of the request body does not need to be modified.
So, for example, when you are getting a token for test.sharepoint.com/sites/testsite the resource of the request body should just be:
00000003-0000-0ff1-ce00-000000000000/test.sharepoint.com#{{realm}} (without /sites/testsite)
However, when you make HTTP requests to the API with the token, you should use the full site name. Example:
https://test.sharepoint.com/sites/testsite/_api/web/
I am getting redirect 302 error for my HTTP request in my logic app.
The scenario is that I have a logic app where I want to fetch data from an API endpoint. The API endpoint is protected and I need to provide an access token to be able to access the api.
To be able to connect to the API with an access token I have created an service principal in Azure AD (spn) to use in the logic app.
The logic app contains right now of two HTTP actions:
The first HTTP action makes a request against https://login.microsoftonline.com/<tenantId>/oauth2/token
with client_id, client_secret and tenant_id of the service principal to get an access token which I can use to authenticate against the API.
The second HTTP action makes a request against the API endpoint
with Header
Authroization = Bearer
but I only get 302 Redirect as response.
I have verified that everything is working as expected with Postman with the same requests as explained above.
Any ideas on how to get around this issue?
Redirect screenshot
Logic App workflow
I've found the cause of this issue. It was in fact something wrong with the token, the logic app successfully acquired the Bearer token, however, However, in the POST request against : https://login.microsoftonline.com/tenantId/oauth2/token
I had specified the following:
grant_type=client_credentials
&client_id=<clientId>
&client_secret=<clientSecret>
&resource=https://something.com <- (HERE I forgot an "/")
I found this when I tried using the token aquired in the logic app in postman and it returned a redirect and invalid token.
Thanks for the help all.
I am currently following this guide on setting up authorization for an azure function. I'm currently trying to test the auth portion in fiddler separately from my web app to ensure I can get a valid token. I am able to successfully retrieve an authorization code however after that, I need to post some data to exchange the authorization code for a token. When trying to do that, I am being returned a 502 with message: DNS Lookup for "mytenantname.onmicrosoft.com" failed. System.Net.Sockets.SocketException No such host is known as if the host does not exist at all. My post to the endpoint looks as follows where B2C_1_FunctionsPlaygroundSignInRegister is the name of my user flow:
POST https://mytenantname.onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_FunctionsPlaygroundSignInRegister HTTP/1.1
User-Agent: Fiddler
Content-Type: application/x-www-form-urlencoded
Host: mytenantname.onmicrosoft.com
Body:grant_type=authorization_code&client_id=MyApplicationIdForTheAzure-AD-B2C-ap-here&code=myCodeHere&redirect_uri=jwt.ms
For reference, here is the working get request I send that I can type in a browser, be prompted with a login/register screen, and be returned an authorization code after logging in:
https://mytenantname.b2clogin.com/tfp/mytenantname.onmicrosoft.com/B2C_1_FunctionsPlaygroundSignInRegister/oauth2/v2.0/authorize?client_id=yApplicationIdForTheAzure-AD-B2C-ap-here&nonce=2&redirect_uri=https://functionapi.azurewebsites.net/.auth/login/aad/callback&scope=https://mytenantname.onmicrosoft.com/api/read&response_type=code
Can someone please point out where I'm going wrong here? I've now spent a great deal of time on this issue and am out of ideas.
Your POST url and Host header are wrong.
See this section -
OAuth 2.0 authorization code flow in Azure Active Directory B2C
POST fabrikamb2c.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_sign_in HTTP/1.1
Host: https://fabrikamb2c.b2clogin.com
Note the Host header. That means your Fiddler request should read something like this:
POST https://mytenantname.b2clogin.com/mytenantname.onmicrosoft.com/oauth2/v2.0/token?p=...
Host: mytenantname.b2clogin.com
P.S. This is way better than Fiddler for what you're trying to do -
https://oauthdebugger.com/
I'm using Ember.js and Node. I already have json web token based authentication set up and am now trying to use LinkedIn's REST API to get information for my user profiles.
I'm able to redirect my users to the LinkedIn authorization code endpoint (Step 2 in this guide: https://developer.linkedin.com/docs/oauth2), but I'm getting stuck on Step 3 (Exchange Authorization Code for Access Token). When I make the POST request with the correct parameters, I get a 401 unauthorized_client error no matter how I try and make the request.
I'm making the request directly from my Node server, and using the request module. I've tried including the params as query params, and as part of the body. I've tried adjusting the headers and the url encoding but nothing seems to change the 401 error.
This is the call I need to be making according to the guide:
POST /uas/oauth2/accessToken HTTP/1.1
Host: www.linkedin.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=987654321&redirect_uri=https%3A%2F%2Fwww.myapp.com%2Fauth%2Flinkedin&client_id=123456789&client_secret=shhdonottell
This should not happen if you are POSTing the correct parameters. You can rather try it with an alternative way. With the authorization code you received in Step 2, use request based service like POSTMAN and try getting the response again. If you get it using that it means there has been some error while you are making the request.
Make sure to properly provide the headers.
Even after the POSTMAN service if you get an unauthorized response, confirm your client_id and client_secret.
Please note that for 2-legged authentication, the grant_type should always be "client_credentials". Also, you only need to supply the client_id and client_secret as parameters, nothing more. See the sample in the LinkedIn documentation. It looks like you try to do a 3-legged authentication request.