I'm working on creating an Outlook Add-in using this architecture.
I'm trying to handle the scenario where the Azure Active Directory access token expires. According to the official documentation, the token's lifetime is 1 hour.
So I was thinking about changing the token's lifetime as described in this question. But I cannot do so, as I don't have the right to edit Azure policies. Also, I believe there is a cleaner way to test this scenario.
How can I test/debug this scenario?
Whenever your access token expires, you can use your refresh token to exchange it for a new access/refresh token pair. A refresh token has a maximum inactivity time of 90 days.
You can get a refresh token in the result when requesting an access token by specifying offline_access in the scope parameter of the request.
curl --location --request POST 'https://login.microsoftonline.com/common/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id={clientid}' \
--data-urlencode 'refresh_token={refreshtoken}' \
--data-urlencode 'redirect_uri={redirect_uri}' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'client_secret={client_secret}'
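An added example, not part of the answer above: it keeps the token response, treats the token as expired once expires_in (minus a safety margin) has run out, and then sends the same refresh_token grant as the curl. The clock and the HTTP call are injectable, so the expired-token path can be exercised in a test without waiting an hour; TOKEN_URL, REFRESH_SKEW and the class name are my own choices.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
REFRESH_SKEW = 300  # treat the token as expired 5 minutes early


def refresh_body(client_id, refresh_token, redirect_uri, client_secret=None):
    """Form body for grant_type=refresh_token, the same fields as the curl above."""
    fields = {"client_id": client_id, "refresh_token": refresh_token,
              "redirect_uri": redirect_uri, "grant_type": "refresh_token"}
    if client_secret:  # confidential clients only; public clients send no secret
        fields["client_secret"] = client_secret
    return urllib.parse.urlencode(fields).encode()


def post_form(url, body):
    """Real HTTP call to the token endpoint; replaced by a fake in tests."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


class TokenHolder:
    def __init__(self, client_id, redirect_uri, token_response,
                 clock=time.time, post=post_form):
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self.clock, self.post = clock, post  # injectable for offline tests
        self.refresh_token, self.refreshes = None, 0
        self._store(token_response)

    def _store(self, tr):
        self.access_token = tr["access_token"]
        self.refresh_token = tr.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + int(tr["expires_in"])

    def is_expired(self):
        return self.clock() >= self.expires_at - REFRESH_SKEW

    def get_access_token(self):
        if self.is_expired():
            if not self.refresh_token:
                raise RuntimeError("no refresh token: request the offline_access scope")
            body = refresh_body(self.client_id, self.refresh_token, self.redirect_uri)
            self._store(self.post(TOKEN_URL, body))
            self.refreshes += 1
        return self.access_token
```

To simulate expiry in a test, advance the injected clock past expires_in - REFRESH_SKEW and let the fake post return a fresh pair.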
We are using Sign In with Apple. The automated token renewal has failed in the past. I want to query the Graph API for the token expiration date so it can be tracked in our monitoring system.
EDIT: After contacting Azure support, the root cause for the token failing to auto renew is that we are using a custom user flow (IEF) policy
While generating the access token, you can see an attribute called expires_in along with the access token.
You can use the cURL command below to get the Apple JWT token:
curl -v -X POST "https://appleid.apple.com/auth/token" \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'client_id=CLIENT_ID' \
-d 'client_secret=CLIENT_SECRET' \
-d 'code=CODE' \
-d 'grant_type=authorization_code' \
-d 'redirect_uri=REDIRECT_URI'
You will get a response like the one below:
{
  "access_token": "adg61...67Or9",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "rca7...lABoQ",
  "id_token": "eyJra...96sZg"
}
In the above response you can find expiration time in expires_in attribute.
Otherwise, you can decode the token by using the JSON Web Tokens - jwt.io site as shown below:
Copy the access token and paste it in encoded field.
Under payload section, you can find expiration date in exp attribute.
For more information, please refer to the link below:
Generate and Validate Tokens | Apple Developer Documentation
I have a token with computer vision included in the scope and audience. But when I send an OCR request it always returns "Unauthorized. Access token is missing, invalid, audience is incorrect or have expired". What is wrong with my code?
curl --location --request POST 'https://westeurope.api.cognitive.microsoft.com/vision/v3.0/ocr' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer myToken' \
--data-raw '{"url":"imageUrl"}'
Please just try the request below to get an access token from Azure AD for the vision OCR service:
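An added example, not from either post above, that does in code what the jwt.io step in the Apple answer does by hand and what the OCR error message complains about: it reads exp and aud from the payload without verifying the signature (inspection only, never authorization) and reports whether a resource would reject the token as expired or as issued for the wrong audience. expected_audience is whatever the called resource expects; the token used in the test is constructed.

```python
import base64
import json
import time


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Return the payload claims WITHOUT verifying the signature: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token, expected_audience, now=None):
    """Explain why a resource would reject the token: expiry and audience."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    exp, aud = claims.get("exp"), claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    result = {
        "exp": exp,
        "seconds_remaining": None if exp is None else int(exp - now),
        "expired": exp is None or now >= exp,       # no exp at all is treated as expired
        "audience": aud,
        "audience_ok": expected_audience in auds,
    }
    result["ok"] = result["audience_ok"] and not result["expired"]
    return result


def sample_jwt(claims):
    """Constructed token for offline tests; the signature segment is a placeholder."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".PLACEHOLDER_SIGNATURE"
```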
I have created an instance of Azure API for FHIR with an Azure FHIR proxy following this tutorial:
https://github.com/microsoft/health-architectures/tree/master/FHIR/FHIRProxy##configuration
I am able to browse to the proxy URL through a browser after being prompted to log in to view the metadata as shown below:
FHIR Meta data image
However, when trying to access it through the Postman API tool I keep getting the same error:
You do not have permission to view this directory or page.
I have tried generating an authorization Bearer token using the following:
curl --location --request GET 'https://login.microsoftonline.com/{TENANT_ID}/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--form 'grant_type="client_credentials"' \
--form 'client_id="{CLIENT_ID}"' \
--form 'client_secret="{CLIENT_SECRET}"' \
--form 'resource="{MY PROXY RESOURCE ID}"'
The authorization token looks fine, but when adding it to my API call it errors as shown below:
API error image
Does anyone have any idea how I can successfully call my API with a proper authorization token that works or know a tutorial that actually explains this part of the process?
The tutorial does not give much information.
EDIT:
WWW-authenticate-header:
Bearer realm="func-fhir-proxy-2.azurewebsites.net" authorization_uri="https://login.windows.net/000000/oauth2/authorize" resource_id="0000"
Thanks
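An added example, not from the question: the WWW-Authenticate challenge in the edit already names the authorization endpoint and the resource_id the proxy expects, so this parses that challenge and builds the v1 client-credentials request whose resource field matches it (the aud of the issued token must equal that resource_id). The token endpoint takes a POST with a url-encoded body, which is what the Content-Type header in the question's curl declares, whereas that curl combines --request GET with multipart --form fields. CHALLENGE is copied from the question; client_id and client_secret are placeholders.

```python
import re
import urllib.parse

# Challenge copied from the question (the 000000 / 0000 values are the question's own placeholders)
CHALLENGE = ('Bearer realm="func-fhir-proxy-2.azurewebsites.net" '
             'authorization_uri="https://login.windows.net/000000/oauth2/authorize" '
             'resource_id="0000"')

_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Turn a Bearer WWW-Authenticate header into a dict of its parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: " + scheme)
    return dict(_PARAM.findall(params))


def token_request_for_challenge(challenge, client_id, client_secret):
    """Build the v1 client-credentials POST that matches the proxy's challenge."""
    p = parse_bearer_challenge(challenge)
    auth = urllib.parse.urlsplit(p["authorization_uri"])
    tenant = auth.path.strip("/").split("/")[0]  # "000000" in the question's challenge
    # same host and tenant as the challenge; login.windows.net is the older name of login.microsoftonline.com
    token_url = "{}://{}/{}/oauth2/token".format(auth.scheme, auth.netloc, tenant)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": p["resource_id"],  # the issued token's aud must equal this value
    })
    return token_url, body
```

If the proxy still answers 401, decode the token's aud claim and compare it with resource_id from the challenge; a mismatch is the usual cause.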
I was trying to Configure Microsoft Azure AD for External OAuth as per the Snowflake tutorial: https://docs.snowflake.com/en/user-guide/oauth-azure.html
The configuration steps went ahead without a hitch and I was able to use the final step: https://docs.snowflake.com/en/user-guide/oauth-azure.html#testing-procedure to obtain the access token from AAD.
However, when I tried to use the access token with Snowflake using a JDBC driver, I obtained the error: "net.snowflake.client.jdbc.SnowflakeSQLException: Invalid OAuth access token."
The Snowflake integration created is of the form:
create security integration ext_oauth_azure_ad
type = external_oauth
enabled = true
external_oauth_type = azure
external_oauth_issuer = '<issuer-url>'
external_oauth_jws_keys_url = '<keys-url>/discovery/v2.0/keys'
external_oauth_audience_list = ('https://<app-id-uri>')
external_oauth_token_user_mapping_claim = 'upn'
external_oauth_snowflake_user_mapping_attribute = 'login_name'
external_oauth_any_role_mode = 'ENABLE';
I tried playing around with this config by changing the external_oauth_token_user_mapping_claim to email since that was the attribute in the decoded JWT access token that matched the login_name but to no avail.
The scope provided in AD is the session:role-any which should be valid for any scope.
Not sure how to proceed post this.
Edit:
The command used to obtain access token is:
curl -X POST \
  -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
  --data-urlencode "client_id=<ad-client-id>" \
  --data-urlencode "client_secret=<ad-client-secret>" \
  --data-urlencode "username=<ad-user-email>" \
  --data-urlencode "password=<my-password>" \
  --data-urlencode "grant_type=password" \
  --data-urlencode "scope=<scope-as-in-ad>" \
  'https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token'
Update:
Tried using the command:
select system$verify_external_oauth_token('<access_token>');
to validate if the token was valid in Snowflake and obtained the result:
Token Validation finished.{"Validation Result":"Failed","Failure Reason":"EXTERNAL_OAUTH_INVALID_SIGNATURE"}
This is strange because I have added the correct issuer based on the configuration step (entityId from the Federation metadata document).
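An added example, not from the question, for narrowing down EXTERNAL_OAUTH_INVALID_SIGNATURE: it decodes the token's header and payload (verifying nothing) and compares them with the security integration's settings. The kid in the header must appear in the JWKS document served at external_oauth_jws_keys_url, iss must equal external_oauth_issuer exactly (v1.0 and v2.0 Azure AD tokens carry different issuer values), aud must be in external_oauth_audience_list, and the claim named in external_oauth_token_user_mapping_claim must actually be present. The JWKS document and the tokens in the test are constructed.

```python
import base64
import json


def _b64url_json(segment):
    """Decode one base64url JSON segment of a compact JWT (nothing is verified)."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def _sample_token(header, claims):
    """Constructed test token; the signature segment is a placeholder, never checked."""
    enc = lambda o: base64.urlsafe_b64encode(
        json.dumps(o, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return enc(header) + "." + enc(claims) + ".PLACEHOLDER_SIGNATURE"


# Constructed stand-in for the document served at external_oauth_jws_keys_url
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "key-2021-A",
                         "n": "<modulus omitted>", "e": "AQAB"}]}


def diagnose_external_oauth(token, jwks_document, configured_issuer, configured_audiences):
    """Compare a token with the security integration; False entries point at the failure."""
    header_b64, payload_b64, _ = token.split(".")
    header, claims = _b64url_json(header_b64), _b64url_json(payload_b64)
    kids = {k.get("kid") for k in jwks_document.get("keys", [])}
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return {
        "kid": header.get("kid"),
        "alg": header.get("alg"),
        # kid absent from the keys document: the signature cannot be checked (wrong keys URL?)
        "kid_in_jwks": header.get("kid") in kids,
        # iss must match external_oauth_issuer character for character
        "issuer_matches": claims.get("iss") == configured_issuer,
        "audience_matches": any(a in configured_audiences for a in auds),
        "token_version": claims.get("ver"),  # Azure AD sets "1.0" or "2.0"
        "mapping_claims_present": {c: c in claims for c in ("upn", "email", "preferred_username")},
    }
```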
I have a problem generating the token, using the command you gave in the tutorial:
curl -X POST -H "Content-Type: application/json" \
-H "Authorization: Bearer access-token" \
-d '{"foo": "bar"}' \
"https://.cloudfunctions.net/get"
When I open my link /get it returns "No authorization token found." Is it necessary to provide a token?
https://github.com/tnguyen14/functions-datastore/
Is your access token, access-token?
A proper JWT looks something like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.XbPfbIHMI6arZ3Y922BhjWgQzWXcXNrz0ogtVhfEd2o
Your HTTP request using curl looks OK. But I doubt that access-token is a valid token. Normally there's some form of /login route you need to obtain the token, which later on should be provided in the Authorization: Bearer $TOKEN header.
You can get help from https://jwt.io/ where you can specify your payload and pass the secret under VERIFY SIGNATURE to get a valid JWT. Then you can use this in your curl requests.
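An added example, not part of the answer or of the linked repository, that produces the same kind of HS256 token jwt.io does (same header and payload encoding as the sample token above, signed with a secret you hold) and shows the matching verification: constant-time signature comparison, refusal of any alg other than HS256, and an exp check. The secret and payload in the test are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_jwt(payload, secret):
    """base64url(header).base64url(payload).base64url(HMAC-SHA256), as jwt.io builds it."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(payload))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256_jwt(token, secret, now=None):
    """Return the payload if signature (and exp, when present) check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None  # "access-token" and other non-JWT strings end here
    if header.get("alg") != "HS256":  # the token never gets to choose the algorithm
        return None
    expected = hmac.new(secret.encode(), (header_b64 + "." + payload_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    payload = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        return None
    return payload
```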