I have an Azure Function that I have secured using Azure Active Directory (using express settings)
I generated an secret key and was able to get the other bits required (client id, tenant etc).I followed this guide to test the Client Credentials
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds .
I was able to get an access token but when I try to access the function using the Bearer Token I get error code 403 with 'You do not have permission to view this directory or page.'
How can I fix this? I want to secure my Azure function using a secret key.
Edit ----------
I want to access my Azure function http endpoint.
The requests I have used:
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token/
With body:
client_id:{Application Id in Azure AD}
scope:https://{functionname}.azurewebsites.net/.default // This might be the source of the problem
client_secret:{Key Generated}
grant_type:client_credentials
This returns an access token eyJ0eXAiOiJKV1QiLCJhbGciOiJS.....
Then
Get http endpoint of my AzureFunction
https://{functionName}.azurewebsites.net/api/endpoint?Params
The Header contains Authorization Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJS.....
Related
I'm trying to query application insights via their REST API. I'm stuck on getting a token.
I have created an API key using the API Access blade in Azure Application Insights:
That gives you an Application ID and an API Key.
I have populated postman with the following:
url: https://login.microsoftonline.com/<Our Tenant ID>/oauth2/token
tenant: <Our Tenant ID>
client_id: <The Application ID from the API Access screen>
scope: https://api.applicationinsights.io/.default
client_secret: <The API Key from the API Access screen>
grant_type: client_credentials
All of this is taken from their documentation page here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token
The error is as follows:
"error": "unauthorized_client",
"error_description": "AADSTS700016: Application with identifier '<application ID from API Access screen>' was not found in the directory '<My Company Name>'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: 57f78a92-fe94-40e3-a183-e3002be32801\r\nCorrelation ID: 0ab8e3ec-655d-44aa-93fa-4d3941862d11\r\nTimestamp: 2022-11-30 15:04:20Z",
I checked with the Azure Admin for our company and I'm definitely sending this to the right tenant. Also he created another key for me so it's not that either.
Thanks.
I tried to reproduce the same in my environment and got below results:
I created an API key from API Access blade in Azure Application Insights like below:
When I tried to acquire the token via Postman with below parameters, I got same error as below:
POST https://login.microsoftonline.com/<TenantID>/oauth2/token
client_id: <Application ID from API Access screen>
grant_type:client_credentials
client_secret: <API Key from API Access screen>
scope: https://api.applicationinsights.io/.default
Response:
There is no need to generate token separately if you want to query Application insights using API key.
Without including token, you can directly query Application insights by including x-api-key header like below:
GET https://api.applicationinsights.io/v1/apps/{Application ID from API Access screen}/metadata
x-api-key: <API Key from API Access screen>
Response:
The process you are currently following works only if you want to authenticate your API via Azure AD. In that case, you can generate the access token by granting required roles and scopes to registered Azure AD application.
But if your requirement is using API key, you can run any query by simply including x-api-key header for Authorization purpose.
I am trying to upload document to OneDrive through my application. When i am trying to login Onedrive i am getting below error message.
(1002144-A1) Onedrive upload failed with exception:
Code: Request_ResourceNotFound
Message: Resource 'demo#domain.com' does not exist or one of its queried reference-property objects are not present.
My application is a multitenant application. Can anyone have an idea about this issue.
• You are getting this error because the required scopes and the permissions for the Azure AD app registration are not correct as well as there might be query formatting errors in your ‘Onedrive’ request from your application. For that purpose, kindly ensure the below settings are configured aptly in your application: -
a) Client ID and Key (client secret) as registered with Azure Active Directory (AAD)
b) Authorization code received from OAuth 2 authorization code flow
c) OneDrive for Business API endpoint URL
d) Access token for the OneDrive for Business resource
e) Refresh token to generate additional access tokens when the current token expires.
Thus, follow the steps as shown in the manner as above. Kindly get an authorization code as below: -
GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={client_id}&scope={scope}&response_type=code&redirect_uri={redirect_uri}
Then ensure to redeem the code for access tokens as below upon successful authentication and authorization wherein the response will be as below: -
Response: -
https://myapp.com/auth-redirect?code=df6aa589-1080-b241-b410-c4dff65dbf7c
Redeem the code for access tokens as below: -
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id={client_id}&redirect_uri={redirect_uri}&client_secret={client_secret}
&code={code}&grant_type=authorization_code
Then, further get a new access token or refresh token as below wherein the response should be as follows: -
Refresh token redemption: -
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id={client_id}&redirect_uri={redirect_uri}&client_secret={client_secret}
&refresh_token={refresh_token}&grant_type=refresh_token
Response: -
{
"token_type":"bearer",
"expires_in": 3600,
"scope": "wl.basic onedrive.readwrite wl.offline_access",
"access_token":"EwCo...AA==",
"refresh_token":"eyJh...9323"
}
As you can see above, upon successful authentication via Microsoft Graph as the orchestrator, you get the refresh token, access token and the valid scopes for it too. Also, please find the below snapshot which shows the scopes required for this: -
Also, do ensure that the application as an entity exists in the Azure AD app registration for the authentication to Onedrive API to happen as below: -
For more detailed information, kindly refer the below links: -
https://learn.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/graph-oauth?view=odsp-graph-online
https://github.com/microsoftgraph/microsoft-graph-docs/issues/3539
I am trying to retrieve the web job history of an Azure web job via REST using a .NET backend and the OAuth2 credentials flow (as described here
https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/get-triggered-web-job-history-slot)
How do I need to authenticate correctly?
I retrieve the token as follows:
POST https://login.microsoftonline.com/{MySubscription}/oauth2/v2.0/token
client_id={MyApp}
&grant_type=client_credentials
&scope=https://management.azure.com/.default
&client_secret={myclient_secret}
I get a token back, however I get a 403 error message when I try to retrieve the resource:
GET https://management.azure.com/subscriptions/{MySubscription}/resourceGroups/{MyResource}/providers/Microsoft.Web/sites/{MyApp}/slots/{MySlot}/triggeredwebjobs/{MyWebjob}/history?api-version=2021-02-01
Authorization: Bearer {MyToken}
Client '{MyApp}' with object ID '{MyApp}' is not
authorized to perform the action
'Microsoft.Web/sites/slots/triggeredwebjobs/history/read' using the
scope
'/subscriptions/{MySubscription}/resourceGroups/{MyResource}/providers/Microsoft.Web/sites/{MyApp}/slots/{MySlot}/triggeredwebjobs/{MyWebjob}'
or the scope is invalid. If access was granted recently, please update
your credentials.
What am I doing wrong?
I already added the API-Permission
The "403 Token invalid" error usually occurs if you missed giving permissions to particular scope (Azure Service Management).
By giving this scope it enables you to access https://management.azure.com
To resolve this error, please follow below steps:
Go to Azure Ad ->your application -> API permissions -> Add permission -> Azure Service Management -> delegated permissions ->User impersonation -> Add
After giving these permissions try to retrieve the resource again, there won't be any error.
Since I didn't find a solution that worked with OAuth2 and the Credentials flow, I got it working with Basic Authentication. The username (userName) and password (userPWD) can be taken from the publishing profile of the respective app service.
GET https://{appservicename}.scm.azurewebsites.net/api/triggeredwebjobs/{jobName}/history
Authorization Basic ....
I have a simple function app with HTTP trigger:
Function app code snippet
I have authorized my function app with AAD. I am able to get the access token successfully from v2 token url https://login.microsoftonline.com/<TENENT_ID>/oauth2/v2.0/token
In scope I am passing the Application ID URI from app registration.
Access token
But when I am trying to pass the access token in header while invoking function app url, I am getting 401.
401 postman
Not sure what I am missing. Please help
I think my previous post would be helpful. Let me know if you have any more questions.
If this solution does not work for you,and scope param is necessary for you, I have checked your post, seems everything is right. I assume it is due to Auth config ,could you pls have a check?Go to Azure function => Auth => identity provider => find your app => Edit.
I'll share my config and steps to call function below:
My config:
The way I get the access token :
Not bring token:
Use this token to call Azure function :
I have some troubles trying to call an Azure Function (code) with Postman.
I have already set up the Authentication / Authorization and settings.
It's working with my browser (with login page).
But when I try to use Postman, I'm getting 401 :
"You do not have permission to view this directory or page."
I also tried to use the Postman built-in (see configuration) Oauth2 to login. I can successfully get the tokens (access and refresh). But it seems that my API request to functions are not working...
Here is the final API Call: postman screenshot
The aad tenant_id starts with 8d6, the application client_id starts with 226, and the app secret ends with Av2.
Is there anything wrong ... ? It looks like actually, Azure Functions handle only Cookies for the authentication, that's why it's working with the browser and not Postman. How can I make it works with the header Authorization / Bearer ?
Thanks for your help !
The way you got the access token is not correct. Just like #Marc said, in your Postman you are not specifying a resource or scope. The postman get new access token tool only has the scope parameter, so you should use the v2.0 endpoint to get the access token.
Auth URL:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
Access Token URL:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Scope:
{clientId}/.default