Problem: I'm trying to use Postman to get a valid Azure AD access token that I can then use to pass on a request to an Azure Function protected by Azure Active Directory (Easy Auth).
I've read / viewed numerous explanations on how to do this. CGillum's entire blog for example. Some of the best ones (that don't quite work for me) are:
https://blogs.msdn.microsoft.com/devkeydet/2016/03/22/using-postman-with-azure-ad/
https://youtu.be/ujzrq8Fg9Gc
Even a similar question that I posted: Authentication for Azure Functions
I've verified that my ClientID, secret, and callback are all correct. I've ensured I have (what I think are) the correct permissions to the app I registered in my directory. I've got back valid Bearer tokens in both of the first two examples above. No matter what though, when I pass this token back in the Authorization header I get a message that states "You do not have permission to view this directory or page."
My hope at this point is that someone reading this will point out the obvious thing that I missed.
Thanks in advance
We could use the following way to get the easy auth token easily.
1. Visit the following URL from a browser and input your credentials.
https://{yourfunctionAppName}.azurewebsites.net/.auth/login/aad
2. After that we could get the easy auth token after decoding the URL.
3. Test it with Postman.
I'm trying to execute a REST API call in SharePoint Online. For this, I wanted to see if I can register an app in Azure AD. I believe I was able to do so and I'm able to get back a token. However, upon executing the GET request Postman always throws {"error_description":"Invalid issuer or signature."} in the body of the response.
Here're the screenshots detailing everything:
Don't mind the Postman variable {{TenantID}}. That's not the issue, I also tried with the written-out tenant ID - doesn't make a difference.
So what I was unsure about at first was the 'Scope' parameter in the "GET NEW ACCESS TOKEN" in Postman. I tried various scopes, for example
'Sites.FullControl.All' or 'https://microsoft.sharepoint-df.com/.default'. But that didn't change the outcome. Still, is the scope I set correct for SharePoint REST API? I know that for the Microsoft Graph 'https://graph.microsoft.com/.default' works.
I also tried different app permissions, not just
'Sites.FullControl.All'
Do you have any idea what the cause of the error might be?
Thanks.
The sharepoint permission Sites.FullControl.All is of type Application.
For this type of permission you MUST use the client_credential flow.
The Client Credentials grant is used when applications request an access token to access their own resources, not on behalf of a user.
Try to call the auth url with:
grant_type=client_credentials
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx
Otherwise, if you want to access SharePoint on behalf of the user, change the permission type to delegated.
I'm making a small React app and want to use Azure to log in. Everyone has an Office 365 account tied to their tenant. I've registered an app in Azure, allowed implicit flow etc., and I can log in via the React front-end. I get the token and can access basic user details via the user.read scope. All good.
I'm using the Msal library to do all of this, and I read somewhere that if I was getting a JWT from Microsoft Graph it would have a nonce in the header and wouldn't be usable for this type of purpose (because Graph could handle validating with each request). I double checked everything and it's calling Msal.UserAgentApplication with my clientId and the login url for our Tenant.
Now, the backend is on AWS, so what I'd like to do is have each request from the user call the API on AWS and include the token in the header.
I've tried validating the token using azure-ad-jwt and even replacing the code with someone's suggestions in this post, but I can't get anything but an Invalid Signature.
From what I can see the code in those links basically decodes the JWT, tracks down the public keys from Microsoft, finds the matching one based on the kid, does some tidying up of the cert, and tries to verify it. But it constantly returns:
{
"name":"JsonWebTokenError",
"message":"invalid signature"
}
The backend is written in Nodejs, I can't think of any more reasons why it won't work. Anyone get this working or have any ideas?
For what it's worth, I've also pasted the token into jwt.io and it decodes fine, but also says Invalid Signature, though up to this point I've assumed that is because I haven't put in the public key or cert.
I would like to upload a given file to Sharepoint. I'm using the Microsoft Graph API.
The documentation follows this workflow:
1. If no token, redirect the user to the Microsoft signin page.
2. The user is then redirected to the application, with an access token
3. Use access token to have an authorization bearer
4. Do what you gotta do...
My problem is the sign-in part. I don't want my users to be redirected to the Microsoft signin page. I want my application to connect and get the access token in the background (with cURL or whatever).
How can I do that? Why is the "open in browser" necessary?
I tried to replicate the sign-in process, but all I get back is the HTML response from the signin page.
Thanks in advance.
Your application acts as a single-tenant service or daemon app.
The documentation about this scenario is here: https://developer.microsoft.com/en-us/graph/docs/authorization/app_only
The application must be registered in the AzureAD directory corresponding to the Office365 tenant
A first request is made by passing the application unique identifier and secret key as registered in the directory. This request returns an access token
The access token can now be used in the Authorization header of the following request to the Microsoft Graph API.
This method (of using Client ID and Secret) works well but there are other ways which may be better suited for similar scenarios.
The one major thing which is missing in access token generated this way is a user, meaning the token only contains the identity of the OAuth application (client) which called it but is not associated with any user for the request.
This could have a couple of implications:
Since the token is not associated with a specific user you will not know who performed the operation. In your example, you would not know who uploaded the file (and other similar information may be missing).
Access token without users will not work at all for some methods. For those, you need a delegated token.
Creating a delegated token requires some effort, if you are interested you can find the details in my article:
Getting Access Token for Microsoft Graph Using OAuth REST API
I am relatively new to Azure Active Directory and the Graph API. My goal is to be able to write a python program which invokes the Graph APIs to create users in the Azure Active Directory. Let us assume that I have the credentials of the Global Admin for my Azure Active Directory.
I am following the documentation provided at this link. I am successfully able to create a user by using the Graph Explorer as I am using the Global Admin's credentials to login. However, I am unable to do the same via my python program (or even Postman REST client). I get an error message stating "Insufficient privileges to complete the operation." I am using the following python library to obtain an access token using the client credentials: ADAL python library
It looks like I am not following the correct procedure while obtaining the access token to make my call. I even tried obtaining the access token directly using a REST client. It would be great if someone could review the steps below to highlight any mistakes:
Step 1: Hit the following endpoint
[HTTPS]/login.microsoftonline.com/[my-organization]/oauth2/authorize?client_id=[client-id]&response_type=code&response_mode=query&resource=00000002-0000-0000-c000-000000000000
Step 2: Note down the 'code' query parameter from the above request. Then make the following request.
POST [HTTPS]/login.windows.net/[my-organization]/oauth2/token?api-version=1.0
HEADERS:
Content-type application/x-www-form-urlencoded
BODY:
code=[code received from Step 1]
client_id=[client id of my app in Azure]
client_secret=[client secret of my app in Azure]
grant_type=authorization_code
scope=openid
Please note that the values above were URL encoded appropriately.
I have even tried sending the global admin's credentials (username/password) in Step 2 as a last ditch effort but to no avail.
Any pointers in this regard would be greatly appreciated.
Thanks in advance.
The error you are receiving is a result of the configuration of your application. Specifically, you need to configure your app to have the proper permissions to create users when calling the AAD Graph API.
Take a look here at the permission scopes available through the AAD Graph API.
To create users you will need either Directory.ReadWrite.All or Directory.AccessAsUser.All. You can check that you have done this all correctly by looking at your access token, and confirming that these claims appear in your access token.
If you do not have these claims, go back to your app registration and make sure to add the appropriate permissions to the AAD Graph API.
Note that when you update your application's permissions, you will need to force a consent prompt again to consent to the new permissions you are requesting, otherwise the authentication will continue to succeed with the OLD permissions you have requested. In order to force consent, simply add &prompt=consent to the end of the authorize URL.
Let me know if this helps!
I’m running into some problems getting our code to authenticate to Azure AD. I’ve configured an application and set up our code to request an authorization “code”. That much works, but when I try to exchange the “code” for an “access_token” I get caught in a variety of errors. First I get a “missing resource identified” error. I dug into the Manifest and pulled out a resource-id to pass but then I get a “missing client_secret” error.
But I’m not sure I’m going down the right path here. For one, I’m not sure what resources, if any, I need to access. Since we are just trying to authenticate I don’t think I need to actually request access to any other APIs do I? Maybe I do but I’m not sure which or what I would do with them.
Also, I found this blog post which seemed encouraging:
http://www.andrewconnell.com/blog/azure-ad-oauth2-openid-connect
He makes it look like I should be able to request both the "code" and the OpenID Connect id_token in the initial authorization request. Which at a glance seems to be all I would need to do. But when I try to append the "+id_token" to the "code" resource_type param as he suggests I get a "missing nonce" error. If I include a "nonce" parameter with a random string it goes through without errors and it hits my redirect_uri but I don't get any data back in the response, and certainly not the profile information he indicates I should see in the blog post.
If you want to authenticate you definitely want to use OpenID Connect - OAuth2 is for authorizing your app to act as a client against a different resource, rather than getting a token for sign-in purposes. I recommend taking a look at http://aka.ms/aaddev for overviews and quickstarts. In particular, see this for an explanation of the topology and this for a quickstart on how to do OpenID Connect authentication.
Does adding 'response_mode=form_post' allow your app to receive both code and id_token?
Example sign-in request (GET)
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code+id_token&response_mode=form_post&scope=openid&client_id=insert-client-id&nonce=insert-nonce&redirect_uri=insert-redirect-uri