Azure B2C Custom Policies: Invalid Request, client secret error - azure

I have an Azure B2C custom policy for sign-up, and when I try to get a refresh token I receive this error:
{"error":"invalid_request","error_description":"AADB2C90079: Clients must send a client_secret when redeeming a confidential grant.\r\nCorrelation ID: 776e4226-467b-4648-b7f7-a9c09715fd68\r\nTimestamp: 2017-10-31 21:12:56Z\r\n"}
I'm logging in using this url:
https://login.microsoftonline.com/<MyTenant>.onmicrosoft.com/oauth2/authorize?
p=B2C_1A_signup_signin
&client_id=<MyB2CAppID>
&nonce=defaultNonce
&redirect_uri=http%3A%2F%2Flocalhost%3A4200
&scope=openid+offline_access
&response_type=code
&prompt=login
With the code obtained from the previous url I try to get the access token with this url:
https://login.<MyTenant>.com/exob2ctest.onmicrosoft.com/oauth2/v2.0/token?
p=B2C_1A_signup_signin
&grant_type=authorization_code
&client_id=<MyB2CAppID>
&redirect_uri=urn:ietf:wg:oauth:2.0:oo
&code=<MyCode>
&scope=openid%20offline_access
&client_secret=<MyB2CAppSecret>
After that I'm receiving the error.
I'm using on the client_secret parameter the key generated on the B2C application referenced in client_id.
When I tried this with built-in policies I got the refresh token without problems. Could something be missing in my custom policies?
Thanks in advance!

You need to send your request to the /token endpoint as a POST request, with the policy parameter as a query string parameter and the rest in the x-www-form-urlencoded body.
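To make the answer concrete, here is an added example (not code from the question or the answer) that takes the everything-in-the-query-string URL from the question and rebuilds it as the POST the endpoint expects: only the policy stays in the query string, and every other parameter moves into the form body. The host name, the placeholder values and the localhost redirect_uri are constructed for the example.

```python
# Added example: rebuild a B2C token request as a POST with the policy in the
# query string and the remaining parameters in an x-www-form-urlencoded body.
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
import urllib.request

# Parameters that belong in the form body, never in the URL: proxies, web-server
# access logs and browser histories all record query strings, so a client_secret
# or authorization code placed there ends up in those logs.
BODY_PARAMS = {"grant_type", "client_id", "client_secret", "code",
               "redirect_uri", "scope", "refresh_token"}


def build_token_post(url_with_everything_in_query: str):
    """Split a B2C token URL: keep only the policy (p=) in the query string and
    move every other known parameter into the form body.
    Returns (url, headers, body) ready for a POST."""
    parts = urlsplit(url_with_everything_in_query)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if "p" not in params:
        raise ValueError("B2C custom policy name (p=...) is required in the query string")
    query = {"p": params["p"]}
    body = {k: v for k, v in params.items() if k in BODY_PARAMS}
    if body.get("grant_type") == "authorization_code" and "client_secret" not in body:
        # This is the condition behind the AADB2C90079 error in the question.
        raise ValueError("confidential client: client_secret must be sent in the body")
    url = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urlencode(body)


def decode_form(body: str) -> dict:
    """Decode an x-www-form-urlencoded body back into a dict (used for checks)."""
    return dict(parse_qsl(body, keep_blank_values=True))


def send_token_post(url: str, headers: dict, body: str) -> str:
    """Perform the actual POST. Network call, shown for completeness only."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


# Constructed sample: the host and the placeholder values stand in for the
# poster's real tenant, app id, code and secret.
SAMPLE = ("https://login.example.com/exob2ctest.onmicrosoft.com/oauth2/v2.0/token?"
          "p=B2C_1A_signup_signin&grant_type=authorization_code&client_id=MyB2CAppID"
          "&redirect_uri=http%3A%2F%2Flocalhost%3A4200&code=MyCode"
          "&scope=openid%20offline_access&client_secret=MyB2CAppSecret")

if __name__ == "__main__":
    url, headers, body = build_token_post(SAMPLE)
    print("POST", url)
    print(headers)
    print(body)
```

The redirect_uri in the sample deliberately matches the one used in the authorize request, since the token endpoint compares the two. The `client_secret` check mirrors what the server enforces for a confidential client, so a missing secret fails locally before any request is sent.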

Related

Office365: Refreshing access token results with "AADSTS9002313" invalid_grant execption

For the last couple of weeks we have had a few clients complaining that our app is auto-revoking Office365 OAuth every hour. This is the typical behaviour, as access tokens have a validity of 1 hour, so our app is designed to auto-refresh the access token using the refresh token captured during OAuth.
This seems not to be working for at least a few customers for the last few weeks. The exception below is thrown back by the Office365 token API - https://login.windows.net/common/oauth2/token
{"error":"invalid_grant","error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: 7f80c2c3-41bc-41bd-8304-b56969c83a00\r\nCorrelation ID: 5a08714a-1e7d-4f32-814d-146bc721e8ab\r\nTimestamp: 2020-10-12 05:42:11Z","error_codes":[9002313],"timestamp":"2020-10-12 05:42:11Z","trace_id":"7f80c2c3-41bc-41bd-8304-b56969c83a00","correlation_id":"5a08714a-1e7d-4f32-814d-146bc721e8ab","error_uri":"https://login.windows.net/error?code=9002313"}
Here, the error code '9002313' states there is some issue related to auth parameters especially 'client_id' of our azure app. (reference)
The data below is sent to fetch a new access token:
client_id (related to azure app)
client_secret (related to azure app)
grant_type = 'refresh_token'
refresh_token
Edit 1: Update token endpoint to v2.0
Request URI
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Request Body
client_id=<client-id>
&scope=https://outlook.office365.com/Calendars.ReadWrite https://outlook.office365.com/Contacts.ReadWrite https://outlook.office365.com/Mail.ReadWrite
&refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
&grant_type=refresh_token
&client_secret=<client-secret>
Response Body
{"error":"invalid_grant","error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: 4447c69e-09d6-4a00-8dfe-735106d71200\r\nCorrelation ID: 1820e135-a511-4516-99d9-b6cebb342eb2\r\nTimestamp: 2020-10-13 03:39:37Z","error_codes":[9002313],"timestamp":"2020-10-13 03:39:37Z","trace_id":"4447c69e-09d6-4a00-8dfe-735106d71200","correlation_id":"1820e135-a511-4516-99d9-b6cebb342eb2","error_uri":"https://login.microsoftonline.com/error?code=9002313"}
Your authority is old and you missed the scope in the request body (if you use the v2.0 endpoint). If you want to get a new access token for O365 with the refresh token, use the sample request below.
Request url:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Request body:
client_id=<client-id>
&scope=https://outlook.office365.com/.default
&refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
&grant_type=refresh_token
&client_secret=<client-secret>
For more details, refer to the doc - Refresh the access token.
Update:
I tested it for you; it works on my side. Make sure you also get the refresh token with the v2.0 endpoint, see here.
The permissions for my app:
Test getting a new access token in Postman after getting the refresh token.

How to configure Code value from Azure platform 'AADSTS900144'

Whenever I connect to the Azure platform from my platform and access it for authorization, I get an error like the following:
Authorization failed with the error message, 'AADSTS900144: The request body must contain the following parameter: 'code'. Trace ID: 0c2a6ce5-a127-491f-8ef5-34b4b0f11a00 Correlation ID: 5ae207ac-ff51-43da-92a6-0225372c55b1 Timestamp: 2020-10-06 11:19:33Z'
I similarly faced a scope value exception. I referred to the link AADSTS900144: The request body must contain the following parameter: 'scope' when using legacy Developer Portal.
Now, how do I fetch the code value from the Azure platform?
The code will be provided in the response to the authorization request. Once obtained, you include it in the token request as detailed in Request an access token.
According to your error message, you are missing request parameters when requesting an access token. You need to put the following parameters in the request body:
As for code, it needs to be acquired by an interactively logged-in user; you need to execute the following request in the browser to acquire it:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&state=12345

AADB2C90083: The request is missing required parameter: grant_type

I am trying to configure the ROPC flow in Azure Active Directory B2C using a custom policy mentioned in the below URL.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/ropc-custom
But I am getting the below error while testing the ROPC policy.
{
  "error": "invalid_request",
  "error_description": "AADB2C90083: The request is missing required parameter: grant_type.\r\nCorrelation ID: b4153dfe-4296-4b68-850f-ee30ac4d86b0\r\nTimestamp: 2019-08-02 11:53:23Z\r\n"
}
https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/oauth2/v2.0/token?p=B2C_1A_<POLICY_NAME>&username=xxxxx&password=xxxxx&grant_type=password&scope=openid <NativeClient_App_ID> offline_access&client_id=<NativeClient_App_ID>&response_type=token id_token
In the above URL add your tenant name, ROPC sign-in policy name, username and password, and your native client ID.
Now try to send the request and check.
I got the same error, then I realised it should be a GET request and I was sending a POST. Make sure you are sending the correct request type.

Power BI always returning 403 Forbidden

I'm trying to develop an application that makes use of the Power BI API.
The problem is, even though I have a valid authentication token, every API endpoint I have tried to access so far returns a 403 (Forbidden) HTTP status with no content in the response body.
I think the token I'm getting is valid because when I try to use the same token the next day it gives me a "Token expired" message.
I'm using a corporate Azure Active Directory account where I'm not an administrator, but I have full access to the Power BI workspaces and reports in its web interface.
I'm currently authenticating with Azure AD OAuth2 v1, but I also tried v2 with no success (I'm still using v1 because on v2 I'm not sure my scope and resource parameters are right).
Here are the requests I'm sending:
GET
https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id=<my client id>
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%3A8080/azureLogin/authorize
&response_mode=query
get the authorization code on the redirect at localhost:8080/azureLogin/authorize then
POST https://login.microsoftonline.com/{tenant}/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&client_id=<my client id>
&code=<the code I just got>
&redirect_uri=http%3A%2F%2Flocalhost%3A8080/azureLogin/authorize
&client_secret=<my client secret>
As "tenant" I tried both "common" and my organization id.
But when I try to access https://api.powerbi.com/v1.0/myorg/reports with the Authorization: Bearer <token> header, I get a 403 Forbidden response.
On Azure AD I can see my user has given all permissions to this application I registered.
Am I missing something? How can I solve that?
To make the answer visible to others, I'm summarizing the answer shared in comment:
You missed the resource parameter; you are accessing Power BI, so it should be
resource: https://analysis.windows.net/powerbi/api
The resource is app ID URI of the target web API (secured resource). It may also be an external resource like https://graph.microsoft.com, https://analysis.windows.net/powerbi/api etc. This is required in one of either the authorization or token requests.

How to obtain access token from azure

I am stuck with the authentication to use the REST API for getting subscription billing information from the Resource Usage API.
I would like help with how to obtain a token for non-interactive clients. I chose to use the REST API since the Azure client seems not to support the Resource Usage API.
As Authorization code grant (interactive clients) describes, I have called the request with my subscription id, but the token is not returned properly.
[root#visual src]# curl -XPOST https://login.microsoftonline.com/xxxxx/oauth2/token -d ""
{"error":"invalid_request","error_description":"AADSTS90014: The request body must contain the following parameter: 'grant_type'.\r\nTrace ID: 32981285-a021-45c3-8d2f-62db49d2c2f1\r\nCorrelation ID: d88849dd-20f9-462e-9ce9-66b6fde0170e\r\nTimestamp: 2017-03-04 04:06:44Z","error_codes":[90014],"timestamp":"2017-03-04 04:06:44Z","trace_id":"32981285-a021-45c3-8d2f-62db49d2c2f1","correlation_id":"d88849dd-20f9-462e-9ce9-66b6fde0170e"}[root#visual src]#
How can I obtain the token?
A token will not be returned if you don't supply some credentials :)
If you want to do a non-interactive request with client credentials for example, your request must contain (in URL-encoded form format):
grant_type=client_credentials
client_id=your-app-client-id
client_secret=your-app-client-secret
resource=resource-uri-for-api-you-want-the-token-for
The resource URI could be for example https://graph.windows.net/ for the Azure AD Graph API.
You can also get tokens with the password grant if you wish to use a username and password. In that case, you must send:
client_id, client_secret and resource as above
grant_type=password
username=your-username
password=your-password
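The answer above (client_credentials and password grants against the v1 endpoint with a `resource`), the Power BI thread (a v1 token without `resource` is useless at the API) and the Office365 refresh-token thread (the v2.0 endpoint wants `scope` instead) all describe the same thing from different angles: which parameters a token request must carry for a given grant and endpoint version. The following added example (not code from any of the answers) builds such a request and rejects, locally, the shapes that those threads show the server rejecting. The grant-to-parameter table assumes a confidential client that always sends `client_secret`; the tenant and placeholder values are constructed.

```python
# Added example: build a token request for the v1 or v2.0 endpoint and check
# it has the parameters the chosen grant and endpoint version require, so the
# errors seen in these threads are caught before the request is sent.
from urllib.parse import urlencode

V1_TOKEN = "https://login.microsoftonline.com/{tenant}/oauth2/token"
V2_TOKEN = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Parameters each grant needs in addition to client_id and grant_type.
# Assumption: a confidential client, so client_secret is always required.
REQUIRED = {
    "client_credentials": {"client_secret"},
    "password": {"client_secret", "username", "password"},
    "authorization_code": {"client_secret", "code", "redirect_uri"},
    "refresh_token": {"client_secret", "refresh_token"},
}


def build_token_request(tenant: str, grant_type: str, version: str = "v2", **params):
    """Return (url, body_dict) for a token request.

    Raises ValueError for a request the endpoint would reject: an unknown
    grant, a missing parameter (the server reports the first one, e.g.
    AADSTS90014 for 'grant_type'), or the wrong audience parameter for the
    endpoint version: v1 takes `resource`, v2.0 takes `scope`."""
    if grant_type not in REQUIRED:
        raise ValueError(f"unsupported grant_type: {grant_type!r}")
    missing = (REQUIRED[grant_type] | {"client_id"}) - set(params)
    if missing:
        raise ValueError("request body must contain: " + ", ".join(sorted(missing)))
    if version == "v1":
        if "resource" not in params:
            # A v1 token issued without resource carries no audience for the
            # API, which is how the Power BI thread ends up with 403s.
            raise ValueError("v1 endpoint requires 'resource' (app ID URI of the target API)")
        url = V1_TOKEN.format(tenant=tenant)
    elif version == "v2":
        if "scope" not in params:
            raise ValueError("v2.0 endpoint requires 'scope' (e.g. https://outlook.office365.com/.default)")
        if "resource" in params:
            raise ValueError("'resource' is a v1 parameter; v2.0 uses 'scope'")
        url = V2_TOKEN.format(tenant=tenant)
    else:
        raise ValueError("version must be 'v1' or 'v2'")
    body = {"grant_type": grant_type, **params}
    return url, body


def encode_body(body: dict) -> str:
    """x-www-form-urlencoded body for the POST."""
    return urlencode(body)


if __name__ == "__main__":
    # Constructed sample values; the real ones come from your app registration.
    url, body = build_token_request(
        "mytenant.onmicrosoft.com", "client_credentials", version="v1",
        client_id="your-app-client-id", client_secret="your-app-client-secret",
        resource="https://analysis.windows.net/powerbi/api")
    print("POST", url)
    print(encode_body(body))
```

Keep the secret in the body rather than the URL: the body is what the endpoint reads, and query strings are what intermediaries log. The `version` check is the useful part in practice: a request that mixes `resource` with the v2.0 endpoint, or omits `scope` there, fails with a clear local message instead of the opaque AADSTS9002313 seen in the Office365 thread.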
