Azure AD returns unusable access_token - azure

I'm trying to get the access token from Azure AD, which I'm using as an OAuth identity provider.
I successfully received an authorization code from the https://login.microsoftonline.com/common/oauth2/authorize endpoint, and am now trying to get an access_token. The request has the following parameters:
https://login.microsoftonline.com/common/oauth2/token, Method=POST
grant_type=authorization_code
&client_id=<GUID>
&code=<CODE RECEIVED ON THE PREVIOUS STEP>
&redirect_uri=<...>
&client_secret=<SECRET>
I'm receiving the following response:
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1506527801",
"access_token": "AQABAA...Sc0YMuMr73WQyjzuyAA",
"refresh_token": "AQABAAAAAAABlDrqfEFlSaui6...xin-iAA",
"id_token": "eyJ0eXAiOiJKV1...HjgO0A"
}
When I try to use the access_token, the result is always a 401 (Unauthorized) error. The id_token looks like a normal JWT token and can be decoded, but the access_token and refresh_token are not; it looks like they are Base64-encoded values of JWT tokens.
What can cause the 401 error? All requests are performed from the same domain. The application is registered with Azure using app.dev.microsoft.portal.

The issue was caused by the lack of the "resource" property, which I had to set to the App ID of the application I wanted to access:
https://login.microsoftonline.com/common/oauth2/token, Method=POST
grant_type=authorization_code
&client_id=<GUID>
&code=<CODE RECEIVED ON THE PREVIOUS STEP>
&redirect_uri=<...>
&resource=a1fc97d5-...-fa8763202a29
&client_secret=<SECRET>
After setting the proper permissions in the client app, I got the proper JWT token.

Related

Not getting refresh token and id_token with Azure AD OAuth2.0 ROPC flow using username and password

I am using the ROPC flow with user details and client details to get an access token and refresh token. But I am only getting an access token, and this expires in 1 hour.
My frontend app has a sign-in window where we provide AD user creds; this makes a POST request, and the FE gets a successful auth.
I have 2 questions:
I am getting a CORS issue (an access-control-allow-origin header error) while making the user sign-in request from http://localhost:3000.
I would like to get a refresh token for continuous app login, or should I set the lifetime of the access token to a day?
REQUEST:
// Line breaks and spaces are for legibility only. This is a public client, so no secret is required.
POST {tenant}/oauth2/v2.0/token
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=user.read%20openid%20profile%20offline_access
&username=MyUsername@myTenant.com
&password=SuperS3cret
&grant_type=password
RESPONSE:
{
"token_type": "Bearer",
"scope": "api://94849942785375897059789375379/FIles.Read",
"expires_in": 3598,
"ext_expires_in": 3598,
"access_token": 8YU4bMhafsfhaeoahehviyy8786w89ufo2ofj29h8gMWnB633NLWn7JQ"
}
You need to add offline_access and openid to the scope parameter when requesting the token; try adding them, and you will get the id token and refresh token.
Update:
Your application will need a back-end that will fetch the data and return it to the front-end. So try to call the token endpoint from the back-end.

Microsoft Graph API Token Generation From Nodejs Code

I want to access the Microsoft Graph API, and for that I am trying to generate a token from Node.js code. I am getting a token from Node.js, but when I decode this token on jwt.io I do not see a scope parameter. Also, when I use this token to access the Microsoft Graph API it gives the error
Authorization_RequestDenied
Code Generation screenshot
The doc https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow clearly says that if
grant_type is "client_credentials" the response would be as follows; it won't have a scope variable:
{
"token_type": "Bearer",
"expires_in": 3599,
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBP..."
}
This is what you are getting, so it's working perfectly.
You are looking for the scope variable, so you have to use
grant_type=authorization_code; the response is
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
"token_type": "Bearer",
"expires_in": 3599,
"scope": "https%3A%2F%2Fgraph.microsoft.com%2Fuser.read",
"refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4...",
"id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctOD...",
}
Here you will get the scope variable, reference is https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
So the way you are calling is important: whether client credentials or authorization_code.
EDIT
You have to call the authorise API as follows:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read
&state=12345
Modify your request with the url and params and you will get the response as follows:
GET https://login.microsoftonline.com/common/oauth2/nativeclient?
code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrq...
&state=12345
Here is the code you are looking for. So after this you have to make the above call for the token.
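The authorize request and callback described in this answer, as an added example (not code from the answer or from Microsoft): it builds the v2.0 /authorize URL with the same parameters, checks the state on the redirect back before trusting the code, and prepares the form for the token call that follows. The state handling is my assumption of good practice; the client id, redirect URI and code values are the placeholders from the thread.

```python
"""Authorization-code flow helpers for the Azure AD v2.0 endpoint (added example)."""
import secrets
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"


def new_state() -> str:
    """Unguessable per-request value; store it in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        scopes: List[str], state: str) -> str:
    """Build the v2.0 /authorize URL. Include offline_access in the scopes to
    get a refresh token and openid to get an id_token in the token response."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to the app.

    Raises ValueError when the state does not match the one stored for this
    session (the callback was not started by this user: treat it as a CSRF or
    code-injection attempt), when AAD returned an error, or when no code is present.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "error" in query:
        description = query.get("error_description", [""])[0]
        raise ValueError(f"{query['error'][0]}: {description}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_form(client_id: str, code: str, redirect_uri: str,
                     client_secret: Optional[str] = None) -> Dict[str, str]:
    """Form body for POST /oauth2/v2.0/token. redirect_uri must be exactly the
    value used in the authorize request. Public clients send no secret."""
    form = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
    }
    if client_secret:
        form["client_secret"] = client_secret
    return form


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("common", "6731de76-14a6-49ae-97bc-6eba6914391e",
                              "http://localhost/myapp/",
                              ["openid", "offline_access", "https://graph.microsoft.com/user.read"],
                              state))
```

The state check is the part people skip: without it, an attacker can deliver their own authorization code to your redirect URI and have your app exchange it, binding the victim's session to the attacker's account.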

Azure access token generation from Postman

I wanted to generate an Azure token from Postman for API authorization in my project. I am able to generate a token using the below API request, but I get the error message "Authorization denied for this request" while using the generated token in another API request.
Endpoint#
https://login.microsoftonline.com/:tenant_id/oauth2/token
Params#
tenant_id:As per id generation by azure.
Body# (Form-data)
grant_type:client_credentials
client_id:As per id generation by azure.
client_secret:As per id generation by azure.
resource:Required URL
Response#
"token_type": "Bearer",
"expires_in": "foo",
"ext_expires_in": "foo",
"expires_on": "foo",
"not_before": "foo",
"resource": "foo",
"access_token":foo
Since the above returned token is not accepted, I passed the username and password as well in the body of the request, but ended up with the same results. Also, Azure did not check my credentials even when they are wrong.
Could you please advise what else I need to send in the request to get a valid token?
The Valid format for client_credentials authentication flow is like below:
Azure Portal Credentials For App Id and Tenant Id:
Application Secret from Portal:
Token Endpoint Or URL:
https://login.microsoftonline.com/YourTenantName.onmicrosoft.com/oauth2/token
Request Param:
grant_type:client_credentials
client_id:b603c7be_Your_App_ID_e6921e61f925
client_secret:Vxf1Sl_Your_App_Secret_2XDSeZ8wL/Yp8ns4sc=
resource:https://graph.microsoft.com
PostMan Sample:
Token On Response:
Expose Your Own API:
When you want to authorize your own API you have to add it here, so that your token will contain this permission and this API can be accessed. Refer to these docs.
For more clarity you could refer official docs
You should try adding "X-ZUMO-AUTH" header to your request when using the generated token.
GET https://<appname>.azurewebsites.net/api/products/1
X-ZUMO-AUTH: <authenticationToken_value>
https://learn.microsoft.com/en-us/azure/app-service/app-service-authentication-how-to

Azure AD OAuth2.0: I dont get a refresh token

When a client application (such as a webpage using our API) connects to an Azure AD OAuth2.0-protected web API, to get the access token the client application makes a POST to
https://login.microsoftonline.com/{tenant}/oauth2/token
But the client application does not get a refresh token. Is that not needed in the "client application" scenario?
This is what they get
"token_type": "Bearer",
"expires_in": "3600",
"ext_expires_in": "0",
"expires_on": "1531906803",
"not_before": "1531902903",
"resource": "https://our-api.azurewebsites.net",
"access_token": "YtNGEzZi1hZGYyLTExNjU4N......rdFqQ"
The token works fine and it SEEMS that it never expires.
If you got the token with client credentials (client id + client secret or certificate), then you don't get a refresh token.
In this scenario, you can always get a new access token with the application's credentials alone, so you do not need refresh tokens.
In the case of flows which have user context, you get a refresh token since you cannot repeat the user login at will, and must use the refresh token to get a fresh token.
You need to add a special scope, offline_access, when you request the authorization_code to receive a refresh_token as the result. Check it out, maybe it is your case :)
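What the accepted answer implies in code, as an added example that is not from the original poster or either answer: an app-only (client credentials) token has no refresh_token, so the client caches the access_token and simply requests a new one with its own credentials shortly before expires_on. The token endpoint call is injected as a callable so the example runs offline; make_fake_token_endpoint is a constructed stand-in that returns the shape of the v1 response shown above (string-valued expires_in/expires_on), and the 300-second refresh skew is my assumption.

```python
"""Caching app-only tokens that come without a refresh_token (added example)."""
import time
from typing import Callable, Dict, Optional


class ClientCredentialTokenSource:
    """Hands out a usable bearer token, re-requesting one from the token endpoint
    with the app's own credentials when the cached one is close to expiry.

    No refresh_token is involved: the client secret or certificate is the
    long-lived credential here, so it must be protected like one.
    """

    def __init__(self, fetch: Callable[[], Dict[str, str]],
                 clock: Callable[[], float] = time.time,
                 skew_seconds: int = 300) -> None:
        self._fetch = fetch          # performs POST /oauth2/token, grant_type=client_credentials
        self._clock = clock
        self._skew = skew_seconds    # renew this long before expires_on (assumed value)
        self._token: Optional[str] = None
        self._expires_on: float = 0.0
        self.fetch_count = 0         # exposed so callers can see when a renewal happened

    def _still_valid(self) -> bool:
        return self._token is not None and self._clock() < self._expires_on - self._skew

    def get_token(self) -> str:
        if not self._still_valid():
            resp = self._fetch()
            self.fetch_count += 1
            self._token = resp["access_token"]
            # v1 returns expires_on as a string Unix timestamp; v2 only gives expires_in.
            if "expires_on" in resp:
                self._expires_on = float(resp["expires_on"])
            else:
                self._expires_on = self._clock() + float(resp["expires_in"])
        return self._token

    def authorization_header(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.get_token()}"}


def make_fake_token_endpoint(clock: Callable[[], float]) -> Callable[[], Dict[str, str]]:
    """Constructed stand-in for the token endpoint: mimics the response shape in
    the question (no refresh_token, string timestamps) and mints a new token per call."""
    counter = {"n": 0}

    def fetch() -> Dict[str, str]:
        counter["n"] += 1
        now = int(clock())
        return {
            "token_type": "Bearer",
            "expires_in": "3600",
            "ext_expires_in": "0",
            "expires_on": str(now + 3600),
            "not_before": str(now),
            "resource": "https://our-api.azurewebsites.net",
            "access_token": f"app-token-{counter['n']}",
        }

    return fetch


if __name__ == "__main__":
    fake_clock = {"t": 1531902903.0}
    source = ClientCredentialTokenSource(make_fake_token_endpoint(lambda: fake_clock["t"]),
                                         clock=lambda: fake_clock["t"])
    print(source.authorization_header())
    fake_clock["t"] += 3400          # inside the skew window: a fresh token is fetched
    print(source.authorization_header(), source.fetch_count)
```

The token only "seems" never to expire because every request in the original test happened inside the one-hour window; a resource server that validates exp will start returning 401 after expires_on, which is exactly when this cache renews.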

How to get Azure easy auth JWT access_token

I have an Azure App Service on which I have enabled Authentication/Authorization and configured AD as the authentication provider.
All /.auth routes exist on the service, and I can log in. After successful login I can call /.auth/me to get the access_token. The response looks like:
[
{
"access_token": "AQABAAAAAA...Gni4EiQgAA",
"expires_on": "2017-02-28T19:17:08.0000000Z",
"id_token": JWT TOKEN
...
}
]
I then use the access_token in an authorization bearer header to request data from the service.
"Authorization": "Bearer " + "AQABAAAAAA...Gni4EiQgAA"
My service returns the following error
IDX10708: 'System.IdentityModel.Tokens.JwtSecurityTokenHandler' cannot read this string: 'AQABAAAAAA...Gni4EiQgAA'.
The string needs to be in compact JSON format, which is of the form: '<Base64UrlEncodedHeader>.<Base64UrlEndcodedPayload>.<OPTIONAL, Base64UrlEncodedSignature>'.
According to this discussion the access_token is intended to be used as a Bearer token. I have also read here that the access_token is supposed to be base64 encoded but this does not appear to be the case.
Additionally, if I use the id_token as a Bearer token, then authentication works as expected (the id_token is in JWT format).
Edit
When I manually implement the Oauth flow as described here, I receive a proper JWT access_token.
GET
https://login.microsoftonline.com/common/oauth2/authorize?client_id=client_id&response_type=code&redirect_uri=redirect_uri
Followed by
POST
https://login.microsoftonline.com/common/oauth2/token
grant_type=authorization_code
client_id=client_id
code=CODE FROM ABOVE
redirect_uri=redirect_uri
resource=resource
client_secret=client_secret
RESPONSE
{
"access_token": JWT TOKEN,
"token_type": "Bearer",
...
}
How to get Azure easy auth JWT access_token
According to your description, I enabled Authentication/Authorization and configured AD as the authentication provider to test this issue. As far as I know, when you enable Authentication/Authorization in the Azure Portal, the default response_type is id_token. You need to log into https://manage.windowsazure.com and update the App Service Auth Configuration as follows:
Note: If you do not specify the resource for additionalLoginParams, you would retrieve a access_token that is not in JSON Web Token (JWT) format.
I then use the access_token in an authorization bearer header to request data from the service.
For accessing your service, you could leverage the AppServiceAuthSession cookie, or you could use Authorization: Bearer "{your-id-token}".
For more details, you could refer to this similar tutorial.
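Three threads on this page end in the same diagnosis: the first question (no resource in the v1 token request), the Node.js client-credentials question (token has no delegated scope) and this Easy Auth question (access_token from /.auth/me is not a JWT). The following is an added example, not code from any of the posts, that a practitioner can point at a token endpoint response before blaming the API. It does not validate a token (no signature or issuer check, that is the resource server's job); it only reports the shape and the unverified claims. The sample tokens are constructed here with a dummy signature, and the claim names scp (delegated permissions) and roles (application permissions) are the ones Azure AD issues.

```python
"""Diagnosing an Azure AD access_token that the API rejects (added example, unverified claims only)."""
import base64
import json
import time
from typing import Any, Dict, List, Optional


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def is_compact_jwt(token: str) -> bool:
    """A JWT is header.payload.signature, each base64url. The opaque 'AQABAA...'
    strings from the v1 endpoint and /.auth/me are not, which is what
    JwtSecurityTokenHandler reports as IDX10708."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        json.loads(_b64url_decode(parts[0]))
        json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return False
    return True


def unverified_claims(token: str) -> Dict[str, Any]:
    """Payload claims without signature verification: for diagnostics, never for authorization."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def diagnose(token: str, expected_audience: str, now: Optional[float] = None) -> List[str]:
    """Return likely reasons the resource server answers 401/403 for this token."""
    problems: List[str] = []
    if not is_compact_jwt(token):
        problems.append("access_token is opaque, not a JWT: the token request did not "
                        "name the target API (v1: resource=, v2: scope=<api>/<permission>)")
        return problems
    claims = unverified_claims(token)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    if aud != expected_audience:
        problems.append(f"audience mismatch: token aud={aud!r}, API expects {expected_audience!r}")
    if "exp" in claims and float(claims["exp"]) <= now:
        problems.append("token is expired")
    if "scp" not in claims and "roles" not in claims:
        problems.append("no scp (delegated) or roles (application) claim: "
                        "no permission for this API was granted and consented")
    return problems


def make_sample_jwt(claims: Dict[str, Any]) -> str:
    """Constructed, unsigned sample for demonstration (dummy signature segment).
    A real resource server must reject tokens like this."""
    def enc(obj: Dict[str, Any]) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    opaque = "AQABAAAAAAABlDrqfEFlSaui6xin"          # shape of the v1 / Easy Auth token above
    print(diagnose(opaque, "https://graph.microsoft.com"))
    app_only = make_sample_jwt({"aud": "api://example-api", "roles": ["Data.Read"], "exp": 2000000000})
    print(diagnose(app_only, "https://graph.microsoft.com", now=1506527801))
```

The audience check is the security-relevant one: a token minted for resource A presented to API B must fail, and that is precisely the 401 the first question ran into after the token endpoint was never told which resource the code should be exchanged for.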
