I am a little confused by Microsoft's scattered documentation.
I have created an application (https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal), which means I now have:
Application ID
Key
Directory ID
I have gone into the KeyVault in Azure Portal, and I have granted permissions to the application.
For test purposes, I am trying to run a test via CURL. The basis I am using for this is the following Microsoft pages (https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service#request-an-access-token and https://learn.microsoft.com/en-us/rest/api/#create-the-request)
So, the first thing I do is get a token through the following call:
curl -d "grant_type=client_credentials&client_id=<removed_for_security>&client_secret=<removed_for_security>" https://login.microsoftonline.com/<removed_for_security>/oauth2/token
This returns a token.
I then (try to) use that token as follows:
curl -H "Authorization: Bearer <removed_for_security>” -vv https://<removed_for_security>.vault.azure.net/secrets/<removed_for_security>/<removed_for_security>
I get no content back, just "HTTP/1.1 401 Unauthorized"
You need to specify the resource you are requesting the token for.
curl -d "grant_type=client_credentials&client_id=<removed_for_security>&client_secret=<removed_for_security>&resource=https://vault.azure.net" https://login.microsoftonline.com/<removed_for_security>/oauth2/token
and also add the api version.
Ok, so I can confirm that the request you are doing is valid, for the most part, you forgot the API-version, but problem is not with the API version (it would tell you that).
https://xxx.vault.azure.net/secrets/xxx/?api-version=2015-06-01
this url works, so I guess the token is not right. The easiest way to check would be to go to JWT.io and paste the token there and see the contents, if they match with what the Key Vault expects. Probably you have a mismatch.
Related
I have carefully followed the documentation outlined here by Microsoft to create a Bug in Dev Ops via the API. The documentation is well written.
Steps followed:
In Dev Ops I created a Personal Access Token, the string value of which I converted to Base64.
In a separate Power Automate flow, I composed a list of the projects in my target DevOps Organization for testing purposes. The JSON for the projects in this Organization is as follows:
Now if I copy and paste this URL (in the picture above) into my browser it resolves correctly.
I created a Postman HTTP POST Request with the following details:
URL: https://dev.azure.com/{my org}/{Demo guid}/_apis/wit/workitems/{{taskType}}?api-version=7.0
Under Authorization I set the Bearer Token and pasted in my encoded PAT
The JSON Body is as follows:
The POSTMAN variable in the URL taskType is set to Bug
The request Headers are as follows:
Once again please note that if I paste the URL (1) in green into a browser it resolves correctly. However, the request returns a 404 Page not found.
I cannot understand why it is not finding the page, as I would expect a not authorized error if the problem was with the token.
Looks like you have {{taskType}} as a literal in your URL string.
Just try to perform a List to find all the valid taskTypes. Also drop the Bearer token and just use Basic Auth to keep it simple. The username should be empty and password should contain your AzDO PAT.
Needed to include the $ symbol. I am now getting authentication issues but this is outside the scope of the original submission.
I took the Microsoft sample which is using client_credentials flow
https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/2-Call-OwnApi
and modified it using my values exactly as the guide says but i still get the following error when i try to access my API
Bearer error="invalid_token", error_description="The signature key was not found"
Any ideas what might be wrong here ?
If you want to do some troubleshooting, you can drop the access token JWT into jsonwebtoken.io 232 and get the kid field from the jwt header. After you get the kid, you can check your authorization server’s keys by going to
https://[my okta org].com/oauth2/default/v1/keys
This will give you the list of public keys by ID. Hope this information helps you troubleshoot. Let me know if you still have problems!
Check a couple things for me:
1: Are you setting the issuer in your widget / auth js?
2. If you are, is the issuer the same as your default authorization server?
3. Double check that the [my okta url] is correct
I solved it by using the console application sample that Microsoft provided together with the Web API sample that microsoft provided as well , together they both work , i should't have tried to write my own code , its very tricky if you miss a tiny piece . One thing i want to add , Microsoft says using api://GUID format as a scope , that seems wrong , or did not work with me ,what worked is full url of the exposed API + /.default example
https://mydomain.onmicrosoft.com/myapiname , that works just fine .
I have a spark cluster on Azure DataBricks and I am trying to access Cluster Information via this Rest API https://docs.azuredatabricks.net/api/latest/clusters.html#get.
However, I am unable to figure out the correct way of using the personal token to authenticate.
Here are the possible combinations that I have tried and their result
Encoding the personal token in base 64 format "Token:[personal token]"
Using the personal token as it is
Using token id available from User Settings Screen
In all the cases, I am getting 401 Error.
Can someone please help in finding the correct way of using the token?
Token that you get is Bearer token so it would be as
Authorization: Bearer <token_here>
And with CURL
curl 'https://<databricks-instance>/api/2.0/clusters/get?cluster_id=<id>' -X GET -H "Authorization: Bearer <personal-access-token-value>"
There is no need for encoding or anything. It's already encoded.
I've seen a couple questions on this asked on StackOverflow, but none have helped me. I can not get past the 'invalid_grant' error when trying to do an Authorize Code Grant on my 1 admin user in Docusign Sandbox environment.
I have 1 user, who is a DS Admin in the dashboard
I created a new App and obtained the Integrator Key/client_id and Secret Key
Using the guide, https://developers.docusign.com/esign-rest-api/guides/authentication/oauth2-code-grant
I have successfully called and granted permission to the user with
https://account-d.docusign.com/oauth/auth?
response_type=code&scope=signature%20impersonation&client_id=INTEGRATOR KEY&redirect_uri=https://www.docusign.com
and obtained the code returned
I have taken the Integrator Key and secret key, in form INTEGRATOR_KEY:SECRET_KEY and base64 encoded it.
I have tried using Postman and just straight up cURL call to obtain the access token. I have done this numerous times, with numerous new Apps created in Docusign Sandbox. They all return invalid_grant error.
cURL call
curl --header "Authorization: Basic BASE64ENCODING(INTEGRATOR_KEY:SECRET_KEY)" --data "grant_type=authorization_code&code=CODE_RETURNED_FROM_PERMISSION_GRANT" --request POST https://account-d.docusign.com/oauth/token
It's possible that DocuSign isn't able to correctly interpret your request because you're missing a Content-Type header.
Try adding Content-Type: application/x-www-form-urlencoded
The Authorization Code you receive back from DocuSign is only good for a couple of minutes. If you try to use it after that time then you'll receive the invalid grant error.
Also, if you are doing the Authorization Code Grant flow then you should not be requesting the impersonation scope. -- It is only for the JWT flow.
I need to access a Web API which is secured via Azure Active Directory. I followed this documentation https://msdn.microsoft.com/sv-se/library/azure/dn645542.aspx
The first steps were successful, but at the end I can't access the required resource.
What I did:
First I call this link
https://login.microsoftonline.com/mytenantname.onmicrosoft.com/oauth2/authorize?response_type=code&client_id=3eec...32e5
and get redirected to the login portal.
After successful login I extract the code from redirected URL, which is something like this
https://localhost:8080/?code=AAABAAAAiL9Kn2Z27........RdzFpearqiAA
Then I use this code to acquire an access token. The first problem is here. According to the documentation (link above) the resource is optional. But it doesn't work if I omit the resource (error=Resource identifier is not provided.), so I have to provide it. Secondly, if I put the APP ID URI of my application registered in Azure AD to the recourse parameter, I got another error ( The client '3eec...32e5' and resource 'myapp.azurewebsites.net' identify the same application.). Therefore I put the graph.windows.net for resource parameter.
curl -s -X POST https://login.microsoftonline.com/akeliusdev.onmicrosoft.com/oauth2/token
-d grant_type=authorization_code -d client_id=3eec...32e5
-d client_secret=F%2BfpjpR............Wi8%3D
-d code=AAABAAAAiL9Kn2Z27........RdzFpearqiAA -d resource=https://graph.windows.net
This way I could get an access token. But then I am not able to access the resource using the access token. I did it this way:
curl https://myapp.azurewebsites.net/data
--header "Authorization:eyJ0eXAiOiJKV1QiLCJhbGciOiJ.............4WYr6xn"
Could someone help me on this issue?
Thanks.
To do this as a service to service call, without user interaction, you can follow Service to Service Calls Using Client Credentials
You need to create an AAD application and credentials. i.e. a Service Principal.
then to get the access token you make a POST call to
https://login.windows.net/<tenant ID>/oauth2/token
with the following data
grant_type=client_credentials&client_id=$username&client_secret=$password&resource=$resource
Where $username is your HTTP://localhost/whatever identifier
$password is your service principal password
$resource is https://management.core.windows.net/ (this might be graph, try it and see)
The access token will be in the JSON response as 'access_token'
You then add a header of Authorization: Bearer $AccessToken and hopefully you should get access!