How to login with username/password using OAuth2 and microsoft login and HTTP request - azure

How to login with username/password (end-user credentials) using OAuth2 and Microsoft login
https://login.microsoftonline.com/{app-id}/oauth2/token

Microsoft does not recommend passing username/password information for end users. That is why they don't post guides for this. For security reasons they want you to use the redirection to their login page. Use https://login.microsoftonline.com/{tenant-id}/oauth2/authorize to get there.
However, it is possible and very easy to do this using their OAuth2 REST API.
Create an http request to
base url: https://login.microsoftonline.com/{tenant-id}/oauth2/token
{tenant-id} //obtained from AzureAD config section
Use the following request parameters in the body section
grant_type = password //read up on the other grant types, they are all useful, client_credentials and authorization_code
client_id = {client-id}//obtained from the application section in AzureAD
client_secret = {client-secret}//obtained from the application section in AzureAD
resource = https://graph.microsoft.com //there is also the api https://graph.windows.net, use the latest and best one
username = {enduser-username} //example rofler@domain.onmicrosoft.com
password = {enduser-password} //example Hs782f8a
A successful response should include the access_token and refresh_token
Tested in year 2016
Recommended links
Postman
Microsoft Graph
Windows Graph

Related

Replicate Postman Oauth 2.0 using Python

I have this Authorization request that works.
How can I replicate it in Python?
I am using an Azure AD to authenticate the access.
Since you are working with Python, your case is: OAuth2 login for SSR web applications with Microsoft
Goal
Get an access_token from interactive login using the oauth2 authorization code grant
Steps
Here I will list all the steps required to do it with any language
Create a web app with sessions, with at least these endpoints:
/ : home page
/callback : server route or path able to receive query params like /callback?code=123456. This along with your base domain will be called redirect_uri. Sample : http://localhost:8080/callback or http://acme.com/callback
Create and configure an app in the Azure Dev Console. The same process applies to Google, Facebook, LinkedIn, etc. As a result you should have a clientId, clientSecret and a redirect URL.
Create a simple web app with a classic session in which, if the user is not logged in, you redirect (302) to this URL:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=foo&response_type=code&redirect_uri=foo&response_mode=query&scope=offline_access%20user.read%20mail.read
clientid and redirect_uri are important here and should be the same as in the previous step.
After that, the browser should redirect the user to the platform login.
If the user enters valid credentials and accepts the consent prompt, Microsoft will perform another redirect (302) to the provided redirect_uri, but with a special value: the auth code
http://acme.com/callback?code=123456798
In the backend of /callback, get the code and send it to this new endpoint
Add client_id & client_secret parameters
Add a code parameter with the code sent by Microsoft
Add a redirect_uri parameter with the one previously used and registered on Azure. Sample: http://acme.com/callback or http://localhost:8080/callback
Add a grant_type parameter with a value of authorization_code
Issue the HTTP POST request with content-type: application/x-www-form-urlencoded
You should get a response with the precious access_token:
{
token_type: 'Bearer',
scope: 'Mail.Read User.Read profile openid email',
expires_in: 5020,
ext_expires_in: 5020,
access_token: 'eyJ0oVlKhZHsvMhRydQ',
refresh_token: 's_Rcrqf6xMaWcPHJxRFwCQFkL_qUYqBLM71UN6'
}
You could do with this token whatever you configured in Azure. Sample: if you want to access the user's calendar, profile, etc. on behalf of the user, you should have registered this in the Azure console. So the clientid is related to that, and the human user will be prompted with something like this
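The authorization code flow described in the steps above, as an added Python example (not code from the original answer): it builds the authorize redirect, validates the callback, builds the code-for-token POST body, and parses the token response. The client id `foo`, secret `bar` and the redirect URI are placeholders, and the token response in `demo()` is constructed after the one shown above. The `state` parameter, which the answer's URL omits, is added here so that the callback can be tied to the session that started the login and a callback from any other origin is rejected.

```python
"""Authorization code flow helpers for the Microsoft identity platform (v2.0).

Added example, not code from the original posts. Client id/secret, redirect
URI and the token response used in demo() are placeholders or constructed.
"""
import json
import secrets
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """URL the unauthenticated user is 302'd to (step 3 of the answer).

    `state` is an unguessable per-session value that the callback must echo
    back; checking it ties the callback to the session that started login.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the auth code from /callback?code=...&state=... and check state."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: callback does not belong to this session")
    return query["code"][0]


def build_token_request(client_id, client_secret, redirect_uri, code):
    """x-www-form-urlencoded body for the POST that swaps the code for tokens."""
    return urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    }).encode()


def parse_token_response(body):
    """Return (access_token, refresh_token, expires_in) or raise on an OAuth error."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    return data["access_token"], data.get("refresh_token"), int(data["expires_in"])


def exchange_code(client_id, client_secret, redirect_uri, code):
    """Live code exchange over the network; not used by the offline demo below."""
    req = urllib.request.Request(
        TOKEN_URL,
        data=build_token_request(client_id, client_secret, redirect_uri, code),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.read().decode())


def demo():
    """Offline walk-through with a constructed callback and token response."""
    redirect_uri = "http://localhost:8080/callback"          # placeholder
    state = secrets.token_urlsafe(16)
    build_authorize_url("foo", redirect_uri, ["offline_access", "user.read", "mail.read"], state)
    # What the browser would hit after a successful login (constructed).
    callback = f"{redirect_uri}?code=123456798&state={state}"
    code = parse_callback(callback, state)
    body = build_token_request("foo", "bar", redirect_uri, code)
    # Constructed token response modelled on the one shown in the answer.
    sample = json.dumps({"token_type": "Bearer", "expires_in": 5020,
                         "access_token": "eyJ0oVlKhZHsvMhRydQ", "refresh_token": "s_Rcrqf6xM"})
    access, refresh, ttl = parse_token_response(sample)
    return code, body.decode(), access, refresh, ttl


if __name__ == "__main__":
    print(demo())
```

The secret stays server-side in `build_token_request`; only the authorize URL ever reaches the browser. `parse_callback` also surfaces the `error` query parameter Microsoft returns when the user declines consent, instead of failing later on a missing `code`.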
Libraries
There are some libraries provided by Microsoft (C#, Node.js) which will save you a little work. Anyway, the previous explanation is very detailed.
Advice
Read about oauth2 spec: https://oauth.net/2/
Read about the OAuth2 authorization code flow before implementing it with Python
https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow
https://github.com/msusdev/microsoft_identity_platform_dev/blob/main/presentations/auth_users_msalnet.md
Check this to understand how to configure the Azure web console: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
Check my gist https://gist.github.com/jrichardsz/5b8ba730978fce7a7c585007d3fd06b4

Unable to access Yammer API using AAD tokens

I followed the procedure here https://techcommunity.microsoft.com/t5/yammer-blog/yammer-api-with-aad-tokens-postman-collection/ba-p/857923 to create an app in Azure Portal and configure it.
Then I called this api to get a token:
https://login.microsoftonline.com/[my tenant id]/oauth2/v2.0/token
I passed in a x-www-form-urlencoded the following parameters:
client_id = [my client id]
scope = https://api.yammer.com/.default
client_secret = [my secret]
grant_type = client_credentials
I get back a token, but it doesn't work with any of the Yammer API calls. For example, when I call
https://api.yammer.com/api/v1/messages/following.json
Passing in the token as bearer token, then I get back http 401 with the message:
No user id found for O365 JWT
What does it mean? What might be missing?

Azure AAD Token request on postman using App Registration

I am trying to use an App Registration to get a Bearer token, but I have no idea how to do that using an App Registration. I have this in Postman:
As far as I know, after you register an application (web, mobile app...) in the identity server (Microsoft in this case), you will get a client_id and client_secret --> this is grant type client_credentials: https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/
If you want to use the password grant type, you also need client_id and client_secret to ask for an access_token: https://www.oauth.com/oauth2-servers/access-tokens/password-grant/
Your parameter is not assigned, and you need to select the Content-Type as x-www-form-urlencoded; the complete request is as follows:

Access Web API(Nodejs) using ROPC Azure B2C flow (Without browser login)

I have a Web API which is Node.js code. In the Web API we protect the API using passport.authenticate('oauth-bearer', {session: false}).
When generating a token using the ROPC app in Postman, the access token is generated, but at the time of authorization
// BearerStrategy comes from passport-azure-ad, the package behind the 'oauth-bearer' strategy name.
const BearerStrategy = require('passport-azure-ad').BearerStrategy;
// `options` is the passport-azure-ad configuration object, defined elsewhere in the app.
var bearerStrategy = new BearerStrategy(options,
    function (token, done) {
        console.log(options);
        console.log(token);
        // Send user info using the second argument
        done(null, {}, token);
    }
);
This will return unauthorized.
I have added the scope and configured the Native and Web API as per the document.
This issue was solved by Sruthi's comment; adding it as the answer to close the question:
For login.microsoftonline.com, it is generally used to perform a login request for Azure AD tenants to obtain tokens. For B2C tenants, you need to use tenant-name.b2clogin.com to perform the request.
Use ROPC flow to get access token:
POST https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/B2C_1_ROPC_Auth/oauth2/v2.0/token
username=<username>
&password=<Passxword>
&grant_type=password
&scope=openid+app_id+offline_access
&client_id=<client_id>
&response_type=token+id_token
(Moving from comments to Answer).
You can get an access token using curl for ROPC:
curl -X POST -d "client_id=Clientid&scope=openid+appid+offline_access&grant_type=password&username=username&password=password&response_type=token" https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/B2C_1_ROPC_Auth/oauth2/v2.0/token
As you are using the old origin URL, login.microsoftonline.com: it should no longer refer to your applications and APIs. Instead, use b2clogin.com for all new applications, and migrate existing applications from login.microsoftonline.com to b2clogin.com. Please refer to the official document.

SharePoint Rest API how to get Access Token?

Just starting to work with SharePoint and Microsoft authentication and trying to get a SharePoint List into a JavaScript App. From Microsoft documentation, I need to use the following:
GET https://{site_url}/_api/web/lists/GetByTitle('List Title')
Authorization: "Bearer " + accessToken
Accept: "application/json;odata=verbose"
I have searched everywhere to find a definitive answer on how to obtain this accessToken. All the documentation I can find from Microsoft seems to be out of date. Does anyone know the current method to obtain an accessToken?
To call SharePoint-specific APIs you need to get an SPO-specific access token. You can "swap" a regular MS Graph refresh token for an SPO-specific token by doing the following:
Get a delegated auth token from graph as you normally would
(https://learn.microsoft.com/en-us/graph/auth-v2-user)
Use the refresh_token you got and exchange it for an SPO access token by calling the auth endpoint again:
POST https://login.microsoftonline.com/{{tenantName}}/oauth2/v2.0/token
With the following form data:
client_id=<APP ID>
client_secret=<APP SECRET>
refresh_token=<REFRESH TOKEN FROM ABOVE>
grant_type=refresh_token
scope=https://<YOUR TENANT NAME>.sharepoint.com/Sites.Read.All
Take the access token and call the SPO API
You must ensure your app is registered with the correct permissions. In the case above the app must have Sites.Read.All for example.
You could refer to this article to get access token:
https://global-sharepoint.com/sharepoint-online/in-4-steps-access-sharepoint-online-data-using-postman-tool/
Post https://accounts.accesscontrol.windows.net/<Tenant ID>/tokens/OAuth/2
Body:
grant_type client_credentials
client_id <Client ID>
client_secret <Client Secret>
resource 00000003-0000-0ff1-ce00-000000000000/<tenant>.sharepoint.com#<Tenant ID>
My test result:
There is not much documentation for the SP API, but it still works. You may follow the documentation to get a token for the Graph API by whatever type of authentication is suitable for your scenario, but instead of passing scopes for the Graph API (which is "https://graph.microsoft.com/.default"), you should pass scopes for the SharePoint API, which is "https://{your tenant name}.sharepoint.com/.default".
".default" will give you access with all permissions that were assigned in Azure AD, so also make sure that the Azure admin has granted you the required API permissions for the SharePoint API.
This will also work for MSAL.
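For the Yammer 401 ("No user id found for O365 JWT") earlier on this page and the Graph-versus-SharePoint scope point just above, the first thing to check is what the issued token actually says. This added Python example (not from either post) decodes the claims of a compact access token and reports the audience, whether it is a delegated token (carries the user, `scp` claim) or an app-only token from client_credentials (carries `roles`, no user identity), and whether it has expired. It does not verify the signature, so it is a troubleshooting aid only and must never be used to accept a token. The claim values and audience strings in `make_unsigned_token` and `demo()` are constructed placeholders, not the real values those APIs issue.

```python
"""Inspect an Azure AD / Entra ID access token's claims to diagnose a 401.

Added example, not from the original posts. No signature verification is
performed here: use this to read a token, never to trust one.
"""
import base64
import json
import time


def _b64url_decode(segment):
    """Base64url-decode a JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the payload claims of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token, expected_audience, now=None):
    """Explain, from the claims alone, why an API may reject this token."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    if aud != expected_audience:
        problems.append(f"aud is {aud!r}, but the API being called expects {expected_audience!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    # Delegated tokens carry the signed-in user and a space-separated 'scp'
    # claim; app-only (client_credentials) tokens carry 'roles' and no user,
    # which is what an API that needs a user context will reject.
    kind = "delegated (user)" if "scp" in claims else "app-only (no user identity)"
    return {
        "kind": kind,
        "aud": aud,
        "scopes": claims.get("scp", ""),
        "roles": claims.get("roles", []),
        "problems": problems,
    }


def make_unsigned_token(claims):
    """Build a constructed JWT with a dummy signature, for offline demos only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysignature"


def demo():
    """Constructed app-only token checked against a placeholder API audience."""
    token = make_unsigned_token({
        "aud": "https://graph.microsoft.com",        # placeholder audience
        "roles": ["Sites.Read.All"],
        "exp": int(time.time()) + 3600,
    })
    return diagnose(token, "https://example-api.invalid")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you paste the real `access_token` string into `diagnose` with the audience of the API you are calling; an `aud` mismatch means the wrong `scope`/`resource` was requested (the Graph-versus-SharePoint case), and an app-only result means the grant used cannot supply a user to an API that requires one.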
