Azure Active Directory B2C: how to refresh a token - azure-ad-b2c

Currently I try to implement user authorization into an iOS app. Therefore we use Active Directory B2C.
Everything works fine, except the refreshing of my expired tokens. I call the request url (fabrikamb2c.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_sign_in) to get an access_token and a refresh_token. The response seems to be valid and the access_token works very well as long as it's not expired.
But if I want to get a new token (like it is described here: OAuth 2.0 authorization code flow; see chapter 4) the request just gets responded with a 400: Bad Request.
I can't find out, what I am doing wrong. Do you guys now a way, how to debug these requests or have some kind of checklist what needs to get configured within the Azure portal?
Thanks!
Edit: this is the request I am using:
POST /xxx.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_local-account-signupin HTTP/1.1
HOST: login.microsoftonline.com
content-type: application/x-www-form-urlencoded
content-length: 1148
client_id=xxx&refresh_token=xxx&grant_type=refresh_token&redirect_uri=urn:ietf:wg:oauth:2.0:oob

Thanks everyone for trying to solve my problem! It came out, that the refresh_token I was using was invalid. So if you are sure, that the request is correct, and you get just a Bad Request response, check the parameters one more time.

I believe you need to specify a value for the scope parameter. The scope parameter is used to inform B2C which resource you are requesting a token for. At this time you'll most likely want to use scope=<client_id> or scope=openid.

Related

Azure AD not working with spring-boot webflux

I am trying to integrate Azure's AD in my spring-boot app. I have pushed the project onto github (https://github.com/praveenk007/azure-ad).
The authorization code is generated and redirected to below redirect URI:
https://localhost:8081/login?code=OAQABAAIAAAAm-06blBE1TpVMil8KPQ41GNiib9Q4VuBeBjtPhyypfg50XD6swPFt4jE4G1sEaG0zuxgPdGnS43ygiZ2dZB7nxuaXSnbqMzEtdEbMiKmTlYb343BpHOD2xL0dpkkTZQk8kesIwjzzE7B3aHG7xFEhITzuBsctrbBadsUuykNdVq8CCRIYQHuxwSA2g59LDoRrJPbGncKtfDgoMNUxPk0gpJwxCf4KttbA3qe8BTXweYdYaZ5mJs2x2blY3hTVId9PDEFGS_XULvHMAMR3Q6af_B2T2TwLlOKufVYcX6R5nQTaYtpSQXqrCd2TYbBZ8Oj-B4lKpw1Ds6OC6R-wvFR6TpWRNlqzItaE0I3KlKTN5EFDso74A2Ky1B52waG5FCwWSwD4-kchKl-IEBRgPUd5UzHOlHECs_TZQpvwvMtek-4IYe0ErgvP1b3S8_qDh9ALsyNYLtdRJXaBfaXi7wGZKoiPIu3PTLExAMdYscHCJ5YaK5jx-bgkX1FrHdOjxXrgjnoo6tE-jCrRBVi9xGpK23PLOpSkj38Rm2-SpjAhpzKpZZSnKFkIWUZ9ZzRX4PFrTo3Zp7BE_VcFqxU1F5AEFyj8KpH0I6QOvtjLHLIHMSAA&state=CvSY3DNRqCWUYPA6V51nJa3cpvzxCUu_JKfMgsOInFA%3d&session_state=442a62c2-8534-4412-8368-e87a4afbd88d
But I see this login page again:
I didn't see any calls to fetch token in the debug logs. Ideally the framework should have handled that flow.
I have another project which is non reactive and that works without any additional code.
Tried searching online, but there are no documents on integrating azure in reactive environment.
Kindly help me fix this.
You are trying to implement Code Grant flow. This flow needs to implement two requests in order to get the token. The first request is to get the code and the second request is to get the token with the help of code we got from the first request.
So, You have successfully completed the first request. You need to pass the code you have got in the above image you have shared as a post request to the Authentication Server to get token. Please go through Microsoft Document for more details.
The second request which helps you to get token looks like below
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&client_secret=JqQX2PNo9bpM0uEihUPzyrh
Ok. I figured this out. The redirect-uri was incorrect. Changed to https://localhost:8081/login/oauth2/code/azure and it worked.
Thanks.

"www-authenticate →Bearer" with Unauthorized 401

I am trying to use Microsoft SSO with Azure Active Directory to authenticate users and also authorize API access. But I am stuck with token validation at the time of accessing the API. I get 401 Unauthorized
error with below response header
content-length →0
date →Tue, 28 Jan 2020 04:49:20 GMT
server →Kestrel
www-authenticate →Bearer
What is the cause of this error? I am using postman to hit the API with the token. The token is valid on jwt.io but still I am not able to access the APIs.
Below is the token:
token at jwt.io
Please help! Thanks.
I was running into this problem, where I had to sort out "invalid issuer" and then just got a plan "www-authenticate: Bearer" 401.
To solve it, I had to call app.UseAuthentication() before app.UseAuthorization() in Startup.Configure() for my API app. After that it would go through.
It might be nice if that were mentioned here: https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-configuration.
My thought is that the application needs to authenticate you before it can tell if you should be authorized or not, so if that's not there it will fail authorization.

After logout previous captured request still valid in azure ad authentication

We are facing issue on logout from our application. Once we logout then its perfectly fine from browser but if we capture the request from some tools (fidler or burp) and send the request again to server with old cookies and session details give full response. This is only possible through any interceptor tool only. I am using the below code to logout from application:
Session.RemoveAll();
HttpContext.GetOwinContext().Authentication.SignOut(OpenIdConnectAuthenticationDefaults.AuthenticationType,
CookieAuthenticationDefaults.AuthenticationType);
This is happening because access token and refresh tokens issued by Azure AD are not deleted when you initiate the log out from your application. As long as these tokens have not expired, they can be used.
Based on this, access token lifetime is configurable (default I believe is 1 hour) and you should set it based on your needs.
Also, there's a feedback post regarding invalidating tokens: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/19474918-invalidate-jwt-token. Feel free to upvote this feature.

401 Unauthorized response for access_token in the developer sandbox

I'm using developer sandbox to make all my api calls.
It's website build with laravel 5.2
All api calls are made with guzzle/guzzle.
I'm trying automate sending pdf contracts (creating envelopes) using docusign api.
I followed steps from Using the Authorization Code Grant
I had no problem with:
Starting the Authentication Code Grant
Handling the Response
Exchanging the Code for a Token
Getting the User’s Account and Base URI Information
After I get userinfo, there is only one account, so I used that accounts base_uri for all subsequent api calls
{base_uri} + "/restapi/v2/accounts/" + {account_id}
In all my subsequent api calls I'm also adding header
Authorization: Bearer eyJ0eX...MrhIddzBAQ
where I'm using access_token that I've got in step Exchanging the Code for a Token
When doing a create envelope api call, or any other api call, using access_token, base_uri and account_id I get
POST https://demo.docusign.net/restapi/v2/accounts/<account_id>/envelopes resulted in a 401 Unauthorized response
What I tried
Test using the access_token in docusign API explorer:
I went to API EXPLORER - create envelope
I used Authenticate using Sandbox Account to authenticate with the access_token that I've got in previous calls to docusign. Same for the account_id.
When I click on SEND REQUEST, I get 401 Unauthorized response again.
When I use Authenticate using Sandbox Account, but this time I click on Get OAuth2 token (that generates new token), and I click on SEND REQUEST, I get success message.
Then I copied this access_token (from Request) into my website to test the api call, and this time it worked. It also worked for all other api calls that I was making to docusign.
So, using access_token that I get after Exchanging the Code for a Token, I get 401 Unauthorized for api calls
When I use access_token that I generated in API explorer, all api calls to docusign work in my website.
What I also tried
Use refresh_token to get new access_token. Still 401
Xdebug, going step by step to make sure that all params/headers are set before api call. They are, and they are the same as api explorer.
Guzzle option debug => true to get more information about the request, and to compare with what's sent in API EXPLORER, and they are basically the same, except the tokens.
Postman to make request to api, (just to eliminate any chance that I have errors in my code), with same behavior:
401 with token that I get from docusign
success when using API EXPLORER generated token
I'm kinda lost on what to do next and how to solve this, I'm sure it's something simple, but I can't seem to locate the problem.
Update
I used Larry K's answer and found that my problem was with the scope value in /oauth/auth call. I changed it to scope=signature%20extended, and everything works perfectly!
When you click the Get OAuth2 token in the API explorer, you are going through the complete Authorization Code Grant flow, including the new token.
Since this works, but the token your app obtained via the OAuth Authorization Code flow doesn't work, this tells me that your app has an issue.
Check:
Logout from DocuSign. Login from your app. Are you transferred to DocuSign to log in correctly? And then redirected to your app?
Are you requesting the "signature" scope in your request? Check spelling and capitalization of the scope name!
When you're redirected to your app, your app receives the authorization code as a query parameter. Do you get it ok?
When you convert your authorization code to a bearer token are you storing the complete bearer token? It is quite long.
When you send your Envelopes::create request, are you including a space between the word Bearer and the token itself?
Are you making your API call to demo.docusign.net (not .com)
If the above doesn't help, then please update your question (you can edit your question itself) with a trace of your request.

ERR_TOO_MANY_REDIRECTS error in response of Azure AD v2.0 authentication

I'm using Microsoft Graph to access a user’s Microsoft account data from within a Node.js web application, to call rest APIs. But once authentication done, instead of return to ReturnURL, I'm getting ERR_TOO_MANY_REDIRECTS in the browser.
Below is the Node application, I'm using:
https://github.com/microsoftgraph/msgraph-sdk-javascript
As I see, it seems like some how access token is conflicts and due to that passport is not able to authenticate my requests.
Can someone please help me out here, where I'm missing here. I didn't make any major changes in the app.
Please let me know if someone need more info.
Thanks.
I've seen a couple of examples of this occurring. It's hard to tell exactly what is happening from the limited information you've provided but here are some examples of what I've seen in the past:
redirect_uri pointing to an endpoint that automatically redirects the user back to https://login.microsoftonline.com/common/oauth2/v2.0/authorize?. This results in an infinite loop.
redirect_uri is returning a HTTP 3xx status indicating a redirect (301, 302, 303, 307, 308).
redirect_uri is pointing to a page that checks for an authenticated user. Since the user hasn't authenticated yet (you've got an authorization_code but not an access_token yet) it triggers the authentication workflow again.

Resources