I am implementing Oauth 2 authentication for Office 365 account in a java based server side application. After reading the documentation, I have done the following things:
I have office 365 subscription.
I have created an app in Azure
Actve directory, that is necessary to authenticate web app using
office 365 account.
I have client ID and secret. I have also
given all permission to the Azure app.
I am requesting authorization code using the Url:
https://login.microsoftonline.com/common/oauth2/authorize?client_id={client_id}&response_type=code&redirect_uri={redirect url}&response_mode=query
As a response of this, I am getting authorization code as expected:
http://localhost:8080?code={authorication code}&session_state=259479e4-84aa-42ea-91e9-9e919cc99587
Now I need to get token along with the user name (user ID from which the user in logged in), as I need the user name for further processing. For this, I am using the method described here:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-protocols-oauth-code/
That is using a POST request like this:
POST /{tenant}/oauth2/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&client_id=2d4d11a2-f814-46a7-890a-274a72a7309e
&code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrqqf_ZT_p5uEAEJJ_nZ3UmphWygRNy2C3jJ239gV_DBnZ2syeg95Ki-374WHUP-i3yIhv5i-7KU2CEoPXwURQp6IVYMw-DjAOzn7C3JCu5wpngXmbZKtJdWmiBzHpcO2aICJPu1KvJrDLDP20chJBXzVYJtkfjviLNNW7l7Y3ydcHDsBRKZc3GuMQanmcghXPyoDg41g8XbwPudVh7uCmUponBQpIhbuffFP_tbV8SNzsPoFz9CLpBCZagJVXeqWoYMPe2dSsPiLO9Alf_YIe5zpi-zY4C3aLw5g9at35eZTfNd0gBRpR5ojkMIcZZ6IgAA
&redirect_uri=https%3A%2F%2Flocalhost%2Fmyapp%2F
&resource=https%3A%2F%2Fservice.contoso.com%2F
&client_secret=p#ssw0rd
Now the problem is that, when ever I send this post request, I always get error with error code some times 400 or 402 etc. I also user POST man in chrome to check the response of the call. It always return error like that:
{
"error": "invalid_grant",
"error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID. Send an interactive authorization request for this user and resource.\r\nTrace ID: b834315e-ccb3-4533-b7c9-4af7b34054b9\r\nCorrelation ID: 784f18da-5479-4b69-b939-0067abfcc460\r\nTimestamp: 2016-08-02 07:28:22Z",
"error_codes": [
65001
],
"timestamp": "2016-08-02 07:28:22Z",
"trace_id": "b834315e-ccb3-4533-b7c9-4af7b34054b9",
"correlation_id": "784f18da-5479-4b69-b939-0067abfcc460"
}
(Note: I have registered all the apps using administrator login)
I have tried a lot to find out whats is going wrong here. I have added multiple apps in Azure Active directory but I am always getting similar response.
I request professionals to help me. . . ! Actually I want to allow user to click on a button in office 365 web add-in and use oauth2 authentication to login to our system. It will be great in somebody suggest me some good tutorial to successfully implement this.
If you were requesting the access token for the Office 365, the resource parameter in the send request should be https%3A%2F%2Foutlook.office.com.
And also you can use the Microsoft Graph as Philip suggested. You can refer here about how to choose the endpoint.
Receiving the error codes "interaction_required" or "invalid_grant" error codes means there is an issue with the "Refresh token" and it advised to:
Discard current refresh token
Request new authorization code
Related
I have an API that uses Azure AD to provide access to resources. It has one scope api://{client_id}/Api.Read and following API permissions:
User.Read.All,
User.Read.
When I receive an access token from the AD it has only one aud - {client_id} and when I try to access Microsoft graph (e.g. https://graph.microsoft.com/v1.0/me) I get "Access token validation failure. Invalid audience." response as expected.
My question is - Is it possible to access both graph API and my API using one token and how do it?
I am exchanging current token to a "proper" token using on-behalf-of call: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
Basically, you just make the following call (copied from the link above):
POST /oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com/<YOUR_TENANT>
Content-Type: application/x-www-form-urlencoded
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&requested_token_use=on_behalf_of
&client_id=<YOUR_CLIENT_ID>
&client_secret=<YOUR_CLIENT_SECRET>
&assertion=<YOUR_CURRENT_TOKEN>
&scope=<YOUR_NEW_SCOPES>
The response contains the new token to access the resources that are requested in the scopes. My scenario is not exactly yours, but I think this should work for your case as well. You need to make this call server-side.
This assumes that the user has already consented that your app is okay to use <YOUR_NEW_SCOPES>, or otherwise this call will result in "interaction_required" or "invalid_grant" error (something like this, don't remember the exact error name) that basically means you need to raise UI prompt for the user to agree to the new scopes (how to do that is another question)
I'm trying to integrate the MS Teams API in a Web-App.
First of all i was trying to use the MS API from Postman to see the workflow.
On the Azure UI i have succesfully created an App-Registration: i have my ClientID, TenantID and i have created also the client secret.
I downloaded the Postman API from https://github.com/microsoftgraph/microsoftgraph-postman-collections and i can retrieve the App-Only Access token.
I created two users in a group and i logged them on MS Teams Application, they can chat.
I can also get the User Access Token and endpoints such
https://graph.microsoft.com/v1.0/users
https://graph.microsoft.com/v1.0/me
etc..
are correctly working.
I am passing the User Access Token as Bearer token for the request.
These are the API permissions i gave:
I am having issues with the endpoints in the folder Events like:
https://graph.microsoft.com/beta/me/findRooms
https://graph.microsoft.com/v1.0/me/calendars
etc..
They all give the same error:
{
"error":{
"code":"NoUserFoundWithGivenClaims",
"message":"The user specified by the user-context in the token does not exist.",
"innerError":{
"oAuthEventOperationId":"08e3abc3-3fdf-4d85-849d-7632ac0723d2",
"oAuthEventcV":"CGW24oLIeEW1qoscgMIMTw.1.1",
"errorUrl":"https://aka.ms/autherrors#error-InvalidUser",
"requestId":"8e6cb242-17fe-4a94-8c89-912606578fb3",
"date":"2021-03-09T12:04:27"
}
}
}
I haven't found anything about this error.
Can someone help me?
Thanks.
You can check your bearer token by putting it in jwt.ms and see if you have the required permissions in 'scp' claim.
If you are getting MailboxNotEnabledForRESTAPI then you need to check if you have the proper exchange license or not.
You can add license by going into Microsoft Admin Center -> Users -> Active Users -> Select your user -> Licenses
I am using Microsoft Graph Postman Collections to test common Microsoft Graph APIs from within Postman. However, I am stuck while trying to fetch user access token
Below is the request
POST /7c69806f-5754-488f-9dd8-7daa8afea4fd/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
SdkVersion: postman-graph/v1.0
cache-control: no-cache
Postman-Token: ac512133-5afe-47a3-ae9b-3b6c0b510ebd
grant_type=passwordclient_id=ebbe4872-5b7187-de6d6ddf7301client_secret=g99p8DWoxdUPY-%3F%40%5Bv7kt2g4BMxGscope=https%3A%2F%2Fgraph.microsoft.com%2F.defaultuserName=rohitdhamijagmail.onmicrosoft.compassword=Zcost%4080
On trying "Fetch user access token" POST API, I get following error:
{
"error": "invalid_grant",
"error_description": "AADSTS50034: The user account rohitdhamijagmail.onmicrosoft.com does not exist in the 7c69806f-5754-488f-9dd8-7daa8afea4fd directory. To sign into this application, the account must be added to the directory.\r\nTrace ID: c0e97dd8-053d-4c99-81e4-354d7ae7d500\r\nCorrelation ID: 7e67450e-3054-48bc-b808-2f6277093dac\r\nTimestamp: 2020-03-03 09:38:09Z",
"error_codes": [
50034
],
"timestamp": "2020-03-03 09:38:09Z",
"trace_id": "c0e97dd8-053d-4c99-81e4-354d7ae7d500",
"correlation_id": "7e67450e-3054-48bc-b808-2f6277093dac",
"error_uri": "https://login.microsoftonline.com/error?code=50034"
}
The user account does show under my tenant in Azure , below is the image attached
What can be the issue?
Note: I have configured the global environments properly, since I am able to use other API's like Get User info etc.
Your Request Should be Like this.
https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/v2.0/token
client_id:b603c7be_Client_id_e61f925
scope:https://graph.microsoft.com/.default
client_secret:NpmwO/KDJ_client_secret:NpmwO_W0kWf1SbnL
username:tenentUser.onmicrosoft.com
password:YourUserPassword
grant_type:password
See the screen shot:
I am getting token as expected
Step: 1
Step: 2
Step: 3
Note:
Make sure your user belong to azure portal on your tenant
Your Client Id belongs to that tenant
Application secret is valid or not expired.
Update: How to get Tenant Id
For more information you could refer Official document
Hope that would help.
I tried the same and it worked for me without any issue, couple of points that can be looked at are,
Either the app must be registered under same active directory OR it has multi-tenant enabled like below, Authentication
The app should have following permissions, Permissions
I just updated user name and password in postman call and my account is also on yourdomainhere.onmicrosoft.com Postman
I'm trying to get the users basic profile from Azure AD. I have a React Native app authenticating against a Native Azure AD App registration. The access_token I got from that request is used to authenticate against a Web app / Api. The user is shown the propper consent screen with the permissions I set in Azure AD.
Microsoft Graph API
Read all users' basic profiles
Sign in and read user profile
Windows Azure Active Directory
Read all users' basic profiles
Sign in and read user profile
(added both Graph API & AAD because I didn't know which one to use)
When I try and get the users profile through https://graph.microsoft.com/v1.0/users/me, with the access_token gotten from the previous request I get:
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure.",
"innerError": {
"request-id": "00cdb708-bcf8-4b33-af21-14a046b16533",
"date": "2018-09-02T18:28:59"
}
}
}
The resource in my initial authentication request is the Web App / API's app id, and I don't think having 2 resources is an option (?).
What am I doing wrong, and what should I do to fix it? Thanks.
According to your descriptions, I assume you want to get the users profile, but get the error shows an invalid token.
Based on my test, the request URL that you posted is not correct.
It should be 'https://graph.microsoft.com/v1.0/me' or 'https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}'.
We can trouble shoot your problems as follows.
First, check request, if it has correct 'Authorization' field. This document shows that we need the Authorization field in the request headers.
Second, if you have added the Authorization field in the request headers, could you provide the main code that we can identify if problem is from there ?
While getting the access token add "resource" : "https://graph.microsoft.com/" and use that access token in header with Bearer than hit the url ---> https://graph.microsoft.com/me?api-version=1.6
Don't forget to add the resource while getting access token
Thank me later :P
Good day!
We need a calendar facility for the project that we're working in right now. For some reason, we are limited to using the Office 365 calendar or the outlook calendar. We stumbled upon the Microsoft Graph APIs which seems to be the right tool to fulfill what we want to do. So the idea is to create a Microsoft account which will be used as the main calendar where our wrapper(wrap the microsoft graph API calls) API can pull events from and eventually disseminate to client requests.
So here is what we've done so far:
Created a Microsoft account with the domain of #outlook.com
Plotted some calendar events using the said Microsoft account
Tried to follow this guide from the Microsoft site.
We agreed to create a wrapper API which will call the Microsoft Graph APIs but before this we tried to access the said APIs via postman. The problem is that postman cannot get any response from the endpoint of the /authorize API which is need to gain an access token to finally call the respective Microsoft graph APIs.
Now we do not know if we are trying to attack this wrongly or whatever. Do you have any idea what we are missing here? Thanks in advance and I hope someone can shed light in this matter.
UPDATE:
We were able to have some progress. After some time, we bumped in the azure active directory portal. We are now able to get an access token using this URL.
https://login.microsoftonline.com/<directory-id>/oauth2/token
Now when we are accessing the actual MS Graph API endpoint that we are supposed to call, we are receiving a 401 Unauthorized response even though we are using the obtained token from the previous API call. This is the URL that we are trying to get a response:
https://graph.microsoft.com/v1.0/me/calendar/calendarView?startDateTime=2018-08-01T00:00:00.0000000&endDateTime=2018-08-31T23:59:59.0000000
This is all being done via postman first.
UPDATE:
We tried to grant every permission possible in the Azure Active Directory portal and confirmed the consent at
https://login.microsoftonline.com/<domain>.onmicrosoft.com/adminconsent?client_id=<client-id>
but unfortunately we're still hitting the 401 Unauthorized wall. In Microsoft Graph Explorer, everything is working fine. So what could be missing in our postman implementation that MS Graph Explorer is doing implicitly? Thanks in advance for any help!
UPDATE
After further reading, we've found out some important details. First, we've found out that there are two sets of APIs from Microsoft. One is the Azure Active Directory API and the other is the Microsoft Graph API. Both APIs use the same URL to get access tokens by using client credentials. Below is the URL:
https://login.microsoftonline.com/<directory-id>/oauth2/v2.0/token
Substitute the with your personal data from azure portal. Using this URL to get an access token, you need to supply some data in the request body.
client_id - client id of registered application in azure portal
client_secret - secret key of registered application in azure portal
grant_type - 'client_credentials' --> meaning you'll get an access token by using client credentials
scope - 'https://graph.microsoft.com/.default' or 'https://graph.windows.net/.default' --> this controls which API are you going to access. The first one is to access Microsoft Graph API and the other is to access Azure Active Directory API.
We are now able to get an access token and use it to access the actual API that we need. Below is the URL of the said API:
https://graph.microsoft.com/v1.0/users/<azure-tenant-name>.onmicrosoft.com/calendar/calendarView?startDateTime=2018-08-01T00:00:00.0000000&endDateTime=2018-08-31T23:59:59.0000000
Notice that the URL does not use /me because upon reading using it required a signed in user. Unfortunately we are still getting the 401 Unauthorized error but the errors did change now. We are getting to errors intermittently. Sometimes the API call would return one or the other alternately. Below are the return of the API calls.
{
"error": {
"code": "InvalidTenant",
"message": "The tenant for tenant guid '<directory-id-goes-here>' does not exist.",
"innerError": {
"request-id": "<some-request-id>",
"date": "2018-08-22T04:29:27"
}
}
}
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"request-id": "<some-request-id>",
"date": "2018-08-22T04:54:11"
}
}
}
We feel we've moved a step forward. We're still not getting what we need though. Now the mystery are these 2 API call responses. What could be the reason of this? Thanks in advance for anybody's help
UPDATE
Upon even further reading we've discovered that there are authentication flows to get an access token. Depending on the API that you want to call, some authentication flows will not work on it because they need more details and security to execute themselves. So we've tried:
Client Credential Grant
Resource Owner Credential Grant
Authorize Code Grant
But still, unfortunately, we are still stuck in the previous error. We are getting 401 Unauthorized and the response payload is either InvalidTenant or UnknownError.
I just went through a similar problem yesterday, the 401 Unauthorized error.
I was trying to access the calendar of an employee via Microsoft's Graph API, but I was receiving the same response as you.
Resquest:
https://graph.microsoft.com/v1.0/users/employee-email/calendarview?startdatetime=2018-10-21T00:00:00Z&enddatetime=2018-10-27T23:59:59Z&$select=subject,categories,start,end,sensitivity
Response:
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"request-id": "<request-id>",
"date": "<date>"
}
}
}
Then I decided to check if had the Office 365. He didn't. I'm just a developer, so I ask the guys from infrastructure to install Office 365 on the empleyee's machine, or add him to an enterprice account, or something like that.
After they finished, the requests to his calendar worked just fine :)