I need to access a Web API which is secured via Azure Active Directory. I followed this documentation https://msdn.microsoft.com/sv-se/library/azure/dn645542.aspx
The first steps were successful, but at the end I can't access the required resource.
What I did:
First I call this link
https://login.microsoftonline.com/mytenantname.onmicrosoft.com/oauth2/authorize?response_type=code&client_id=3eec...32e5
and get redirected to the login portal.
After successful login I extract the code from redirected URL, which is something like this
https://localhost:8080/?code=AAABAAAAiL9Kn2Z27........RdzFpearqiAA
Then I use this code to acquire an access token. The first problem is here. According to the documentation (link above) the resource is optional. But it doesn't work if I omit the resource (error=Resource identifier is not provided.), so I have to provide it. Secondly, if I put the APP ID URI of my application registered in Azure AD to the recourse parameter, I got another error ( The client '3eec...32e5' and resource 'myapp.azurewebsites.net' identify the same application.). Therefore I put the graph.windows.net for resource parameter.
curl -s -X POST https://login.microsoftonline.com/akeliusdev.onmicrosoft.com/oauth2/token
-d grant_type=authorization_code -d client_id=3eec...32e5
-d client_secret=F%2BfpjpR............Wi8%3D
-d code=AAABAAAAiL9Kn2Z27........RdzFpearqiAA -d resource=https://graph.windows.net
This way I could get an access token. But then I am not able to access the resource using the access token. I did it this way:
curl https://myapp.azurewebsites.net/data
--header "Authorization:eyJ0eXAiOiJKV1QiLCJhbGciOiJ.............4WYr6xn"
Could someone help me on this issue?
Thanks.
To do this as a service to service call, without user interaction, you can follow Service to Service Calls Using Client Credentials
You need to create an AAD application and credentials. i.e. a Service Principal.
then to get the access token you make a POST call to
https://login.windows.net/<tenant ID>/oauth2/token
with the following data
grant_type=client_credentials&client_id=$username&client_secret=$password&resource=$resource
Where $username is your HTTP://localhost/whatever identifier
$password is your service principal password
$resource is https://management.core.windows.net/ (this might be graph, try it and see)
The access token will be in the JSON response as 'access_token'
You then add a header of Authorization: Bearer $AccessToken and hopefully you should get access!
Related
I have some company website providing some information protected by azure AD.
This works fine in the browser, but I would like to create some automation on command line.
If I copy the JWT from the browser and use it in the Authorization: Bearer header, I can also access that information perfectly fine.
I was also able to use az login to prove my identity on the command line.
What is the correct way to get a suitable JWT on command line in order to access the information?
I was thinking of something like:
az login
token=$(az ad get-new-jwt-token)
curl -H "Authorization: Bearer $token" myinfosite.company.com
If there is a better/different solution, I am open to that, too.
You are almost there. If you want to do this via CLI then it would be like below
login
set the subscription
get the access token
az login
az account set -s "<your-subscription-id>"
az account get-access-token
After that you would get your Bearer token
I have a backend process that doesn't directly interact with the user. I want to access reservations associated with my Azure account but I'm having trouble with the authentication step. I was following the guide here and I managed to get the authentication request to work by calling
https://login.microsoftonline.com/{tenant-ID}/oauth2/token
as a POST with the following x-www-form-urlencoded body:
grant_type=client_credentials&
client_id={client-ID}&
client_secret={client-Secret}&
resource=http://myapp42
However, when I attempt to call:
https://management.azure.com/providers/Microsoft.Capacity/reservationOrders/{order-ID}/reservations/{reservation-ID}?api-version=2019-04-01
with the bearer token I received during the authentication step, I get the following error message:
The access token has been obtained for wrong audience or resource 'http://myapp42'. It should exactly match with one of the allowed audiences 'https://management.core.windows.net/', 'https://management.core.windows.net', 'https://management.azure.com/', 'https://management.azure.com'
However, if I modify the resource on the request to be one of these, http://management.core.windows.net/ for instance, the authentication then fails with:
AADSTS500011: The resource principal named https%3A%2F%2Fmanagement.core.windows.net%2F was not found in the tenant named {tenant-ID}. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: b54cedea-3804-41cf-bd27-fcf0ed1c4700\r\nCorrelation ID: 2371d375-6c89-4f05-83c9-c4629b3340a8\r\nTimestamp: 2020-02-05 01:59:57Z
How do I authenticate so that I can then get my reservations without having to login?
Update:
The service principal has both the Owner and Contributor roles assigned.
Update 2:
Thanks to #Jim Xu, I was realized that I needed to refrain from url-encoding the URL. That allowed me to get the access token with a value of https://management.azure.com/ for the resource field. However, at this point, when I attempt to call the REST API with the resulting bearer token, I get the following error:
The client '{Object-ID}' with object id '{Object-ID}' does not have authorization to perform action 'Microsoft.Capacity/reservationOrders/reservations/read' over scope '/providers/Microsoft.Capacity/reservationOrders/{order-ID}/reservations/{reservation-ID}' or the scope is invalid. If access was recently granted, please refresh your credentials
Note: The object ID returned by this error is the one associated with the service principal.
Update 3:
I checked the reservation and it seems that the principal does not have a role in that reservation's access control. However, I also cannot assign the principal a role because it does not show when I search for principals during the role-assigning process.
If you want to call Azure Rest API to get the information of reservation Orders, you need to assign Owner\Contributor for the service principal.(the action needs Microsoft.Capacity/reservationOrders/read permission).
The steps are as below
Get access token
POST : https://login.microsoftonline.com/{tenant-ID}/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&
client_id={client-ID}&
client_secret={client-Secret}&
resource=https://management.azure.com/ or https://management.core.windows.net
Call the api
GET : https://management.azure.com/providers/Microsoft.Capacity/reservationOrders/{order-ID}/reservations/{reservation-ID}?api-version=2019-04-01
Authorization: Bearer <token>
For more details, please refer to the issue and the issue
update
If you have assigned role but you still cannot get access token, please try to encode your url.
I have created a resource for Azure API for FHIR Server. I am able to get see the metadata information using the URL like https://fhir-server-url/metadata. As mentioned in the documentation https://learn.microsoft.com/en-us/azure/healthcare-apis/access-fhir-postman-tutorial to access other URLs like https://fhir-server-url/Patient, we need to get the Authorization token first. To get the authorization token we need ClientID which we can get by creating an application in Azure Active Directory. But I don't have access to it.
Is there any way I could access this URL without requiring the authorization token? By making some setup in Azure Portal.
If you are using the first party audience (e.g. https://azurehealthcareapis), which is the default when deploying the Azure API for FHIR, you can actually use a first party client application such as the Azure CLI to get a token. Check https://learn.microsoft.com/azure/healthcare-apis/get-healthcare-apis-access-token-cli for details.
First log in with the Azure CLI (https://learn.microsoft.com/cli/azure/?view=azure-cli-latest) :
az login
Get a token and store it
token=$(az account get-access-token --resource=https://azurehealthcareapis.com | jq -r .accessToken)
Use the token:
curl -X GET --header "Authorization: Bearer $token" https://<FHIR ACCOUNT NAME>.azurehealthcareapis.com/Patient
It looks like from the FHIR Server Doc you can turn this on or off based on the FhirServer:Security:Enabled config setting see https://github.com/microsoft/fhir-server/blob/master/docs/Authentication.md
"FhirServer" : {
"Security": {
"Enabled": true,
"Authentication": {
"Audience": "fhir-api",
"Authority": "https://localhost:44348"
}
}}
One way is to get your app registration in Azure Active Directory(AAD).
You would need two app registrations in AAD to get client Id & client secret for authorization token retrieval.
I am a little confused by Microsoft's scattered documentation.
I have created an application (https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal), which means I now have:
Application ID
Key
Directory ID
I have gone into the KeyVault in Azure Portal, and I have granted permissions to the application.
For test purposes, I am trying to run a test via CURL. The basis I am using for this is the following Microsoft pages (https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service#request-an-access-token and https://learn.microsoft.com/en-us/rest/api/#create-the-request)
So, the first thing I do is get a token through the following call:
curl -d "grant_type=client_credentials&client_id=<removed_for_security>&client_secret=<removed_for_security>" https://login.microsoftonline.com/<removed_for_security>/oauth2/token
This returns a token.
I then (try to) use that token as follows:
curl -H "Authorization: Bearer <removed_for_security>” -vv https://<removed_for_security>.vault.azure.net/secrets/<removed_for_security>/<removed_for_security>
I get no content back, just "HTTP/1.1 401 Unauthorized"
You need to specify the resource you are requesting the token for.
curl -d "grant_type=client_credentials&client_id=<removed_for_security>&client_secret=<removed_for_security>&resource=https://vault.azure.net" https://login.microsoftonline.com/<removed_for_security>/oauth2/token
and also add the api version.
Ok, so I can confirm that the request you are doing is valid, for the most part, you forgot the API-version, but problem is not with the API version (it would tell you that).
https://xxx.vault.azure.net/secrets/xxx/?api-version=2015-06-01
this url works, so I guess the token is not right. The easiest way to check would be to go to JWT.io and paste the token there and see the contents, if they match with what the Key Vault expects. Probably you have a mismatch.
I am stuck with the authentication to use the REST API for getting subscription billing information from Resource Usage API
I would like to get help with how to obtain token for non interactive clients. I chose to use the REST API since azure client seems to not support Resource Usage API.
As the Authorization code grant (interactive clients) describes , I have called the request with my subscription id but token is not returned properly.
[root#visual src]# curl -XPOST https://login.microsoftonline.com/xxxxx/oauth2/token -d ""
{"error":"invalid_request","error_description":"AADSTS90014: The request body must contain the following parameter: 'grant_type'.\r\nTrace ID: 32981285-a021-45c3-8d2f-62db49d2c2f1\r\nCorrelation ID: d88849dd-20f9-462e-9ce9-66b6fde0170e\r\nTimestamp: 2017-03-04 04:06:44Z","error_codes":[90014],"timestamp":"2017-03-04 04:06:44Z","trace_id":"32981285-a021-45c3-8d2f-62db49d2c2f1","correlation_id":"d88849dd-20f9-462e-9ce9-66b6fde0170e"}[root#visual src]#
How can I obtain the token?
A token will not be returned if you don't supply some credentials :)
If you want to do a non-interactive request with client credentials for example, your request must contain (in URL-encoded form format):
grant_type=client_credentials
client_id=your-app-client-id
client_secret=your-app-client-secret
resource=resource-uri-for-api-you-want-the-token-for
The resource URI could be for example https://graph.windows.net/ for the Azure AD Graph API.
You can also get tokens with the password grant if you wish to use a username and password. In that case, you must send:
client_id, client_secret and resource as above
grant_type=password
username=your-username
password=your-password