I have followed this link https://msdn.microsoft.com/en-us/office/office365/howto/building-service-apps-in-office-365 to
set-up the Daemon or Server Application to Web API authentication method in Office365 to get access token.
The sample access token request is given below
POST https://login.microsoftonline.com/{tenant-id}/oauth2/token
grant_type : client_credentials
client_id : {clientId}
client_secret : {clientSecret}
resource : https://{tenant}.sharepoint.com
For Example:
https://login.microsoftonline.com/cae788bd-7a55-4fb5-9d1f-3aa5365e14a/oauth2/token
grant_type : client_credentials
client_id : 1dd0a211-06f1-4f6a-a232-b3a8dcab829b
client_secret : ZWtkWm9M5Ucx5j29UoXPy7GKG+Hu0eNdVFYO+lH761w=
resource : https://{tenant}.sharepoint.com
From the above api request, I am getting an access token, when I tried to create the folder or accessing any other api's from the above access token then it is
showing an error as "Unsupported app only token". I have tried to call this webservices to get this error:
PUT https://{tenant}.sharepoint.com/_api/v1.0/Files/{parent-id}/children/{folder-name}
Authorization : BearerBearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE
Content-Type : application/json
Accept : application/json
But previously we have used the same Daemon or Server Application to Web API authentication method in Office365 to get access token and it was working fine.
And we have used the accesstoken to access the office 365 API's but now it is showing error as "Unsupported app only token".
Manoj,
I got the App-only working in a WPF application for the Mail API, did you setup the certificate?
According to the blog you mention
Because of the broad access these kinds of apps enjoy, there is an additional requirement for the app to successfully obtain an access token. Instead of using a client ID and client secret, the app must use an X.509 certificate with a public/private key pair.
See this link how to set it up:
Performing app-only operations on SharePoint Online through Azure AD
Related
I'm trying to query application insights via their REST API. I'm stuck on getting a token.
I have created an API key using the API Access blade in Azure Application Insights:
That gives you an Application ID and an API Key.
I have populated postman with the following:
url: https://login.microsoftonline.com/<Our Tenant ID>/oauth2/token
tenant: <Our Tenant ID>
client_id: <The Application ID from the API Access screen>
scope: https://api.applicationinsights.io/.default
client_secret: <The API Key from the API Access screen>
grant_type: client_credentials
All of this is taken from their documentation page here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token
The error is as follows:
"error": "unauthorized_client",
"error_description": "AADSTS700016: Application with identifier '<application ID from API Access screen>' was not found in the directory '<My Company Name>'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: 57f78a92-fe94-40e3-a183-e3002be32801\r\nCorrelation ID: 0ab8e3ec-655d-44aa-93fa-4d3941862d11\r\nTimestamp: 2022-11-30 15:04:20Z",
I checked with the Azure Admin for our company and I'm definitely sending this to the right tenant. Also he created another key for me so it's not that either.
Thanks.
I tried to reproduce the same in my environment and got below results:
I created an API key from API Access blade in Azure Application Insights like below:
When I tried to acquire the token via Postman with below parameters, I got same error as below:
POST https://login.microsoftonline.com/<TenantID>/oauth2/token
client_id: <Application ID from API Access screen>
grant_type:client_credentials
client_secret: <API Key from API Access screen>
scope: https://api.applicationinsights.io/.default
Response:
There is no need to generate token separately if you want to query Application insights using API key.
Without including token, you can directly query Application insights by including x-api-key header like below:
GET https://api.applicationinsights.io/v1/apps/{Application ID from API Access screen}/metadata
x-api-key: <API Key from API Access screen>
Response:
The process you are currently following works only if you want to authenticate your API via Azure AD. In that case, you can generate the access token by granting required roles and scopes to registered Azure AD application.
But if your requirement is using API key, you can run any query by simply including x-api-key header for Authorization purpose.
I have a web application registered in Azure AD and have it working with the Graph API. But I would like to be able to instead query the Sharepoint REST API.
I have added the sharepoint delegated permission scope "AllSites.Read" to my application (in addition to the Graph API scopes that I was using before) and request this scope (in addition to the other delagated msgraph scopes) when I get the oauth token from the user. I successfully get the token, using https://login.microsoftonline.com/common/oauth2/v2.0 for the authorization/token calls, but am unable to make a successful query:
My query looks like client.get(f"https://{tenant}.sharepoint.com/_api/web/lists") where tenant is the tenant of the particular user who's token I am using.
The error I get looks like {'error_description': 'Invalid issuer or signature.'} with reason="Token contains invalid signature.";category="invalid_client"' in the header of the response.
I am able to query the Graph api, but would like to also be able to query the Sharepoint REST api, because the Graph api is is insufficient for my actual use case, which will be to get Sharepoint groups (Graph api does not give sharepoint groups when I ask for groups, only Office 365 and Azure AD groups).
Update:
The permissions I've set on the app:
I have not added any scopes in Expose API, I don't know if I need to. I did not need this part to have it working with Graph API.
Lastly I'll mention that in Postman, controlled environment purely with this as the request, with OAuth 2.0:
Auth URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id
client_secret
Scope: AllSites.Read
I get a token successfully, with all the roles, although it still doesn't give me access to https://<tenant>.sharepoint.com/_api/web/lists. I get the following error:
"error": {
"code": "-2147024891, System.UnauthorizedAccessException",
"message": {
"lang": "en-US",
"value": "Access denied. You do not have permission to perform this action or access this resource."
}
}
}
which admittedly is probably a step forward from the invalid client error I was getting before, but still quite stuck.
I was able to get this to work in Postman:
OAuth 2.0
Grant Type: Authorization Code
Auth URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
Client ID: <client_id>
Client Secret: <client_secret>
Scope: https://<tenant>.sharepoint.com/AllSites.FullControl
The token I get back has all of the permissions that I set on the application, including the Graph API ones and the Sharepoint scopes that I did not request in the Scope parameter of the auth request:
"scp": "AllSites.FullControl AllSites.Read Directory.Read.All Files.Read.All Group.Read.All MyFiles.Read Sites.Read.All Sites.Search.All User.Read User.Read.All", which was a little surprising.
A key point was setting the tenant url in the scope so that the aud parameter in the token comes back for the right tenant. It was coming back before configured for the resourceAppId associated with the Graph permissions (00000003-0000-0000-c000-000000000000), rather than the Sharepoint permissions. This way, aud got set to https://<tenant>.sharepoint.com and I was able to access https://<tenant>.sharepoint.com/_api/web/lists.
You can try to get the acccess token in PostMan for a testing purpose.
Callback URL: https://www.getpostman.com/oauth2/callback
Auth URL : https://login.microsoftonline.com/common/oauth2/authorize?resource=https://<tenant_name>.sharepoint.com
Access Token URL : https://login.microsoftonline.com/common/oauth2/token
Client ID : <Application_ID>
Client Secret : <KEY>
Grant Type : Authorization Code
Will pop up a login window to sign in and then generate the access token and get the SharePoint groups:
Reference:
Use Postman and Azure AD to send REST request to SharePoint Online
I am getting below error while connecting to Azure Active Directory
"AADSTS90009: Application 'xxxxxxxxxxxxxxxxx' is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier.
If you want to use web application to call web API, please refer to the sample. The detailed steps.
Register your Web API application in Azure Portal. For more details, please refer to the document.
Register your Web app application in Azure Portal
Grant permission.(add you web API application in you web app application)
a. select you web application
b. set permissions.
Get access token
Method : POST
URL : https://login.microsoftonline.com/ [Directory ID]/oauth2/token
Headers
Cache-Control : no-cache
Content-Type : application/x-www-form-urlencoded
Body
grant_type : password
resource : Your App ID URI
client_id : [application id]
client_secret : [key value]
username : [account name]
password : [Password]
This error is saying that the field you provided in the resource parameter is requesting tokens for itself.
Alternatively, you can provide an app ID URI of a web API you've registered or another resource with scopes to get tokens for that resource (Microsoft Graph, Office API, etc).
The error information indicates that you are using Azure AD application url as resource.
As qwe mentioned that you need to use the WebApp API(Not Azure AD application) you wanted to access as resource. For more information please refer to this link.
POST https://login.microsoftonline.com/{tenantId}/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id={clientId}&client_secret={secret key}=&resource={resourceaddress}
Noteļ¼ If we want to use the OAuth 2 grant type: password, we need to registry Azure AD native application. For more information please refer to another SO thread.
I created a new mobile app to get consumed in my Xamarin.iOS app. My app doesnt have any registered user, all I need is to securely access the mobile app service api in my ios app.
After 10 hours of trying, I still couldn't figure a way to get his to work.
I've created a new mobile app, turned on Authentication / Authorization in setting(Azure Portal) and created a new Azure Active directory app.
I've secured my [MobileAppController] with [Authorize] tag.
To test I've requested a token
Method: POST
URL : https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/token
grant_type : client_credentials
client_id : {one from AD section for the app}
client_secret : {one from AD section for the app}
I've received a token but using it to access(POSTMAN app)
https://mytestmobileapp.azurewebsites.net/api/values
with headers
Authorization : Bearer {token}
is giving me a
"message": "Authorization has been denied for this request."
Any help would be appreciated.
Thank you ...
I answered on my blog post but I am also putting this here for anyone to see.
Why do you want to call the endpoint directly? The SDK client should handle all of this (as seen on their tutorial: https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-xamarin-ios-get-started-users/)
I do not think it is a good idea to re-implement the wheel by calling directly AD. There is a callback mechanism for the server to get that token from AD and I think this is what is missing here.
Have you looked at the examples at GitHub for Azure ActiveDirectory Library for ObjectiveC?
https://github.com/AzureAD/azure-activedirectory-library-for-objc
Some great examples and resources here that may help you :)
Ok finally after hours of terrible frustration I've found the answer. Thanks to the comments # https://github.com/Azure/azure-mobile-apps-ios-client/issues/14
I've setup Streaming logs and detailed error messages to figure out whats going on and I found this to be the error.
2016-01-18T20:06:31 PID[7448] Warning JWT validation failed: IDX10214: Audience validation failed. Audiences: 'https://quicktestmobileauthapp123.azurewebsites.net'. Did not match: validationParameters.ValidAudience: '8649d624-47ce-447f-9a5e-xxxxxxxxxxxx' or validationParameters.ValidAudiences: 'http://quicktestmobileauthapp123.azurewebsites.net'.
Then I realized I have to pass in resource when requesting the token.
My new token request
Method: POST
URL : https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/token
grant_type : client_credentials
client_id : {one from AD section for the app}
client_secret : {one from AD section for the app}
resource : {clientId from the AD section}
Then token I've received from the above method worked fine without any issues. Azure streaming logs are amazing.
UPDATE
I've created a new question with answer going through a step by step explanation. How to add simple authentication to azure mobile/web apps with Azure Active Directory?
I've been trying to use the Azure Service Management API in order to list the Hosted Services with no success.
In the first place, I was able to set up the authentication using PowerShell as the Microsoft documentation states here: https://msdn.microsoft.com/en-us/library/azure/dn790557.aspx
My first step was to request an access token using OAuth2 making a POST request to this URL:
https://login.windows.net/<MY_TENANT_ID>/oauth2/token
and passing these parameters:
grant_type: client_credentials
client_id: <THE_CLIENT_ID_OF_THE_APP_REGISTERED_THROUGH_POWERSHELL>
client_secret: <THE_PASSWORD_OF_APP_REGISTERED_THROUGH_POWERSHELL>
resource: https://management.core.windows.net
so, I receive a valid response and an access_token included in the response. So far so good.
Then, I want to make a simple call to the Management API; I would like to list my Hosted Services (Cloud Services), so I make a GET request to this URL:
https://management.core.windows.net/<MY_SUBSCRIPTION_ID>/services/hostedservices
Including the following headers:
Authorization: Bearer <THE_ACCESS_TOKEN_RECEIVED_IN_THE_PREVIOUS_STEP>
x-ms-version: 2014-10-01 (I've also tested with different versions)
but, what I get is a 401 Unauthorized error, with the following message:
The JWT token does not contain expected audience uri 'https://management.core.windows.net/'
I also tried with a Native Application registered directly in the Azure Portal (with Permissions set to use the Service Management API) and requesting a token using the grant_type = authorization_code. I get the access_token correctly and a refresh_token, but when I try to make a request to the above URL, I get the same error message.
On a side note, I am able to use the Azure Insights API successfully; the issue above is with the Azure Service Management API.
Anyone knows what I am missing?
I faced the same problem today. Complete the resource url with '/' https://management.core.windows.net
See the mismatch between the url in your resource and the one in the error message 'https://management.core.windows.net/'