I'm trying to use Project Server 2013 REST APIs with Windows Azure access tokens but getting GeneralSecurityAccessDenied error.
I have register my app in Azure AD on the Management Portal to get client_id, redirectUri.
The permissions to the application are “Office 365 SharePoint Online” and “Windows Azure Active Directory”.
I’m calling the authorization endpoint in the following URL, is this correct?
https://login.windows.net/common/oauth2/authorize?response_type=code&client_id= &redirect_uri=&resource=https://.sharepoint.com
Then I’m calling token endpoint URL
https://login.windows.net/common/oauth2/token with the following parameters
grant_type is authorization_code
code is “Access Code Returned from the first call”
redirect_uri is <MY URL>
resource is https://<mytestdomain>.sharepoint.com
This gives me Access Token and Refresh Token, but when I use the Access Token to do something it gives me the error “GeneralSecurityAccessDenied”
My POST request is
https:// <mytestdomain>.sharepoint.com/sites/pwa/_api/ProjectServer/Projects/Add
Authorization is Bearer <Access Token>
Content-Type is application/json;odata=verbose
The request body is
{
'parameters' : {
'Name':My Test ',
'Description': Test Project',
'Start':'1/28/2015'
}
}
The Error response is follows.
{
"error": {
"code": "20010, Microsoft.ProjectServer.PJClientCallableException",
"message": {
"lang": "en-US",
"value": "GeneralSecurityAccessDenied"
}
}
}
Related
I am Trying to automate the approval of Pull request from logic app using "Send a HTTP Request to DevOps" action. Getting below authentication error.
Tried below options but nothing worked.
Created new PAT with Full Access and passed to header.
Enabled "Third-party application access via OAuth" in org policies
Tried Basic, Bearer authentication
Error: { "status": 401, "message": "TF400813: The user 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' is not authorized to access this resource.\r\nAzure DevOps ActivityId: abcd1234-ac34-ac34-abcd1234\r\nDetails: {\"$id\":\"1\",\"innerException\":null,\"message\":\"TF400813: The user 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' is not authorized to access this resource.\",\"typeName\":\"Microsoft.TeamFoundation.Framework.Server.UnauthorizedRequestException, Microsoft.TeamFoundation.Framework.Server\",\"typeKey\":\"UnauthorizedRequestException\",\"errorCode\":0,\"eventId\":3000}\r\nclientRequestId: abcd1234-ac34-ac34-abcd1234", "error": { "message": "TF400813: The user 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' is not authorized to access this resource.\r\nAzure DevOps ActivityId: abcd1234-ac34-ac34-abcd1234\r\nDetails: {\"$id\":\"1\",\"innerException\":null,\"message\":\"TF400813: The user 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' is not authorized to access this resource.\",\"typeName\":\"Microsoft.TeamFoundation.Framework.Server.UnauthorizedRequestException, Microsoft.TeamFoundation.Framework.Server\",\"typeKey\":\"UnauthorizedRequestException\",\"errorCode\":0,\"eventId\":3000}" }, "source": "vsts-eus.azconn-eus-003.p.azurewebsites.net" }
You need to make sure you encode the PAT to base64 with no username when using basic auth in Azure DevOps.
I am trying to make a POST request to the Microsoft Graph Search API endpoint https://graph.microsoft.com/v1.0/search/query using a token obtained from a managed identity with the "Sites.Read.All" permission on the Microsoft Graph API.
However, I am receiving a 401 Unauthorized response. What could be causing this issue?
The problem was in what Oxymoron suggested, "roles" was missing in the bearer token. The solution was to change resource="https://graph.microsoft.com/" to "https://graph.microsoft.com" (without the slash) when requesting the token from the AAD.
Also apparently only delegated permissions work right now on v1.0 Graph Search (Source: https://learn.microsoft.com/en-us/graph/api/search-query?view=graph-rest-1.0).
The request does work in the Beta version:
POST https://graph.microsoft.com/beta/search/query
Content-Type: application/json
{
"requests": [
{
"entityTypes": [
"listItem"
],
"query": {
"queryString": "contoso"
},
"region": "NAM"
}
]
}
I have an API which has Authorization has bearer token. I tested in post man and it's working. However, it's not working when I used web activity in the ADF.
I am passing the url in the URL section. Created new header, typed Authorization and gave value "Bearer token"
Getting below error
Error
Troubleshoot activity failures
{
"errorCode": "2108",
"message": "{\"error\":{\"type\":\"invalid_request_error\",\"message\":\"Request forbidden by administrative rules. Please make sure your request has an acceptable User-Agent header.\",\"documentation_url\":\"https://developer.dentally.co\"}}",
"failureType": "UserError",
"target": "Web1",
"details": []
}
Can anyone please advise?
I reproduced the same in my environment. I successfully generated a bearer Token with Postman.
To solve the above error code:2200. Please follow the below approach.
I used the same URL with web Activity and generated a bearer Token in the Azure data factory.
Generate bearer Token as shown below:
Connect Web activity 2 with newly created Web1 activity
Add dynamic expression : Bearer #{activity('Web2').output.data.Token}
Output:
Reference:
Sample Rest API URL for testing with authentication by Ashok Patel
I'm trying to do postman access token request to reach the following api :
however the result returned is always the same:
"error": {
"code": "Unauthorized",
"message": "Unauthorized",
"target": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}
POST : https://login.microsoftonline.com/%7Btenant-id%7D/oauth2/v2.0/token
Body:
client_id : my client id
scope :https://graph.microsoft.com/.default
client_secret : my client secret
grant_type : client_credentials
Header:
Content-Type : x-www-form-urlencoded
The response return me a token that is apparently not recognized by the first request...
I've tried several scopes such as : /.default, user.read openid profile offline_access, https://graph.microsoft.com/.default...
Even if they are all returning me a token, none of them seems to work.
I've also added the right to WindowsDefenderATP > Vulnerability.read, from the azure portal.
Is the problem the scope? What scope should I use if I have a client credential grant type?
You can follow this page in documentation.
You need an application permission since you are making the request with only application credentials.
In this case I think you need the Vulnerability.Read.All permission.
Don't forget to grant admin consent after adding the required permission.
Here is the scope you should use:
https://api.securitycenter.microsoft.com/.default
{
"error": "invalid_grant",
"error_description": "AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: 1740a160-8c95-42da-aa37-562693c30300\r\nCorrelation ID: 918e8299-271d-46a9-9e9b-5893a348f934\r\nTimestamp: 2022-01-24 11:49:44Z",
"error_codes": [
9002313
],
"timestamp": "2022-01-24 11:49:44Z",
"trace_id": "1740a160-8c95-42da-aa37-562693c30300",
"correlation_id": "918e8299-271d-46a9-9e9b-5893a348f934",
"error_uri": "https://login.microsoftonline.com/error?code=9002313"
}
Solution 1:
If you are trying to get get token using OAuth 2.0 code grant flow, then Request access token using authorization code.
https://login.microsoftonline.com/YourTennatId.onmicrosoft.com/oauth2/authorize?client_id=YourClentId&response_type=code&redirect_uri=https://www.getpostman.com/oauth2/callback&response_mode=query&scope=offline_access%20user.read%20mail.read
Use the authorization code to request an access token:
Token Request Endpoint: https://login.microsoftonline.com/YourTenantId/oauth2/token
client_id:YourClientId
scope:https://graph.microsoft.com/User.ReadWrite.All
redirect_uri:https://www.getpostman.com/oauth2/callback
grant_type:authorization_code
client_secret:YourAppsSecret
code:Paste Your Code Here
Post Man Format:
Solution 2:
After you app registration in the Azure Portal,
enter this link in the browser to get the code:
https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id={your-client-id}
&response_type=code
&redirect_uri=https://localhost:4500/web/completeoauth/ms
&response_mode=query
&state=12345
and use postman to get the access token like below: