In the Developer Portal of Azure API Management, having selected an API and an endpoint, I'm getting the following error when authorizing using OAuth:
An error has occurred while authorizing access via Identity (AD):
invalid_request ACS50001: The required field 'resource' is missing.
I'm logged in with an administrator account and all the relevant "products" associated.
Any help is most appreciated.
“Resource” is a required parameter for AAD. That should be your APP ID. It must be entered in the “additional request body parameters section” on the OAuth settings page.
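To make the answer concrete, here is an added example (not code from the question or the answer above) that assembles the client-credentials token request for the Azure AD v1 token endpoint, where `resource` is mandatory and its absence is exactly the ACS50001 error, next to the v2 form of the same request, which expresses the target API as `scope=<resource>/.default` instead. The "additional request body parameters" setting in the API Management OAuth page is where that `resource` value is appended to the body. Tenant, client id and App ID URI below are constructed placeholders.

```python
"""Token request bodies for the Azure AD v1 and v2 token endpoints.

Added example for this thread, not code from the original post. The v1
endpoint (/oauth2/token) identifies the target API with `resource`; the v2
endpoint (/oauth2/v2.0/token) uses `scope` with the `/.default` suffix.
All identifiers below are constructed placeholders.
"""
from urllib.parse import urlencode

TENANT = "contoso.onmicrosoft.com"                      # placeholder tenant
CLIENT_ID = "00000000-0000-0000-0000-000000000000"      # placeholder client id
API_APP_ID_URI = "api://00000000-0000-0000-0000-000000000001"  # placeholder App ID URI of the API

ACS50001 = "ACS50001: The required field 'resource' is missing."


def v1_token_url(tenant: str) -> str:
    return f"https://login.microsoftonline.com/{tenant}/oauth2/token"


def v2_token_url(tenant: str) -> str:
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def validate_v1_body(body: dict):
    """Return the error text the v1 endpoint would give, or None if the body is complete."""
    if not body.get("resource"):
        return ACS50001
    for field in ("grant_type", "client_id"):
        if not body.get(field):
            return f"missing required field '{field}'"
    return None


def build_v1_client_credentials_body(client_id, client_secret, resource):
    """v1 endpoint: `resource` names the API the token must be issued for."""
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }
    error = validate_v1_body(body)
    if error:
        raise ValueError(error)
    return body


def build_v2_client_credentials_body(client_id, client_secret, resource):
    """v2 endpoint: the same intent, expressed as scope=<resource>/.default."""
    if not resource:
        raise ValueError("v2 endpoint needs a scope ending in /.default")
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{resource.rstrip('/')}/.default",
    }


def encode_form(body: dict) -> str:
    """Form-encode the body exactly as it is sent to the token endpoint."""
    return urlencode(body)


if __name__ == "__main__":
    v1 = build_v1_client_credentials_body(CLIENT_ID, "secret-placeholder", API_APP_ID_URI)
    print("POST", v1_token_url(TENANT))
    print(encode_form(v1))
    v2 = build_v2_client_credentials_body(CLIENT_ID, "secret-placeholder", API_APP_ID_URI)
    print("POST", v2_token_url(TENANT))
    print(encode_form(v2))
```

The value to put in `resource` is the App ID URI (or application id) of the API being called, not of the client; a token issued for the wrong resource is rejected later by the API as an audience mismatch rather than by the token endpoint.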
I'm having a bit of a difficult time trying to figure out what I'm doing wrong. I've registered an application with the Azure portal and I keep getting a 403 error after the OAuth2 flow is completed and I request the user data by hitting https://graph.microsoft.com/v1.0/me
Full error:
Client error: `GET https://graph.microsoft.com/v1.0/me` resulted in a `403 Forbidden` response:
{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2022-11-29T21:40:18","request-id":"cc4628ee-4ab4-4eec-8766-9e3290ba4451","client-request-id":"cc4628ee-4ab4-4eec-8766-9e3290ba4451"}}}
I'm using the PHP SDK to do this, and I had it working with another app but with this new app I can't seem to do it.
This is the API Permissions I have available for the Application:
There are so many permissions; I'm not sure why I'm getting a 403. I don't see what scope I'm missing. On the PHP SDK side, I've included all the scopes as in the image.
I tried to reproduce the same in my environment.
Here I used the client credentials flow to get the token.
I tried to query the Graph /me endpoint; it requires delegated authentication.
Calling the https://graph.microsoft.com/me endpoint needs a signed-in user and so a delegated permission.
So even if the delegated permission is given, if the client credentials flow is used as the grant_type, there will be a 403 Forbidden error.
I tried the same with the authorization code flow and could sign in the user and get the details successfully.
Another criterion: I tried the same for the users endpoint
https://graph.microsoft.com/v1.0/users
Required permissions:
Here admin consent is not granted for the User.Read.All application permission.
Make sure the application permissions required for your query are granted admin consent, either directly through the portal or during authentication of the user account with which the query is made.
Then the request can be queried successfully.
Reference: Get a user - Microsoft Graph v1.0 | Microsoft Learn
I have tried many ways via code and Postman with no luck getting the state of a subscription like you would get via this link: https://learn.microsoft.com/en-us/rest/api/resources/subscriptions/list - via the site you get a list of subscriptions and their "state": "Enabled", as an example.
I have no problem getting auth tokens using the scopes below, but then it is impossible to get the subscriptions list. If I use a token from the Microsoft site, the call in Postman to get subscriptions works fine.
The site is using Azure Active Directory OAuth2:
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Using Postman I have tried getting subscriptions using these scopes along with auth token:
api://blah/.default - Invalid Authentication Token Audience
https://graph.microsoft.com/.default - Authentication failed
https://management.azure.com/.default - pass but 0 results
https://management.core.windows.net/.default - pass but 0 results
I guess when using the site you log in as a user with a password, whereas in the code you use a client app and app secret. Is this workflow even possible?
The registered app has all kinds of API permissions. Something this simple should not be so hard. The idea here is to programmatically check via console app if Subscription is "Enabled".
After debugging this via Postman it turns out to be a permissions issue where you have to add the application you created/using to authenticate to the Access Control (IAM) of the subscription. This post describes the error and resolution: The client with object id does not have authorization to perform action 'Microsoft.DataFactory/datafactories/datapipelines/read' over scope
If you have multiple capacities created then you have to add your application to all of those subscriptions. Then you will get a list and can then check each one.
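The two threads above come down to inspecting which token you actually hold before blaming permissions: a token whose `aud` is not the API being called is rejected with an audience error (the `api://blah/.default` and Graph attempts above), and an app-only token obtained with client credentials carries `roles` but no `scp` claim, so a delegated-only endpoint such as `/me` answers 403 `Authorization_RequestDenied` no matter which permissions are listed in the portal. The following is an added example, not code from either question or answer: it decodes a JWT payload without verifying the signature (sufficient for diagnosing a token you already hold, never for authorizing anything) and reports those two conditions. The sample tokens are constructed here with an empty signature, and the claim values are placeholders.

```python
"""Inspect an Azure AD access token before calling Microsoft Graph or ARM.

Added example for this thread, not code from any of the posts. Decodes the
JWT payload WITHOUT signature verification (diagnostics only) and reports:
  * audience mismatch  -> the API rejects the token ("Invalid Authentication
    Token Audience" / authentication failed);
  * app-only token (roles, no scp) sent to a delegated-only endpoint such as
    /me -> 403 Authorization_RequestDenied even with permissions granted.
Sample tokens below are constructed with an empty signature; claims are
placeholders.
"""
import base64
import json

GRAPH_AUD = "https://graph.microsoft.com"
ARM_AUD = "https://management.azure.com"


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)   # restore stripped padding
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED sample JWT (constructed input for the demo only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT; signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, expected_aud: str, needs_delegated: bool) -> list:
    """Return human-readable findings; an empty list means no mismatch was found."""
    claims = decode_claims(token)
    findings = []
    aud = claims.get("aud")
    if aud != expected_aud and aud != expected_aud.rstrip("/"):
        findings.append(f"audience mismatch: token aud={aud!r}, API expects {expected_aud!r}")
    delegated = "scp" in claims            # delegated token: scopes of a signed-in user
    app_only = "roles" in claims and not delegated   # client-credentials token
    if needs_delegated and app_only:
        findings.append("app-only token (roles, no scp) sent to a delegated-only endpoint; "
                        "use the authorization code flow with a signed-in user")
    if expected_aud == GRAPH_AUD and not delegated and not app_only:
        findings.append("Graph token carries neither scp nor roles: nothing was consented")
    return findings


if __name__ == "__main__":
    app_token = make_sample_token({"aud": GRAPH_AUD, "roles": ["User.Read.All"],
                                   "appid": "placeholder-client-id"})
    for finding in diagnose(app_token, GRAPH_AUD, needs_delegated=True):
        print("-", finding)
```

For the subscriptions case, a token with `aud` of `https://management.azure.com` and no findings is the correct token; an empty list from the subscriptions API then points at the missing role assignment on the subscription's Access control (IAM), which is not visible in the token at all, rather than at the token request.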
I am following instructions provided by Microsoft to set up Postman for testing an Azure AD B2C secured Web API:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/azure-ad-b2c-webapi?view=aspnetcore-3.0
https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=applications#register-a-web-application
Under the section Use Postman to get a token and test the API, I get to Step 4 where the documentation states:
Postman opens a new window containing the Azure AD B2C tenant's sign-in dialog. Sign in with an existing account (if one was created testing the policies) or select Sign up now to create a new account. The Forgot your password? link is used to reset a forgotten password.
This does not happen.
I am using the Implicit Grant Type and my Auth URL appears as follows:
https://<myDomain>.b2clogin.com/<myDomain>.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_SIGNUP_SIGNIN&client_id=d4d84f32-1e57-4daf-b010-399bb2614e0d&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=id_token&prompt=login
Scope is set to the following value:
https://<myDomain>.onmicrosoft.com/postman/user_impersonation openid offline_access
When I press the Postman Request Token button, the SignIn / SignUp User Flow (Policy) is interrupted with the following Error dialog stating:
Sorry, but we're having trouble signing you in. We track these errors automatically, but if the problem persists feel free to contact us. In the meantime, please try again.
Correlation ID: c1b01e2d-84ce-446e-a9c2-f3a8617eb9f2
Timestamp: 2019-11-21 20:03:31Z
AADB2C90018: The client id 'd4d84f32-1e57-4daf-b010-399bb2614e0d,d4d84f32-1e57-4daf-b010-399bb2614e0d' specified in the request is not registered in tenant '<myDomain>.onmicrosoft.com'.
Taking this "client ID is not registered" error at face value, the problem would appear to be related to improper registration of the Application (Client) within Azure AD B2C.
However, I am able to successfully run this SignIn / SignUp User Flow from within Azure AD B2C; and to successfully register new Users using that Policy.
To be clear, my ASP.Net Core Web API is not being run at this stage. I am simply trying to configure Postman to request a New Access Token from Azure AD B2C.
I have tested the document you provided and it works fine for me.
Based on your error message, it seems that you put your client id twice in the Client ID field:
AADB2C90018: The client id 'd4d84f32-1e57-4daf-b010-399bb2614e0d,d4d84f32-1e57-4daf-b010-399bb2614e0d' specified in the request is not registered in tenant '.onmicrosoft.com'.
Please check it.
The following page shows how I can purge Application Insights data -
https://learn.microsoft.com/en-us/rest/api/application-insights/components/purge
I tried following it, but it doesn't mention how to use authentication, and I am getting the following error in response -
{
  "error": {
    "code": "AuthenticationFailed",
    "message": "Authentication failed. The 'Authorization' header is missing."
  }
}
Can someone please guide me on how to use the authentication header?
As joy said in a comment, just go to the website and click "Try it" -> log in with your credentials; then you can see the token:
On the page you linked to, scroll all the way up in the menu and find 'Getting started with REST'. When you click that and scroll the page, you find Register your client application with Azure AD.
Most Azure services (such as Azure Resource Manager providers and the classic deployment model) require your client code to authenticate with valid credentials before you can call the service's API. Authentication is coordinated between the various actors by Azure AD, and provides your client with an access token as proof of the authentication. The token is then sent to the Azure service in the HTTP Authorization header of subsequent REST API requests. The token's claims also provide information to the service, allowing it to validate the client and perform any required authorization.
Long story short:
Register your client application with Azure AD
Create the request
Acquire an access token
Assemble the request message
Send the request
Process the response message
You need an Authorization header added to your request to purge the Azure Application Insights data. Refer to this for more details and a step-by-step guide - https://sanganakauthority.blogspot.com/2019/06/how-to-delete-or-purge-azure.html
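The "assemble the request message" step from the list above is where the question's error comes from: the bearer token acquired from Azure AD has to travel in the HTTP `Authorization` header, and ARM refuses the call with `AuthenticationFailed` when it is absent. The following is an added example (not code from the answer, the blog post or Microsoft) that builds the purge request with that header and runs a preflight check reproducing the service's error shape before anything is sent; it never performs the network call, so it runs offline. The resource path and `api-version` are my reading of the linked purge doc (assumption: confirm them against that page), the purge filter is illustrative, and all ids are placeholders.

```python
"""Assemble an authenticated Application Insights purge request.

Added example for this thread, not code from the answer or from Microsoft.
The bearer token from Azure AD goes in the Authorization header; without it
ARM answers AuthenticationFailed exactly as in the question. The request is
built but not sent. Path and api-version are assumptions to be checked
against the linked purge doc; ids and filter values are placeholders.
"""
import json
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2015-05-01"   # assumption: confirm against the purge doc

MISSING_AUTH = {"error": {"code": "AuthenticationFailed",
                          "message": "Authentication failed. The 'Authorization' header is missing."}}


def purge_url(subscription_id: str, resource_group: str, component_name: str) -> str:
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Insights/components/{component_name}/purge"
            f"?api-version={API_VERSION}")


def build_purge_request(subscription_id, resource_group, component_name,
                        access_token, table, column, operator, value):
    """Return a urllib Request carrying the purge body and the bearer token."""
    if not access_token:
        raise ValueError("no access token: acquire one from Azure AD first")
    body = {"table": table,
            "filters": [{"column": column, "operator": operator, "value": value}]}
    return urllib.request.Request(
        purge_url(subscription_id, resource_group, component_name),
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


def preflight(req: urllib.request.Request):
    """Mirror the service-side check: the page's error if the header is absent, else None."""
    if not req.has_header("Authorization"):
        return MISSING_AUTH
    return None


def request_summary(req: urllib.request.Request) -> dict:
    """Plain-data view of the assembled request, handy for logging before sending."""
    auth = req.get_header("Authorization", "")
    return {
        "method": req.get_method(),
        "url": req.full_url,
        "has_bearer": auth.startswith("Bearer "),
        "body": json.loads(req.data),
    }


if __name__ == "__main__":
    req = build_purge_request("sub-placeholder", "rg-placeholder", "appi-placeholder",
                              "token-placeholder", "customEvents", "timestamp", "<",
                              "2019-01-01T00:00:00")
    print(json.dumps(request_summary(req), indent=2))
    print("preflight:", preflight(req))
```

The token itself must have been requested for the ARM resource (`https://management.azure.com`), since a Graph token in this header is rejected as the wrong audience even though the header is present.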
Are access tokens returned from Microsoft's v2 authentication endpoint valid for accessing the Excel REST API?
I receive an access token when going through the OAuth flow, and can access OneDrive endpoints such as:
GET https://graph.microsoft.com/v1.0/me/drive
But if I try to access an Excel endpoint such as:
GET https://graph.microsoft.com/v1.0/me/drive/items/{id}/workbook/
... I get a 404 ResourceNotFound error.
Note that I've registered for my Client ID via the Microsoft app registration portal
The v2.0 endpoint works well for this API when I test with a work account. I also reproduced this issue when I use a personal account.