I am following the tutorial that Microsoft has provided for signing a user into a desktop application using the Microsoft Identity Platform and calling an ASP.NET Core Web API which calls Microsoft Graph. I believe I followed all of the steps, configuring my service and client per the instructions. https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/2.%20Web%20API%20now%20calls%20Microsoft%20Graph
However, upon trying to add a new "to-do", I get the following error: "Bad Request: An error occurred while calling the downstream API Code:InvalidAuthenticationToken
Message: Invalid x5t claim "
The error occurs on this call:
User user = _graphServiceClient.Me.Request().GetAsync().GetAwaiter().GetResult();
Any idea what the issue might be and how I can troubleshoot it?
Update: I am in the middle of troubleshooting this now with an admin. I am not getting roles back but he is, and we now both agree the issue is in the Azure application configuration, not the code... frustrating, but we are at least making progress.
Would you please try pasting the token into jwt.ms to decode it and inspect the claims?
I got a similar error due to a lack of access. Changing Delegated and Application Permission for Users solved the issue. You can try that.
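A small script that does what the jwt.ms suggestion above does, as an added example that is not part of the original question or of the Microsoft sample: it splits the access token into header and claims without checking the signature, then summarises the header fields that identify the signing key (alg, kid, x5t), which is where the "Invalid x5t claim" message points, together with aud, scp, roles and exp. The sample token, its EXAMPLE-KID values, the EXAMPLE-TENANT issuer and the api://example-todo-api audience are constructed placeholders; the two Graph audience values are the ones v1.0 and v2.0 Graph tokens carry.

```python
import base64
import json
import time
from typing import Optional

# Audience values a Microsoft Graph access token carries (v1.0 tokens use the URL,
# v2.0 tokens the Graph application ID). Anything else was not minted for Graph.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> dict:
    """Split a compact JWT into header and claims WITHOUT checking the signature.
    Inspection only (what jwt.ms does); never make an authorization decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "claims": json.loads(_b64url_decode(parts[1])),
    }


def inspect_for_graph(token: str, now: Optional[int] = None) -> dict:
    """Pull out the fields worth checking when Graph rejects a token: the
    signing-key header fields (alg, kid, x5t), audience, delegated scopes,
    app roles and expiry."""
    decoded = decode_jwt_unverified(token)
    header, claims = decoded["header"], decoded["claims"]
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    return {
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        "x5t": header.get("x5t"),
        "aud": claims.get("aud"),
        "aud_is_graph": claims.get("aud") in GRAPH_AUDIENCES,
        "scp": claims.get("scp"),
        "roles": claims.get("roles", []),
        "expired": exp is not None and now >= exp,
    }


def make_sample_token(aud: str = "api://example-todo-api", exp: int = 1_800_000_000) -> str:
    """Constructed, unsigned sample token (placeholder kid/x5t, placeholder tenant,
    placeholder signature) standing in for the token the to-do API receives."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "EXAMPLE-KID", "x5t": "EXAMPLE-KID"}
    claims = {
        "aud": aud,
        "iss": "https://login.microsoftonline.com/EXAMPLE-TENANT/v2.0",
        "scp": "access_as_user",
        "exp": exp,
    }
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


if __name__ == "__main__":
    summary = inspect_for_graph(make_sample_token())
    for key, value in summary.items():
        print(f"{key:>13}: {value}")
    if not summary["aud_is_graph"]:
        print("aud is not Microsoft Graph: this token was issued for another API "
              "and will not be accepted by graph.microsoft.com")
```

Graph only accepts tokens whose aud is Graph, so if the summary shows your own API's audience, the API forwarded its inbound token instead of exchanging it for one scoped to Graph; an expired token or an unexpected kid/x5t pair points at the signing key rather than the audience.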
I have a web site that has been using Microsoft accounts for authentication for more than three years. It is a Node web app and is using the passport-windowslive package.
Lately, when users return from login.live.com after logging successfully using their Microsoft accounts, one of two types of errors is received, sometimes:
The provided value for the input parameter 'scope' is not valid. The target '«my web site domain»' does not exist.
or:
The provided value for the 'code' value is not valid. The code has expired.
The error is sporadic. I am unable to reproduce it on my development machine.
As the passport-windowslive package was last changed four years ago and my code has not changed for more than two years, the cause looks like it's at the Microsoft end. What has changed?
Update: The problem is getting worse. Previously, the problem could sometimes be overcome by using an incognito browser session or changing the browser. Now it's happening on all browsers. But I am still unable to reproduce the error when running on localhost (with no http).
Microsoft has changed how its applications can be used for OAuth. They must now be managed from Azure instead of apps.dev.microsoft.com or Microsoft Live.
Existing applications configured in apps.dev.microsoft.com will result in:
AADSTS700016: Application with identifier '000000xxxxxxx' was not found in the directory 'aaaaaaaa-bbbb-cccc-ddd-eeeeeeeeeeee'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
The passport-windowslive module somehow did not bubble up the error response.
I am working on an Angular 7 application that uses the Graph API. I am trying to create an online meeting from this application.
Each time I send a POST request I get 'Forbidden' as the response. I have used APIs with Delegated permission before and it works.
Since online meeting requires 'Application Permission', I am not sure where to specify it. Could anyone help me with this?
You specify the permissions in App Registration > your app > settings.
You have a problem with the way you are trying to access the token. I used to get the same error; however, it got resolved by passing userName and password as well in the auth request and using grant_type as password.
I am trying to implement user creation in Azure AD. Tried graph explorer with the below link. But it is not working, showing "We had an issue sending this request to the Graph API".
https://login.windows.net/oauth2/token?api-version=2.0
Also tried in localhost, then shows:
Curl error: Unknown SSL protocol error in connection to
login.window.net:443
Please help me.
That link is to try and acquire a token. That is unnecessary in Graph Explorer. Just click the "Sign in with Microsoft" button, and enter your tenant admin credentials. Then select POST for the operation and https://graph.microsoft.com/v1.0/users. In the request body put the properties that are required to create a new user, as described in https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_post_users. NOTE: When trying this operation, you may be required to consent to administrative permissions - make sure you select User.ReadWrite.All, and consent.
Hope this helps,
I am just getting started with using AWS inside an iOS app, as a server backend.
After following the documentation here, I am now hitting this issue, having the message below in the debugger:
CognitoIdentityCredentials is not authorized to perform: dynamodb:ListTables on resource: *
Searching the net has driven me to a number of posts, but none of them has been clear enough to help me solve the problem.
You don't grant permissions to the role that Cognito assumes. See "Set Permissions" of this guide http://docs.aws.amazon.com/mobile/sdkforios/developerguide/dynamodb_om.html. Learn more about IAM roles here http://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html.
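As an added illustration of the "Set Permissions" step (not part of the linked guide or of the question): a minimal identity policy for the Cognito authenticated role that allows dynamodb:ListTables on * and item access on a single table, plus a simplified evaluator that reproduces IAM's ordering (explicit Deny wins, then any matching Allow, otherwise implicit deny) so you can check before deploying which of the calls the app makes the role would still refuse. The account ID 123456789012, region and table name Notes are constructed placeholders; the evaluator ignores Condition blocks, NotAction/NotResource and every policy type other than the role's own identity policy.

```python
import fnmatch
import json
from typing import List, Union

# Constructed example policy for the Cognito *authenticated* role: just enough for
# the app to enumerate tables and touch one table, with a guard against deletion.
# Account ID, region and table name are placeholders.
COGNITO_AUTH_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:ListTables", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Notes",
        },
        {"Effect": "Deny", "Action": "dynamodb:DeleteTable", "Resource": "*"},
    ],
})


def _as_list(value: Union[str, dict, list]) -> list:
    """IAM allows a single value or a list in Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, case_sensitive: bool) -> bool:
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy_json: str, action: str, resource: str) -> bool:
    """Simplified IAM evaluation for one identity policy: an explicit Deny wins,
    otherwise any matching Allow grants, otherwise the request is implicitly
    denied. Action names compare case-insensitively, resource ARNs do not.
    Conditions are ignored (an assumption of this simplified model)."""
    allowed = False
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        action_hit = any(_matches(p, action, False) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(p, resource, True) for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_permissions(policy_json: str, needed: List[str], resource: str) -> List[str]:
    """Return the actions the app issues that the role would still refuse."""
    return [a for a in needed if not is_allowed(policy_json, a, resource)]


if __name__ == "__main__":
    table = "arn:aws:dynamodb:us-east-1:123456789012:table/Notes"
    for action in ["dynamodb:ListTables", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:DeleteTable"]:
        res = "*" if action == "dynamodb:ListTables" else table
        verdict = "allowed" if is_allowed(COGNITO_AUTH_ROLE_POLICY, action, res) else "DENIED"
        print(f"{action:<22} on {res}: {verdict}")
    print("still missing:", missing_permissions(COGNITO_AUTH_ROLE_POLICY,
                                                ["dynamodb:ListTables", "dynamodb:Scan"], table))
```

ListTables is granted on "*" because that operation is not scoped to a table; everything else is pinned to one table ARN so a compromised device token cannot read other tables in the account, and the Deny statement stays effective even if a later Allow is added carelessly. Run missing_permissions with the list of calls the iOS app actually issues to catch the next "is not authorized to perform" error before it reaches the debugger.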
I have a CMS account and I'm trying to get earnings data from the content owners report on the Analytics API using OAuth 2.0. Whenever I'm trying to do this through my website, I get the following error:
Error calling GET https://www.googleapis.com/youtube/analytics/v1/reports?ids=contentOwner%3D%3DContentOwnerID&start-date=2005-01-01&end-date=2015-11-26&metrics=views%2Cearnings%2Clikes%2Cdislikes%2Cshares%2Ccomments&dimensions=30DayTotals&filters=channel%3D%3DChannel_ID: (403) Forbidden
I'm doing the same thing on TRY IT page and it works fine.
I'm thinking that I'm having issues with authenticating my domain. What do you think is the problem? How can I solve this issue?
Thank you,
403 means nobody has access to a page. As you noticed, you may have access to a similar page, but not to this one. It is not a matter of authentication. Authentication problems give a status 401 (meaning it can be fixed by adding proper authentication); 403 cannot be fixed.
Finally, I solved the problem.
Whoever has this issue, please use the CMS user's OAuth 2.0 credentials instead of using channel credentials.