Snowflake: Configure Microsoft Azure AD for External OAuth - admin consent - oauth-2.0

I am using this guide to configure Microsoft Azure AD for external OAuth in Snowflake.
I'm pretty sure that I followed all the steps because tried that meticulously on three Azure subscriptions and got the same result.
Every time I got stuck at the testing procedure section where I'm supposed to send a request to Azure AD to get an access token:
curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
--data-urlencode "client_id=<OAUTH_CLIENT_ID>" \
--data-urlencode "client_secret=<OAUTH_CLIENT_SECRET>" \
--data-urlencode "username=<AZURE_AD_USER>" \
--data-urlencode "password=<AZURE_AD_USER_PASSWORD>" \
--data-urlencode "grant_type=password" \
--data-urlencode "scope=session:role:analyst" \
'<AZURE_AD_OAUTH_TOKEN_ENDPOINT>'
I am a subscription owner and definitely granted admin access to the session:role:analyst scope:
However, instead of the access token, I get the following response:
{
"error": "invalid_grant",
"error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID '...' named 'Snowflake OAuth Client'. Send an interactive authorization request for this user and resource.\r\nTrace ID: ...\r\nCorrelation ID: ...\r\nTimestamp: ...",
"error_codes": [
65001
],
"timestamp": "...",
"trace_id": "...",
"correlation_id": "...",
"suberror": "consent_required"
}
Tried to grant the consent by reaching https://login.microsoftonline.com/{{tenant_id}}/adminconsent?client_id={{client_id}} and after granting the consent, got an error: AADSTS500113: No reply address is registered for the application.
Found this and added the return URL http://localhost/ (without a clear understanding of why). Granted the consent again and was redirected to http://localhost/?admin_consent=True&tenant={{tenant_id}}# which, I suppose, is fine.
But I still get AADSTS65001: The user or administrator has not consented to use the application.
Reached to Microsoft documentation and figured out that using grant_type=password is not recommended - makes sense.
Tried grant_type=client credentials:
curl --location --request GET 'https://login.microsoftonline.com/{{tenant_id}}/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id={{client_id}}' \
--data-urlencode 'scope=https://graph.microsoft.com/.default' \
--data-urlencode 'client_secret={{client_secret}}'
Got the access token, but attempts to connect to Snowflake with a connection string like:
connection.ConnectionString = $"account={account};host={host};authenticator=oauth;user={oauthUser};token={token};";
Throw Snowflake.Data.Client.SnowflakeDbException: 'Invalid OAuth access token..
I suspect this is because scope=https://graph.microsoft.com/.default, but replacing it with session:scope:analyst brings this:
{
"error": "invalid_scope",
"error_description": "AADSTS1002012: The provided value for scope session:scope:analyst is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI).\r\nTrace ID: ...\r\nCorrelation ID: ...\r\nTimestamp: ...",
"error_codes": [
1002012
],
"timestamp": "...",
"trace_id": "...",
"correlation_id": "..."
}
Since I already deviated from the official Snowflake guide, I'm asking the community for help with this issue. Thank you in in advance!

When obtaining an access token with the Resource Owner Password Credentials Grant flow (which is not recommended and you really shouldn't do), the resulting access token is for accessing a resource (API) on behalf of the signed-in user. In the Microsoft identity platform, access on behalf of a user requires the client application be granted at least one delegated permissions to the requested resource.
In your screenshot, we see that the permission you granted for "Snowflake OAuth Resource" is an application permission (aka "app role").
You need to do two things:
On the resource app's app registration, make sure you followed sub-step 10 under Step 1: Configure the OAuth Resource in Azure AD, and defined "session:scope:analyst" as a delegated permission (scope).
In the client's app registration, under API permissions, choose the corresponding delegated permission for the resource, and grant it.
Then, when you go to test obtaining the token, make sure the "scope" parameter is the full scope value, including the resource's identifier URI (which you defined in sub-step 9). For example, if your identifier URI is https://my.snowflake.example.com, then the "scope" value would be https://my.snowflake.example.com/session:role:analyst and your cURL request would be:
curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
--data-urlencode "client_id=<OAUTH_CLIENT_ID>" \
--data-urlencode "client_secret=<OAUTH_CLIENT_SECRET>" \
--data-urlencode "username=<AZURE_AD_USER>" \
--data-urlencode "password=<AZURE_AD_USER_PASSWORD>" \
--data-urlencode "grant_type=password" \
--data-urlencode "scope=https://my.snowflake.example.com/session:role:analyst" \
'<AZURE_AD_OAUTH_TOKEN_ENDPOINT>'
WARNING: The Resource Owner Password Credentials Grant flow is not recommended. I suggest reaching out to app publishers who are suggesting you use this flow. Here is Microsoft's warning on the subject:
Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can't be used.

If the set up is still configured for "password" type grant credentials then the issue there is with the scope which should be set up on AAD and passed as follows:
**session:role-<name>**
Note, that the hyphen between role and name and it's not a colon.
In your setup, it seems to be set up and passed as:
session:role:<name>
I think, it would be much more easier to fix this issue by checking the steps done on your environment with the details here:
https://community.snowflake.com/s/article/External-oAuth-Token-Generation-using-Azure-AD

Related

Service principal as a O365 group owner

The administrator has created a O365 group and assigned my application as a service principal as an owner for the group. He also said he had added Mail.Send permission to the application.
I have obtained the access token via client_credentials flow for the application.
I try to send mail but it fails with the following error.
$ curl -v -H "Authorization: Bearer ${TOKEN}" --data-binary #email.json -H 'Content-Type: application/json' https://graph.microsoft.com/v1.0/users/<UPN>/sendMail
{"error":{"code":"NoPermissionsInAccessToken","message":"The token contains no permissions, or permissions can not be understood.","innerError":{"oAuthEventOperationId":"...","oAuthEventcV":"...","errorUrl":"https://aka.ms/autherrors#error-InvalidGrant","requestId":"...","date":"..."}}}
What can be a problem here? What does it even mean that the application (service principal) is an owner of the group? Does it give the app additional permissions? It does not seem like it since the following request also fails:
$ curl -v -H "Authorization: Bearer ${TOKEN}" https://graph.microsoft.com/v1.0/groups/groupemail#example.com
{
"error": {
"code": "Authorization_IdentityNotFound",
"message": "The identity of the calling application could not be established.",
"innerError": {...
}
}
}

Unable to get Linkedin to return data from socialActions v2 endpoints

I am using the Linkedin API OAuth 2.0 API and trying to perform a 'like' to a post or a comment using the new version 2 of the Linkedin API using the Postman client.
I have added the following permissions to the scope
r_liteprofile r_emailaddress rw_organization_admin w_organization_social r_organization_social w_member_social w_organization_social r_organization_social
And added the relevant callback, Auth & Access Token URLs to the postman request along with the Client ID and Client Secret ID.
When I perform a request to the \me v2 endpoint it returns relevant data.
When I perform the following GET request it gives me an not enough permissions error (even though it has been recently been accepted to the Marketing API for Linkedin)
https://api.linkedin.com/v2/socialActions/urn%3Ali%3Aorganisation%3A24799518/comments
I would expect to get data - but get a 403 status code and the error message below -
Not enough permissions to access: GET /socialActions/urn%3Ali%3Aorganisation%3A24799518/comments"
The cURL request looks as follows :
curl -X GET \https://api.linkedin.com/v2/socialActions/urn%3Ali%3Aorganisation%3A24799518/comments \
-H 'Authorization: Bearer {MY BEARER TOKEN HERE}' \
-H 'Content-Type: application/json' \
-H 'Postman-Token: 59c239c2-d1c7-48ee-9e5f-a894afde95dc' \
-H 'X-Restli-Protocol-Version: 2.0.0' \
-H 'cache-control: no-cache'
-- update --
I have manually tried this using cURL also with the X-Restli-Protocol-Version: 2.0.0 header and have the same issue. I am ultimately trying to use the API to like posts/comments etc..
Social Action Api is not applicable for organization|Page
GET https://api.linkedin.com/v2/socialActions/{shareUrn|ugcPostUrn|commentUrn}/comments
It is applicable for share|ugcPost|Comment
Use the following request to fetch the shares and use the share Id in the above request to get the comments for the post
GET https://api.linkedin.com/v2/shares?owners=urn:li:organization:24799518&q=owners&count=100

openAM token introspection always return active as false

I have deployed the OpenAM - AccessManagement (6.0.0.4) version. I am using Rest API's to get the access token using password flow. And trying to introspect the token.
1) get access token
$ curl \
--request POST \
--user "clientid:clientsecret" \
--data "grant_type=password&username=user&password=welcome&scope=openid" \
http://openam.mydomain.com:8080/openam/oauth2/access_token
2) get header token (to be used for authorization header while token
introspection in step 3)
$ curl \
--request POST \
--user "clientid:clientsecret" \
--data "grant_type=client_credentials&scope=openid" \
http://openam.mydomain.com:8080/openam/oauth2/access_token
3) introspect token
$ curl \
--request POST \
--header "Authorization: Basic ZGVtbzpjaGFuZ2VpdA==" \
--data "token=f9063e26-3a29-41ec-86de-1d0d68aa85e9"
"https://openam.mydomain.com:8080/openam/oauth2/introspect"
Token introspection is always returning as {"active" : false }. I guess I am missing some OpenAM configuration. any thoughts please?
UPDATE
As suggested by #BernhardThalmayr it is working when I gave token as query parameter. 3 issues here:
1)I need to give authorization header as encoded clientid:clientsecret.I can not use the bearer token generated in step 2 as authorization header.
With gluu as IDP, bearer token is accepted as auth header for token introspection.But with openAm it gives
{
"error_description": "Invalid authorization",
"error": "invalid_client"
}
I can see in docs for openam micro-services, for token validation bearer token being used as auth header. https://backstage.forgerock.com/docs/platform/6/mservices-guide/#sec-validate-am-sso-token. How to do it without microservice?
2) scope list is empty : I have added scopes in client configuration as openid, introspect, mail,cn,profile. still token introspection returns scopes array as empty
3) openam/oauth2/userinfo endpoint returns only {
"sub": "amadmin"
}
IMHO AM is not spec compliant as it requires the value of the token to be sent as query parameter [backstage.forgerock.com/docs/am/6/oauth2-guide/… in contrast to what is defined in [tools.ietf.org/html/rfc7662]. Have you tried to provide the token as documented in AM docs?

Azure AD OAuth token refresh gives error AADSTS50000

After successfully authenticating, I want to refresh my authorization token, so I issue the following request
curl -X POST \
https://login.microsoftonline.com/<my-tenant>/oauth2/v2.0/token \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-F grant_type=refresh_token \
-F refresh_token=<my-refresh-token> \
-F client_id=<my-client-id> \
-F client_secret=<my-client-secret>
However, instead of returning with a new token, I get the following response:
{
"error": "server_error",
"error_description": "AADSTS50000: There was an error issuing a token.\r\nTrace ID: bb72ee21-7df2-4949-8375-e6d97b621300\r\nCorrelation ID: 719ea759-622b-4d63-be17-56fd6c255195\r\nTimestamp: 2018-06-15 09:07:13Z",
"error_codes": [
50000
],
"timestamp": "2018-06-15 09:07:13Z",
"trace_id": "bb72ee21-7df2-4949-8375-e6d97b621300",
"correlation_id": "719ea759-622b-4d63-be17-56fd6c255195"
}
The tenant, client id and client secret are all the same as those used when obtaining the refresh token. Yet, something is apparently missing or incorrect - but what?
You are missing the mandatory scope parameter as described here.
You also need to provide a redirect_uri, although you just make a POST request.
And the redirect_uri must match the redirect_uri used in the original authorization call.
When refreshing an access token you have to provide a scope for which you would like to get the token. Also make sure that you understand you can only refresh the access_token, not the id_token. And access_token always has a purpose (scope).
Everything described in the documentation.

Requesting list of groups in Auth0-Authorization extension but returns 403:Insufficient scope error

I've installed the Authorization extension in my Auth0 account, so authorization functionality works perfectly but now I want to access all the groups I've created there in that authorization extension. So I've followed Authorization docs but when I use the token I've generated for that it throws 403: Insufficient scope error in response.
These are the steps I've gone through:
1.Requested a token:
curl -X POST \
https://my_domain.auth0.com/oauth/token \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-d '{
"client_id":"auth0-authorization-extension-api-client-id",
"client_secret":"auth0-authorization-extension-api-secret",
"audience":"urn:auth0-authz-api",
"grant_type":"client_credentials"
}'
Response:
{"access_token":"encoded_access_token","expires_in":86400,"token_type":"Bearer"}
2.Requested group list:
curl -X GET \
https://domain.us.webtask.io/some_hash/api/groups \
-H 'authorization: Bearer access_token'
Response:
{
"statusCode": 403,
"error": "Forbidden",
"message": "Insufficient scope"
}
Hopefully this isn't a problem still for you, but if it is:
Go to your Auth0 dashboard
Click on APIs
You should have an API called auth0-authorization-extension-api
Select Non-interactive clients tab
Select the client you want to give access to and change toggle to Authorized
There's a drop down arrow beside the authorized toggle, click that and under scopes give access to read:groups. You may need read:users too.
Hope that helps, thanks
Kevin

Resources