AADSTS50146 error when attempting to retrieve OAuth access_token - oauth-2.0

Looking for some AzureAD help with this error -
"error": "invalid_request", "error_description": "AADSTS50146: This
application is required to be configured with an application-specific
signing key.\r\nTrace ID:
6fb978c1-0d74-478c-991c-3ad48ca65f00\r\nCorrelation ID:
81c05804-175c-456b-8d45-d5365818b599\r\nTimestamp: 2019-12-17
19:28:29Z",
I get the error above in one AzureAD environment when trying to do an OAuth 2.0 token request. I have another test AzureAD where the same request works fine.
Doing a POST to https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token with clientId, clientSecret and grant_type=client_credentials.
Found this via Google - https://github.com/MicrosoftDocs/azure-docs/issues/5394 but wanted to understand how one goes about configuring the "scope" parameter in AzureAD.

You probably have additional/mapped claims.
If you do not want to bother with creating application-specific signing keys,
you need to set "acceptMappedClaims": true in the manifest.
Setting "accessTokenAcceptedVersion": 2 can also help.

The API permissions in the Azure AD portal are the value of scope.
You can also expose an API, and then you can add your own scope.

Related

How to connect custom API using own OAuth2 in Microsoft Power Automate?

I've been trying to connect Microsoft Power Automate to my API. My API has an OAuth2 code flow.
According to Power Automate, the connector can make a connection to my API and execute a test. But the problem is that Microsoft sends a Bearer token that was generated by them, and not the one that I gave to them via OAuth2, resulting in my API giving a 401 error (Invalid Token) as expected.
In the Power Automate Custom Connector page, in the security tab I have the following:
Authentication type
OAuth2.0
OAuth2.0 Settings
Identity Provider: Generic OAuth2
Client ID: SomeValue
Client Secret: SomeValue
Authorization URL: mydomain.com/auth/authorize
Token URL: mydomain.com/auth/token
Refresh URL mydomain.com/auth/token
Redirect URL: microsoft-flow.com/redirect (Not the real one)
When Microsoft makes a POST request to mydomain.com/auth/token, I return the following body:
{
  "access_token": "non JWT token",
  "refresh_token": "non JWT token",
  "expires_in": 3600
}
(Both tokens are opaque strings, similar to a hash, not JWTs.)
The request above is the final request that Microsoft makes before accepting it as a valid connection. The token that Microsoft sends me is a JWT, not the one I provided.
I've seen some people using Azure AD authentication within the app, but I was trying to implement something similar to other platforms (e.g. GitHub, Spotify, etc.).
So my question is: is it possible to connect Power Automate to a custom API using OAuth2? If yes, how?
It's possible.
In addition to the OAuth2.0 Settings you listed, there is another important property Scope which you have missed.
Since your API is protected in Azure AD, I assume that you have created an Azure AD app for your API and exposed scopes.
After that, you can get the application ID URI (api://{clientId}) for your API.
You should put this value into the "Scope" field in Power Automate.
Then this access token will be considered valid by your API.
I've done two steps to fix this problem.
Step 1
Previously my API returned a body with only access_token, refresh_token and expires_in; I then added scope and token_type. Example:
{
  "access_token": "2346ad27d7568ba9896f1b7da6b5991251debdf2",
  "refresh_token": "4468e5deabf5e6d0740cd1a77df56f67093ec943",
  "expires_in": 3600,
  "scope": "none",
  "token_type": "Bearer"
}
Step 2
Delete the custom connector and create a new one with the same parameters. When I got to the "Test" section, Power Automate could finally make the GET request successfully.
In my case, even though the API was updated, Power Automate was still using its faulty token, so I had to delete that custom connector and create a new one.
Conclusion
By updating the API and deleting the old custom connector, I was able to get the connector working.
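The two fixes above amount to returning a token response in the shape RFC 6749 section 5.1 requires (token_type is mandatory, scope is expected when it differs from what was requested, and the response must be uncacheable) while keeping the access token opaque rather than a JWT. The following is an added example, not code from the original post or from Power Automate, showing such a token endpoint response for a custom API together with the resource-side check that accepts the opaque token. The in-memory store, the placeholder client_id and the fixed timestamps used for testing are constructed for illustration.

```python
"""Opaque-token OAuth2 token response plus the bearer check a custom API would run.
Added example; the token store and sample client are constructed, not from the post."""
import hashlib
import json
import secrets
import time

# Constructed in-memory store: sha256(access_token) -> (client_id, scope, expiry).
# Only the hash is kept, so a leaked store does not yield usable bearer tokens.
_TOKENS = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token_response(client_id: str, scope: str = "none",
                         ttl: int = 3600, now=None) -> dict:
    """Build the JSON body the token endpoint returns.

    RFC 6749 section 5.1: access_token and token_type are REQUIRED; expires_in is
    RECOMMENDED; scope is required if it differs from what was requested. A generic
    OAuth2 client (a custom connector, for example) may not treat the token as
    usable when token_type is missing, which is what the post's Step 1 fixed.
    """
    now = time.time() if now is None else now
    access = secrets.token_hex(20)    # 160-bit random opaque token, hash-like as in the post
    refresh = secrets.token_hex(20)
    _TOKENS[_digest(access)] = (client_id, scope, now + ttl)
    return {
        "access_token": access,
        "refresh_token": refresh,
        "expires_in": ttl,
        "scope": scope,
        "token_type": "Bearer",
    }


def response_headers() -> dict:
    """Headers section 5.1 requires on a token response (the body carries secrets)."""
    return {"Content-Type": "application/json",
            "Cache-Control": "no-store",
            "Pragma": "no-cache"}


def check_bearer(authorization_header: str, now=None):
    """Resource-server side: return (client_id, scope) for a valid, unexpired
    bearer token, or None, in which case the API answers 401."""
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    # Look up by hash: the token bytes themselves never touch a comparison,
    # so a timing side channel cannot leak them.
    entry = _TOKENS.get(_digest(token))
    if entry is None or entry[2] <= now:
        return None
    return entry[0], entry[1]


if __name__ == "__main__":
    body = issue_token_response("SomeValue")
    print(json.dumps(body, indent=2))
    print(check_bearer("Bearer " + body["access_token"]))
```

The refresh token is returned but not stored here; a real endpoint would persist its hash the same way and rotate it on every refresh grant.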

Generate token fails for Azure app which is both client and API (client credentials workflow)

We are not able to generate a token for an app which at the same time offers an API and acts as a client for another app. We want to use the client credentials flow in OAuth.
The app ApiAndClient has client credentials and the permission to use the api of app ApiApp.
We granted the ApiAndClient app admin consent to use the api of ApiApp.
We configured a redirect URI in ApiApp.
When we want to issue a token for ApiAndClient, the following error message comes up:
{
"error": "invalid_request",
"error_description": "AADSTS501461: AcceptMappedClaims is only supported for a token audience matching the application GUID or an audience within the tenant's verified domains. Either change the resource identifier, or use an application-specific signing key.\r\nTrace ID: XXXXX\r\nCorrelation ID: XXXXXXXXX\r\nTimestamp: 2020-09-04 07:40:31Z",
"error_codes": [
501461
],
"timestamp": "2020-09-04 07:40:31Z",
"trace_id": "XXXXXX",
"correlation_id": "XXXXXX"
}
We compared the settings of both ApiAndClient and ApiApp to other apps, where the token works.
There is one difference in ApiApp: it has "acceptMappedClaims" set to true, while the other API apps have it set to null. If we set it to null, the error message changes:
"AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.\r\nTrace ID: xxxxxx\r\nCorrelation ID: xxxxxxx\r\nTimestamp: 2020-09-04 08:15:26Z",
Setting it to false does not change anything.
We suspect that the client app which also acts as an API might be the problem.
Keep acceptMappedClaims as true.
Now that ApiAndClient is also used as an API app, you should click on Expose an API and set the Application ID URI, which will be treated as the tenant's verified domain.
There was a completely different problem, which I was able to fix with the help of an AD expert.
We use custom claims in our AD. Therefore, the application scope must start with a verified domain (https://companyname.com/).
Otherwise the token was not generated. Now that I changed it, the token can be generated.
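Both this thread and the first question on this page (AADSTS50146 with acceptMappedClaims / accessTokenAcceptedVersion) come down to the same manifest conditions: an app with mapped or custom claims needs either an application-specific signing key or acceptMappedClaims true, and with acceptMappedClaims the token audience (the Application ID URI) must be api://{appId} or a host under a verified domain. The following is an added example, not code from either thread or from Microsoft, that runs those checks over an app manifest before you hit the token endpoint and builds the client_credentials form body the v2.0 endpoint expects. The manifests, the verified-domain list and the app IDs are constructed; the manifest keys are the ones named in the threads, and whether a claims-mapping policy is attached is passed in as a flag because it is not visible in the manifest itself (an assumption stated in the code).

```python
"""Pre-flight checks for the AADSTS50146 / AADSTS501461 manifest conditions.
Added example; sample tenant data and manifests are constructed."""
from urllib.parse import urlencode, urlparse

# Constructed tenant data: domains verified in the tenant.
VERIFIED_DOMAINS = {"companyname.com", "companyname.onmicrosoft.com"}


def audience_allowed(identifier_uri: str, app_id: str, verified_domains) -> bool:
    """Audiences that acceptMappedClaims supports without a custom signing key,
    per the AADSTS501461 text and the answer above: the application GUID
    (api://<appId>, or the bare GUID) or a host within a verified domain."""
    parsed = urlparse(identifier_uri)
    if identifier_uri == app_id or (parsed.scheme == "api" and parsed.netloc == app_id):
        return True
    host = parsed.netloc.lower()
    return any(host == d or host.endswith("." + d) for d in verified_domains)


def check_manifest(manifest: dict, has_claims_mapping_policy: bool,
                   verified_domains=VERIFIED_DOMAINS) -> list:
    """Return findings; an empty list means none of the known failure
    conditions from the threads is present.

    has_claims_mapping_policy: assumption flag, because claims-mapping policies
    are attached to the service principal and do not appear in the manifest.
    """
    findings = []
    app_id = manifest.get("appId", "")
    mapped = manifest.get("acceptMappedClaims")        # true / false / null
    has_custom_key = bool(manifest.get("keyCredentials"))  # assumption: app-specific key if listed
    uris = manifest.get("identifierUris", [])

    if has_claims_mapping_policy and not mapped and not has_custom_key:
        findings.append("AADSTS50146 risk: mapped claims in use but acceptMappedClaims "
                        "is not true and no application-specific signing key is configured")
    if mapped:
        for uri in uris:
            if not audience_allowed(uri, app_id, verified_domains):
                findings.append(f"AADSTS501461 risk: audience {uri!r} is neither "
                                f"api://{app_id} nor within a verified domain")
    if not uris:
        findings.append("no Application ID URI exposed; expose an API or "
                        f"request scope api://{app_id}/.default")
    if manifest.get("accessTokenAcceptedVersion") != 2:
        findings.append("accessTokenAcceptedVersion is not 2; the first answer on "
                        "this page suggests setting it to 2")
    return findings


def client_credentials_body(client_id: str, client_secret: str, identifier_uri: str) -> str:
    """Form body for POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token.
    For client_credentials the v2.0 endpoint takes the resource's Application ID
    URI with the /.default suffix as the scope (the API permissions granted to
    the client, as the first answer describes)."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": identifier_uri.rstrip("/") + "/.default",
    })


if __name__ == "__main__":
    app = "11111111-2222-3333-4444-555555555555"           # constructed appId
    api_app = {"appId": app, "acceptMappedClaims": True,
               "identifierUris": ["https://apiapp.example.net"],   # not a verified domain
               "accessTokenAcceptedVersion": 2}
    for f in check_manifest(api_app, has_claims_mapping_policy=True):
        print(f)
    print(client_credentials_body("client-id", "client-secret", "https://companyname.com/apiapp"))
```

Run the check against the manifest of the app whose audience is in the scope (ApiApp in this thread), not the client; the audience of the requested token is what AADSTS501461 is complaining about.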

Cas 6.1.x OAuth client_credentials with scope

It does not appear that I can set up scope in a service config for grant_type client_credentials.
Is this possible? When requesting a token, I get back an empty "scope" value. The only way I can get a value to appear is if I pass a query parameter of &scope=foobar. But it does not make sense that the client application sets the scope.
I want to grant a token with permission to read from API1 and write to API2 but not read/write to API3. It seems I should be able to have a config such as scope: [ "java.util.HashSet", [ "api1_read", "api2_write" ] ] based on the clientId config on the CAS authorization server.
Then I would imagine that the resource service, when validating the token, would also get a list of allowed scopes.
What am I missing?
You are not missing anything. This capability does not exist and could possibly be added to CAS 6.3, assuming time and sponsorship are available. Support for scopes is, as of this writing, only available for OpenID Connect. For OAuth, it would need to be added to the codebase and released.

How to request access token from Battle.net OAuth with authorization code?

I have a hobby project in mind that uses Battle.net login. I'm wondering how I can obtain the access token from the API after receiving the authorization code.
This is an OAuth flow question rather than a Battle.net question.
Currently I can successfully authorize the user for my app, which is registered in dev.battle.net, and then I try to use the authorization code returned from the Battle.net login to obtain the access token by sending a request to https://<region>.battle.net/oauth/token.
However I keep receiving this error:
{
"error": "unauthorized",
"error_description": "An Authentication object was not found in the SecurityContext"
}
I use the Postman extension to send POST requests to that URI. I authenticate my request with my client ID and secret. I pass redirect_uri (https://localhost), grant_type (authorization_code) and code (the code returned from the previous authorization step). However I keep getting the error above.
I couldn't find much about Battle.net online. There are other OAuth-related help articles but I couldn't really find my way.
Wondering if you can help me with this easy stuff. I'm just wondering what I'm skipping here.
Here is the documentation:
https://dev.battle.net/docs/read/oauth
https://localhost is added in my Mashery dev account's app settings.
Me again. I resolved this problem after trying almost every combination in the universe :)
Steps to apply:
Don't use the same authorization token for different access token attempts; they are not valid.
Always use https on every domain you test, including localhost; your redirect_uri must be https as well.
You must use "basic authentication" in the header of your POST request when requesting the token with the authorization code you obtained in the previous step.
This is one of the most important ones: when requesting the token, pass redirect_uri, client key and secret as POST form parameters of the authenticated request. This is interesting because it's already an authenticated request; why would I need to pass my secret again? Anyway, that's how it works.
Here is the full text:
http://hakanu.net/oauth/2017/01/26/complete-guide-of-battle-net-oauth-api-and-login-button/
This is a working prototype:
https://owmatch.me
Thanks.
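The four steps above describe one concrete request. The following is an added example, not code from the original post or from Blizzard, that builds the token request exactly that way: HTTP Basic client authentication in the header, the same client_id and client_secret repeated in the form body alongside grant_type, code and redirect_uri, an https-only redirect_uri, and a guard that refuses to reuse an authorization code. The region, client credentials and code are constructed placeholders, and the request is built but not sent so the example runs offline.

```python
"""Authorization-code exchange against https://<region>.battle.net/oauth/token,
built as the post's steps describe. Added example; credentials are constructed."""
import base64
import json
import urllib.request
from urllib.parse import urlencode, urlparse

TOKEN_PATH = "/oauth/token"
_USED_CODES = set()   # step 1 of the post: a code is good for one exchange only


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1 client authentication: Basic base64(id:secret)."""
    creds = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(creds).decode()


def build_token_request(region: str, client_id: str, client_secret: str,
                        code: str, redirect_uri: str) -> urllib.request.Request:
    """Return the POST request for the token endpoint without sending it."""
    # Step 2: every URL in the flow, including the registered redirect_uri, is https.
    if urlparse(redirect_uri).scheme != "https":
        raise ValueError("redirect_uri must be https (also for localhost)")
    # Step 1: never replay an authorization code; get a fresh one from /oauth/authorize.
    if code in _USED_CODES:
        raise ValueError("authorization code already used; obtain a fresh one")
    _USED_CODES.add(code)
    # Step 4: client credentials go in the form body as well as the Basic header.
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(f"https://{region}.battle.net{TOKEN_PATH}",
                                 data=body, method="POST")
    # Step 3: Basic authentication header on the token request.
    req.add_header("Authorization", basic_auth_header(client_id, client_secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def exchange_code(req: urllib.request.Request) -> dict:
    """Send the request and parse the JSON token response (needs network)."""
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholders; nothing is sent.
    req = build_token_request("us", "my-client-id", "my-client-secret",
                              "code-from-authorize-redirect", "https://localhost")
    print(req.get_method(), req.full_url)
    print(req.get_header("Authorization"))
    print(req.data.decode())
```

Drop the client_secret from the body and keep only the Basic header if the provider ever accepts that; the post reports that Battle.net did not, so both are sent here.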

Google Directory API Customer Update Scope

I am trying to update the primary email domain for a Google Apps account, and I can't seem to figure out the scope needed.
I keep receiving a 403 error when I make a request.
Here is what I have tried.
After generating an access token with OAuth2 through Postman, with the settings below:
Auth URL: https://accounts.google.com/o/oauth2/auth
Access Token URL: https://accounts.google.com/o/oauth2/token
ClientID: id
Client Secret: secret
Scope: https://www.googleapis.com/auth/admin.directory.customer
Making a GET request to https://www.googleapis.com/admin/directory/v1/customers/my_customer with the token, I get a 403 insufficient permissions error back.
Is there something I am missing? I know the steps to update the domain require making a GET to get the user's ID before making the PUT request, but I am not able to GET anything.
Here is the URL to the docs if needed.
Thanks.
See domain rename known issues. The rename won't work if you are a reseller, purchased your domain via Google Domains or have Chrome licenses.