I have successfully implemented the authorization flow but when I try to use scope from different api's like the office outlook task api and the graph calendar api I got an error message AADSTS70011: The provided value for the input parameter 'scope' is not valid.
This doesn't work
scopes=https://outlook.office.com/tasks.readwrite offline_access https://graph.microsoft.com/Calendars.Read
Write
This works
scopes=https://outlook.office.com/tasks.readwrite offline_access
or
scopes=offline_access https://graph.microsoft.com/Calendars.Read
Is it possible to request scopes from different api's at once or do I need two separated calls
You have to make two calls. Azure's endpoint doesn't support mixing scopes from different resources in one call.
Related
I have an oauth server that issues tokens with client_credential grant type. I'm trying to figure out how to use scopes (maybe something different) to limit what the token has access to:
1) use GET for API1
2) use GET/POST for API2
3) no access at all to API3
I assume this has to be possible. Is scope the correct way?
You can use a few mechanisms:
Audience can limit access tokens to use by specific APIs
Scopes can limit the privileges a token has - maybe start with read / write scopes
OAuth mechanisms are not usually a good fit for more fine grained authorization checks - use API claims for that. Generally claims can come from multiple places, including:
The access token
Your product database
I am trying to read SharePoint lists using the following endpoint (http://url/_api/web/lists) and I am passing the access token, but the response returns Access Denied.
While I use the same access token to call an endpoint from the graph API (https://graph.microsoft.com/v1.0/sites/root/lists) and it works fine.
Should I use a different access token when I work with SharePoint REST APIs? or am I missing something here?
Thanks.
Yes, you should use a different access token since the endpoints are different. The graph api and sharepoint api are different resource, you need to grant the application different permissions.
Note:
SharePoint APIs are available via the Microsoft Graph API. You may
want to consider using Microsoft Graph instead.
As the creator of an API ecosystem with OAuth, you want to allow access to your APIs via scopes that can be attached to an access token. My questions are thus:
How do YOU define a scope?
Would you expect any scopes you define to provide access only to resources/methods within a single API, or should a scope include access across multiple APIs?
How likely are you to define scopes in an API definition file like Swagger/OAS or RAML vs. within some sort of API gateway tool?
Should scopes be defined outside of the context of a specific API as part of a separate OAuth management tool, alongside things like IdP registration and client application creation?
I realize there may be several possible answers and perspectives on this - that is exactly what I am looking for.
Thanks for your help!
My OAuth2 server has the ability to create arbitrary scopes. Scopes are similar to 'roles', they describe groups of functionality.
The OAuth2 server is essentially unaware of what theses scopes are. API Resource servers receive Bearer tokens, and based on the bearer tokens find out what scopes are associated with it, and make decisions on what a user can and cannot do with that scope, but to the OAuth2 server, they are opaque strings.
We don't use swagger/RAML.
I have an MVC app which uses the Microsoft.AspNetCore.Authentication.OpenIdConnect middleware against IdS4 (core 1.1). The MVC calls a backend web API with the access token obtained after authentication. I'm using the "code id_token" response. I have segmented the API using scopes, but I have quite a few of them, i.e. 15. When I build the OIDCoptions I add in the scopes which the client requires:
oidOptions.Scope.Add("usersRead"); // Api scope
oidOptions.Scope.Add("usersWrite"); // Api scope
This has worked absolutely fine. However, I added a further two scopes and now IdS reports the following when the MVC does an OIDC challenge against IdS, i.e. before the user gets presented with login form
bad request
I can remove any two scopes from the list in my MVC app and it starts working again. This makes me think there is some limit on the number of scopes which can be requested, or some issue with URL length? I had a look the source code for OIDC middleware and IdS and I cannot find anything which would limit the number of API scopes a client may request.
Any ideas?
Thanks for the comments. After setting up log streaming in the Azure Web App the problem was immediately highlighted. Indeed, there is a string length limit on the artifacts which make up the token request, specifically for the scopes string 300 characters. We have shortened the scope names and now everything is working fine.
For reference, please see: https://github.com/IdentityServer/IdentityServer4/blob/aspnetcore1/src/IdentityServer4/Configuration/DependencyInjection/Options/InputLengthRestrictions.cs
Note, this is for dot net core v1.1 - similar restrictions for v2.0.
I am currently using the old Outlook office REST API v2 to access outlook.com mail of users via oauth (as opposed to microsoft graph, due to a lack of certain desired features)
For authentication scopes, it needs values like
https://outlook.office.com/mail.readwrite
https://outlook.office.com/mail.readwrite.shared
vs microsoft graph's
Mail.ReadWrite
Mail.ReadWrite.Shared
Unfortunately, the documentation that supposedly provides a comprehensive list of supported scopes https://dev.outlook.com/restapi/getstarted has had its links changed to point to microsoft graph's documentation (which doesnt really help at all)
THE FOLLOWING IS FROM THE ABOVE LINK, AND REDIRECTS TO THE BELOW LINK
scope: a space-delimited list of access scopes that your app requires. For a full list of Outlook scopes, see Authenticate Office APIs using the "v2.0" endpoints [https://developer.microsoft.com/en-us/graph/docs/authorization/auth_overview]
I'm not aware of a global list of Outlook scopes but they should be documented along side each REST method under the Minimum Requires Scopes.