Is it necessary to use client certificate in Office 365 Management Activity API or can i use a bearer token based on client key/secret? - office365api

I'm successfully getting an access token for the resource https://manage.office.com from https://login.microsoftonline.com/MYTENANTID/oauth2/token using grant_type client_credentials with my client ID and client secret.
But I always get "Authorization has been denied for this request" back when I try to use that token to start a subscription using https://manage.office.com/api/v1.0/MYTENANTID/activity/feed/subscriptions/start?contentType=Audit.SharePoint
There is only one Tenant. My app is in the same tenant I'm trying to access.
Do I have to do the client certificate thing with the manifest, or can I use the secret key? This is service to service. Or is it that I'm not getting an authorization code first? I didn't think I needed to do that since this scenario doesn't require content
Any help greatly appreciated.

Based on my test, I am also not able to call this REST API via the token request with the client ID and secret.
To use this API, you can generate a self-signed certificate. For detailed steps on using a certificate to request the app-only token, please refer here.
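The certificate-based token request the answer points to, as an added example (it is not code from the original post and not Microsoft's sample): Go, standard library only. It generates a self-signed certificate in memory, builds the RS256 client assertion with the x5t thumbprint header that Azure AD uses to match the certificate uploaded to the app registration, and shows the form body for the same v1 token endpoint the question already uses, where client_assertion takes the place of client_secret. The tenant ID, client ID and certificate subject are placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Constructed placeholders: use your tenant ID, the app's client ID, and the same
// resource you were already requesting with the secret.
const (
	tenantID = "00000000-0000-0000-0000-000000000000"
	clientID = "11111111-1111-1111-1111-111111111111"
	resource = "https://manage.office.com"
)

func tokenEndpoint(tenant string) string {
	return "https://login.microsoftonline.com/" + tenant + "/oauth2/token"
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newSelfSignedCert makes the key pair and self-signed certificate. The certificate is
// what you upload to the app registration (keyCredentials in the manifest); the private
// key stays with the service. Here both are generated in memory for the demo.
func newSelfSignedCert() (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "o365-activity-api-client"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// clientAssertion builds the RS256-signed JWT that takes the place of client_secret.
// The x5t header is the certificate's base64url SHA-1 thumbprint, which Azure AD uses to
// find the matching keyCredential; aud is the token endpoint, iss and sub the client ID.
func clientAssertion(key *rsa.PrivateKey, certDER []byte, now time.Time) (string, error) {
	thumb := sha1.Sum(certDER)
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": b64url(thumb[:])})
	jti := make([]byte, 16) // unique per request so a captured assertion cannot be replayed
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(map[string]interface{}{
		"aud": tokenEndpoint(tenantID),
		"iss": clientID,
		"sub": clientID,
		"jti": b64url(jti),
		"nbf": now.Unix(),
		"exp": now.Add(10 * time.Minute).Unix(),
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// tokenRequestBody is the form POSTed to the token endpoint. Next to the secret-based
// request, client_secret is gone and the two client_assertion parameters are new.
func tokenRequestBody(assertion string) url.Values {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"client_id":             {clientID},
		"resource":              {resource},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion},
	}
}

func main() {
	key, der, err := newSelfSignedCert()
	if err != nil {
		panic(err)
	}
	assertion, _ := clientAssertion(key, der, time.Now())
	fmt.Println("POST", tokenEndpoint(tenantID))
	fmt.Println(tokenRequestBody(assertion).Encode())
}
```

The resulting access token is then used exactly as before in the Authorization: Bearer header of the subscriptions/start call; only the way the app authenticates to the token endpoint changes. Keep the assertion lifetime short and generate a fresh jti per request.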

Related

OAuth - Make Authorization Code flow work without website or user?

I have a back-end processor (imagine a cron job once a day generating reports) that needs to integrate with a third-party system. Their APIs only support the "Authorization code" grant type. The problem is I can't even fill out a request for a token as I don't have a redirect_uri (no website), and I definitely don't have a user of any kind. I'll just have the OAuth clientId and secret I provisioned via their developer portal (Mashery) for my back-end report processor app.
I want to use the "Client credentials" grant type/flow since I'm just a back-end service.
Is there any way to fake this or hack it so my little back-end service can somehow work with authorization code flow?
Thanks in advance
No, there is no way to hack it. Client credentials only authenticate the client. A token issued for client credentials has no information about the user. If their API needs information about the user (you probably get information only about your user), then you need to have a token issued with the Code Flow.
What you can do is generate the OAuth token yourself. E.g. you can use oauth.tools to perform a Code Flow with their Authorization Server, or you can perform the flow from a browser with a dummy redirect URI (e.g. http://localhost), then get the code returned from the authorization request and perform a token request from curl.
Once you have an access and refresh token you can hard-code them in your script (or read them from an env variable or file, etc). You can then call the API as long as the access token is valid, and use the refresh token to get a new access token when it expires. You will not have to perform a new Code Flow for as long as the refresh token is valid.
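One way to implement what this answer describes, as an added example that is not part of the original post: a Go client that does the one-time code exchange (the curl step, with the code copied from the browser redirect), keeps the token pair, and refreshes shortly before expiry, persisting the rotated refresh token. The token endpoint here is a constructed in-process stand-in; the credentials, the dummy redirect URI and the error bodies are placeholders, and Mashery's real endpoint may differ in details such as how it wants the client authenticated.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// Constructed values standing in for the developer-portal credentials and the dummy redirect URI.
const (
	clientID     = "my-report-processor"
	clientSecret = "my-report-processor-secret"
	redirectURI  = "http://localhost"
)

type tokenResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	ExpiresIn    int    `json:"expires_in"`
}

// tokenRequest POSTs one grant with the client credentials in the form body (RFC 6749 2.3.1 prefers HTTP Basic).
func tokenRequest(tokenURL string, form url.Values) (tr tokenResponse, err error) {
	form.Set("client_id", clientID)
	form.Set("client_secret", clientSecret)
	resp, err := http.PostForm(tokenURL, form)
	if err != nil {
		return tr, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // an error body must not be mistaken for a token
		return tr, fmt.Errorf("token endpoint returned %s", resp.Status)
	}
	return tr, json.NewDecoder(resp.Body).Decode(&tr)
}

// TokenSource holds the pair obtained once and refreshes the access token before it expires.
type TokenSource struct {
	tokenURL, accessToken, refreshToken string
	expiry                              time.Time
}

// Bootstrap is the answer's curl step: exchange the code copied from the browser redirect.
func Bootstrap(tokenURL, code string) (*TokenSource, error) {
	ts := &TokenSource{tokenURL: tokenURL}
	return ts, ts.store(tokenRequest(tokenURL, url.Values{
		"grant_type": {"authorization_code"}, "code": {code}, "redirect_uri": {redirectURI}}))
}

func (ts *TokenSource) store(tr tokenResponse, err error) error {
	if err != nil {
		return err
	}
	ts.accessToken, ts.expiry = tr.AccessToken, time.Now().Add(time.Duration(tr.ExpiresIn)*time.Second)
	if tr.RefreshToken != "" { // rotated: persist the new one, the previous one is now dead
		ts.refreshToken = tr.RefreshToken
	}
	return nil
}

// Token returns a usable access token, refreshing within 60s of expiry. Single worker assumed.
func (ts *TokenSource) Token() (string, error) {
	if time.Now().Add(60 * time.Second).Before(ts.expiry) {
		return ts.accessToken, nil
	}
	err := ts.store(tokenRequest(ts.tokenURL, url.Values{
		"grant_type": {"refresh_token"}, "refresh_token": {ts.refreshToken}}))
	return ts.accessToken, err
}

// fakeAuthServer is a constructed stand-in for the third party's token endpoint: it accepts
// one known code, issues access tokens living expiresIn seconds and rotates single-use refresh tokens.
func fakeAuthServer(expiresIn int) *httptest.Server {
	issued, live := 0, map[string]bool{}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok := r.FormValue("client_id") == clientID && r.FormValue("client_secret") == clientSecret
		switch {
		case ok && r.FormValue("grant_type") == "authorization_code" && r.FormValue("code") == "CODE-FROM-BROWSER" && r.FormValue("redirect_uri") == redirectURI:
		case ok && r.FormValue("grant_type") == "refresh_token" && live[r.FormValue("refresh_token")]:
			delete(live, r.FormValue("refresh_token"))
		default:
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
			return
		}
		issued++
		live[fmt.Sprintf("rt-%d", issued)] = true
		json.NewEncoder(w).Encode(tokenResponse{AccessToken: fmt.Sprintf("at-%d", issued), RefreshToken: fmt.Sprintf("rt-%d", issued), ExpiresIn: expiresIn})
	}))
}

func main() {
	srv := fakeAuthServer(30) // so short-lived that every Token() call refreshes
	ts, _ := Bootstrap(srv.URL, "CODE-FROM-BROWSER")
	fmt.Println(ts.Token()) // at-2 <nil>
	fmt.Println(ts.Token()) // at-3 <nil>
}
```

The refresh token is a long-lived credential equivalent to the user's grant: store it like a password (a secrets store or an encrypted file, not the script source), and write the rotated value back every time the endpoint returns a new one, since servers that rotate refresh tokens revoke the old one on use.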

Azure requires Scope in client credentials grant

I have 2 registered apps in Azure AD - one is a webapi that receives a webhook from SendGrid with an access token. The other is the registration of the SendGrid app so that it can request a token using Client Credentials grant. Admin consent has been granted for the exposed API to the SendGrid app registration.
In SendGrid's webhook configuration on their server (the service is in beta), we are asked for client_id, client_secret and the token endpoint. We also configure the web API resource URL to which it will eventually send the token and its webhook data.
In Azure identity platform, Scope is required but in the RFC it is optional. SendGrid does not configure nor send the scope. So these implementations appear not to be able to work together.
2 questions:
If you do not send a scope to some other RFC-compliant token endpoint, I presume this means the requester can be authorized but the JWT has nothing for audience?
If, according to the RFC, scope is not required, can the resource server check "this was meant for me"?
I understand we can validate the issuer and any extra claims but it seems odd that one of the validations that is emphasized most in Azure AD, Auth0 documentation etc is "audience" yet the RFC allows the scope to be missing in the token request. One of the answers here again emphasizes this requirement.
I wondered if a scope could be configured in the client app registration manifest if it is missing in the request but could not find anything that looks like that.
Thanks in advance for insights.
I'm not sure if this will fix your issue, but have you tried this: on the app registration with Expose an API configured, there is an Authorized client applications section under it; try adding the other app registration's ID in there. I have anecdotally seen that even without requesting the scope, it will return that scope in the token.

Authenticating using Auth2 when there are several resources

I need to implement a single sign on of a user, which can get services from several different services.
When there was only a single service, the user could log in from the client side, send the request to a backend, get a URL back to a JWT token issuer server, from which he could get a token which he sends back to the BE, and he is now authenticated.
What is now changing is that he needs to get more services. Each service has its own frontend and backend, but all of them use the same issuer. Meaning there are both services with FE and BE, and also another general BE for the authentication.
What is the correct flow to authenticate in this scenario? Can the general BE issue a token for the client for each of the required services? Or should the BE respond to the client with the services' BE URLs and let the client itself get an authentication token response from each service? Or something else?
I assume you mean OpenID Connect, since OAuth2.0 is not used for authentication and does not require the use of JWTs. Also, in your scenario there are not multiple resources, but multiple clients / relying parties.
Using the OpenID Connect Implicit flow, the issuer will eventually send an id token (JWT) to the user's browser. This JWT can be used to authenticate to a service. Each JWT will contain an aud (audience) claim to identify the service it should be used for.
Using the Authorization Code flow, the issuer will eventually send an authorization code to the user's browser. The user will send the code to a service, and the service will send the code plus its client id to the issuer in exchange for an id token (JWT) and an access token.
In both cases, the service identifies the end user using the iss (issuer) claim, and verifies the JWT by checking the signature, expiry and audience.

How is the resource server bound to the auth server in OAuth 2.0

My current auth server doesn't support OAuth 2.0 and I'm trying to set up a new auth server. But I don't need a replacement; I just want to pass the token to my new auth server so it can give an access token to a third-party application.
I've been reading many documents about OAuth2 but none of them mentioned how the access token is generated. All of them only said that once the user submits their credentials to the authorization URL, it will verify them and send back a code (auth code grant) or an access token (implicit grant).
The problem is, how does the auth server generate that token and how does the resource server verify this token? And how are these two servers bound together?
Thank you in advance : )

Google open id connect

I'm trying to secure my endpoint using OpenID Connect. Currently there is only a mobile app client. With Google as the identity provider, I have an id_token and an access_token.
My question is, can I use this access token returned as a part of authentication to authorize the user to access my endpoint?
If yes, is there a way to validate the access token within my server?
Or should I create an access token for the user and store it, so that when the user makes a request I check in the DB/Redis?
OpenID connect is an Authentication layer on top of the "Authorization" framework OAuth 2.0. So the Access Token is the "Authorization" for the OAuth Client to access the resource.
Perhaps this post may help.
As @jwilleke mentioned, OAuth 2.0 doesn't specify a way in which an access token can be validated with the Authorization Server.
Hence the approach that I took was to verify the JWT ID token by checking its signature and storing the access token returned along with it.
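The ID token verification this answer settles on, and the check list given in the OpenID Connect answer above (signature, expiry, audience, issuer), as an added Go example that is not part of either post. The issuer, client ID and key set are constructed stand-ins: a real deployment reads the issuer and the JWKS URL from Google's discovery document, fetches the keys, caches them by kid, and compares aud against the OAuth client ID the mobile app was registered with. Google sends aud as a single string, which the code assumes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed values. In production the issuer and key set come from the provider's
// discovery document (Google: https://accounts.google.com/.well-known/openid-configuration).
const (
	issuer   = "https://accounts.google.com"
	clientID = "12345-mobile.apps.googleusercontent.com" // the app's OAuth client ID
)

type jwk struct{ Kid, N, E string } // the RFC 7517 RSA entry fields RS256 needs

// Claims the API relies on. Google sends aud as one string (assumed); an array aud fails to decode and is rejected.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodePart(s string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyIDToken does what the answer lists: select the key by kid, verify the RS256
// signature, then check iss, aud and exp. The claims are trusted only after all of that.
func VerifyIDToken(token string, keys []jwk, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || decodePart(parts[0], &hdr) != nil {
		return nil, fmt.Errorf("not a compact JWS")
	}
	if hdr.Alg != "RS256" { // pin the algorithm: the token must not choose "none" or HS256
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys {
		if k.Kid == hdr.Kid { // a malformed n/e just yields a key that verifies nothing
			n, _ := base64.RawURLEncoding.DecodeString(k.N)
			e, _ := base64.RawURLEncoding.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no key for kid %q", hdr.Kid)
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	var c Claims
	if decodePart(parts[1], &c) != nil {
		return nil, fmt.Errorf("malformed claims")
	}
	if c.Iss != issuer || c.Aud != clientID || now.Unix() >= c.Exp { // aud: a genuine Google token for another app must not unlock this API
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return &c, nil
}

// Constructed stand-in for Google's side: a signing key, its JWKS entry and a signer.
func testProvider() (*rsa.PrivateKey, []jwk) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	return key, []jwk{{Kid: "k1", N: b64url(key.N.Bytes()), E: b64url(big.NewInt(int64(key.E)).Bytes())}}
}

func mint(key *rsa.PrivateKey, c Claims) string {
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": "k1"})
	b, _ := json.Marshal(c)
	input := b64url(h) + "." + b64url(b)
	d := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	return input + "." + b64url(sig)
}

func main() {
	key, keys := testProvider()
	tok := mint(key, Claims{Iss: issuer, Sub: "user-1057", Aud: clientID, Exp: time.Now().Add(time.Hour).Unix()})
	fmt.Println(VerifyIDToken(tok, keys, time.Now()))
}
```

The sub claim is what identifies the user after verification; the ID token proves who logged in, and any session or API token your own server then issues should be keyed on that sub rather than on the Google access token, whose format and validity the OAuth 2.0 spec leaves to Google.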
