21

I'm trying to invoke an authentication process with a Windows Azure AD tenant application using OAuth 2.0 by using curl. But I couldn't figure out what the parameter "resource" is in the sample code below:

curl -X POST https://login.windows.net/<<YOUR--AD-TENANT-ID>>/oauth2/token  \
  -F redirect_uri=http://google.com \
  -F grant_type=authorization_code \
  -F resource=https://management.core.windows.net/ \
  -F client_id=87a544fd-... \
  -F code=AwABAAAAvPM1...8sSAA
BenV
Dharshana

2 Answers

30

The resource parameter depicts the identifier of the WebAPI that your client wants to access on behalf of the user. Most flows in OAuth involve 4 parties: the resource owner (aka user), the client (aka app), the authority (aka identity provider) and the resource (aka webapi). The audience of the access token that the authority generates is the resource identifier.

In the case of Azure AD you can either use the Client ID or the App ID URI of the resource WebAPI (find them in the configure tab of the Azure AD application in the Azure Management portal). For instance, if I want my client to get a token to access the Azure AD Graph API on behalf of the user, I would request a token for resource "https://graph.windows.net". In your example, the resource parameter value identifies the Azure Service Management APIs.

Here are some code samples of Client Apps using Azure AD SDKs to request for tokens to WebAPIs - different usages of the resource parameter:

Hope this helps.

Dushyant Gill
  • 3
    qq Dushyant - is it possible to request a token for multiple resources in one call? – Mark Nadig Jan 30 '15 at 20:47
  • 1
    Mark, if by one request you mean one authorization request - then yes. The authorization request will authenticate the user (and if required have the user consent to your application accessing their resource(s) on their behalf) and get you an authorization code. – Dushyant Gill Feb 01 '15 at 06:59
  • 5
    Then your application will make a request to the token endpoint to get an access token for the first resource - you'll send the code (and your client id/client creds) and get back an access token and a refresh token. Then your application will again make a call to the token endpoint - this time for an access token to the second resource, however this time you'll send the refresh token (and your clientid/client creds). – Dushyant Gill Feb 01 '15 at 06:59
  • 1
    FYI, I had to put "https://graph.microsoft.com" instead of "https://graph.windows.net" as resource (from Node.js + package "passport-azure-ad-oauth" instead of direct HTTP calls with curl, but the logic looks the same); otherwise I always got a "401 Access token validation failure" when trying to call graph API after the authentication process. – Maxime Pacary Oct 09 '17 at 10:19
  • @DushyantGill. Thanks for that clarification. Just have some more questions. Why are the /v2.0/xxxxxxx endpoints not capable of dealing with the resource parameter? They always complain that the parameter is not supported. We use oauth to login to our dynamics. There we use the "v1" endpoints and give the organization url as the resource. Now the question is on how we could use the access_token to get access to the microsoft graph. Seems that the v1 tokens don't work with the microsoft graph. – Robert Jul 13 '19 at 08:24
  • @DushyantGill and of course I saw your comment before regarding the second request but I don't understand it. Is it possible to use the v1 generated access_token with the v2 token endpoint? – Robert Jul 13 '19 at 08:28
7

In simple words, the resource parameter contains the URI of the Web API resource you want to access.

The OAuth protocol follows token-based access to resources. The "resource" parameter helps to distinguish between tokens for different Web APIs.

For example, if you want to access the Graph API, then the resource will be "https://graph.windows.net/".

If you want to access Azure, the resource parameter must be specified as "http://management.azure.com".

It is recommended to use this parameter, although it is not compulsory.

Rishabh Soni
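
Added example (not part of the original question, answers or comments, and not Microsoft's code): a Python sketch of the two token-endpoint requests described in the comments under the first answer, plus the audience check that both answers imply. The client ID, redirect URI, unsigned sample token and all function names are constructed for illustration.

```python
import base64
import json

# Constructed placeholders; none of these come from a real tenant.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://client.example/callback"


def token_request(resource, *, code=None, refresh_token=None):
    """Form fields for one token-endpoint call (client secret omitted); one resource per call."""
    if (code is None) == (refresh_token is None):
        raise ValueError("supply exactly one of code or refresh_token")
    form = {"client_id": CLIENT_ID, "resource": resource}
    if code is not None:
        form.update(grant_type="authorization_code", code=code, redirect_uri=REDIRECT_URI)
    else:
        form.update(grant_type="refresh_token", refresh_token=refresh_token)
    return form


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def sample_token(aud):
    """Constructed, unsigned JWT-shaped string standing in for the authority's reply."""
    return f"{_b64url({'alg': 'none'})}.{_b64url({'aud': aud})}."


def token_audience(token):
    """Return the aud claim. Inspection only: a real API verifies the signature first."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWT")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["aud"]


def api_accepts(token, accepted_audiences):
    """The resource API rejects tokens whose audience is some other resource."""
    return token_audience(token) in accepted_audiences


if __name__ == "__main__":
    first = token_request("https://management.core.windows.net/", code="<code>")
    second = token_request("https://graph.windows.net", refresh_token="<refresh_token>")
    token = sample_token(second["resource"])  # stand-in for the second response
    print(first["grant_type"], second["grant_type"])
    print(api_accepts(token, {"https://graph.windows.net"}), api_accepts(token, {"https://graph.microsoft.com"}))
```

The last line prints `True False`: a token whose audience is one resource identifier is refused by an API that accepts only a different one, which matches the 401 reported in the comments when the resource value did not match the API being called.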