
I am trying to obtain a token from Azure AD from a Python client application. I want users to seamlessly authenticate with just a username and password (client_id / secret will be embedded in the app). I registered my app, gave it all permissions, and hit the "grant permissions" button in the new portal according to this post:

The user or administrator has not consented to use the application - Send an interactive authorization request for this user and resource

I am sending an http post to:

https://login.microsoftonline.com/{tenant_id}/oauth2/token

with the following data:

import requests

url = "https://login.microsoftonline.com/{0}/oauth2/token".format(tenant_id)

headers = {
    "Content-Type": "application/x-www-form-urlencoded"
}

# values are concatenated raw, so a password containing '&', '%' or '=' would corrupt the form body
body = "resource={0}&grant_type=password&username={1}&password={2}&client_id={3}&client_secret={4}&scope=openid".format(app_id_uri, user, password, client_id, client_secret)

response = requests.post(url, headers=headers, data=body)

I cannot seem to get past this error no matter what I try:

b'{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID \'078c1175-e384-4ac7-9116-efbebda7ccc2\'. Send an interactive authorization request for this user and resource.

Again, my goal:

User enters user / pass and nothing else. App sends user / pass / client_id / client_secret, obtains token.

Progger
  • Could you check your oauth2PermissionGrants with Graph Explorer? Example here: https://graphexplorer.cloudapp.net/Home/Index/DemoCompany?UrlRequest=GET&text=https%3A%2F%2Fgraph.windows.net%2Fgraphdir1.onmicrosoft.com%2Foauth2PermissionGrants. Find if your app's service principal has been granted the proper access to the resources. – juunas Jan 02 '17 at 07:12
  • So I'm not 100% sure what I'm looking at here, but when I put in "https://graph.windows.net/{my_dir}/oauth2PermissionGrants", I see a "value" array with 3 service principals in it, each having a clientId, none of which correspond with the client_id of my app. Guessing this might be the culprit? I still don't know how to grant it, if so. – Progger Jan 02 '17 at 17:15
  • The client id there is actually the object id of the service principal :) So find your service principal first from the servicePrincipals endpoint. – juunas Jan 02 '17 at 17:19
  • OK, so it is in there, but how do I know if it has "proper" access? The value next to "scope" is: "Directory.ReadWrite.All Directory.Read.All Member.Read.Hidden User.Read User.ReadBasic.All User.Read.All Group.Read.All Group.ReadWrite.All Directory.AccessAsUser.All", ... which is likely the result of me checking everything I could check in the app permissions. – Progger Jan 02 '17 at 17:31
  • Is the consentType set to AllPrincipals or Principal on the oauth2PermissionGrant? Because if it is AllPrincipals then it means admin consent has been given. – juunas Jan 02 '17 at 17:38
  • It does. Hmm. The message I'm receiving says to do an interactive request but that is exactly what I'm trying to avoid because this is a python app with no web browser and I'm trying to avoid complexity. So if permissions are correct, any idea why I'm seeing a permissions error? Thanks for all your help. – Progger Jan 02 '17 at 17:41
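The check juunas walks through in the comments above (find the app's service principal object id, then inspect the matching oauth2PermissionGrants entry's consentType and scope) as a small Python routine. This is an added example, not code from the question or the comments; the grant fields follow the Azure AD Graph oauth2PermissionGrants entity, and the object ids and scopes in SAMPLE_GRANTS are constructed.

```python
"""Decide whether an app's service principal holds the consent a non-interactive
token request needs, from the entries returned by
GET https://graph.windows.net/{tenant}/oauth2PermissionGrants (added example)."""

# Constructed sample resembling the "value" array of oauth2PermissionGrants.
# clientId is the *object id of the service principal*, not the application's client_id.
SAMPLE_GRANTS = [
    {
        "clientId": "11111111-aaaa-4bbb-8ccc-000000000001",    # SP object id (constructed)
        "consentType": "AllPrincipals",                         # admin consent, covers every user
        "principalId": None,
        "resourceId": "22222222-aaaa-4bbb-8ccc-000000000002",   # resource SP, e.g. Azure AD Graph (constructed)
        "scope": "Directory.Read.All User.Read User.ReadBasic.All",
    },
    {
        "clientId": "11111111-aaaa-4bbb-8ccc-000000000003",
        "consentType": "Principal",                             # a single user consented for themselves
        "principalId": "33333333-aaaa-4bbb-8ccc-000000000004",
        "resourceId": "22222222-aaaa-4bbb-8ccc-000000000002",
        "scope": "User.Read",
    },
]


def grants_for(grants, sp_object_id, resource_id):
    """Grants whose clientId is the app's service principal object id, for one resource."""
    return [g for g in grants
            if g.get("clientId") == sp_object_id and g.get("resourceId") == resource_id]


def check_consent(grants, sp_object_id, resource_id, required_scopes, user_object_id=None):
    """Return a dict describing whether a token request on behalf of `user_object_id`
    would pass the consent check for `required_scopes`:

      consented    - True if an AllPrincipals grant exists, or the user has a Principal grant
      consent_type - "AllPrincipals", "Principal" or None
      missing      - required scopes absent from the grant that applies
    """
    chosen = None
    for grant in grants_for(grants, sp_object_id, resource_id):
        if grant.get("consentType") == "AllPrincipals":
            chosen = grant            # admin consent wins regardless of the user
            break
        if grant.get("consentType") == "Principal" and grant.get("principalId") == user_object_id:
            chosen = grant            # keep looking in case an AllPrincipals grant follows
    if chosen is None:
        return {"consented": False, "consent_type": None, "missing": sorted(required_scopes)}
    granted = set(chosen.get("scope", "").split())
    return {"consented": True,
            "consent_type": chosen["consentType"],
            "missing": sorted(set(required_scopes) - granted)}


if __name__ == "__main__":
    print(check_consent(SAMPLE_GRANTS, "11111111-aaaa-4bbb-8ccc-000000000001",
                        "22222222-aaaa-4bbb-8ccc-000000000002", {"User.Read"}))
```

With a real tenant, feed the "value" array from the oauth2PermissionGrants call as `grants`, the app's service principal object id (looked up via the servicePrincipals endpoint, as the comment says) as `sp_object_id`, and the resource's service principal object id as `resource_id`. A result with `consented` False for every user, or with the wrong resource, is the situation that produces AADSTS65001 on a non-interactive grant.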

2 Answers


According to your comment:

The message I'm receiving says to do an interactive request but that is exactly what I'm trying to avoid because this is a python app with no web browser and I'm trying to avoid complexity.

I think you want to build a daemon app or an app only application integrating with Azure AD. You can refer to https://graph.microsoft.io/en-us/docs/authorization/app_only for the general introduction.

Furthermore, you can leverage the ADAL for Python to implement this functionality with ease. Also, you can refer to client_credentials_sample.py for a quick start.

Gary Liu
  • So this got me a token right away which I can use to get the user's info from Graph. The only issue is I can't figure out how to validate the user's credentials against Graph. Is this possible? Ideally, I'd like to get a token using the user's creds instead of client_id/secret but not sure if that is possible. – Progger Jan 03 '17 at 03:32
  • I am afraid you need to add a bit of custom logic to implement this functionality if you do not want **an interactive request**. You can leverage the graph API to match the user info against his cert, e.g. https://graph.microsoft.io/en-us/docs/api-reference/v1.0/api/user_get – Gary Liu Jan 03 '17 at 05:29
  • Hi, @progger, do you have any update? Have you solved your problem? – Gary Liu Jan 13 '17 at 07:07
  • @gary-liu-msft I ended up going with ADAL for Python. It's been working great. Thanks! – Progger Jan 18 '17 at 02:36
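The two grants discussed on this page side by side: the password grant the question sends and the client-credentials (app-only) grant this answer recommends, with the token endpoint's reply classified so that the AADSTS65001 consent error from the question is told apart from a successful token. This is an added example, not code from the question, the answer, or ADAL for Python; it assumes the v1 endpoint https://login.microsoftonline.com/{tenant}/oauth2/token and the error JSON shape quoted in the question, uses only the standard library, and the sample responses are constructed.

```python
"""Azure AD v1 token request (password or client_credentials grant) and reply
classification. Added example, standard library only."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# v1 endpoint from the question; {tenant} is the directory id or a verified domain
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
AADSTS_RE = re.compile(r"(AADSTS\d+)")

# Constructed error body in the shape the question quotes (the app id is a placeholder)
CONSTRUCTED_CONSENT_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS65001: The user or administrator has not consented "
                         "to use the application with ID '<APP-ID-PLACEHOLDER>'. "
                         "Send an interactive authorization request for this user and resource.",
})
# Constructed success body with the fields a v1 token response carries
CONSTRUCTED_SUCCESS = json.dumps({"token_type": "Bearer", "expires_in": "3599",
                                  "access_token": "<opaque-token-placeholder>"})


def build_token_request(tenant, resource, client_id, client_secret, username=None, password=None):
    """Return (url, form): the password grant when a username is given, otherwise the
    client-credentials grant. The form stays a dict so every value is percent-encoded
    when sent; the hand-concatenated string in the question breaks on '&', '%' or '='."""
    form = {"resource": resource, "client_id": client_id, "client_secret": client_secret}
    if username is not None:
        # Resource-owner password grant: the client handles the user's password itself,
        # so Azure AD cannot apply MFA or conditional access on this path.
        form.update(grant_type="password", username=username, password=password, scope="openid")
    else:
        # App-only grant: no user involved; the token carries the application's own permissions.
        form["grant_type"] = "client_credentials"
    return TOKEN_URL.format(tenant=tenant), form


def encode_form(form):
    """application/x-www-form-urlencoded body with each value percent-encoded."""
    return urllib.parse.urlencode(form)


def classify_token_response(status_code, body_text):
    """Reduce the endpoint reply to a small dict. AADSTS65001 (the question's error) means
    consent is missing: an admin grants it once, or the user consents interactively once;
    retrying the non-interactive grant will not clear it."""
    data = json.loads(body_text)
    if status_code == 200 and "access_token" in data:
        return {"ok": True, "token_type": data.get("token_type"),
                "expires_in": int(data.get("expires_in", 0))}
    match = AADSTS_RE.search(data.get("error_description", ""))
    code = match.group(1) if match else None
    return {"ok": False, "error": data.get("error"), "aadsts": code,
            "needs_consent": code == "AADSTS65001"}


def request_token(tenant, resource, client_id, client_secret, username=None, password=None):
    """POST the form and classify the reply (performs a network call; not exercised offline)."""
    url, form = build_token_request(tenant, resource, client_id, client_secret, username, password)
    req = urllib.request.Request(url, data=encode_form(form).encode(),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        # Azure AD answers 400 with a JSON error body; surface it instead of raising
        return classify_token_response(err.code, err.read().decode())


if __name__ == "__main__":
    print(classify_token_response(400, CONSTRUCTED_CONSENT_ERROR))
    print(classify_token_response(200, CONSTRUCTED_SUCCESS))
```

`request_token(tenant, resource, client_id, client_secret)` with no username is the app-only flow this answer points to; adding `username` and `password` is the flow the question attempted. Either way a `needs_consent` result means the fix is on the consent side (the oauth2PermissionGrants check from the comments on the question), not in the request.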

You should try logging in as an admin to be able to give consent to use the application on your tenant at all.

RasmusW