
I'm using Xamarin.Auth for authenticating users against Google and Azure AD in a Xamarin Forms based mobile app. While everything works as expected with Google, I'm unable to get an access_token with Azure AD:

  • Authorize works as expected providing code and state
  • Token returns an id_token and a refresh_token, but no access_token.

I can replay this scenario in Postman, so this doesn't seem to be caused by Xamarin.Auth and is more likely to be blamed on my inability to properly interpret Microsoft's documentation...

Your help would be truly appreciated!



1 Answer


You should include a resource scope when acquiring a token in Azure AD v2.0. Any web-hosted resource that integrates with Azure AD has a resource identifier, or Application ID URI. For example, Microsoft Graph is https://graph.microsoft.com.

If you want to acquire an access token for Microsoft Graph with permission to read the signed-in user's mail, the token request would be:

POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&client_secret=JqQX2PNo9bpM0uEihUPzyrh    // NOTE: Only required for web apps (confidential clients); omit it from a mobile app

Please read this document on how the OAuth 2.0 Authorization Code Flow works in Azure AD v2.0, and click here for Scopes, permissions, and consent in the Azure Active Directory v2.0 endpoint.

  • Thanks for the speedy reply. Those are the very documents I've already read. Is there anything wrong with the scope "openid offline_access" I am using? (I'd like to request only the most basic access that is valid in combination with offline_access.) Because other than the scope I cannot make out any difference between your example and what I am using. – manuel Aug 24 '17 at 05:55
  • openid and offline_access are `OpenID Connect scopes`. See the [document](https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes#openid-connect-scopes). Without a resource scope like "https://graph.microsoft.com/mail.read", OpenID Connect will not return an access token for that resource; it only includes an id_token (which shows who you are). An access token is used to access protected resources. See more details in the [Azure AD token reference](https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims). – Nan Yu Aug 24 '17 at 06:01
  • thanks for the additional explanation. adding https://graph.microsoft.com/user.read to the scope solved my problem. – manuel Aug 24 '17 at 06:57
  • If you want a listing of all the permissions (scopes) available, see here [Microsoft Graph permissions reference](https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference). From what I understand, you must prefix the permission with `https://graph.microsoft.com/` – Je Suis Alrick Apr 08 '18 at 20:52
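The exchange discussed in the answer and its comments, as an added example that is not part of the original thread: it builds the v2.0 authorize and token requests with the same scope string, and then inspects a `/token` response to report why no `access_token` came back (only OpenID Connect scopes requested) or whether the returned token is actually bound to Microsoft Graph with the requested permission. The tenant, client ID, code and the two token responses are constructed for the demo; the JWT decoder is for inspection only and does not verify signatures.

```python
"""Added example (not from the original post): build an Azure AD v2.0
authorization-code exchange and check why a token response carries no
access_token. All identifiers and token responses below are constructed."""
import base64
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com"
# Audiences seen in Microsoft Graph access tokens: the resource URI or Graph's application ID.
GRAPH_AUDIENCES = {GRAPH, "00000003-0000-0000-c000-000000000000"}
# OpenID Connect scopes shape the id_token / refresh_token but name no resource,
# so a request made of these alone yields no access_token.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def resource_scopes(scope):
    """Return the scopes that name a resource, e.g. https://graph.microsoft.com/user.read."""
    return [s for s in scope.split() if s not in OIDC_SCOPES]


def build_authorize_url(tenant, client_id, redirect_uri, scope, state):
    """Step 1: send the user to /authorize with the SAME scope you will use at /token."""
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "response_mode": "query", "scope": scope, "state": state}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def build_token_request(tenant, client_id, code, redirect_uri, scope, client_secret=None):
    """Step 2: redeem the code. Returns (url, headers, form body).
    client_secret is only for confidential (web) clients; a mobile app sends none."""
    form = {"client_id": client_id, "scope": scope, "code": code,
            "redirect_uri": redirect_uri, "grant_type": "authorization_code"}
    if client_secret is not None:
        form["client_secret"] = client_secret
    return (f"{AUTHORITY}/{tenant}/oauth2/v2.0/token",
            {"Content-Type": "application/x-www-form-urlencoded"},
            urlencode(form))


def decode_jwt_payload(token):
    """Decode a JWT payload for inspection only; this does NOT verify the signature."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def check_token_response(resp, scope, audiences=GRAPH_AUDIENCES):
    """Return a list of problems with a /token response; an empty list means it is usable."""
    problems = []
    wanted = resource_scopes(scope)
    if "access_token" not in resp:
        if wanted:
            problems.append("no access_token although a resource scope was requested")
        else:
            problems.append("no access_token: only OpenID Connect scopes were requested; "
                            f"add a resource scope such as {GRAPH}/user.read")
        return problems
    claims = decode_jwt_payload(resp["access_token"])
    if claims.get("aud") not in audiences:
        problems.append(f"access_token audience {claims.get('aud')!r} is not Microsoft Graph")
    # Graph tokens list the granted delegated permissions in 'scp' (short names, e.g. User.Read).
    granted = {s.lower() for s in claims.get("scp", "").split()}
    for s in wanted:
        short = s.rsplit("/", 1)[-1].lower()
        if short not in granted:
            problems.append(f"requested permission {short} is missing from the scp claim")
    return problems


def _unsigned_jwt(claims):
    """Constructed, unsigned JWT for the offline demo (dummy signature segment)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + ".demo-signature"


OIDC_ONLY = "openid offline_access"
WITH_RESOURCE = "openid offline_access https://graph.microsoft.com/user.read"

# Constructed responses mirroring the two cases in the thread.
RESPONSE_ID_TOKEN_ONLY = {
    "token_type": "Bearer", "scope": OIDC_ONLY, "expires_in": 3600,
    "id_token": _unsigned_jwt({"aud": "demo-client-id", "sub": "demo-user"}),
    "refresh_token": "demo-refresh-token",
}
RESPONSE_WITH_ACCESS = dict(
    RESPONSE_ID_TOKEN_ONLY, scope="User.Read",
    access_token=_unsigned_jwt({"aud": GRAPH, "scp": "User.Read", "sub": "demo-user"}))


if __name__ == "__main__":
    print(build_authorize_url("common", "demo-client-id", "http://localhost/myapp/",
                              WITH_RESOURCE, "demo-state"))
    for label, resp, scope in [("openid offline_access only", RESPONSE_ID_TOKEN_ONLY, OIDC_ONLY),
                               ("with user.read", RESPONSE_WITH_ACCESS, WITH_RESOURCE)]:
        print(label, "->", check_token_response(resp, scope) or "OK")
```

The audience and `scp` checks are the part worth keeping in a real client: a token that is returned but issued for a different audience, or without the permission you asked for, will fail at Graph with a 401 that looks much like the original missing-token problem. Verify the token's signature against the tenant's published keys before trusting any of its claims in production; the decoder here skips that on purpose for the offline demo.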