33

From the development in WinDev I use OAuth 2.0 for authorization to get access to the Outlook mail from a user.

The application is registered at https://apps.dev.microsoft.com without the Implicit workflow. After the user enters the credentials, an Authorization Code is returned. With the new code the Bearer Token is requested with an HTTP POST command.

So far, so good.

Only that the response gives an error message that makes no sense to me.

In code:

m_sHTTPUrl = "client_id=" + m_sClientID + "&client_secret=" ...
    + m_sClientSecret ...
    + "&redirect_uri=" + m_sRedirectURL + "&code=" + m_sAuthToken ...
    + "&grant_type=authorization_code"
m_sHTTPres = ""
LogLocalFile("GetAccessToken - " + m_sTokenURL + " // " + m_sHTTPUrl) 

cMyRequest is httpRequest
cMyRequest..Method = httpPost
cMyRequest..URL = m_sTokenURL
cMyRequest..ContentType = "application/x-www-form-urlencoded"
cMyRequest..Header["grant_type"] = "authorization_code"
cMyRequest..Header["code"] = m_sAuthToken
cMyRequest..Header["client_id"] = m_sClientID
cMyRequest..Header["client_secret"] = m_sClientSecret
cMyRequest..Header["scope"] = m_sScope
cMyRequest..Header["redirect_uri"] = m_sRedirectURL
//cMyRequest..Content = m_sHTTPUrl
cMyResponse is httpResponse = HTTPSend(cMyRequest)
m_sHTTPres = cMyResponse.Content

In a logfile I requested the used parameters and the content of the httpResponse:

GetAccessToken - https://login.microsoftonline.com/common/oauth2/v2.0/token // grant_type=authorization_code
&code=xxxxxxx
&scope=openid+offline_access+User.Read+Email+Mail.Read+Contacts.Read
&redirect_uri=http://localhost/
&client_id=xxxxxxx
&client_secret=xxxxxxx

GetAccessToken - error = invalid_request
GetAccessToken - error_description = AADSTS90014: The request body must contain the following parameter: 'grant_type'.

The grant_type is in the header as it is supposed to be.

Does anybody have any clue of what is needed to get OAuth2 working?

Adjan
  • According to this [post](https://stackoverflow.com/questions/31430855/onedrive-for-business-invalid-request-error-descriptionaadsts90014-the-r) the oauth-2.0 parameters must be in the content of your request. Did you already try it? This [post](https://social.msdn.microsoft.com/Forums/sqlserver/en-US/d54c668f-d8e3-4662-b124-d9abc3176c8c/http-post-body-parameters-to-get-oauth2-token?forum=azurelogicapps) also warns about the encoding of the body. – Bidjes Mar 28 '18 at 11:40
  • Thanks for the direction. a) It has to be in the body, not in the header. b) It has to be encoded, in plain text. Then it works. – Adjan Mar 29 '18 at 12:09
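
The fix the comments above arrive at (parameters form-encoded in the body, not in headers), as an added Python example that is not code from the original post. Function names and sample values are constructed for illustration; `redact_for_log` is an extra that keeps the authorization code and client secret out of a log file like the one the question writes.

```python
from urllib.parse import urlencode, parse_qsl

BODY_PARAMS = {"grant_type", "code", "client_id", "client_secret",
               "scope", "redirect_uri"}
SECRET_PARAMS = {"code", "client_secret"}
FORM = "application/x-www-form-urlencoded"


def build_token_request(client_id, client_secret, code, redirect_uri, scope):
    """Return (headers, body) with every OAuth parameter form-encoded in the body."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "redirect_uri": redirect_uri,
    })
    return {"Content-Type": FORM}, body


def check_token_request(headers, body):
    """List the mistakes from the question: params in headers, wrong type, no grant_type."""
    problems = []
    misplaced = sorted(BODY_PARAMS & {name.lower() for name in headers})
    if misplaced:
        problems.append("in headers instead of body: " + ", ".join(misplaced))
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if not ctype.lower().startswith(FORM):
        problems.append("Content-Type is not " + FORM)
    if "grant_type" not in dict(parse_qsl(body)):
        problems.append("body has no grant_type")
    return problems


def redact_for_log(body):
    """Mask the authorization code and client secret before logging the body."""
    return urlencode([(k, "REDACTED" if k in SECRET_PARAMS else v)
                      for k, v in parse_qsl(body)])


# Constructed sample values; none of them are real credentials.
GOOD_HEADERS, GOOD_BODY = build_token_request(
    "sample-client-id", "s3cr3t/+&=", "sample-auth-code",
    "http://localhost/", "openid offline_access User.Read Mail.Read")
# The request as the question builds it: parameters as HTTP headers, empty body.
BAD_HEADERS = {"Content-Type": FORM, "grant_type": "authorization_code",
               "code": "sample-auth-code", "client_id": "sample-client-id"}

if __name__ == "__main__":
    print(check_token_request(BAD_HEADERS, ""))
    print(check_token_request(GOOD_HEADERS, GOOD_BODY))
    print(redact_for_log(GOOD_BODY))
```

Reserved characters in the secret and the redirect URI are percent-encoded by `urlencode`, which is the "it has to be encoded" part of the fix.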

6 Answers

28

You shouldn't send grant_type in either params or headers. Those should be sent in body params; only then will it work.

Url: https://login.microsoftonline.com/common/oauth2/v2.0/token

client_id, scope and redirect_uri params can be sent as query params, whereas grant_type, code and client_secret should be sent in body params.

grant_type:authorization_code, 
code: {code you got from the authorization step}, 
client_secret: ****
Gryu
24

You need to pass everything in body as form-data:

curl --location --request POST 'https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token' \
--form 'grant_type=authorization_code' \
--form 'code=<the code you have got from the authorization endpoint>' \
--form 'client_secret=****' \
--form 'client_id=********' \
--form 'scope=m_sScope' \
--form 'redirect_uri=http://localhost/'
Marcelo Gazzola
  • Does this also apply to the auth part? I am getting this error at the authorize endpoint, which as I understand it, comes before the token endpoint call. – Christopher Pisz Dec 23 '20 at 15:06
7

You should change the content type to: application/x-www-form-urlencoded

The body must be formatted as below:

 client_id=8cfbe8ac-8775-4c56-9302-k9d5a42cbf98
 &client_secret=BOy7Q~pGvXF.SWshX72mmMnQeAkvN5elHWiYT
 &grant_type=client_credentials
 &resource=https://miurl.com
5

If someone is still having this issue, you can try from Postman like below. Please check that the Body type is "x-www-form-urlencoded".

Atul
1

I finally got this right after referring to multiple answers.

POST https://login.microsoftonline.com//oauth2/token --make sure to enter the ID directly without <,>

Use 'x-www-form-urlencoded' format for the Body. Enter Keys & Values for the below parameters:

  • client_id - Client_ID on your Azure App
  • client_secret - client_secret value and not the key. Note that this value is available only for the first time upon the client secret key creation
  • grant_type - client_credentials (static words, don't try to look for the value)
  • resource - App ID URI

reference link - https://learn.microsoft.com/en-us/previous-versions/azure/dn645543(v=azure.100)?redirectedfrom=MSDN

0

When providing the "Default Scope" value, it must be the full name, for example "User.Read". The correct value can be found in Azure AD App -> API Permission.