
I want to access a user's outlook calendar in my Java Application. For this I'm trying to use Microsoft Graph APIs.

I'm following this tutorial: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-java-webapp whose code is here: https://github.com/Azure-Samples/ms-identity-java-webapp/tree/master/msal-java-webapp-sample

I created an app on portal.microsoft.com with the type "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)".

I've created keystore.p12 and copied it to the resources directory.

My application.properties is:

#AAD configuration
aad.clientId=my client id
aad.authority=https://login.microsoftonline.com/my tenant id/
aad.secretKey=my secret key
aad.redirectUriSignin=https://localhost:8443/msal4jsample/secure/aad
aad.redirectUriGraph=https://localhost:8443/msal4jsample/graph/me
aad.msGraphEndpointHost=https://graph.microsoft.com/

#SSL configuration
server.port=8443
server.servlet.session.cookie.secure=true
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-store-password=password
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=testCert
server.ssl.key-password=password

When I run the application and access https://localhost:8443, I get the page with the Login button. When I click the Login button, I'm redirected to the page where I can choose among Outlook accounts. The URL is:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&response_mode=form_post&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fmsal4jsample%2Fsecure%2Faad&client_id=ca146462-8880-424c-b629-cc7c0d0fb1b3&scope=openid+offline_access+profile&prompt=select_account&state=69a2ac0f-abac-46ad-b525-88f0b70182b7&nonce=9278f424-6858-4e22-bb13-7b13894abda7

When I select an account, I'm getting the following error:

Selected user account does not exist in tenant 'Microsoft Services' and cannot access the application 'ca146462-8880-424c-b629-cc7c0d0fb1b3' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.


I've added Redirect URIs (screenshot not available).

Why am I getting the error?

Update:

I changed the authority in application.properties to https://login.microsoftonline.com/common, so now I'm getting the "Pick an account" page. But when I choose an account, I'm getting a 403 Forbidden error.

user5155835
  • Since you are trying to sign in to your Azure AD tenant, is that Outlook account in that Azure AD tenant? If you intend for your app to be multi-tenant, your authority should be `https://login.microsoftonline.com/common/v2.0` – juunas May 08 '20 at 07:41
  • @juunas The outlook account is not in that Azure AD tenant. I want to access any user's calendar. I changed the authority in application.properties to: `https://login.microsoftonline.com/common/v2.0/my-tenant-id/` but then I get the error in browser: No webpage was found for the web address: https://login.microsoftonline.com/common/v2.0/...... – user5155835 May 08 '20 at 08:14
  • Don't add your tenant id there. Set the authority to `https://login.microsoftonline.com/common/v2.0` – juunas May 08 '20 at 08:26
  • @juunas I removed the tenant id from authority, but I get: `https://login.microsoftonline.com/common/v2.0/oauth2/v2.0/authorize?response_type=code&response_mode=form_post&redirect_uri=...` – user5155835 May 08 '20 at 08:34
  • Oh so it's formatting it like that. In that case remove the v2.0 from the authority value. – juunas May 08 '20 at 08:34
  • @juunas I removed the v2.0, the choose account page loaded, but it did not list my personal account. It only listed my corporate account. And when I accepted the request for the corporate account, I got 403 error – user5155835 May 08 '20 at 08:38
  • Hi @user5155835, may I know if you can get the access token in your code? Could you please [decode](https://jwt.io/) your token and check the permissions in the token? – Hury Shen May 08 '20 at 09:21
  • @HuryShen I think I'm not getting the access token. When I choose the account on "Pick an account" page, I get response 403 Forbidden – user5155835 May 08 '20 at 10:49
  • @juunas When I choose the account on "Pick an account" page, I get response 403 Forbidden – user5155835 May 08 '20 at 10:58
  • @user5155835 You have registered app with "localhost:8080" like demo and in app settings you have "localhost:8443" ? Could you look into this ? –  May 08 '20 at 12:02
  • @UJJAVAL123-MSFTIdentity I'm using `localhost:8443` and still getting the error. I've updated the image in question – user5155835 May 08 '20 at 12:41
  • @UJJAVAL123-MSFTIdentity Also, the URL I use to authorize is `https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&response_mode=form_post&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fmsal4jsample%2Fsecure%2Faad&client_id=ca146462-8880-424c-b629-cc7c0d0fb1b3&scope=openid+offline_access+profile&prompt=select_account&state=69a2ac0f-abac-46ad-b525-88f0b70182b7&nonce=9278f424-6858-4e22-bb13-7b13894abda7` – user5155835 May 08 '20 at 12:52
  • Please create a new question with updated error details. You are still using "login.microsoftonline.com/my tenant id/" instead of "login.microsoftonline.com/common/" –  May 09 '20 at 17:12
  • This was a problem with the tutorial you were following. Due to samesite updates in some browsers, response_mode needs to be query (instead of form_post). If you try to run the sample again it should work. – sgonzalez May 11 '20 at 21:40
  • @sgonzalez make your comment an answer and I'll accept it. Also, not specifying the response_mode at all works too. – user5155835 May 12 '20 at 14:06

2 Answers

1

Copying the solution from the comments, as mentioned by juunas:

Just use "common" if the app is multi-tenant: https://login.microsoftonline.com/common/oauth2/v2.0/authorize

Hury Shen
1

The 403 Forbidden was an issue with the tutorial you were following. Due to samesite updates in some browsers, response_mode needs to be query (instead of form_post). If you try to run the sample again, it should work.

sgonzalez