
I have created an Azure AD "Mobile and desktop applications" registration. Now I am getting my access_token using the following API:

POST https://login.microsoftonline.com/{Directory (tenant) ID }/oauth2/token
  password: pass
  client_id: id
  resource: https://graph.microsoft.com
  grant_type: password
  client_secret: secret
  username: userName
  scope: openid

The response looks like: "access_token": "acessToken", "refresh_token": "refereshToken", "id_token": "id_token".

Now I am passing the access_token to a third-party application which is configured with the same Azure AD client. When that third-party application tries to validate the signature, the operation fails. Then I got to know it's because of the nonce, which is available only for Microsoft Graph APIs. Now how do I remove it, or make my access_token signature verification compliant?

Shreyas Holla P
  • You should not be validating an access token that is not meant for you. Graph API tokens are special as well. You need to use a `resource` that matches the API you are calling (client id or app ID URI of the API). – juunas Aug 14 '20 at 09:57
  • Thanks for the response, as mentioned I am passing the access_token to a third party software. The same access_token will be validated by third party software. So how to make the access_token independent of GRAPH API? – Shreyas Holla P Aug 14 '20 at 10:42
  • If you don't need to call the Microsoft Graph API, then you don't need to request "https://graph.microsoft.com" as the resource parameter when you request the token. – Carl Zhao Aug 14 '20 at 10:55
  • @CarlZhao What should I pass in place of "resource" parameter? Should I create a new scope? – Shreyas Holla P Aug 14 '20 at 14:23
  • @ShreyasHollaP As juunas said, you need to use a `resource` that matches the API you are calling. – Carl Zhao Aug 17 '20 at 01:38
  • @CarlZhao I have created a client in Azure AD for authentication/authorization. Now, passing the client ID, client secret and username/password to the above client, I am getting an access_token. In this scenario can you tell me what to pass in resource? – Shreyas Holla P Aug 17 '20 at 10:24
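An added example (not the asker's or the answerer's code) that builds the token request for both endpoint versions and both grants discussed in this thread, so the v1 `resource` parameter and the v2 `scope` parameter can be compared side by side. The authority URL and parameter names are the real Azure AD ones; every tenant, client and API identifier passed in is a placeholder.

```python
# Added example (not code from the question or answer): the token-request shapes this
# thread discusses, side by side. All identifiers passed in are placeholders.
import json
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"


def build_token_request(tenant, client_id, client_secret, api_identifier,
                        v2=False, username=None, password=None):
    """Return (url, form) for a token request to the given tenant.

    api_identifier names the API you will call: its client ID or its Application
    ID URI (api://<client-id>). Pass Microsoft Graph only if Graph is what you
    call, and do not pass a scope name such as api://<client-id>/read.write as a
    resource. username/password selects the ROPC grant, otherwise client credentials.
    """
    form = {"client_id": client_id, "client_secret": client_secret}
    if username is None:
        form["grant_type"] = "client_credentials"
    else:
        form.update(grant_type="password", username=username, password=password)
    if v2:
        # v2.0 endpoint: the API is named by `scope`; the /.default suffix requests
        # the application permissions (app roles) already granted to this client.
        url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/token"
        return url, {**form, "scope": f"{api_identifier}/.default"}
    # v1.0 endpoint: the API is named by `resource`.
    url = f"{AUTHORITY}/{tenant}/oauth2/token"
    return url, {**form, "resource": api_identifier}


def request_token(url, form, timeout=10):
    """POST the form (live network call) and return the decoded JSON response."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)
```

`build_token_request(...)` followed by `request_token(url, form)` performs the call; only the builder runs offline. The access token that comes back is for the API named by `resource`/`scope`, and only that API should verify it.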

1 Answer

You need to create another Azure AD application that represents the web API, and then use your client application to call the web API application.

First, you need to expose the API of the application representing the web API; you can configure it according to the following process:

Azure portal > App registrations > Expose an API > Add a scope > Add a client application

Next, you need to define the manifest of the API application and grant application permissions to your client application (these are the role permissions you define yourself; you can find them under My APIs when you add permissions).

This is the process of defining the manifest:

[screenshot: defining app roles in the manifest]

This is to grant permissions for the client application:

[screenshot: granting the application permission to the client]

Finally, you can request a token for your API application (note that the resource parameter is no longer the Microsoft Graph API; it is the client ID of your API application, together with your custom role permissions in the manifest).

[screenshot: token request for the API application]

Update:

For application permissions only, the ROPC flow is generally not recommended. It is recommended that you use the client credentials flow based on the v2.0 endpoint. When using the v2.0 endpoint, resource is no longer used as the parameter; scope is used instead, but their function is the same. (Please note that the scope parameter looks like this: api://a13b414b-93b3-4aae-bb-xxxxxxxxx/.default.)

Parse the token and you will see the customized app roles.

[screenshot: client credentials token request]

[screenshot: decoded token showing the roles claim]

Carl Zhao
  • If my answer is helpful for you, you can accept it as the answer (click on the check mark beside the answer to toggle it from greyed out to filled in). See https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work. This can be beneficial to other community members. Thank you. – Carl Zhao Aug 17 '20 at 11:09
  • Thanks for the detailed steps. I have followed the same, and when I pass the resource as "api://3d32b75d-dbd6-4518-9eae-eb35a3d6f989/read.write" (created as a new scope) instead of http://microsoft.graph.com, I am getting the below error. What is the permission which is missing here, as I am able to get an access_token if the resource is "https:graph.microsoft.com"? – Shreyas Holla P Aug 18 '20 at 09:49
  • "error": "invalid_resource","error_description": "AADSTS500011: The resource principal named api://3d32b75d-dbd6-4518-9eae-eb35a3d6f989/read.write was not found in the tenant named bc358f98-0ec2-40f7-b6b7-16c4d6e7a64a. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: 43561103-d16b-42fa-a484-4745cbb05200\r\nCorrelation ID: 4ec2ba5d-84f1-421f-8136-be537380eff0\r\nTimestamp: 2020-08-18 09:45:34Z", "error_codes": [500011] – Shreyas Holla P Aug 18 '20 at 09:52
  • In API permissions I have given the new application permission and granted admin consent for the new appRole added in the manifest. – Shreyas Holla P Aug 18 '20 at 10:16
  • Is there any relation between the appRoles "displayName", "value" and "id" present in the manifest and the Application ID URI, scope name and admin consent display name in the "Expose an API" section of the App Registration? – Shreyas Holla P Aug 19 '20 at 05:36
  • I have posted one more question, which is the next step, to get custom claims; if you have an idea on the same, please suggest: https://stackoverflow.com/questions/63483491/how-to-add-a-custom-claim-and-retrieve-the-same-as-part-of-access-token-when-th. Thanks in advance. – Shreyas Holla P Aug 19 '20 at 09:04
  • @ShreyasHollaP Okay, I will test this question, please wait. – Carl Zhao Aug 19 '20 at 09:54
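As an added example (not the asker's, the answerer's or Microsoft's code), here is what the third-party API should check before trusting the access token, which is the point juunas makes in the comments on the question and the reason the answer moves the `resource` to the API's own client ID: the signature against the tenant's published key, then that `aud` is this API's client ID or Application ID URI, that the issuer is the expected tenant, that the token is inside its validity window, and that the required app role is present. Real tokens are RS256-signed with keys the tenant publishes at its JWKS endpoint; the example implements RS256 verification with the standard library and uses a constructed, deliberately small RSA key in place of that endpoint so it runs offline. The tenant ID, client IDs, role name, key ID and v1 issuer form are assumptions or placeholders, and the header `nonce` check encodes the thread's own diagnosis that a token carrying one was issued for Microsoft Graph.

```python
# Added example (not from the question or answer): the checks a resource API makes before
# trusting an Azure AD v1 access token, standard library only. Real tokens are RS256-signed
# with keys from the tenant's JWKS endpoint; a constructed key stands in for it here.
import base64, hashlib, hmac, json, secrets, time

# Placeholders, not real tenant, application or role values.
TENANT, API_CLIENT_ID, APP_ROLE = "TENANT-ID-PLACEHOLDER", "API-CLIENT-ID-PLACEHOLDER", "Orders.Read"
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo, RFC 8017 s.9.2

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def generate_rsa_key(bits: int = 1024) -> dict:
    """Constructed demo key (small, Fermat-tested primes): fine for signing test tokens, never for real use."""
    def prime(k):
        while True:
            c = secrets.randbits(k) | (1 << (k - 1)) | 1
            if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7, 11, 13)):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        try:
            return {"n": p * q, "e": 65537, "d": pow(65537, -1, (p - 1) * (q - 1))}
        except ValueError:  # 65537 not invertible mod (p-1)(q-1), rare: draw again
            continue

def pkcs1_encode(message: bytes, k: int) -> bytes:  # EMSA-PKCS1-v1_5 with SHA-256
    digest = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(digest) - 3) + b"\x00" + digest

def rs256_sign(key: dict, message: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(pkcs1_encode(message, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(n: int, e: int, message: bytes, signature: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, pkcs1_encode(message, k))

def issue_token(key: dict, kid: str, claims: dict, header_extra: dict = None) -> str:
    """Mint a token the way the tenant would (demo only; Azure AD does this for you)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": kid, **(header_extra or {})}
    body = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    return body + "." + b64url_encode(rs256_sign(key, body.encode()))

def validate_access_token(token, jwks, accepted_aud, issuer, required_role=None, now=None):
    """Return the claims if the token is valid and meant for this API; raise ValueError otherwise."""
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    except ValueError:
        raise ValueError("malformed token")
    if header.get("alg") != "RS256":  # never let the token choose 'none' or an HMAC alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if "nonce" in header:  # Graph tokens carry a header nonce; only Graph can verify them
        raise ValueError("token was issued for Microsoft Graph, not for this API")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no signing key matches the token's kid")
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify(n, e, f"{h}.{p}".encode(), b64url_decode(s)):
        raise ValueError("signature invalid")
    if claims.get("aud") not in accepted_aud:  # client ID or Application ID URI of *this* API
        raise ValueError(f"audience {claims.get('aud')!r} is not this API")
    if claims.get("iss") != issuer:
        raise ValueError("issuer is not the expected tenant")
    now = time.time() if now is None else now
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("token not yet valid or expired")
    if required_role and required_role not in claims.get("roles", []):
        raise ValueError(f"app role {required_role!r} missing")
    return claims

def demo() -> dict:  # one token for this API and two that must be rejected; outcome per case
    key, kid = generate_rsa_key(), "constructed-kid-1"
    size = (key["n"].bit_length() + 7) // 8
    jwks = {"keys": [{"kty": "RSA", "kid": kid, "n": b64url_encode(key["n"].to_bytes(size, "big")),
                      "e": b64url_encode(key["e"].to_bytes(3, "big"))}]}
    issuer = f"https://sts.windows.net/{TENANT}/"  # assumed v1 issuer form
    now = int(time.time())
    base = {"iss": issuer, "nbf": now - 60, "exp": now + 3600}
    cases = {"for_this_api": issue_token(key, kid, {**base, "aud": API_CLIENT_ID, "roles": [APP_ROLE]}),
             "graph_token": issue_token(key, kid, {**base, "aud": "https://graph.microsoft.com"},
                                        header_extra={"nonce": "constructed-nonce"}),
             "other_audience": issue_token(key, kid, {**base, "aud": "OTHER-APP-ID-PLACEHOLDER"})}
    outcome = {}
    for name, tok in cases.items():
        try:
            validate_access_token(tok, jwks, {API_CLIENT_ID, f"api://{API_CLIENT_ID}"}, issuer, APP_ROLE)
            outcome[name] = "accepted"
        except ValueError as exc:
            outcome[name] = f"rejected: {exc}"
    return outcome
```

Calling `demo()` reports the token minted for this API as accepted and the other two as rejected, with the reason. In production the `jwks` document is fetched from the tenant's discovery keys endpoint (cached, and refreshed when an unknown `kid` appears) rather than built locally, and `accepted_aud` stays limited to your own API's identifiers: a token whose `aud` is Microsoft Graph is Graph's to verify, not yours.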