
I have Java application which provides some reports in plain HTML.

I want to secure these reports with Microsoft SSO (OAuth).

I was able to do this in browser - I created new "AppRegistration" in Azure AD, get client_id, client_secret, Oauth 2 authentication_url, configured correct redirect_uri in this application and implemented Oauth flow in browser - it works as expected.

But users don't want to check reports in browser, they want to process them in Excel 2019. It has "Organizational account" authentication. I believe, that it uses the same OAuth 2 flow.

So, I added `WWW-Authenticate: Bearer authorization_url="https://login.microsoftonline.com/256be541-f611-4412-975e-cb56ee6fb03b/oauth2/v2.0/authorize"`

I'm trying to access URL like: https://localhost:8443/report/1

Now Excel asks me to enter login and password, but after successful authentication the error is shown:

invalid_resource: AADSTS500011: The resource principal named https://localhost:8443 was not found in the tenant named 256be541-f611-4412-975e-cb56ee6fb03b. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: 57324bfe-ab46-4c2e-9128-a336aa287e00 Correlation ID: d9c4c732-76cc-4659-9d8a-d27abec617d3 Timestamp: 2021-02-02 16:50:13Z.

https://localhost:8443 is the address of my application, and this address is included in redirect_uri in the App registration.

But I don't think that the mentioned "resource principal" is about redirect_uri.

So, how can I create a "resource" principal in Azure AD and give it the name "https://localhost:8443"?

EvilOrange
  • Which authentication flow are you using? Is it the client credential flow? How do you define `scope`? – Carl Zhao Feb 03 '21 at 02:00
  • Actually, I don't know - client is Excel in that case. But I was able to resolve it by setting Application ID URI to https://localhost:8443 in "Expose API" tab. – EvilOrange Feb 03 '21 at 05:37

1 Answer

In fact, this is the case. According to your error message, it says that the resource body of https://localhost:8443 cannot be found, which means that you set the scope to: https://localhost:8443 when requesting an access token.

However, you only set it as redirect_uri at the beginning, and did not set the Application ID URI to https://localhost:8443 in the Expose API tab, so when you request the resource, the error message reports that it cannot find the resource.

By the way, scope is different from redirect_uri. The scope puts the resource you want to access, while redirect_uri is just the callback url that is not the resource you want to access. This is why you still get an error when setting the url in redirect_uri.

Carl Zhao
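The distinction the answer draws (the token's audience is the Application ID URI, not the redirect_uri) is what a resource server has to enforce on its side as well: after Excel obtains a token, the report endpoint must only accept tokens whose `aud` claim names this application. The following is an added example, not code from the question or answer, written in Python rather than the asker's Java so the logic stays short. It uses the tenant ID and Application ID URI from the question; the `CLIENT_ID` value, the `authorization_uri` / `resource_id` challenge parameter names (the question used `authorization_url`) and the unsigned demo tokens are assumptions or constructed samples. Signature verification against the tenant's signing keys is a separate mandatory step that this example deliberately leaves out to isolate the audience check.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Values taken from the question: the tenant in the authorize URL and the
# Application ID URI that was set on the "Expose an API" tab.
TENANT_ID = "256be541-f611-4412-975e-cb56ee6fb03b"
APP_ID_URI = "https://localhost:8443"
# Hypothetical client_id of the same app registration (placeholder, not on the page).
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
# Identifiers that name THIS application. Azure AD puts either the Application
# ID URI or the API's client ID into `aud` depending on token version; both are
# ours. The redirect_uri is a callback address, not a resource, so it is
# deliberately not in this set.
ACCEPTED_AUDIENCES = {APP_ID_URI, CLIENT_ID}


def bearer_challenge(tenant_id: str, app_id_uri: str) -> str:
    """Value of the WWW-Authenticate header sent with a 401.

    Tells an OAuth-aware client where to sign in and which resource to request
    a token for. Parameter names are assumed from Microsoft's bearer-challenge
    convention (authorization_uri / resource_id); the question used authorization_url.
    """
    authorize = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize"
    return f'Bearer authorization_uri="{authorize}", resource_id="{app_id_uri}"'


def _b64url_decode(part: str) -> bytes:
    part += "=" * (-len(part) % 4)  # restore stripped padding
    return base64.urlsafe_b64decode(part)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Audience, tenant and expiry checks a resource server must apply."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    if aud not in ACCEPTED_AUDIENCES:
        return False, f"audience {aud!r} does not name this application"
    if claims.get("tid") != TENANT_ID:
        return False, "token was issued by a different tenant"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def constructed_token(claims: dict) -> str:
    """Build an UNSIGNED demo token (constructed sample, not a real Azure AD token)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def handle_report_request(authorization: Optional[str],
                          now: Optional[float] = None) -> Tuple[int, Optional[str], str]:
    """Return (status, WWW-Authenticate value or None, reason) for /report/<n>."""
    challenge = bearer_challenge(TENANT_ID, APP_ID_URI)
    if not authorization or not authorization.startswith("Bearer "):
        return 401, challenge, "no bearer token; client should authenticate"
    try:
        claims = jwt_claims(authorization[len("Bearer "):])
    except ValueError as exc:
        return 401, challenge, str(exc)
    ok, reason = check_claims(claims, now)
    if not ok:
        return 401, challenge, reason
    return 200, None, "ok"


if __name__ == "__main__":
    good = constructed_token({"aud": APP_ID_URI, "tid": TENANT_ID, "exp": 2_000_000_000})
    graph = constructed_token({"aud": "https://graph.microsoft.com", "tid": TENANT_ID,
                               "exp": 2_000_000_000})
    print(handle_report_request(None))
    print(handle_report_request("Bearer " + good, now=1_700_000_000))
    print(handle_report_request("Bearer " + graph, now=1_700_000_000))
```

The first request (no token) gets the 401 challenge that makes Excel start the sign-in; the second passes because `aud` is the Application ID URI the answer told the asker to configure; the third is a token minted for Microsoft Graph and is rejected, which is the audience-confusion case a resource server exists to stop. In production, `jwt_claims` must be replaced by a library call that validates the signature against the tenant's published keys before any claim is trusted.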