
I cannot get the access token when calling Microsoft authentication. The sign-in button calls this method:

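/// <summary>
/// Starts the OAuth 2.0 authorization-code flow by redirecting the browser to the
/// Microsoft identity platform authorize endpoint.
/// </summary>
/// <returns>A redirect to the authorize URL assembled below.</returns>
public ActionResult OauthRedirect()
{
    // Each query value is percent-encoded on its own: the scope list contains spaces and the
    // redirect URI contains ':' and '/', which must not appear raw inside a query value.
    // The query also starts directly after '?' instead of with a stray "?&".
    //
    // NOTE(review): "state" is a fixed string, so the callback has nothing it can use to tell
    // a sign-in it started from a forged callback request. Generate an unpredictable value per
    // sign-in, keep it server-side (session or a protected cookie) and compare it in the callback.
    var redirectUrl = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize" +
                      "?scope=" + System.Uri.EscapeDataString("Calendars.ReadWrite offline_access User.Read") +
                      "&response_type=code" +
                      "&response_mode=query" +
                      "&state=" + System.Uri.EscapeDataString("de-medewerker") +
                      "&redirect_uri=" + System.Uri.EscapeDataString("https://localhost:44344/Admin/oauth/callback") +
                      "&client_id=" + System.Uri.EscapeDataString("myClientID");
    return Redirect(redirectUrl);
}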

This is OAuthController:

[Area("Admin")]
public class OAuthController : Controller
{
    // NOTE(review): a single fixed path is used for every sign-in, so each successful callback
    // overwrites the previous content, and the response body is stored as plain text on disk.
    private string tokensFile = "D:\\tokens.json";

    /// <summary>
    /// Redirect target of the authorize request: posts the returned authorization code and
    /// saves the response body to <c>tokensFile</c> when the reply is HTTP 200.
    /// </summary>
    /// <param name="code">Authorization code from the query string; empty means failure.</param>
    /// <param name="state">Value echoed from the authorize request. Not read by this method.</param>
    /// <param name="error">Error code from the identity provider. Not read by this method.</param>
    /// <returns>Redirect to Home/Index after a 200 reply, otherwise to Home/Error.</returns>
    public ActionResult Callback(string code, string state, string error)
    {
        // NOTE(review): state is never compared with the value sent in the authorize request,
        // so this action accepts a callback that the application did not initiate.
        if (string.IsNullOrWhiteSpace(code))
        {
            return RedirectToAction("Error", "Home");
        }

        var tokenRequest = new RestRequest();
        tokenRequest.AddParameter("client_id", "MyClientID");
        tokenRequest.AddParameter("scope",  "Calendars.ReadWrite offline_access User.Read");
        tokenRequest.AddParameter("redirect_uri", "https://localhost:44344/Admin/oauth/callback");
        tokenRequest.AddParameter("code", code);
        tokenRequest.AddParameter("grant_type", "authorization_code");
        // NOTE(review): the client secret is a literal in source; read it from configuration or
        // a secret store so it does not end up in version control.
        tokenRequest.AddParameter("client_secret", "MyClientSecret");

        // NOTE(review): this is the interactive authorize endpoint, not the token endpoint. It
        // answers 200 with an HTML sign-in page, which the status check below accepts and saves.
        var tokenClient = new RestClient
        {
            BaseUrl = new Uri("https://login.microsoftonline.com/common/oauth2/v2.0/authorize?"),
        };
        var response = tokenClient.Post(tokenRequest);

        bool replyIsOk = response.StatusCode == System.Net.HttpStatusCode.OK;
        if (!replyIsOk)
        {
            return RedirectToAction("Error", "Home");
        }

        // Only the status code is checked; the body is written out whatever its format.
        System.IO.File.WriteAllText(tokensFile, response.Content);
        return RedirectToAction("Index", "Home");
    }
}

When I start the project, I get a 183 KB HTML string in 'response.Content', which is saved to the tokens.json file. When I change the file extension from .json to .html, the file contains this text:

" We can't sign you in Your browser is currently set to block cookies. You need to allow cookies to use this service. Cookies are small text files stored on your computer that tell us when you're signed in. To learn how to allow cookies, check the online help in your web browser. "

cookiesdisabled

But I checked my browser, and cookies are not disabled.

The debug image

Any advice or assistance would be greatly appreciated.

Mahmood

2 Answers


In the second step your POST should be to the token endpoint:

  • /oauth2/v2.0/token

Also use this content-type header for the POST request. I suspect that you're sending the client secret as JSON and this is why Azure is not receiving it correctly:

// The token endpoint takes its parameters as a form-encoded body, so the Content-Type is set explicitly.
request.AddHeader("content-type", "application/x-www-form-urlencoded");

Your OAuth controller also needs to write a secure cookie before the redirect if it is going to return to the client like that. Using the built-in OIDC support may make this easier.

BASE URL

Worth checking also that you are using the correct base URL. My development account uses a tenant based URL:

https://login.microsoftonline.com/7f071fbc-8bf2-4e61-bb48-dabd8e2f5b5a/v2.0/.well-known/openid-configuration

Zoe
Gary Archer
  • Thanks, I solved my mistake about /oauth2/v2.0/token and added `response.ContentType = "application/x-www-form-urlencoded";` but still does not work. [New debug image](https://ibb.co/cgHgWVb). This is [GitHub repo](https://github.com/mahmood-ghaem/OutlookCalendar) – Mahmood Dec 16 '21 at 09:50
  • Looks like you may be sending JSON - see my updated answer. – Gary Archer Dec 16 '21 at 13:02
  • Please note that newbedev is a Stack Exchange scraper; don't link to it. Instead, google the text or title, and find the correct link to the network, instead of giving scrapers more traffic that they don't deserve. – Zoe Dec 26 '21 at 16:10

The token API endpoint is https://login.microsoftonline.com/common/oauth2/v2.0/token.

Please update your BaseUrl to https://login.microsoftonline.com/common/oauth2/v2.0/token instead of https://login.microsoftonline.com/common/oauth2/v2.0/authorize?

OAuthController:

[Area("Admin")]
public class OAuthController : Controller
{
    // NOTE(review): the token response is written as plain text to one fixed path shared by
    // every sign-in. Because offline_access is requested, that response is expected to carry a
    // refresh token as well as the access token. Prefer per-user, protected storage with
    // restricted file or store permissions.
    private string tokensFile = "D:\\tokens.json";

    /// <summary>
    /// Redirect target of the authorize request: redeems the authorization code at the token
    /// endpoint and saves the response body to <c>tokensFile</c> when the reply is HTTP 200.
    /// </summary>
    /// <param name="code">Authorization code from the query string; empty means failure.</param>
    /// <param name="state">Value echoed from the authorize request. Not read by this method.</param>
    /// <param name="error">Error code from the identity provider. Not read by this method.</param>
    /// <returns>Redirect to Home/Index after a 200 reply, otherwise to Home/Error.</returns>
    public ActionResult Callback(string code, string state, string error)
    {
        // NOTE(review): state is never compared with the value sent in the authorize request,
        // so a callback the application did not initiate is processed like a genuine one.
        if (string.IsNullOrWhiteSpace(code))
        {
            return RedirectToAction("Error", "Home");
        }

        var tokenClient = new RestClient();
        var tokenRequest = BuildTokenRequest(code);

        tokenClient.BaseUrl = new Uri("https://login.microsoftonline.com/common/oauth2/v2.0/token");
        var response = tokenClient.Post(tokenRequest);

        if (response.StatusCode != System.Net.HttpStatusCode.OK)
        {
            return RedirectToAction("Error", "Home");
        }

        System.IO.File.WriteAllText(tokensFile, response.Content);
        return RedirectToAction("Index", "Home");
    }

    // Collects the authorization-code grant parameters for the token request.
    private static RestRequest BuildTokenRequest(string code)
    {
        var request = new RestRequest();
        request.AddParameter("client_id", "MyClientID");
        request.AddParameter("scope",  "Calendars.ReadWrite offline_access User.Read");
        request.AddParameter("redirect_uri", "https://localhost:44344/Admin/oauth/callback");
        request.AddParameter("code", code);
        request.AddParameter("grant_type", "authorization_code");
        // NOTE(review): the client secret is a literal in source; read it from configuration or
        // a secret store so it does not end up in version control.
        request.AddParameter("client_secret", "MyClientSecret");
        return request;
    }
}
  • Thanks, I solved my mistake about /oauth2/v2.0/token but still does not work. [New debug image](https://ibb.co/cgHgWVb). This is [GitHub repo](https://github.com/mahmood-ghaem/OutlookCalendar). Shall I do something in the startup file? – Mahmood Dec 16 '21 at 09:56
  • @MahmoodGhaemmaghami as the message shows the client secret you have given is invalid. Please verify once. – Purushotam Sah Dec 16 '21 at 09:58
  • Thanks for your help and [great learning video series](https://www.youtube.com/playlist?list=PLlaJNuOIC_9-xCapKiQ-T5TKVu8ZSLpQR) – Mahmood Dec 16 '21 at 10:33