
I am building a Teams configurable tab. As part of the requirement, I need to implement SSO and then call the MS Graph API to get the list of users in the team.

I am following the article below, which explains the entire flow:

https://www.youtube.com/playlist?list=PLWZJrkeLOrbZ3uG8Xb8yOUeWu7UDu4Q_-

So far, I am successfully able to perform the SSO as shown in the following two videos: https://www.youtube.com/watch?v=J3KCjpZGiEI&list=PLWZJrkeLOrbZ3uG8Xb8yOUeWu7UDu4Q_-&index=2

https://www.youtube.com/watch?v=TRfZDx7N6Fw&list=PLWZJrkeLOrbZ3uG8Xb8yOUeWu7UDu4Q_-&index=4

I was able to get the ID token + access token from SSO, but when I try to exchange this token to get the Graph API access token (as shown in https://www.youtube.com/watch?v=E6bbyPVK8Q0&list=PLWZJrkeLOrbZ3uG8Xb8yOUeWu7UDu4Q_-&index=5), I get the following error:

AADSTS65001: The user or administrator has not consented to use the application with ID <webapi_app_id>.

I went through the comments on the following Stack Overflow post, but it didn't resolve my issue:

AADSTS65001: The user or administrator has not consented to use the application with ID <app-id>

Here is my code to get the Graph API access token:

  import axios from "axios";
  import jwtDecode from "jwt-decode";
  import type { Request, Response } from "express";

  // Placeholders: load these from secure configuration; never hard-code or log them.
  const clientId = process.env.CLIENT_ID as string;
  const clientSecret = process.env.CLIENT_SECRET as string;

  export async function exchangeSsoToken(req: Request, res: Response) {
    const SSOToken = req.query.ssoToken as string;

    // Tenant-specific endpoint. tid is read from the (unverified) SSO token only to
    // pick the endpoint; AAD validates the assertion's signature itself.
    const aadTokenEndPoint = `https://login.microsoftonline.com/${
      jwtDecode<{ tid: string }>(SSOToken).tid
    }/oauth2/v2.0/token`;

    const oAuthOBOParams: Record<string, string> = {
      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer", // was "jwt:bearer"; the grant type uses a hyphen
      client_id: clientId,                                       // was "client_Id"; parameter names are case-sensitive
      client_secret: clientSecret,
      assertion: SSOToken,
      requested_token_use: "on_behalf_of",
      scope: "https://graph.microsoft.com/User.Read email openid profile offline_access User.Read.All",
    };

    const oAuthOboRequest = Object.keys(oAuthOBOParams)
      .map((key) => `${key}=${encodeURIComponent(oAuthOBOParams[key])}`)
      .join("&");

    const HEADERS = {
      accept: "application/json",
      "content-type": "application/x-www-form-urlencoded",
    };
    // Do not log oAuthOBOParams, the request body or the response: they carry the
    // client secret, the user's SSO token and the issued Graph token.
    log({ HEADERS, aadTokenEndPoint });
    try {
      // axios rejects on non-2xx by default, so the error branches below would never
      // run without validateStatus.
      const response = await axios.post(aadTokenEndPoint, oAuthOboRequest, {
        headers: HEADERS,
        validateStatus: () => true,
      });
      if (response.status === 200) {
        res.status(200).send(response.data);
      } else if (
        response.data.error === "invalid_grant" ||
        response.data.error === "interaction_required"
      ) {
        // AADSTS65001 (consent not granted) arrives as invalid_grant; the tab should prompt for consent.
        res.status(403).json({ error: "consent_required" });
      } else {
        res.status(500).json({ error: "Could not exchange access token" });
      }
    } catch (error) {
      res.status(400).json({ error: `unknown error ${error}` });
    }
  }

API Permission (screenshot)

Expose API (screenshot)

**Authentication - I just added the URL, but I do not have an auth-end receiving endpoint on the server** (screenshot)

Assertion / Access_Token code (screenshot)

Team's Permission (screenshot)

Accepting the pop-up permission (screenshot)

Postman (screenshot)

– Devesh Tiwari

1 Answer

From your API permissions screenshot, I observed that you added the User.Read.All permission of Application type, which won't work with the on-behalf-of flow.

I registered one Azure AD application and granted the same API permissions as you, like this:

(screenshot)

When I tried to generate a token via Postman by passing the parameters below, I got the same error as you:

POST https://login.microsoftonline.com/common/oauth2/v2.0/token

  grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
  client_id: <appID>
  client_secret: <secret>
  scope: https://graph.microsoft.com/User.Read email openid profile offline_access User.Read.All
  assertion: <assertion>
  requested_token_use: on_behalf_of

Response:

(screenshot)

To resolve the error, you need to add the User.Read.All permission of Delegated type and grant admin consent to it, like below:

(screenshot)

When I sent the request again after adding the above permission, I got the access token successfully:

POST https://login.microsoftonline.com/common/oauth2/v2.0/token

  grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
  client_id: <appID>
  client_secret: <secret>
  scope: https://graph.microsoft.com/User.Read email openid profile offline_access User.Read.All
  assertion: <assertion>
  requested_token_use: on_behalf_of

Response:

(screenshot)

In your case, make sure to add the User.Read.All permission of Delegated type and grant admin consent, as you are passing it in the scope parameter.

– Sridevi
  • Hi @Sridevi, thanks for the detailed comment. I created a new app and tried that, but I am still getting the same error. I have updated my question and added a screenshot of every step that I am doing. I really don't understand why it's not working for me. – Devesh Tiwari May 29 '23 at 05:52
  • So, you got the same error in Postman too... Could you include how you got the assertion value? – Sridevi May 29 '23 at 06:11
  • But in the new application, you missed adding applications under `Authorized client applications` in the **Expose an API** page. – Sridevi May 29 '23 at 06:14
  • Hey @Sridevi, for the assertion value, I am using the access_token value received from the following request: `authentication.getAuthToken({ resources: [process.env.TAB_APP_URI], silent: false } as authentication.AuthTokenRequestParameters).then((token) => { // assertion = token; setSsoToken(token); setName(decoded!.name); app.notifySuccess(); })` – Devesh Tiwari May 29 '23 at 06:36
  • Regarding the missed applications - I did add it. I just forgot to update the question with the latest screenshot. Also, regarding the Authentication settings in Azure - I entered a random endpoint. I don't have any endpoint accepting that. Is that OK? – Devesh Tiwari May 29 '23 at 06:38
  • I also added a screenshot of the code that gives me the assertion value, i.e. the access token received from the MS Teams tab once I accept the terms in the tab. – Devesh Tiwari May 29 '23 at 06:43
  • Is there any issue with how I am getting the assertion value? I am just passing the access token I get from the Teams tab flow. – Devesh Tiwari May 29 '23 at 06:44
  • Could you decode that assertion by pasting it in jwt.ms and check the `aud` and `scp` claims? – Sridevi May 29 '23 at 06:47
  • Here are the details: "aud": "application-Id", "scp": "access_as_user"; it's the same scope name that I added in the 'Expose an API' section in Azure. – Devesh Tiwari May 29 '23 at 06:48
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/253872/discussion-between-sridevi-and-devesh-tiwari). – Sridevi May 29 '23 at 07:07
  • In the API permissions section in Azure, I am seeing the warning 'Starting November 9th, 2020 end users will no longer be able to grant consent to newly registered multitenant apps without verified publishers. Add MPN ID to verify publisher'. Maybe that's why I am getting the error. – Devesh Tiwari May 30 '23 at 04:45
  • Hi @Sridevi, I was able to get the Graph API token and got the user list in the Teams tab. However, when I tried to install the tab in another organization's MS Teams, I got the SSO access_token, but when I tried to exchange the token for a Graph API token, I got the same error. Any idea why it's happening? We are building a tab that will be available in the MS Teams App Store, so it should work for all organizations. – Devesh Tiwari Jun 08 '23 at 06:02
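The on-behalf-of exchange discussed in the question and answer, as an added example that is not code from either of them or from Microsoft: a small Node 18+ server-side helper that checks the SSO assertion the way the comments above check it on jwt.ms (`aud` is this API, `scp` carries `access_as_user`), builds the token request with the correct `jwt-bearer` grant type and lower-case `client_id`, and maps an AADSTS65001 / `invalid_grant` reply to the `consent_required` signal the tab needs. It uses only Node globals (`Buffer`, `URLSearchParams`, `fetch`); the function names, the `post` parameter used to run it offline, and the sample app ID, tenant ID and claims are this example's own assumptions, not values from the page.

```javascript
// Added example (not from the question or the answer): Teams SSO -> Graph
// on-behalf-of (OBO) exchange helper. Node 18+ globals only, no packages.

const OBO_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"; // hyphen in "jwt-bearer"
const OBO_TOKEN_USE = "on_behalf_of";

// Decode a JWT payload WITHOUT verifying the signature. Used only to pick the tenant
// endpoint and fail fast on an obviously wrong assertion; AAD verifies the token itself.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("assertion is not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Pre-flight checks mirroring the jwt.ms check in the comments: aud must be this API
// (client ID or its api:// URI) and scp must include access_as_user.
function checkAssertion(token, appId, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  const aud = String(claims.aud || "");
  const audOk = aud === appId || aud === `api://${appId}` || aud.endsWith(`/${appId}`);
  if (!audOk) return { ok: false, reason: `aud "${aud}" is not this API` };
  const scopes = String(claims.scp || "").split(" ");
  if (!scopes.includes("access_as_user")) return { ok: false, reason: "scp lacks access_as_user" };
  if (typeof claims.exp === "number" && claims.exp <= nowSeconds) return { ok: false, reason: "assertion expired" };
  if (!claims.tid) return { ok: false, reason: "no tid claim" };
  return { ok: true, tid: claims.tid };
}

// x-www-form-urlencoded body for the v2.0 token endpoint; URLSearchParams encodes values.
function buildOboBody({ clientId, clientSecret, assertion, scopes }) {
  return new URLSearchParams({
    grant_type: OBO_GRANT_TYPE,
    client_id: clientId, // lower-case; the parameter name is case-sensitive
    client_secret: clientSecret,
    assertion,
    requested_token_use: OBO_TOKEN_USE,
    scope: scopes.join(" "),
  }).toString();
}

// AADSTS65001 (no consent for the requested delegated scopes) is returned as
// invalid_grant; interaction_required means the same: the tab must prompt for consent.
function classifyTokenError(body) {
  const code = body && body.error;
  const desc = String((body && body.error_description) || "");
  if (code === "invalid_grant" || code === "interaction_required" || desc.includes("AADSTS65001")) {
    return { status: 403, error: "consent_required" };
  }
  return { status: 500, error: "Could not exchange access token" };
}

// Default transport. `post` is injectable so the exchange can be exercised offline.
async function postForm(url, body) {
  const res = await fetch(url, {
    method: "POST",
    headers: { accept: "application/json", "content-type": "application/x-www-form-urlencoded" },
    body,
  });
  return { status: res.status, data: await res.json() };
}

// Full exchange: validate the assertion, call the tenant's endpoint, classify the reply.
// Nothing returned here contains the client secret or the raw request body.
async function exchangeForGraphToken({ ssoToken, clientId, clientSecret, scopes, post = postForm }) {
  const check = checkAssertion(ssoToken, clientId);
  if (!check.ok) return { status: 401, error: `bad assertion: ${check.reason}` };
  const url = `https://login.microsoftonline.com/${encodeURIComponent(check.tid)}/oauth2/v2.0/token`;
  const body = buildOboBody({ clientId, clientSecret, assertion: ssoToken, scopes });
  const { status, data } = await post(url, body);
  if (status === 200 && data && data.access_token) {
    return { status: 200, accessToken: data.access_token, expiresIn: data.expires_in, scope: data.scope };
  }
  return classifyTokenError(data);
}

// Constructed, unsigned sample JWT for demonstration only (AAD would reject it).
function makeUnsignedJwt(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.`;
}

const SAMPLE_APP_ID = "11111111-2222-3333-4444-555555555555"; // constructed
const SAMPLE_TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"; // constructed
const SAMPLE_SSO_TOKEN = makeUnsignedJwt({
  aud: SAMPLE_APP_ID,
  tid: SAMPLE_TENANT_ID,
  scp: "access_as_user",
  exp: Math.floor(Date.now() / 1000) + 3600,
  name: "Sample User",
});
```

The 403 `consent_required` result is the signal for the tab to open the consent pop-up; every scope listed in `scopes` must be a Delegated permission that has been consented to in the calling user's tenant, which is the answer's point. The payload decode is deliberately unverified and must not be used for authorization decisions on its own; the token endpoint is the party that checks the assertion's signature.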