
I use this URL to get id_token:

https://login.microsoftonline.com/common/oauth2/authorize?
response_type=id_token%20code&
client_id=MY_CLIENT_GUID_ID_IN_HERE&
redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fopenid%2Freturn&nonce=alfaYYCTxBK8oypM&
state=6DnAi0%2FICAWaH14e

and this returns a result like this:

http://localhost:3000/auth/openid/return?
code=AAA_code_in_here&
id_token=eyJ0eXAi_xxxx_yyyy_in_here&
state=6DnAi0%2FICAWaH14e&
session_state=xxxx_guid_xxxxx

and then I use the id_token to query the Graph API (using Postman) for groups.

I have seen this post, InvalidAuthenticationToken and CompactToken issues - Microsoft Graph using PHP Curl, but it makes no sense to me.


OAuth 2.0 requires multiple steps. The first request returns an OAuth code. The next step is converting that OAuth code into a Bearer token. This is the step you are missing here.

I would also recommend using the v2 Endpoint which is a lot easier to work with (particularly with Graph). I wrote a v2 Endpoint Primer that walks through the process and may be helpful as well.


2 Comments

I am using the v1 endpoint; could you also look at this question of mine? stackoverflow.com/questions/37872642/…
The same workflow (redirect->code->token) applies to v1. The reason I recommend v2 is that it is much easier to maintain and scopes are defined by the app itself rather than the registration record.

You can't use the token directly; there is one more step: exchange the code you get from the response URL for a token.

Here is my C# code (using Microsoft.IdentityModel.Clients.ActiveDirectory)

    // Requires the ADAL package Microsoft.IdentityModel.Clients.ActiveDirectory.
    // Check, Globals, ADALTokenCache, CanCompleteSignIn and VerificationCode are
    // helpers from the poster's own application, not part of ADAL.
    public static AuthenticationResult ExchangeCodeForToken(string InTenantName, string InUserObjId, string InRedirectUri, string InApplicationAzureClientID, string InApplicationAzureClientAppKey)
    {
        Check.Require(!string.IsNullOrEmpty(InTenantName), "InTenantName must be provided");
        Check.Require(!string.IsNullOrEmpty(InUserObjId), "InUserObjId must be provided");

        if (CanCompleteSignIn) // redirect from sign-in: VerificationCode holds the authorization code
        {
            var clientCredential = new ClientCredential(InApplicationAzureClientID, InApplicationAzureClientAppKey);
            // Login authority is https://login.microsoftonline.com/TenantName
            var authContext = new AuthenticationContext(Globals.GetLoginAuthority(InTenantName), (TokenCache)new ADALTokenCache(InUserObjId));
            // Exchanges the authorization code for an access token for the given resource;
            // AZURE_GRAPH_API_RESOURCE_ID is "https://graph.microsoft.com/"
            return authContext.AcquireTokenByAuthorizationCode(VerificationCode, new Uri(InRedirectUri), clientCredential, Globals.AZURE_GRAPH_API_RESOURCE_ID);
        }

        return null;
    }


I had this issue today when I was playing with graph API, the problem in my case was how I was generating the token.

I used Postman for generating the token, where in the Auth URL section I was setting resource = client_id, whereas it should be the Graph URL. After making that change I was able to make the call via Postman.


In order for the above to work, please make sure your application in Azure has delegated permissions to access the Graph API.


To receive the access token and use it for profile requests, you don't need anything server-side; you can implement OAuth2 purely from the client side.

Use the following URL for login:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=YOUR_CLIENT_ID&resource=https://graph.microsoft.com&response_type=token&redirect_uri=YOUR_REDIRECT_URI&scope=User.ReadBasic.All

After a successful login, the user will be redirected to the page with an access_token parameter. Then use the following AJAX call to fetch user info:

// Read the access_token from the fragment of the redirected login window
var token = login_window.location.href.split('access_token=').pop().split('&')[0];
$.ajax({
    url: "https://graph.microsoft.com/v1.0/me",
    type: "GET",
    // Graph expects the token as a Bearer token in the Authorization header
    beforeSend: function(xhr){ xhr.setRequestHeader('Authorization', 'Bearer ' + token); },
    success: function(data) {
        alert('Hi ' + data.displayName);
        console.log(data);
    }
});

Note that you may need to enable oauth2AllowImplicitFlow:true setting from your Azure Active Directory application manifest file.

Set "oauth2AllowImplicitFlow": false to "oauth2AllowImplicitFlow": true.

Lastly, ensure that your app has the required permissions for Microsoft Graph, which are "Sign in users" and "View users' basic profile".


An updated answer to get access with new applications:

  1. Register your app in the app registration portal.

  2. Authorization request example:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=query&scope=offline_access%20user.read%20mail.read&state=12345

The authorization response will look like this:

https://localhost/myapp/?code=M0ab92efe-b6fd-df08-87dc-2c6500a7f84d&state=12345

  3. Get a token:

    POST /{tenant}/oauth2/v2.0/token HTTP/1.1
    Host: https://login.microsoftonline.com
    Content-Type: application/x-www-form-urlencoded

    client_id=6731de76-14a6-49ae-97bc-6eba6914391e
    &scope=user.read%20mail.read
    &code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
    &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
    &grant_type=authorization_code
    &client_secret=JqQX2PNo9bpM0uEihUPzyrh // NOTE: Only required for web apps

  4. Use the access token to call Microsoft Graph:

    GET https://graph.microsoft.com/v1.0/me
    Authorization: Bearer eyJ0eXAiO ... 0X2tnSQLEANnSPHY0gKcgw
    Host: graph.microsoft.com

Source:

https://learn.microsoft.com/en-us/graph/auth-v2-user?context=graph/api/1.0

You can also get an access token without a user, see here:

https://learn.microsoft.com/en-us/graph/auth-v2-service
