Problems authenticating with OneDrive for Business - onedrive

I'm testing out the OneDrive SDK .NET sample app here. However it's unclear to me what values I need for the AadReturnUrl and AadTargetUrl constants which are used with the AdalAuthenticationProvider and OneDriveClient classes respectively. The GitHub readme for the project refers to this page, but that page isn't clear either.
Also: for a native client app, what value do you use for the Redirect URI when you configure the app in Azure AD? Is this value related to the required URLs above?
Edit: I tried the suggestion from the first comment and received the following error, from this code in FormBrowser.SignIn (where AadReturnURL = http://myactualdomain.onmicrosoft.com; this is a native app, and I assume this can be a 'dummy' URL if I don't have the means to display a web page):
var adalAuthProvider = new AdalAuthenticationProvider(FormBrowser.AadClientId, FormBrowser.AadReturnUrl);
this.oneDriveClient = new OneDriveClient(FormBrowser.AadTargetUrl + "/_api/v2.0", adalAuthProvider);
authTask = adalAuthProvider.AuthenticateUserAsync(FormBrowser.AadTargetUrl);
Exception thrown: 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' in Microsoft.IdentityModel.Clients.ActiveDirectory.dll
Microsoft.IdentityModel.Clients.ActiveDirectory Error: 4 : 10/24/2016 22:05:41: e9c2c5cd-1750-4d0f-b3a2-f373f7de309a - d__0: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS50001: The application named https://myactualdomain-my.sharepoint.com/_api/v2.0 was not found in the tenant named myactualdomain.onmicrosoft.com. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Trace ID: 16192303-40e9-4944-b376-d25d4ff52b73
Correlation ID: e9c2c5cd-1750-4d0f-b3a2-f373f7de309a
Timestamp: 2016-10-24 22:05:40Z
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenInteractiveHandler.VerifyAuthorizationResult()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenInteractiveHandler.PreTokenRequest()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.d__0.MoveNext()
ErrorCode: invalid_resource
StatusCode: 0

AadTargetUrl should be the URL of your service. For example, https://contoso-my.sharepoint.com/_api/v2.0/ would be the URL for your OneDrive for Business on the Contoso tenant. You can get more information about getting your target URL using the Discovery Service.
AadReturnUrl is the redirect URL you configured in the Azure Management Portal (as you correctly surmised). It's commonly something like http://localhost:8080 for local apps, but could be something different for web apps. You can get more information about that in the article you already linked.

Related

Azure function with Azure Active Directory aad failed with incorrect reply url

I am trying to secure the Azure functions using Azure Active Directory following the note.
When the link https://xxxfunction1.azurewebsites.net/api/function1 is entered, the browser redirects to AAD:
https://login.microsoftonline.com/[tenent]/oauth2/authorize?response_type=id_token&redirect_uri=https%3A%2F%2Fxxxfunction1.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=[client_id]&scope=openid+profile+email&response_mode=form_post&nonce=[nonce]state=redir%3D%252Fapi%252Ffunction1
and the error returns:
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application
The platform configurations in the AAD client:
The Authentication & Authorization in Azure function xxxfunction1 is configured to AzureAD client xxxfunction1app:
The same error with Advanced mode:
Any idea why it says the error on the reply URL please?
Your error is very simple. Your redirect_uri is decoded as: https://xxxfunction1.azurewebsites.net/.auth/login/aad/callback, but you configured the redirect_uri in the AAD client as: https://xxxfunction1.azurewebsites.net/.auth/login/aad/callcack, so you get the "response URL does not match" error; you only need to change callcack to callback.
Make sure that the URL matches exactly and double-check that the Application ID and tenant ID are matching. It might be trying to resolve to a different application or tenant.
The identifier URI should be: https://xxxfunction1.azurewebsites.net
Please go to Azure Portal > Azure Active Directory > App Registration > All Applications > Search with the App ID 6419ae-xxxx-xxxx-xxxx > Under the Authentication blade of the application, update the Redirect URI to https://xxxfunction1.azurewebsites.net/api/function1

Issue with "Resource owner password credentials grant" in Azure AD OAuth

Unable to get the access token by directly passing the username and password
Endpoint : https://login.microsoftonline.com/{tenant_id}/oauth2/token
grant_type: password
client_id: APPLICATION_ID
resource: https://graph.microsoft.com/.default
username: <username#microsoft.com>
password: <password>
Scope : openid
App is created in https://apps.dev.microsoft.com/
Getting Invalid grant error:
{
"error": "invalid_grant",
"error_description": "AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password\r\nTrace ID: 1ff96bc3-29c8-48f1-b7cc-f77c01525500\r\nCorrelation ID: 9821fdf5-25dc-4b07-84b3-f084194ea123\r\nTimestamp: 2018-09-14 20:04:01Z",
"error_codes": [
70002,
50126
],
"timestamp": "2018-09-14 20:04:01Z",
"trace_id": "1ff96bc3-29c8-48f1-b7cc-f77c01525500",
"correlation_id": "9821fdf5-25dc-4b07-84b3-f084194ea123"
}
UPDATE
Looks like there is more than one issue in play here.
You were using Azure AD token endpoint but had registered your application with Azure AD B2C by mistake (so case 2 as per my original answer).
Now after correcting that one, you should be using clientid and client secret for this new application that is registered with Azure AD.
Make sure you have added Microsoft Graph permissions for your application in Azure AD under "required permissions" and at the end of selecting appropriate permissions, make sure you press on the "Grant Permissions" button to give consent.
Looking at the error message and code you are getting (invalid_grant and "AADSTS70002: Error validating credentials. AADSTS50126"), I tried out ROPC exactly like you from Postman with a test application of my own and I tried multiple different combinations of passing wrong inputs, but the exact error codes you see come only in scenario where either my password or the username is incorrect (as the message says :)). In all other cases, error code will be different.
So, for username - make sure you give fully qualified name e.g. rohitsaigal#mydomain.onmicrosoft.com
for password - pretty obvious.
Give it another try based on the instructions above and let's see how it goes.
ORIGINAL ANSWER
App is created in https://apps.dev.microsoft.com/
This means that your application is registered with Azure AD B2C.
Where you have registered your application isn't matching with the token endpoint you are using.
Case 1 - You are looking to use Azure AD B2C
Resource Owner Password Credentials Grant is still in public preview and you will need to follow the instructions provided by Microsoft here -
Configure the resource owner password credentials flow in Azure AD B2C
The endpoint you will hit to get the token will also be different from the one you have mentioned.
https://yourtenant.b2clogin.com/<yourtenant.onmicrosoft.com>/oauth2/v2.0/token?p=B2C_1_ROPC_Auth
Case 2 - You are looking to use Azure AD B2B
In this case you are using the correct endpoint to get the token, but you have wrongly registered your application with Azure AD B2C; you will need to change that and register your application from the Azure Portal.
Instructions and details here - Integrating applications with Azure Active Directory
Just in case you need to read up on differences between Azure AD B2B v/s B2C - look at this SO Post
Here is another useful SO Post that gives information about registering your application through Azure Portal v/s https://apps.dev.microsoft.com (New application registration portal)
It seems like you didn't Grant Permissions to your app. Make sure all of the users are added to the app and ensure that you have the correct web.config parameters.
Also, ensure that the username and password are correct for the managed domain to connect. I've gotten this error before using the incorrect user. A regular Azure global admin user may not be able to authenticate. You need to make sure you are using a CSP admin user.
This works https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow
But keep in mind that there are limitations like:
You cannot use it when a password has expired or needs to be changed.
MFA is not supported
Social logins are not supported

Box API token request enterprise configuration issue

I am making a call to https://api.box.com/oauth2/token to get a token for a user.
I get a 400 with the following error:
Cannot obtain token based on the enterprise configuration for your app
I don't see this error message defined anywhere. Any ideas what I'm doing wrong?
The issue here was that I was requesting a token for a non app user and my application was configured to allow access to app users only.

OneDrive for business Oauth2 with REST

I have a portal.office.com account and want to access OneDrive for Business at tenant-my.sharepoint.com by means of my REST application.
I have registered my application in Azure Active Directory and start OAuth2 authentication like this:
https://login.windows.net/common/oauth2/authorize?response_type=code&client_id='+ App.Key + '&redirect_uri=http://localhost:8889/';
On this phase I have got AuthCode from azure and next phase is obtaining session tokens.
As next step in authentication I'm doing POST request to https://login.windows.net/common/oauth2/token
with params:
'client_id=' + App.Key
+ '&client_secret=' + App.Secret
+ '&code=' + AuthCode
+ '&redirect_uri=http://localhost:8889/'
+ '&grant_type=authorization_code'
+ '&resource=' + URLEncode('syncovery1');
Unfortunately I'm getting error in response:
{"error":"invalid_resource","error_description":"AADSTS50001: The application named syncovery1 was not found in the tenant named konnov.onmicrosoft.com. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: 1af2ced2-b2bb-4568-8a87-bd2d1186cf9a\r\nCorrelation ID: 15dcda2c-0599-4279-8744-27c61e6912a9\r\nTimestamp: 2015-10-06 07:46:03Z","error_codes":[50001],"timestamp":"2015-10-06 07:46:03Z","trace_id":"1af2ced2-b2bb-4568-8a87-bd2d1186cf9a","correlation_id":"15dcda2c-0599-4279-8744-27c61e6912a9"}'
Please suggest the ways to a possible solution. In my portal.office.com account I can not find any place where third party application might be associated with the account. Can you guess the meaning of the 'resource' param in the last request?
What services or licences in portal.office.com should be active to allow authentication? Maybe I just don't have OneDriveForBusiness subscription activated?
Thanks in advance,
Resource in the request means the resource which you want to access in the particular tenant. So the Resource should be the App ID which you have registered in Azure AD (not the App name). If 'syncovery1' is the name of the application then it returns an error. One more point to add: do not encode the resource, as the endpoint may not recognize it.
For example, if you want to get all the resource endpoints of Office 365 then the resource would be https://api.office.com/discovery/.
Similarly, if the App ID of my app is https://mydrive.sharepoint.com/ registered with app name "mydrivesync", then the resource should be https://mydrive.sharepoint.com/.
Follow this official documentation for complete details.
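The points made across the answers above (AadTargetUrl as the service URL, an exactly matching reply URL, a raw App ID URI rather than a display name in `resource`, and a fully qualified UPN for ROPC) collected into one request builder for the v1 `/oauth2/token` endpoint. This is an added example, not code from any of the posts or from the OneDrive SDK; the function names are mine and the tenant, client and URL values used with it are constructed placeholders.

```python
from urllib.parse import urlencode, urlparse

# v1 token endpoint the auth-code and ROPC questions above post to (B2C uses a different one).
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/token"


def check_redirect_uri(requested, registered):
    """AADSTS50011 is an exact string comparison: return None on a match, else
    the offset where the request first diverges from the closest registered reply URL."""
    if requested in registered:
        return None
    closest = max(registered, key=lambda r: sum(a == b for a, b in zip(r, requested)))
    pos = next((i for i, (a, b) in enumerate(zip(closest, requested)) if a != b),
               min(len(closest), len(requested)))
    return f"redirect_uri differs from registered {closest!r} at offset {pos}"


def check_resource(resource):
    """AADSTS50001: 'resource' must be the App ID URI, not the display name, and is
    passed raw here because urlencode() below percent-encodes it exactly once."""
    if "%" in resource:
        return "resource is already percent-encoded; pass it unencoded"
    parts = urlparse(resource)
    if not (parts.scheme and parts.netloc):
        return f"resource {resource!r} is a display name, not an App ID URI"
    return None


def auth_code_token_request(tenant, client_id, client_secret, code,
                            redirect_uri, resource, registered_redirects):
    """Return (url, form body) for the authorization_code exchange, or raise
    ValueError with the reason AAD would reject it."""
    problems = [m for m in (check_redirect_uri(redirect_uri, registered_redirects),
                            check_resource(resource)) if m]
    if problems:
        raise ValueError("; ".join(problems))
    body = urlencode({"grant_type": "authorization_code", "client_id": client_id,
                      "client_secret": client_secret, "code": code,
                      "redirect_uri": redirect_uri, "resource": resource})
    return TOKEN_ENDPOINT.format(tenant=tenant), body


def ropc_token_request(tenant, client_id, username, password, resource):
    """Resource owner password grant; the ROPC answer above says the username
    must be a fully qualified UPN (user@tenant.onmicrosoft.com)."""
    if "@" not in username:
        raise ValueError("username must be a fully qualified UPN")
    body = urlencode({"grant_type": "password", "client_id": client_id,
                      "username": username, "password": password,
                      "resource": resource, "scope": "openid"})
    return TOKEN_ENDPOINT.format(tenant=tenant), body
```

The returned body is what goes in a `POST` with `Content-Type: application/x-www-form-urlencoded`; the checks run before any network call so a `callcack`-style typo or a display-name `resource` is caught locally.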

IBM Worklight v5.0.5 - Encrypted Offline Cache not working in Android or iOS

While debugging, we observe following behavior:
1) When trying to get the encryption key from the server, there is an error on both platforms (iOS and Android):
response [https://xxxx.xxxx.com:443/worklight/apps/services/random]
success: Exception thrown by application class
'com.ibm.ws.webcontainer.session.impl.HttpSessionContextImpl.checkSecurity():685'
SESN0008E: A user authenticated as anonymous has
attempted to access a session owned by user:NewRealm/CN=test
user,OU=Temporary Users,OU=Acc,DC=xxxx,DC=com.
2) When trying to read a stored value, the error on Android is [Logcat]:
Android Message: Uncaught 9 at
file:///data/data/com.xxxx.xxxxapp/files/www/default/wlclient/js/encryptedcache.js:63
when trying to call WL.EncryptedCache.read
Worklight version used is 5.0.5 Consumer Edition (with Oracle 11i) on
Windows 2008 R2
WebSphere Liberty profile
Worklight server is sitting behind IBM Datapower XI52. All SSL calls to the server are going via DP.
Authenticator - WebSphereFormBasedAuthenticator & LoginModule - WASLTPAModule
The following is not really an answer, since I'm not familiar with authentication (LTPA, FormBasedAuth, Data Power, etc.)... just a couple of comments that could help you debug/isolate the issue.
Looks like a problem with authentication:
A user authenticated as anonymous has attempted to access a session
owned by user:NewRealm/CN=test user,OU=Temporary
Users,OU=Acc,DC=xxxx,DC=com.
Not with the Encrypted Offline Cache (EOC).
EOC will try to get a random token calling the following function:
WL.EncryptedCache.secureRandom(function (data) {
console.log(data);
});
It should output something like this:
response [/apps/services/random] success: 9053bdcfd902aac3dfb59a9874c9cf55223b7d17
9053bdcfd902aac3dfb59a9874c9cf55223b7d17
You can view the functions source code typing the following in a JS console:
WL.EncryptedCache.secureRandom
If you're using Google Chrome developer tools there's a checkbox for Log XMLHttpRequests when you click on the gear icon > General > Console.
You can also try to request the URL directly. Assuming the host is localhost, port is 10080 and project name is wlproj:
http://localhost:10080/wlproj/apps/services/random
9053bdcfd902aac3dfb59a9874c9cf55223b7d17
You can view HTTP traffic with Wireshark or Charles Proxy.
I imagine this will fix the EOC issue for you, if you don't mind generating the random token locally (less security, AFAIK):
WL.EncryptedCache.secureRandom = function(callback){callback(Math.random()+"")}
For example:
Notice it never goes to the server, everything is done locally.
A user authenticated as anonymous has attempted to access a session owned by user:NewRealm/CN=test user,OU=Temporary Users,OU=Acc,DC=xxxx,DC=com.
This usually means that there is a conflict: the session sent by the user (the session cookie) belongs to a user (in this case), but the LTPA token sent as a cookie was not sent or was not valid. There could be a few causes of this. The best way is to do a trace between DataPower and the Worklight server to make sure an LTPA token is even being sent to the Worklight server. If it is, verify all of the LTPA requirements are met (synchronized time, same private key on both machines).