CODEWITHSUNDEEP
asp.net-identityazure-active-directoryasp.net-identity-2
Philip Nelson
Philip Nelson

Reputation: 995

Stuck between two errors in an Azure OAuth2 token request

I am implementing an OAuth2 provider for OWIN and Azure Active Director. FWIW, at this time the OpenId Connect option doesn't fit the requirements for this work.

I get an auth code, and returned to my reply url with the auth_code, state, and make the request for a token to "scheme://login.windows.net/{myguid}/oauth2/token. 

 // Build up the body for the token request
 var body = new List<KeyValuePair<string, string>>();
 body.Add(new KeyValuePair<string, string>("grant_type", "authorization_code"));
 body.Add(new KeyValuePair<string, string>("code", code));
 body.Add(new KeyValuePair<string, string>("redirect_uri", redirectUri));
 body.Add(new KeyValuePair<string, string>("client_id", Options.ClientId));
 body.Add(new KeyValuePair<string, string>("client_secret", Options.ClientSecret));

 // Request the token
 HttpResponseMessage tokenResponse =
     await httpClient.PostAsync(TokenEndpoint, new FormUrlEncodedContent(body));
 string text = await tokenResponse.Content.ReadAsStringAsync();
 tokenResponse.EnsureSuccessStatusCode();

I get this error:

{"error":"invalid_resource","error_description":"AADSTS50001: Resource identifier is not provided.
Trace ID: 227f2af8-0837-4f22-ac0f-a09b3f9a6d50
Correlation ID: 3d783f11-44d0-4efa-8831-3dd581d653ed
Timestamp: 2014-08-08 21:59:49Z","error_codes":[50001],"timestamp":"2014-08-08 21:59:49Z","trace_id":"227f2af8-0837-4f22-ac0f-a09b3f9a6d50","correlation_id":"3d783f11-44d0-4efa-8831-3dd581d653ed"}

OK, I add the resource option:

 // Build up the body for the token request
 var body = new List<KeyValuePair<string, string>>();
 body.Add(new KeyValuePair<string, string>("grant_type", "authorization_code"));
 body.Add(new KeyValuePair<string, string>("code", code));
 body.Add(new KeyValuePair<string, string>("redirect_uri", redirectUri));
 body.Add(new KeyValuePair<string, string>("client_id", Options.ClientId));
 body.Add(new KeyValuePair<string, string>("client_secret", Options.ClientSecret));
 body.Add(new KeyValuePair<string, string>("resource", "https://myappid"));

{"error":"invalid_request","error_description":"AADSTS90027: The client 'xxxxx' and resource 'https://myappid' identify the same application.
Trace ID: 6c77f123-d75f-43a9-8117-b3f372891ee4
Correlation ID: d9081f8b-b690-4478-bf15-55325a9736ec
Timestamp: 2014-08-08 21:48:34Z","error_codes":[90027],"timestamp":"2014-08-08 21:48:34Z","trace_id":"6c77f123-d75f-43a9-8117-b3f372891ee4","correlation_id":"d9081f8b-b690-4478-bf15-55325a9736ec"}

so I must have the correct app id associated with my client id. hrrmph! I am clearly doing something wrong but just can't seem to see it. Any suggestions?

Upvotes: 10

Views: 9849

Answers (3)

Dushyant Gill
Dushyant Gill

Reputation: 4004

OAuth deals with 4 parties: 1) resource owner aka user 2) resource app: usually a Web API that protects access to resources owner by the user 3) client app: a web app or mobile app or even another Web API that wants to access the resource on-behalf of the user 4) the authority: the secure token service that authenticates the user and/or the client app and issues a delegated access token to the client to access the resource.

Your code is using the same identifier for the client app as well as the resource - essentially it is trying to request for an access token to access itself. It can be argued that this scenario should be allowed - but it isn't today by Azure AD.

Please do the following: register a resource application in Azure AD. In its manifest add a new an appPermission (follow this post). Then, go to the client application configuration page and scroll to the bottom - in the 'Permissions to other applications' section, add the resource permission to the client applications list of "delegated permissions".

Now, use the resource application's AppIDURI or ClientID in your OAuth request and stuff should work.

Hope this helps.

Upvotes: 6

wutzebaer
wutzebaer

Reputation: 14863

I had the same problem, i just wanted to implement a user-login.

After trying 1000 things (with this post amongst others) i found out that i can use the Microsoft.Azure.ActiveDirectory-id as resource paramter. On this way i don't have to create an second app.

http://blogs.msdn.com/b/besidethepoint/archive/2012/10/23/getting-started-with-azure-active-directory.aspx

nameValuePairs.add(new BasicNameValuePair("resource", "00000002-0000-0000-c000-000000000000"));

and got the token

UPDATE:

the azure support suggested me to use https://graph.windows.net/ :

nameValuePairs.add(new BasicNameValuePair("resource", "https://graph.windows.net/"));

Upvotes: 22

gye
gye

Reputation: 1414

Using the "openid" scope in the authorization request should trigger an OpenID Connect flow that would return an id_token and does not require a resource.

Upvotes: 8

Related Questions