AMoghrabi

Reputation: 353

Unable to Retrieve ADAL Token for Vault.azure.net Using Ruby ADAL Gem

I'm using the ADAL Ruby gem found below and following the user credentials example in the samples folder:

https://github.com/AzureAD/azure-activedirectory-library-for-ruby

I have set up a native client in Azure AD. I am able to successfully get a token for https://management.core.windows.net/ and perform deployments using that token. Also, with that same token, I can use it in an HTTPS request via Postman to retrieve my Azure Key Vault.

The problem:

I need to retrieve a secret from my key vault. Using the token above, I get a 401 unauthorized. I attempted to generate a new token, this time with the RESOURCE set as https://vault.azure.net and I get the following error:

AADSTS65001: The user or administrator has not consented to use the application with ID {client-id}. Send an interactive authorization request for this user and resource.

I am working with Azure support and we have been following identical steps. He is using the .NET library while I am using a ruby gem. A notable difference between my request and Azure support:

Azure support's request to obtain a token sends a grant_type header with the value set as client_credentials. I have the same header sent but with password as the value.

I have also tried creating a web application rather than a native application to test this. I am following the samples given in the ruby gem repo. This also fails to retrieve a token for management.core and vault.azure.net. It does successfully get a token for the graph API.

Any help is appreciated on why I can't get a token for Azure Key Vault using this library.

Upvotes: 1

Views: 456

Answers (1)

AMoghrabi

Reputation: 353

Azure support has confirmed that this is a bug for native applications using the password grant type (which is what should be used when authenticating a native application).

Until Azure adds the Key Vault application permission setting in your registered AD application, you need to use the client ID of PowerShell:

1950a258-227b-4e31-a9cf-717495945fc2

Upvotes: 2
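As an added example (not code from the question, the answer, or the gem's own samples), this shows how the workaround above plugs into the ADAL gem's username/password flow for the https://vault.azure.net resource, and how a Key Vault secret read should treat the 401 that a token issued for the wrong resource produces. The authority host, the Key Vault api-version, and the helper names are my assumptions.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Well-known client ID of Azure PowerShell, as given in the answer above.
POWERSHELL_CLIENT_ID = '1950a258-227b-4e31-a9cf-717495945fc2'.freeze
VAULT_RESOURCE       = 'https://vault.azure.net'.freeze
AUTHORITY            = 'login.windows.net'.freeze # assumed world-wide authority host

# Acquire a Key Vault token with the password grant through the ADAL gem,
# using the PowerShell client ID as the workaround describes. An ErrorResponse
# (e.g. AADSTS65001) is raised rather than silently passed on as a nil token.
def acquire_vault_token(tenant, username, password, client_id: POWERSHELL_CLIENT_ID)
  require 'adal' # loaded lazily so the pure helpers below need no gem installed
  ctx  = ADAL::AuthenticationContext.new(AUTHORITY, tenant)
  cred = ADAL::UserCredential.new(username, password)
  resp = ctx.acquire_token_for_user(VAULT_RESOURCE, client_id, cred)
  raise "token request failed: #{resp.error} #{resp.error_description}" unless resp.is_a?(ADAL::SuccessResponse)
  resp.access_token
end

# Data-plane URL for a secret; the api-version value is an assumption.
def secret_uri(vault_name, secret_name, api_version: '2016-10-01')
  URI("https://#{vault_name}.vault.azure.net/secrets/#{secret_name}?api-version=#{api_version}")
end

# Interpret the vault's reply: 401 is the symptom from the question (bearer token
# not issued for the vault resource); 200 carries the secret in the "value" field.
def parse_secret_response(status, body)
  case status.to_i
  when 200 then JSON.parse(body)['value']
  when 401 then raise 'unauthorized: token audience is not https://vault.azure.net'
  else raise "key vault request failed with HTTP #{status}"
  end
end

# Read one secret with a bearer token; the token itself is never logged.
def get_secret(vault_name, secret_name, token)
  uri = secret_uri(vault_name, secret_name)
  req = Net::HTTP::Get.new(uri)
  req['Authorization'] = "Bearer #{token}"
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
  parse_secret_response(res.code, res.body)
end

if __FILE__ == $PROGRAM_NAME && ENV['AZURE_TENANT'] # credentials come from the environment
  token = acquire_vault_token(ENV.fetch('AZURE_TENANT'), ENV.fetch('AZURE_USER'), ENV.fetch('AZURE_PASSWORD'))
  puts get_secret(ENV.fetch('VAULT_NAME'), ENV.fetch('SECRET_NAME'), token)
end
```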
