Donal McWeeney

Reputation: 241

How can I get the AuthenticationContext to use the v2.0 endpoints?

I'm working on some code based on the onboarding sample code at https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-multitenant-openidconnect.

I've registered the app at https://apps.dev.microsoft.com/ so that means I need to use the oauth v2.0 endpoints.

I've changed the initial sign-in request to use the /oauth2/v2.0/authorize endpoint which works, and fires the ProcessCode method in my controller. I get the code, id_token and state back.

Then in the ProcessCode controller action I am calling the AuthenticationContext.AcquireTokenByAuthorizationCodeAsync method. This is going to /common/oauth2/token and returning "error":"invalid_grant", "error_description":"AADSTS70000: Authentication failed: Authorization Code is malformed or invalid."

I'm guessing this is returned because the code was issued by the v2.0 endpoint and the acquire-token request needs to go to the /common/oauth2/v2.0/token endpoint?

So the question is: any idea how I can get the AuthenticationContext to use the v2.0 endpoints? This has been driving me nuts for a few days now.

BTW, I'm using Microsoft.IdentityModel.Clients.ActiveDirectory version 3.10.305231913.

Thanks

Donal

Upvotes: 0

Views: 2633

Answers (1)

Saca

Reputation: 10656

Use the Microsoft Authentication Library which is built to work with the v2.0 endpoint. You can find it here: https://www.nuget.org/packages/Microsoft.Identity.Client

In this library, the AuthenticationContext has been replaced with ConfidentialClientApplication and PublicClientApplication. In your case, since you're getting the token in your web server which is a confidential client, you'll need to do this:

// The resource scopes you want the access token to cover
var scopes = new string[] { "https://outlook.office.com/mail.read" };

// A web app redeeming the code server-side is a confidential client (it holds a client credential)
var ctx = new ConfidentialClientApplication(clientId, redirectUri, clientCredential, tokenCache);
// Redeem the code returned to ProcessCode against the v2.0 token endpoint
var t = await ctx.AcquireTokenByAuthorizationCodeAsync(scopes, authorizationCode);

Replace scopes with whatever you want to get access to with the access token. Keep in mind though that only a limited set of scopes are available in the v2.0 endpoint (mail, calendar & contacts from both the Outlook API and MS Graph).

EDIT: All scopes from MS Graph are now available in the v2.0 endpoint.

Upvotes: 1
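The exchange the question describes, worked at the protocol level as an added example (this is not code from the question, the answer, MSAL or the Azure sample). It builds the v2.0 authorize request with a per-request state, validates the callback, and redeems the code at the token endpoint, showing that the same v2.0-issued code is rejected at /oauth2/token (the endpoint ADAL's AuthenticationContext calls) and accepted at /oauth2/v2.0/token. The HTTP POST is injected so the flow runs offline against a constructed stand-in for Azure AD; the client id, secret, redirect URI, code value and the stand-in's responses are all placeholders, with the error body copied from the one quoted in the question. A real deployment would pass a transport that wraps urllib.request or requests in place of the stand-in.

```python
import json
import re
import secrets
import urllib.parse
from typing import Callable, Dict, List, Tuple

AUTHORITY = "https://login.microsoftonline.com/common"
V1_TOKEN = f"{AUTHORITY}/oauth2/token"        # what ADAL's AuthenticationContext posts to
V2_TOKEN = f"{AUTHORITY}/oauth2/v2.0/token"   # where a v2.0-issued code must be redeemed

# Injected transport: (url, form-encoded body, headers) -> (status, response body)
Poster = Callable[[str, bytes, Dict[str, str]], Tuple[int, str]]


class TokenError(Exception):
    """OAuth error response; pulls the AADSTS code out of error_description."""
    def __init__(self, error: str, description: str):
        super().__init__(f"{error}: {description}")
        self.error, self.description = error, description
        m = re.search(r"AADSTS\d+", description)
        self.aadsts = m.group(0) if m else None


def new_state() -> str:
    """Unguessable per-request state; the callback must echo it (CSRF binding)."""
    return secrets.token_urlsafe(24)


def authorize_url(client_id: str, redirect_uri: str, scopes: List[str], state: str) -> str:
    """Sign-in redirect against the v2.0 authorize endpoint (openid is added for the id_token)."""
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "response_mode": "query", "scope": " ".join(["openid"] + scopes), "state": state}
    return f"{AUTHORITY}/oauth2/v2.0/authorize?" + urllib.parse.urlencode(params)


def parse_callback(query: Dict[str, str], expected_state: str) -> str:
    """Check the redirect back from Azure AD and return the authorization code."""
    if not secrets.compare_digest(query.get("state", ""), expected_state):
        raise ValueError("state mismatch: response is not bound to this sign-in request")
    if "error" in query:
        raise TokenError(query["error"], query.get("error_description", ""))
    if "code" not in query:
        raise ValueError("callback carried neither a code nor an error")
    return query["code"]


def redeem_code(post: Poster, token_url: str, client_id: str, client_secret: str,
                redirect_uri: str, code: str, scopes: List[str]) -> Dict[str, str]:
    """Exchange the code for tokens; token_url must belong to the endpoint family that issued it."""
    body = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "grant_type": "authorization_code", "code": code,
        "redirect_uri": redirect_uri, "scope": " ".join(scopes),
    }).encode()
    status, text = post(token_url, body, {"Content-Type": "application/x-www-form-urlencoded"})
    resp = json.loads(text)
    if status != 200 or "error" in resp:
        raise TokenError(resp.get("error", f"http_{status}"), resp.get("error_description", ""))
    return resp


def fake_azure_ad(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, str]:
    """Constructed stand-in for Azure AD: the placeholder v2.0 code is valid only at V2_TOKEN.
    The rejection body mirrors the invalid_grant / AADSTS70000 response quoted in the question."""
    form = urllib.parse.parse_qs(body.decode())
    if url == V2_TOKEN and form.get("code") == ["v2code"]:
        return 200, json.dumps({"token_type": "Bearer", "expires_in": 3600,
                                "access_token": "eyJ.constructed.token", "scope": form["scope"][0]})
    return 400, json.dumps({"error": "invalid_grant",
                            "error_description": "AADSTS70000: Authentication failed: "
                                                 "Authorization Code is malformed or invalid."})


def demo(post: Poster = fake_azure_ad) -> Tuple[str, str]:
    """Redeem one v2.0 code at the v1 endpoint (fails) and at the v2.0 endpoint (succeeds)."""
    client_id, secret = "00000000-0000-0000-0000-000000000000", "placeholder-secret"
    redirect, scopes = "https://localhost/ProcessCode", ["https://outlook.office.com/mail.read"]
    state = new_state()
    authorize_url(client_id, redirect, scopes, state)                 # would be sent to the browser
    code = parse_callback({"code": "v2code", "state": state}, state)  # constructed callback
    try:
        redeem_code(post, V1_TOKEN, client_id, secret, redirect, code, scopes)
        v1_outcome = "unexpected success"
    except TokenError as e:
        v1_outcome = e.aadsts
    v2_token = redeem_code(post, V2_TOKEN, client_id, secret, redirect, code, scopes)["access_token"]
    return v1_outcome, v2_token


if __name__ == "__main__":
    print(demo())
```

The state check uses a constant-time comparison and fails closed before any code is redeemed, so a forged or replayed callback cannot be turned into a token request; the token URL is an explicit parameter rather than a library default precisely so that the v1/v2.0 mismatch the question hit is visible in the caller's code.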
