Reputation: 447
I'm following this guide to authenticate with Microsoft Graph. I am able to successfully do the first request (for an authorization code) but am having issues with the second request (requesting an access token).
Params for the second request (for access token):
client_id: <my id>
client_secret: <my secret>
code: <authorization code returned from first request>
redirect_uri: http://localhost:8080/Callback
grant_type: authorization_code
scope: https://graph.microsoft.com/user.read
Error from second request:
{
"error": "invalid_resource",
"error_description": "AADSTS50001: Resource identifier is not provided.\r\nTrace ID: <my trace id>\r\nCorrelation ID: <my correlation id>\r\nTimestamp: 2017-05-03 15:25:42Z",
"error_codes": [
50001
],
"timestamp": "2017-05-03 15:25:42Z",
"trace_id": <my trace id>,
"correlation_id": <my correlation id>
}
However, my request works fine (returns a bearer and refresh token) if I add this extra parameter:
resource: https://graph.microsoft.com/
I don't see this resource parameter mentioned anywhere in the docs except the example under Getting an access token on this page.
My questions are:
EDIT: See Marc's answer below and my comment response.
Turns out I was using the following URLs:
https://login.microsoftonline.com/common/oauth2/authorize
https://login.microsoftonline.com/common/oauth2/token
when I should have been using:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
https://login.microsoftonline.com/common/oauth2/v2.0/token
After using the ones with v2.0, I didn't need to include my resource parameter in the token request anymore.
Upvotes: 15
Views: 50241
Reputation: 33094
It looks like you're providing the correct properties but not in the correct format. To get the token you need to issue a POST with this data formatted as application/x-www-form-urlencoded to https://login.microsoftonline.com/common/oauth2/v2.0/token. From your example, it looks like you're sending your data as JSON rather than x-www-form-urlencoded.
POST URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
POST HEADER: Content-Type: application/x-www-form-urlencoded
POST BODY: grant_type=authorization_code&code=[AUTHORIZATION CODE]&client_id=[APPLICATION ID]&client_secret=[PASSWORD]&scope=[SCOPE]&redirect_uri=[REDIRECT URI]
I wrote up a Microsoft v2 Endpoint Primer a few months back that might help walk you through the procedure.
Upvotes: 13
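As an added example (not code from the question or either answer), this Python snippet builds the v2.0 token request as form-encoded data and then lints it for the two mistakes discussed on this page: a JSON body, and the v1 endpoint used without a `resource` parameter (the AADSTS50001 case). The function names and the client id, secret and code values are assumptions and placeholders, not anything from Microsoft's SDKs.

```python
# Added example: build and sanity-check an authorization_code token request.
# All credential-looking values used below are constructed placeholders.
from urllib.parse import urlencode, parse_qs, urlparse

V2_TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
V1_TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/token"
FORM_CTYPE = "application/x-www-form-urlencoded"


def build_token_request(code, client_id, client_secret, redirect_uri,
                        scope, token_url=V2_TOKEN_URL, resource=None):
    """Return (url, headers, body) for the authorization_code grant.

    The body is form-encoded, never JSON. `resource` is only needed on the
    v1 endpoint; the v2.0 endpoint expresses the target via `scope`.
    """
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "scope": scope,
    }
    if resource is not None:
        params["resource"] = resource
    return token_url, {"Content-Type": FORM_CTYPE}, urlencode(params)


def body_fields(body):
    """Decode a form-encoded body into {name: first_value}; raises on bad input."""
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}


def lint_token_request(url, headers, body):
    """List the problems that would make Azure AD reject this request."""
    problems = []
    ctype = headers.get("Content-Type", "")
    if ctype != FORM_CTYPE:
        problems.append("body must be %s, not %r" % (FORM_CTYPE, ctype))
    try:
        fields = body_fields(body)
    except ValueError:
        problems.append("body is not a valid form-encoded string (JSON?)")
        return problems
    if "/oauth2/v2.0/" not in urlparse(url).path and "resource" not in fields:
        problems.append("v1 endpoint needs the resource parameter (AADSTS50001)")
    for required in ("grant_type", "code", "client_id", "redirect_uri"):
        if required not in fields:
            problems.append("missing parameter: " + required)
    return problems
```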
Reputation: 779
According to https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code,
The target resource is invalid because it does not exist, Azure AD cannot find it, or it is not correctly configured.
According to https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes,
...The same is true for any third-party resources that have integrated with Azure AD. Any of these resources also can define a set of permissions that can be used to divide the functionality of that resource into smaller chunks.
And then
By defining these types of permissions, the resource has fine-grained control over its data and how the data is exposed. A third-party app can request these permissions from an app user. The app user must approve the permissions before the app can act on the user's behalf. By chunking the resource's functionality into smaller permission sets, third-party apps can be built to request only the specific permissions that they need to perform their function. App users can know exactly how an app will use their data, and they can be more confident that the app is not behaving with malicious intent.
So, to answer 1) I think you just need to specify the user.read permission in the Azure AD page for your application. To answer 2) you wouldn't specify a resource for a third-party application.
Upvotes: 0