Reputation: 2939
We have been trying to make requests to SharePoint using CSOM/REST with an Authorization: Bearer header carrying a token. It is related to this question below:
C# CSOM Sharepoint Bearer request from azure active directory
There is only one link/example that works; all others, including the Android ADAL approach, don't work.
https://samlman.wordpress.com/2015/02/27/using-adal-access-tokens-with-o365-rest-apis-and-csom/
They don't seem to return as long a token. When we look at the token in a JWT parser, we can see that the scp value is different: the one that fails has user_impersonation, but the working one has AllSites.Manage AllSites.Read AllSites.Write MyFiles.Read MyFiles.Write. The aud URL is also different. Are one or both of these the problem, and how do I get it working?
This is the one that fails:
{
  "aud": "https://srmukdev.onmicrosoft.com/3Squared-Api-Test",
  "iss": "...",
  "iat": ...,
  "nbf": ...,
  "exp": ...,
  "acr": "...",
  "aio": "...",
  "amr": [
    "pwd",
    "mfa"
  ],
  "appid": "...",
  "appidacr": "0",
  "e_exp": ...,
  "family_name": "...",
  "given_name": "...",
  "ipaddr": "...",
  "name": "...",
  "oid": "...",
  "onprem_sid": "...",
  "platf": "3",
  "scp": "user_impersonation",
  "sub": "...",
  "tid": "...",
  "unique_name": "...",
  "upn": "...",
  "ver": "1.0"
}
This is the one that works:
{
  "aud": "https://srmukdev.sharepoint.com/",
  "iss": "...",
  "iat": ...,
  "nbf": ...,
  "exp": ...,
  "acr": "...",
  "aio": "...",
  "amr": [
    "pwd",
    "mfa"
  ],
  "app_displayname": "...",
  "appid": "...",
  "appidacr": "0",
  "e_exp": ...,
  "family_name": "...",
  "given_name": "...",
  "ipaddr": "...",
  "name": "...",
  "oid": "...",
  "onprem_sid": "...",
  "platf": "3",
  "puid": "...",
  "scp": "AllSites.Manage AllSites.Read AllSites.Write MyFiles.Read MyFiles.Write",
  "sub": "...",
  "tid": "...",
  "unique_name": "...",
  "upn": "...",
  "ver": "1.0"
}
Upvotes: 0
Views: 318
Reputation: 14649
The access token is issued for a specific resource, which you can check via its aud claim. The first token is used for authentication to your custom resource.
To get a token for a specific resource, we can use the resource parameter to specify which resource we want to request the token for. For example, if I want to get a token for the Microsoft Graph resource, we can construct the request like below:
POST /{tenant}/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&client_id=2d4d11a2-f814-46a7-890a-274a72a7309e
&code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrqqf_ZT_p5uEAEJJ_nZ3UmphWygRNy2C3jJ239gV_DBnZ2syeg95Ki-374WHUP-i3yIhv5i-7KU2CEoPXwURQp6IVYMw-DjAOzn7C3JCu5wpngXmbZKtJdWmiBzHpcO2aICJPu1KvJrDLDP20chJBXzVYJtkfjviLNNW7l7Y3ydcHDsBRKZc3GuMQanmcghXPyoDg41g8XbwPudVh7uCmUponBQpIhbuffFP_tbV8SNzsPoFz9CLpBCZagJVXeqWoYMPe2dSsPiLO9Alf_YIe5zpi-zY4C3aLw5g9at35eZTfNd0gBRpR5ojkMIcZZ6IgAA
&redirect_uri=https%3A%2F%2Flocalhost%2Fmyapp%2F
&resource=https%3A%2F%2Fservice.contoso.com%2F
&client_secret=p@ssw0rd
If you want to acquire the access token for https://srmukdev.sharepoint.com/, you need to set the resource parameter to https://srmukdev.sharepoint.com/ in the request, according to the flow you are using.
For more detail about the flows Azure AD supports for acquiring access tokens, you can refer to the link below:
Azure Active Directory Authentication Protocols
Upvotes: 1
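The check the asker did by hand in a JWT parser (compare aud and scp before sending the token as a Bearer header) can be automated. The following is an added example, not code from the question, the answer, or any Microsoft library: it decodes a JWT payload without verifying the signature (inspection only, exactly what a parser site does), reports why a token would be rejected by a given resource, and builds the token-request body with the resource parameter the answer describes. The two payloads are constructed from the redacted tokens in the question, and the tokens are built locally with alg "none" so the example runs offline; real tokens are signed by Azure AD and must be verified by the receiving service, not by this code.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed payloads mirroring the two tokens shown in the question (other claims omitted).
FAILING_PAYLOAD = {
    "aud": "https://srmukdev.onmicrosoft.com/3Squared-Api-Test",
    "scp": "user_impersonation",
    "upn": "user@example.invalid",
}
WORKING_PAYLOAD = {
    "aud": "https://srmukdev.sharepoint.com/",
    "scp": "AllSites.Manage AllSites.Read AllSites.Write MyFiles.Read MyFiles.Write",
    "upn": "user@example.invalid",
}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used by the JWT compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(payload: dict) -> str:
    """Build a header.payload.signature string for demonstration only (alg none, empty signature)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()), _b64url(json.dumps(payload).encode()), ""])


def decode_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT. This does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(segment))


def check_token_for_resource(token: str, resource: str, required_scopes: set) -> list:
    """Return a list of reasons the token would be rejected by `resource`; empty means it looks usable.

    The aud comparison is deliberately exact: the service matches the string it was registered
    with, so a missing trailing slash is a different audience.
    """
    claims = decode_payload(token)
    problems = []
    aud = claims.get("aud", "")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a list in general JWTs
    if resource not in audiences:
        problems.append(f"aud {aud!r} is not the target resource {resource!r}")
    granted = set(claims.get("scp", "").split())  # scp is a space-separated list
    missing = required_scopes - granted
    if missing:
        problems.append("missing scopes: " + " ".join(sorted(missing)))
    return problems


def build_token_request_body(client_id: str, code: str, redirect_uri: str,
                             resource: str, client_secret: str) -> str:
    """Form body for the v1 authorization-code grant shown in the answer; `resource` selects the aud."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "resource": resource,
        "client_secret": client_secret,
    })


if __name__ == "__main__":
    target = "https://srmukdev.sharepoint.com/"
    for label, payload in (("failing", FAILING_PAYLOAD), ("working", WORKING_PAYLOAD)):
        issues = check_token_for_resource(make_unsigned_jwt(payload), target, {"AllSites.Read"})
        print(label, "->", issues or "ok")
    print(build_token_request_body("CLIENT_ID_PLACEHOLDER", "CODE_PLACEHOLDER",
                                   "https://localhost/myapp/", target, "SECRET_PLACEHOLDER"))
```

Running it prints two findings for the failing token (wrong aud, scopes missing) and "ok" for the working one, and the printed body contains resource=https%3A%2F%2Fsrmukdev.sharepoint.com%2F, which is the only field that needs to change relative to the answer's Graph example.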