kaizenCoder

Reputation: 2229

Azure AD Go SDK daemon application list users returns "Access Token missing or malformed"

I am attempting to retrieve user details via the graph API Go SDK. I have a daemon application which has been set up with adequate permissions that I have validated via curl as shown below:

Get token

```shell
curl \
  -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data 'client_id={client_id}&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret={client_secret}&grant_type=client_credentials' \
  https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
```

Request

```shell
curl -X GET \
  -H "Authorization: Bearer XYZ...." \
  "https://graph.microsoft.com/v1.0/users"
```

I successfully get a list of users.


However, when I attempt this via the Go SDK it fails.

I have set the required environment variables for authentication as per https://github.com/Azure/azure-sdk-for-go#more-authentication-details:

- `AZURE_TENANT_ID`: Specifies the Tenant to which to authenticate.
- `AZURE_CLIENT_ID`: Specifies the app client ID to use.
- `AZURE_CLIENT_SECRET`: Specifies the app secret to use.

Code

```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac"
	"github.com/Azure/go-autorest/autorest/azure/auth"
)

func main() {
	// Builds an authorizer from AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET.
	authorizer, err := auth.NewAuthorizerFromEnvironment()
	if err != nil {
		fmt.Println(err)
		return
	}

	client := graphrbac.NewUsersClient(os.Getenv("AZURE_TENANT_ID"))
	client.Authorizer = authorizer

	if _, err := client.List(context.Background(), "", ""); err != nil {
		fmt.Println("list users", err)
	}
}
```

Error

```
list users graphrbac.UsersClient#List: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authentication_MissingOrMalformed","message":{"lang":"en","value":"Access Token missing or malformed."}}}]
```

The documentation here suggests to me that the authentication and token are handled by the auth package.

Update 1

I ran it in debug mode by setting `AZURE_GO_SDK_LOG_LEVEL=DEBUG` and found that the GET request URL is different to what I used in my curl command:

```
(2020-06-16T15:31:49.3790420+10:00) INFO: REQUEST: GET https://graph.windows.net/{tenant_id}/users?api-version=1.6
User-Agent: Go/go1.13.11 (amd64-darwin) go-autorest/v14.1.1 Azure-SDK-For-Go/v43.2.0 graphrbac/1.6
Authorization: **REDACTED**
(2020-06-16T15:31:50.5191120+10:00) INFO: RESPONSE: 401 https://graph.windows.net/{tenant_id}/users?api-version=1.6
```

If I use that URL in my curl command I get:

```
{"odata.error":{"code":"Authentication_ExpiredToken","message":{"lang":"en","value":"Your access token has expired. Please renew it before submitting the request."}}}
```

Upvotes: 0

Views: 1280

Answers (2)

Anton Yurchenko

Reputation: 619

It seems that ADAL is already deprecated although MSAL is not yet ready (in an SDK).

Azure Console: [screenshot]

microsoft-authentication-library-for-go: [screenshot]

Which means that @hury-shen answer is still valid.

Upvotes: 0

Hury Shen

Reputation: 15754

It seems the sdk uses azure ad graph api but not microsoft graph api in the backend.

Azure AD graph api shows like: https://graph.windows.net/{tenant_id}/users?api-version=1.6

Microsoft graph api shows like: https://graph.microsoft.com/v1.0/users

So you need to add the azure ad graph permissions for the application registered in your azure ad, but not add the microsoft graph permissions. Please add the permission by following the steps below:

1. Go to your application in your azure ad and click "API permissions" --> "Add a permission" --> "Azure Active Directory Graph". [screenshot]

2. Add the "Directory" permission. [screenshot]

3. Don't forget to grant admin consent for it.

Upvotes: 3
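The debug log in Update 1 and the answer above point at the same fact: the SDK talks to Azure AD Graph (`graph.windows.net`), while the curl token was requested with the Microsoft Graph scope (`https://graph.microsoft.com/.default`). An Azure AD access token is issued for one resource, recorded in its `aud` claim, and an API rejects tokens issued for a different resource with a 401 before it ever looks at the app's permissions. The Go program below, an added example that is not part of the question or either answer, decodes the `aud` claim of a token (without verifying the signature) and compares it with the host of the API URL being called, so you can tell an audience mismatch from a missing permission. The tokens it inspects are constructed inline and unsigned; the `{tenant_id}` in the issuer and URL is a placeholder. Against real tokens you would feed it the bearer value from the `Authorization` header that the SDK log redacts.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// tokenAudience returns the aud claim of a JWT access token. It only
// decodes the payload and does NOT verify the signature; the API that
// receives the token performs the real validation. Use it to see which
// resource a token was issued for before blaming the app's permissions.
func tokenAudience(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("token is not a three-part JWT")
	}
	// JWT segments are base64url without padding; tolerate padding anyway.
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return "", fmt.Errorf("decode payload: %w", err)
	}
	var claims struct {
		Aud json.RawMessage `json:"aud"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", fmt.Errorf("parse claims: %w", err)
	}
	// aud may be a single string or an array of strings.
	var single string
	if json.Unmarshal(claims.Aud, &single) == nil {
		return single, nil
	}
	var many []string
	if json.Unmarshal(claims.Aud, &many) == nil && len(many) > 0 {
		return many[0], nil
	}
	return "", errors.New("aud claim missing or not a string")
}

// audienceMatches reports whether an Azure AD token audience covers the
// host of the API URL a request is going to. Audiences are resource URIs
// such as https://graph.windows.net/ (Azure AD Graph) or
// https://graph.microsoft.com (Microsoft Graph), so hosts are compared.
// An audience given as an application ID GUID has no host and never matches.
func audienceMatches(aud, apiURL string) bool {
	a, err := url.Parse(aud)
	if err != nil || a.Host == "" {
		return false
	}
	u, err := url.Parse(apiURL)
	if err != nil {
		return false
	}
	return strings.EqualFold(a.Host, u.Host)
}

// diagnose explains, for one token and one target URL, whether a 401 is
// plausibly an audience mismatch rather than a permissions problem.
func diagnose(token, apiURL string) string {
	aud, err := tokenAudience(token)
	if err != nil {
		return "cannot read token: " + err.Error()
	}
	if audienceMatches(aud, apiURL) {
		return fmt.Sprintf("token audience %q covers %s; if it still fails, check the app's API permissions and admin consent", aud, apiURL)
	}
	return fmt.Sprintf("token audience %q does not cover %s; request a token for that resource instead", aud, apiURL)
}

// makeUnsignedToken builds a constructed JWT-shaped string for the demonstration,
// with the signature segment left empty. Real tokens are issued and signed by
// login.microsoftonline.com.
func makeUnsignedToken(aud interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := map[string]string{"alg": "RS256", "typ": "JWT"}
	claims := map[string]interface{}{
		"aud": aud,
		"iss": "https://sts.windows.net/{tenant_id}/", // placeholder tenant
	}
	return enc(header) + "." + enc(claims) + "."
}

func main() {
	// A token obtained with scope https://graph.microsoft.com/.default, as in
	// the question's curl call, carries a Microsoft Graph audience.
	tok := makeUnsignedToken("https://graph.microsoft.com")
	for _, api := range []string{
		"https://graph.microsoft.com/v1.0/users",
		"https://graph.windows.net/{tenant_id}/users?api-version=1.6",
	} {
		fmt.Println(diagnose(tok, api))
	}
}
```

Once the audience is known to match `graph.windows.net`, a remaining 401 or 403 is the permissions and consent problem the answer describes. For the SDK path, the go-autorest `auth` package also provides `NewAuthorizerFromEnvironmentWithResource`, which takes the resource URI explicitly; `NewAuthorizerFromEnvironment` otherwise picks the resource from the `AZURE_AD_RESOURCE` environment variable or its default, which is not the Azure AD Graph resource. Whichever way the token is obtained, the `aud` check above tells you which API it was actually minted for.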
