Authentication Failed while using Azure AD Bearer Token, to return list of containers [Azure Blob] [Azure AD OAuth 2.0] [REST API]

Question

I have successfully tried performing authentication using the Shared key and then make REST calls to Azure Blob. Now I am trying to Authenticate using AzureAD OAuth 2.0, to receive a Bearer token and pass that for Authentication to make REST calls. I am successfully getting the Bearer token but unable to perform authentication.

Here's the code:

const request = require("request");
require("dotenv").config();

const account = process.env.ACCOUNT_NAME || "";
const key = process.env.ACCOUNT_KEY || "";
const tenantId = process.env.AZURE_TENANT_ID || "";
const clientId = process.env.AZURE_CLIENT_ID || "";
const clientSecret = process.env.AZURE_CLIENT_SECRET || "";

const options = {
  url: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
  formData: {
    grant_type: "client_credentials",
    client_id: clientId,
    scope: "https://graph.microsoft.com/.default",
    // scope:"http://storage.azure.com/.default",
    client_secret: clientSecret,
  },
  headers: {
    "Content-Type": `application/x-www-form-urlencoded`,
  },
};

var strTime = new Date().toUTCString();

function callback(error, response, body) {
  const options = {
    url: `https://${account}.blob.core.windows.net/?comp=list`,

    headers: {
      Authorization: `Bearer ${JSON.parse(response.body).access_token}`,
      "x-ms-date": strTime,
      "x-ms-version": "2019-02-02",
    },
  };

  request(options, function (error, response, body) {
    console.log("Response is: ", response.statusCode, response.statusMessage);
  });
}

request(options, callback);

It shows Auth failed when I try to run it.

 403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.

Here are some links for Reference: Service-Service calls using client credentials, OAuth 2.0 client credentials flow

EDIT: The scope was tried for both the links, options url updated from https://login.microsoftonline.com/${tenantId}/oauth2/token to https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token

Screenshot of Access Control.

But still, the same error persists.

Answer 1

Try to change the scope with https://${account}.blob.core.windows.net/.default or https://storage.azure.com/.default.

Notes:

1. scope is supported in "v2.0". If you use v1.0, scope needs to be replaced with resource, code looks like resource: "https://${account}.blob.core.windows.net/".

2. When using formData, you must set "multipart/form-data".

3. Navigate to Azure storage -> Access control(IAM) -> Add role assignment to add a service principal to your storage account

Code:

const request = require("request");
require("dotenv").config();
const axios = require('axios');
const qs = require('qs');

const account = "";
const key = "";
const tenantId = "";
const clientId = "";
const clientSecret = "";

const postData = {
  client_id: clientId,
  scope: `https://${account}.blob.core.windows.net/.default`,
  client_secret: clientSecret,
  grant_type: 'client_credentials'
};

axios.defaults.headers.post['Content-Type'] =
  'application/x-www-form-urlencoded';

let token = '';

axios.post(`https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`, qs.stringify(postData))
  .then(response => {
    console.log(response.data);
    token = response.data.access_token;
  })
  .catch(error => {
    console.log(error);
  });