Reputation: 319
Here is what my goal is: I would like to get an access_token from within my api. Currently I am trying to get the access token using the client credentials flow:
And I successfully get a response:
But this response does nothing, because when I use the access_token as the authorization parameter in a Graph API endpoint I get an error response saying I am missing the scp or roles parameters. I have roles defined and approved by an administrator for the application. What could be the problem?
Here is the decoded jwt access_token:
{
"aud": "a********************ed5",
"iss": "https://sts.windows.net/**********4f-d6b581dd3836/",
"iat": 1660825101,
"nbf": 1660825101,
"exp": 1660829001,
"aio": "E2ZgYPits***********g8R9TAA==",
"appid": "eabbd3*************da6990ed5",
"appidacr": "1",
"idp": "https://sts.windows.net/5a8f9d89-81da-4218-884f-d6b581dd3836/",
"oid": "77e***************8085325",
"rh": "0.AYEAiZ2PWtqBGEKIT9a1gd04NuDTu-rpzyZCiMRhXaaZDtWBAAA.",
"sub": "77e4***************48085325",
"tid": "5a8f9d89-8*****************581dd3836",
"uti": "nl-kk3T*******w2ePAA",
"ver": "1.0"
}
Upvotes: 0
Views: 2260
Reputation: 22242
I tried to reproduce the same in my environment and got the below results:
I created one App Role named DemoRole for my Azure AD application like below:
Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App -> App Roles
I assigned that DemoRole to a few users like below:
Go to Azure -> Azure Active Directory -> Enterprise Applications -> Your App -> Users and groups
Now, I generated an access token with parameters like below:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id = xxxx-xxxx-xxxx
grant_type = client_credentials
client_secret = ***************
scope = api://xxxxxxx.xxxx.com/.default
Response:
When I decoded the token, I was also unable to get the roles claim, like below:
To get the roles claim in the decoded token, make sure to add your custom API permissions and grant admin consent like below:
Go to your Application -> API permissions -> Add a permission -> My APIs -> Your App Name -> Application Permissions
After granting the admin consent, I generated the access token again and got the roles claim in the decoded token like below:
Upvotes: 1
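An added example, not code from the question or the answer: it assembles the client credentials request the answer describes (scope set to the resource's `/.default`) and inspects a token's payload for the `roles` or `scp` claim that Graph requires. The sample tokens are constructed inline with a dummy signature; the decoder only reads claims and does not verify the signature, so it is a local diagnostic, not a replacement for proper token validation.

```python
import base64
import json
from urllib.parse import urlencode

# Authorization claims Microsoft Graph looks for on an Azure AD access token:
# "roles" carries application permissions (client credentials flow),
# "scp" carries delegated permissions (user-based flows).
AUTHZ_CLAIMS = ("roles", "scp")


def build_client_credentials_request(tenant, client_id, client_secret, resource_app_id_uri):
    """Return (token_endpoint, form_body) for the v2.0 client credentials grant.
    The scope must be '<resource App ID URI>/.default'; the issued token then
    carries the app's admin-consented application permissions in 'roles'."""
    endpoint = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": f"{resource_app_id_uri}/.default",
    })
    return endpoint, body


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(access_token):
    """Decode the payload of a compact JWS WITHOUT verifying the signature.
    Fine for inspecting claims locally; a resource server must still verify
    signature, issuer, audience and expiry before trusting the token."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_authorization_claims(access_token):
    """Return the authorization claims present on the token. An empty dict is
    the situation in the question: no app permission was granted/consented,
    so Graph rejects the token as missing scp or roles."""
    claims = decode_claims(access_token)
    return {name: claims[name] for name in AUTHZ_CLAIMS if claims.get(name)}


def _make_token(payload):
    # Constructed sample token: real header/payload encoding, dummy signature.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(payload)}.dummysig"


TOKEN_NO_ROLES = _make_token({"aud": "api://example.com", "appid": "client-id", "ver": "1.0"})
TOKEN_WITH_ROLES = _make_token({"aud": "api://example.com", "appid": "client-id", "roles": ["DemoRole"]})
```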