s0Nic

Reputation: 97

Microsoft identity platform and OAuth 2.0 authorization

I am attempting to authenticate with an API using OAuth 2.0 in order to generate a bearer token that will allow me to execute API calls. This has to be done in PowerShell.

Status quo:

To execute an API call I currently have to use the Swagger authorization (picture below).

[Image: Swagger Auth]

I select the scope via checkbox and click on authorize.

Result:

[Image: Swagger Auth successful (step 1)]

Now I am able to generate a bearer token via a Swagger API call. With this token I can execute all the necessary actions.

I don't want to create a bearer token manually every time and copy this token into a PS script. With this script all the API calls are executed.

This is working perfectly with the bearer token copied from the action above.

Reached so far:

I got all information for the API like client_id, tenantID, client_secret, scope, redirect_url, ...

With this information I generated a bearer token with PS.

Script:

Connect-AzAccount

# Collect all tenants
$allTenants = Get-AzTenant

# Filter for the right tenant
$targetTenant = $allTenants | Where-Object { $_.Name -eq "XXX" }

# Check whether the tenant has been found
if ($null -ne $targetTenant) {
    $tenantName = $targetTenant.Name
    $tenantId = $targetTenant.Id
    #Write-Output "The tenant named '$tenantName' has the ID '$tenantId'."
} else {
    #Write-Output "The tenant named 'XXX' was not found."
    throw "Tenant 'XXX' not found; cannot build the token endpoint without a tenant ID."
}

$TokenEndpoint = "https://login.microsoftonline.com/" + $tenantId + "/oauth2/v2.0/token"

# Client-credentials grant: app-only token, no signed-in user involved
$BodyBearer = @{
    grant_type    = "client_credentials"
    client_id     = "XXX..."
    client_secret = "XXX..."
    scope         = "api://XXX.../.default"
}

$TokenResponse = Invoke-RestMethod -Uri $TokenEndpoint -Body $BodyBearer -Method Post
$token = $TokenResponse.access_token

This is working and I get the bearer token.

The issue arises when I use this token in a call; the error returned is: "Not authenticated!"

I have researched various methods of authentication, such as using an auth_code (PKCE) with user_credentials, among others.

I assume that I have to complete this in two steps:

  1. Authenticate (https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize)
  2. Create bearer (https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token)

First I tried it with auth_code via this link:

"https://login.microsoftonline.com/mytenant_id/oauth2/v2.0/authorize?response_type=code&client_id=XXX&redirect_uri=http://localhost:5000/docs/oauth2-redirect&scope=api://XXX/XXX&code_challenge=XXX&code_challenge_method=S256"

We got a code back:

0.ATsAD_kXDqOIk0-l18yEfP8wfhy2yu-....

I attempted the method using this code:

$Body = @{
    # Telling Azure AD that we're using the auth code flow
    grant_type    = 'authorization_code'
    client_id     = "XXX..."
    client_secret = "XXX..."
    scope         = "api://XXX.../.default"
    # The code from the browser from the previous step
    code          = '0.ATs....'
    code_verifier = "XXX...."   # the verifier the code_challenge was generated from
}
try {
    $antwort = Invoke-RestMethod 'https://login.microsoftonline.com/tenant_id/oauth2/v2.0/token' -Method POST -Body $Body -ContentType 'application/x-www-form-urlencoded'
} catch {
    $textBoxOutput = "Error during API request: $_"
}

Error message:

Error during API request: {"error":"invalid_client","error_description":"AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented.

Took out the client_secret and got another error message:

Error during API request: {"error":"invalid_request","error_description":"AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests.

I've been attempting to resolve the issue but haven't found a solution yet.

In sheer desperation, I also tried different authentication methods, but as expected due to the Swagger note "auth method = Auth_code with PKCE," there were no results.

I've been working on this problem for days; what am I doing incorrectly? Could someone please assist me with this issue?

Thank you in advance.

Upvotes: 0

Views: 403

Answers (2)

Sadri Stojkaj

Reputation: 1

You forgot the header and the origin: $headers = @{ "Origin" = $origin }

Upvotes: 0

s0Nic

Reputation: 97

Ok... figured out that my API was configured as SPA (Single-Page Application) in Azure. (The error message ...)

Reconfigured to "Web", everything is working fine.

thanks anyway :D

Upvotes: 0
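Putting the thread's resolution together as an added example (not code from the post or from Microsoft): the authorization-code + PKCE flow in PowerShell, with the code_challenge derived from the code_verifier the way the token endpoint checks it, a state value to detect a forged redirect, and the token used in the Authorization header. It assumes an app registration of client type "Web" (so client_secret is sent) and placeholder tenant, client, scope, redirect and API-host values.

```powershell
# Added example, not from the original post. Placeholders in <...> are assumptions.
$TenantId     = "<tenant-id>"
$ClientId     = "<client-id>"
$ClientSecret = "<client-secret>"          # only for a "Web" (confidential) registration
$Scope        = "api://<api-client-id>/.default"
$RedirectUri  = "http://localhost:5000/docs/oauth2-redirect"   # must be registered on the app

# PKCE: 32 random bytes -> base64url verifier (43 chars); challenge = base64url(SHA256(verifier))
function ConvertTo-Base64Url([byte[]] $Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$verifierBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($verifierBytes)
$CodeVerifier  = ConvertTo-Base64Url $verifierBytes
$sha256        = [System.Security.Cryptography.SHA256]::Create()
$CodeChallenge = ConvertTo-Base64Url ($sha256.ComputeHash([Text.Encoding]::ASCII.GetBytes($CodeVerifier)))

# Step 1: /authorize in the browser. 'state' is random and must come back unchanged.
$State = [guid]::NewGuid().ToString("N")
$AuthorizeUrl = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/authorize?" +
    "response_type=code&client_id=$ClientId&scope=$([uri]::EscapeDataString($Scope))" +
    "&redirect_uri=$([uri]::EscapeDataString($RedirectUri))&state=$State" +
    "&code_challenge=$CodeChallenge&code_challenge_method=S256"
Start-Process $AuthorizeUrl    # sign in; the browser lands on $RedirectUri?code=...&state=...

# Step 2: redeem the code at /token with the SAME verifier that produced the challenge.
$Code          = Read-Host "Paste the 'code' query parameter from the redirect URL"
$ReturnedState = Read-Host "Paste the 'state' query parameter from the redirect URL"
if ($ReturnedState -ne $State) { throw "state mismatch: redirect was not for this request" }
$TokenBody = @{
    grant_type    = "authorization_code"
    client_id     = $ClientId
    client_secret = $ClientSecret   # drop this key for a public client (see AADSTS700025 above)
    scope         = $Scope
    code          = $Code
    redirect_uri  = $RedirectUri    # must equal the redirect_uri sent in step 1
    code_verifier = $CodeVerifier
}
$TokenResponse = Invoke-RestMethod -Method Post -ContentType "application/x-www-form-urlencoded" `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $TokenBody

# Step 3: call the API with the user-delegated access token as a Bearer header.
$Headers = @{ Authorization = "Bearer $($TokenResponse.access_token)" }
Invoke-RestMethod -Method Get -Uri "https://<api-host>/<endpoint>" -Headers $Headers
```

The token from step 2 carries the signed-in user, unlike the client_credentials token in the question, which is why an API that checks for a user context accepts one and not the other.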
