Menu
I have a WPF application that have to call an http-trigger function which is secured via Azure Active Directory. While trying to retrieve a bearer token for further calls I get following response (no matter if I do it via postman or code):
AADSTS90014: The required field 'scope' is missing
I read ton of different articles and blog posts explaining how to secure an http-trigger function with Azure AD and retrieve a bearer token via rest request. Following one of those articles which I thought fits best to my needs I created the full setup of azure function app, azure function, azure AD configuration and app registrations.
After that I just wanted to use the azure function by sending the bearer token and some other parameters and get the result but I got stuck in retrieving the bearer token.
Code (just in case):
var restClient = new RestClient("https://login.microsoftonline.com/{myTenant}/oauth2/v2.0/token");
var restRequest = new RestRequest(Method.POST);
restRequest.AddHeader("content-type", "application/x-www-form-urlencoded");
restRequest.AddParameter("grant_type", "client_credentials", ParameterType.GetOrPost);
restRequest.AddParameter("client_id", "{app id from azure ad app}", ParameterType.GetOrPost);
restRequest.AddParameter("client_secret", "{generated secret}", ParameterType.GetOrPost);
restRequest.AddParameter("ressource", "https://{somefunctionname}.azurewebsites.net", ParameterType.GetOrPost);
var restResponse = restClient.Execute(restRequest);
Postman body parameters (x-www-form-urlencoded):
grant_type = "client_credentials"
client_id = {app id from azure ad app}
client_secret = {generated secret}
ressource = "https://somefunctionname.azurewebsites.net"
and the Url I use to get the token:
https://login.microsoftonline.com/{myTenant}/oauth2/v2.0/token
So having a detailed look on the situation I have two major questions:
969
According to the information you provided, I think you want to use Azure AD v2.0 to access the function protected by Azure AD. If so, since you use Azure AD v2.0, you need to update resource to scope. And the vaule of scope should be ```{app id URI}/.default. For more details, please refer to OAuth 2.0 client credentials flow.
Regarding how to get the access token, please refer to the following steps.
Register a client to access web api
a. Register a new Azure AD application
b. configure permissions
c. Create a new secret
d. get the app id url
Code
var client = new RestClient("https://login.microsoftonline.com/<your tenant>/oauth2/v2.0/token");
var request = new RestRequest(Method.POST);
request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
request.AddParameter("grant_type", "client_credentials", ParameterType.GetOrPost);
request.AddParameter("client_id", "your app id", ParameterType.GetOrPost);
request.AddParameter("client_secret", "your app secret", ParameterType.GetOrPost);
request.AddParameter("scope", "<your app id url>/.default", ParameterType.GetOrPost);
IRestResponse response = client.Execute(request);
Result:
193
As the above answer mentioned for azure AD v2 you dont get a token against a resource but a scope. Either change your authority to https://login.microsoftonline.com/{myTenant}/oauth2/token then you can use the v1 endpoint and can get the token against your resource
otherwise you either use the default scope as mentioned in the above answer or you can go the the azure portal and go to the app registration page and navigate to the Expose an API section and then check if any scope already exists you can use that, if not create one
Also make sure https://{somefunctionname}.azurewebsites.net is your app id URI
22
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
