How to specify Resource URI when acquiring access token for Azure AD V2 endpoint?

I have used ADAL.js in a previous project which supported only work accounts and am able to successfully acquire ID tokens and then access tokens to an API (ResourceURI: "https://myresource.com"). Works fine.

Now, I am trying to use MSAL.js for another project because there I need to support both work accounts (aad auth) and personal "Microsoft Accounts" (MSA). I am running into problems now trying to do the same thing as in my ADAL project.

The concept of "Resource" has seemingly vanished from AAD V2. So how does one specify the Resource URL when acquiring an access token to the target API, so that the resulting access token contains the ResourceURI in the AUD claim (which will be enforced by the API I am calling)?

If I force add the Resource querystring parameter, thusly:

msalapp.acquireTokenSilent([], null, null, "resource=https%3A%2F%2Fmyresource.com")

I get the following error:

AADSTS901002: The 'resource' request parameter is not supported.

Documentation says to use SCOPE instead. But using:

msalapp.acquireTokenSilent(['https://myresource.com'])

results in:

AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope https://myresource.com openid profile is not valid. The scope format is invalid. Scope must be in a valid URI form <https://example/scope> or a valid Guid <guid/scope>..

So: how do I specify the Resource URI when acquiring the access tokens when working with the v2 endpoint via MSAL.js? Sorry the (usually pretty good) MSDN articles are not useful at all in this case...

Sat Thiru asked Nov 30 '18 06:11
1 Answer

In Azure AD v2.0 you need to use scopes, not resources.

If you have a resource, and want to get a token for all the permissions, you can use: https://myresource.com/.default

You can also be more fine-grained: more information is available from https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Adal-to-Msal#scopes-for-a-v10-application (this is in C#, but the translation is straightforward).

Jean-Marc Prieur answered Sep 25 '22 09:09
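The scope-based approach from the answer, worked through as an added example (this is not code from the question, the answer, or the MSAL.js project). It maps an ADAL-style resource URI to v2.0 scope strings, checks them against the scope shape the AADSTS70011 error describes (an https URI or a GUID followed by "/permission"), acquires a token through an injected MSAL-style client, and shows the `aud` check the called API performs. The `msalClient` methods (`acquireTokenSilent(scopes)` / `acquireTokenPopup(scopes)` returning a Promise of the raw token, mirroring the calls in the question), the `fakeClient`, and the sample token are assumptions constructed for the demonstration; run it with Node.

```javascript
// Added example, not the question's or answer's code. Maps an ADAL-style
// resource URI to Azure AD v2.0 scopes, validates them, acquires a token via
// an assumed MSAL.js-style client, and checks the token's `aud` on the API side.

// Scope shape from the AADSTS70011 message: "<https URI>/<permission>" or
// "<guid>/<permission>". Whitespace (e.g. "openid profile" glued on) is rejected.
const SCOPE_RE =
  /^(?:https:\/\/[^\s\/]+(?:\/[^\s\/]+)*|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\/[^\s\/]+$/i;

function isValidScope(scope) {
  return SCOPE_RE.test(scope);
}

// Build v2.0 scope strings from the resource URI ADAL used. With no explicit
// permissions, "<resource>/.default" asks for everything the app has been
// granted on that resource, as the answer suggests.
function resourceToScopes(resourceUri, permissions = []) {
  const base = resourceUri.replace(/\/+$/, '');
  const scopes = permissions.length === 0
    ? [`${base}/.default`]
    : permissions.map((p) => `${base}/${p}`);
  for (const s of scopes) {
    if (!isValidScope(s)) throw new Error(`invalid v2.0 scope: ${s}`);
  }
  return scopes;
}

// Acquire an access token for the API: silent first, interactive fallback.
// `msalClient` is an assumption: MSAL.js 0.x-style acquireTokenSilent(scopes)
// and acquireTokenPopup(scopes), each resolving to the raw access token.
async function acquireApiToken(msalClient, resourceUri, permissions = []) {
  const scopes = resourceToScopes(resourceUri, permissions);
  try {
    return await msalClient.acquireTokenSilent(scopes);
  } catch (err) {
    // Silent renewal fails when sign-in or consent is needed; prompt the user.
    return msalClient.acquireTokenPopup(scopes);
  }
}

// API side: decode the JWT payload and compare `aud` with the expected resource.
// This is only the audience check the question mentions; a real API must also
// verify the signature, issuer and expiry before trusting any claim.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function audienceMatches(jwt, expectedResource) {
  const aud = decodeJwtPayload(jwt).aud;
  const auds = Array.isArray(aud) ? aud : [aud];
  return auds.some((a) => a === expectedResource);
}

// Constructed sample token for the demonstration: base64url header and payload
// with a placeholder third segment instead of a real signature.
function sampleJwt(aud) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc({ aud, scp: 'user.read' })}.placeholder`;
}

// Constructed fake client: silent acquisition fails once so the interactive
// fallback path is exercised; the "issued" token's aud is the scope's resource.
const fakeClient = {
  acquireTokenSilent: async () => { throw new Error('interaction_required'); },
  acquireTokenPopup: async (scopes) => sampleJwt(scopes[0].replace(/\/[^/]+$/, '')),
};

acquireApiToken(fakeClient, 'https://myresource.com').then((token) => {
  console.log('scopes requested:', resourceToScopes('https://myresource.com'));
  console.log('aud matches resource:', audienceMatches(token, 'https://myresource.com'));
});
```

Passing the bare resource URI as a scope, as the question did, fails `isValidScope` for the same reason Azure AD rejected it: the v2.0 endpoint wants "<resource>/<permission>", and "/.default" is the permission that stands in for "all granted permissions" on that resource.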