OAuth integration with O365 fails with error AADSTS65005

We have a web site (built on a php framework) where we provide online educational tools for teachers/students. We have done an OAuth integration with google.com where users can 'sign up' and 'sign in' to our site using their google accounts (could be a personal gmail account, or a member of a google apps domain).

We are trying to do a similar integration with O365 where our website can ask O365 for the user's email and first/last names so we can create an account for them on our site, and once the account is created, log them in. We have created an Application listing in Azure -> Active Directory, and have generated the client ID and secret, and plugged them into our PHP code. The OAuth workflow described here works up until the point where I try to request the access token using a POST request to https://login.windows.net/common/oauth2/token. It redirects back to my redirect_uri but instead of giving me the auth code, it gives me these params in the URL:

[error] => access_denied
[error_description] => AADSTS65005: The client application has requested access to resource 'https://outlook.office365.com/'. This request has failed because the client has not specified this resource in its requiredResourceAccess list.
Trace ID: xxxxxx
Correlation ID: xxxxxx
Timestamp: 2014-09-29 06:28:25Z
[state] => xxxxxx

All I need is for O365 to give me the user's email and f/l names. Surely there's a quick fix for this that I am missing?

user2950957 asked Sep 29 '14 06:09




1 Answer

By default, a registered app is configured to request "Read the user's profile", which once consented to by the user, allows the app to get a user token (id token if using OpenID Connect) and read the signed in user's profile (including their mail address or addresses) when calling the Azure AD Graph API. Apps secured by Azure AD must currently configure the permission scopes they require up front (as part of the app registration experience, under the "Permissions to other applications" section). Here it looks like you've specified Outlook.com as the resource that you'd like a code and access token for, but your app is not configured to allow access to O365 Outlook.com/Exchange Online.

Please try setting the resource in your request to Azure AD - https://graph.windows.net/. That should work for you. You can then swap the code for an access token to call the Azure AD Graph API.

Hope this helps

Dan Kershaw - MSFT answered Sep 27 '22 16:09
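The fix in the answer comes down to one request parameter: the `resource` sent to the Azure AD v1 endpoints must be one the app registration has a permission for. The following is an added example (not the asker's PHP code and not Microsoft sample code) that builds the authorize URL and the token POST body with `resource=https://graph.windows.net/`, and parses the query string Azure AD appends to `redirect_uri` so that an AADSTS65005 rejection is recognised and reported rather than silently treated as a failed login. The client ID, redirect URI, state and callback URL are constructed placeholders; the functions only build and parse messages and do no HTTP, so they run offline.

```python
"""Azure AD v1 authorization-code flow helpers (added example; assumptions noted)."""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://login.windows.net/common/oauth2/authorize"
TOKEN_URL = "https://login.windows.net/common/oauth2/token"

# Resource the question used; AAD rejected it with AADSTS65005 because the app
# registration had no permission for Exchange Online / Outlook.
OUTLOOK_RESOURCE = "https://outlook.office365.com/"
# Resource the answer recommends: the default "Read the user's profile"
# permission covers the Azure AD Graph API, which returns mail and names.
AAD_GRAPH_RESOURCE = "https://graph.windows.net/"


def new_state():
    """Unguessable per-login state; stored server-side and checked on callback."""
    return secrets.token_urlsafe(16)


def build_authorize_url(client_id, redirect_uri, state, resource=AAD_GRAPH_RESOURCE):
    """Browser redirect that starts the code flow for the given resource."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "resource": resource,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def build_token_request(client_id, client_secret, code, redirect_uri,
                        resource=AAD_GRAPH_RESOURCE):
    """Form body for the POST to TOKEN_URL that swaps the code for an access token.

    The resource here must match the one used in the authorize request.
    """
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "resource": resource,
    }


def parse_callback(callback_url, expected_state):
    """Interpret the query string AAD appended to redirect_uri.

    Returns {"code": ...} on success or {"error", "aadsts", "description"} on a
    rejection. The state check discards callbacks we did not initiate instead
    of exchanging a code an attacker could have planted in the URL.
    """
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: ignoring callback")
    if "error" in q:
        desc = q.get("error_description", [""])[0]
        # AAD puts its error code first, e.g. "AADSTS65005: The client application ..."
        aadsts = desc.split(":", 1)[0] if desc.startswith("AADSTS") else None
        return {"error": q["error"][0], "aadsts": aadsts, "description": desc}
    return {"code": q["code"][0]}


def diagnose(result):
    """Turn a parsed callback into an operator-facing message."""
    if "code" in result:
        return "ok"
    if result["aadsts"] == "AADSTS65005":
        return ("resource not in app's requiredResourceAccess: request "
                f"resource={AAD_GRAPH_RESOURCE} or add the permission under "
                "'Permissions to other applications' in the app registration")
    return f"authorization failed: {result['error']}"


# Constructed callback mirroring the error in the question (placeholder host/state).
CONSTRUCTED_ERROR_CALLBACK = "https://example.invalid/cb?" + urlencode({
    "error": "access_denied",
    "error_description": (
        "AADSTS65005: The client application has requested access to resource "
        "'https://outlook.office365.com/'. This request has failed because the "
        "client has not specified this resource in its requiredResourceAccess list."
    ),
    "state": "abc123",
})

if __name__ == "__main__":
    print(build_authorize_url("client-id-placeholder", "https://example.invalid/cb", new_state()))
    print(diagnose(parse_callback(CONSTRUCTED_ERROR_CALLBACK, "abc123")))
```

Sending the same `resource` in both the authorize and token requests matters: the token endpoint will not issue a token for a resource the code was not minted for, and a missing permission surfaces as AADSTS65005 at the first step, which is exactly the redirect the question shows.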