I'm following this guide to authenticate with Microsoft Graph. I am able to successfully do the first request (for an authorization code) but am having issues with the second request (requesting an access token).
Params for the second request (for access token):
client_id: <my id>
client_secret: <my secret>
code: <authorization code returned from first request>
redirect_uri: http://localhost:8080/Callback
grant_type: authorization_code
scope: https://graph.microsoft.com/user.read
Error from second request:
{
"error": "invalid_resource",
"error_description": "AADSTS50001: Resource identifier is not provided.\r\nTrace ID: <my trace id>\r\nCorrelation ID: <my correlation id>\r\nTimestamp: 2017-05-03 15:25:42Z",
"error_codes": [
50001
],
"timestamp": "2017-05-03 15:25:42Z",
"trace_id": <my trace id>,
"correlation_id": <my correlation id>
}
However, my request works fine (returns a bearer and refresh token) if I add this extra parameter:
resource: https://graph.microsoft.com/
I don't see this resource parameter mentioned anywhere in the docs except the example under Getting an access token on this page.
My questions are:
EDIT: See Marc's answer below and my comment response.
Turns out I was using the following URLs:
https://login.microsoftonline.com/common/oauth2/authorize
https://login.microsoftonline.com/common/oauth2/token
when I should have been using:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
https://login.microsoftonline.com/common/oauth2/v2.0/token
After using the ones with v2.0
, I didn't need to include my resource
parameter in the token request anymore.
An authorization server can also be the resource server. Access token. A string that represents authorization granted to the OAuth client by the resource owner. This string represents specific scopes and durations of access. It is granted by the resource owner and enforced by the OAuth server.
A resource server validates such a token by making a call to the authorisation server's introspection endpoint. The token encodes the entire authorisation in itself and is cryptographically protected against tampering. JSON Web Token (JWT) has become the defacto standard for self-contained tokens.
Contents. Data Parameter tokens provide a shortcut to a column of data in a data set (Figure 12.40). Figure 12.40 - Data Parameter Tokens. Data Parameter tokens are normally used for evaluating numeric data from a parameter in a custom token, for instance, the mean value of a particular parameter (Figure 12.41).
It looks like your providing the correct properties but not in the correct format. To get the token you need to issue a POST this data formatted for application/x-www-form-urlencoded
to https://login.microsoftonline.com/common/oauth2/v2.0/token
. From your example, it looks like your sending your data as JSON
rather than x-www-form-urlencoded
.
POST URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
POST HEADER: Content-Type: application/x-www-form-urlencoded
POST BODY: grant_type=authorization_code&code=[AUTHORIZATION CODE]&
client_id=[APPLICATION ID]&client_secret=[PASSWORD]
&scope=[SCOPE]&redirect_uri=[REDIRECT URI]
I wrote up a Microsoft v2 Endpoint Primer a few months back that might help walk you through the procedure.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With