I am implementing an OAuth2 provider for OWIN and Azure Active Directory. FWIW, at this time the OpenId Connect option doesn't fit the requirements for this work.
I get an auth code, am returned to my reply URL with the auth_code and state, and make the request for a token to "scheme://login.windows.net/{myguid}/oauth2/token".
// Build up the body for the token request
var body = new List<KeyValuePair<string, string>>();
body.Add(new KeyValuePair<string, string>("grant_type", "authorization_code"));
body.Add(new KeyValuePair<string, string>("code", code));
body.Add(new KeyValuePair<string, string>("redirect_uri", redirectUri));
body.Add(new KeyValuePair<string, string>("client_id", Options.ClientId));
body.Add(new KeyValuePair<string, string>("client_secret", Options.ClientSecret));
// Request the token
HttpResponseMessage tokenResponse =
await httpClient.PostAsync(TokenEndpoint, new FormUrlEncodedContent(body));
// Read the body before checking the status so the AADSTS error JSON is captured even when the request fails
string text = await tokenResponse.Content.ReadAsStringAsync();
tokenResponse.EnsureSuccessStatusCode();
I get this error:
{"error":"invalid_resource","error_description":"AADSTS50001: Resource identifier is not provided.
Trace ID: 227f2af8-0837-4f22-ac0f-a09b3f9a6d50
Correlation ID: 3d783f11-44d0-4efa-8831-3dd581d653ed
Timestamp: 2014-08-08 21:59:49Z","error_codes":[50001],"timestamp":"2014-08-08 21:59:49Z","trace_id":"227f2af8-0837-4f22-ac0f-a09b3f9a6d50","correlation_id":"3d783f11-44d0-4efa-8831-3dd581d653ed"}
OK, I add the resource option:
// Build up the body for the token request
var body = new List<KeyValuePair<string, string>>();
body.Add(new KeyValuePair<string, string>("grant_type", "authorization_code"));
body.Add(new KeyValuePair<string, string>("code", code));
body.Add(new KeyValuePair<string, string>("redirect_uri", redirectUri));
body.Add(new KeyValuePair<string, string>("client_id", Options.ClientId));
body.Add(new KeyValuePair<string, string>("client_secret", Options.ClientSecret));
body.Add(new KeyValuePair<string, string>("resource", "https://myappid"));
{"error":"invalid_request","error_description":"AADSTS90027: The client 'xxxxx' and resource 'https://myappid' identify the same application.
Trace ID: 6c77f123-d75f-43a9-8117-b3f372891ee4
Correlation ID: d9081f8b-b690-4478-bf15-55325a9736ec
Timestamp: 2014-08-08 21:48:34Z","error_codes":[90027],"timestamp":"2014-08-08 21:48:34Z","trace_id":"6c77f123-d75f-43a9-8117-b3f372891ee4","correlation_id":"d9081f8b-b690-4478-bf15-55325a9736ec"}
So I must have the correct app id associated with my client id. Hrrmph! I am clearly doing something wrong but just can't seem to see it. Any suggestions?
The way to validate the authenticity of the JWT token's data is to use Azure AD's public key to verify the signature: https://login.microsoftonline.com/{tenant_id}/discovery/keys?appid={client_id}, and verify against the private key generated by the Azure AD token.
You can also use the What If tool to troubleshoot Conditional Access policies. If you need to submit a support incident, provide the request ID and time and date from the sign-in event in the incident submission details. This information will allow Microsoft support to find the specific event you're concerned about.
The default lifetime of the token is 1 hour.
I had the same problem; I just wanted to implement a user login.
After trying 1000 things (with this post amongst others) I found out that I can use the Microsoft.Azure.ActiveDirectory id as the resource parameter. This way I don't have to create a second app.
http://blogs.msdn.com/b/besidethepoint/archive/2012/10/23/getting-started-with-azure-active-directory.aspx
nameValuePairs.add(new BasicNameValuePair("resource", "00000002-0000-0000-c000-000000000000"));
and got the token
UPDATE:
Azure support suggested that I use https://graph.windows.net/ :
nameValuePairs.add(new BasicNameValuePair("resource", "https://graph.windows.net/"));
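The exchange the question and this answer describe, as an added example that is not code from the question, the answers or any Microsoft library. It is written in Python rather than the question's C# so it can be run stand-alone: it builds the v1 authorization-code token request with the `resource` form field the answers settled on, runs two local pre-flight checks that mirror AADSTS50001 and AADSTS90027 before any round trip, parses the AADSTS error body into the fields worth quoting to support, and reads a token's lifetime from its (unverified) payload. The tenant ID, client ID, secret, redirect URI, `own_app_ids` list and the sample JWT are placeholders or constructed; the sample error body is the one quoted in the question.

```python
"""Added example: Azure AD v1 authorization-code token request with `resource`,
AADSTS error triage, and token lifetime read-out. Not from the original post."""
import base64
import json
import re
import urllib.error
import urllib.parse
import urllib.request

TENANT_ID = "00000000-0000-0000-0000-000000000000"      # assumed placeholder tenant
TOKEN_ENDPOINT = f"https://login.windows.net/{TENANT_ID}/oauth2/token"
GRAPH_RESOURCE = "https://graph.windows.net/"            # resource suggested by Azure support above

# The two AADSTS codes seen on this page and the fix each one points at.
AADSTS_HINTS = {
    50001: "no `resource` field: name the API the token is for (e.g. https://graph.windows.net/)",
    90027: "`resource` names the client itself: point it at the API to be called, not at your own app",
}


def preflight(resource, client_id, own_app_ids=()):
    """Predict the AADSTS code AAD would return for this resource, or None if it looks fine.
    own_app_ids: the client's own App ID URI(s); AAD refuses a resource equal to the client."""
    if not resource:
        return 50001
    own = {a.rstrip("/") for a in (client_id, *own_app_ids)}
    if resource.rstrip("/") in own:
        return 90027
    return None


def build_token_request(code, redirect_uri, client_id, client_secret, resource, own_app_ids=()):
    """Return (endpoint, form-encoded body bytes) for the v1 authorization-code grant."""
    predicted = preflight(resource, client_id, own_app_ids)
    if predicted is not None:
        raise ValueError(f"AADSTS{predicted} ahead: {AADSTS_HINTS[predicted]}")
    form = [
        ("grant_type", "authorization_code"),
        ("code", code),
        ("redirect_uri", redirect_uri),    # must match the redirect_uri used on the authorize request
        ("client_id", client_id),
        ("client_secret", client_secret),  # confidential client credential: keep it out of logs
        ("resource", resource),            # the field whose absence produced AADSTS50001
    ]
    return TOKEN_ENDPOINT, urllib.parse.urlencode(form).encode("ascii")


def parse_aad_error(body_text):
    """Extract the AADSTS code, first message line, trace/correlation IDs and timestamp
    from an error response: these are what a support incident needs, not the whole body."""
    doc = json.loads(body_text)
    codes = doc.get("error_codes") or []
    code = codes[0] if codes else None
    first_line = re.split(r"\r?\n", doc.get("error_description", ""))[0]
    return {
        "error": doc.get("error"),
        "aadsts": code,
        "message": first_line,
        "hint": AADSTS_HINTS.get(code, "unrecognised code; look it up in the AADSTS reference"),
        "trace_id": doc.get("trace_id"),
        "correlation_id": doc.get("correlation_id"),
        "timestamp": doc.get("timestamp"),
    }


def request_token(endpoint, body):
    """POST the form; on an HTTP error return the parsed AADSTS diagnosis instead of raising."""
    req = urllib.request.Request(endpoint, data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        return {"failed": parse_aad_error(exc.read().decode("utf-8"))}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_lifetime_seconds(jwt):
    """Read exp - iat from the payload for diagnostics only. This does NOT verify the
    signature; never base an authorization decision on claims read this way."""
    claims = json.loads(_b64url_decode(jwt.split(".")[1]))
    return claims["exp"] - claims["iat"]


# Error body quoted from the question above (AAD separates the description lines with CRLF).
SAMPLE_ERROR_50001 = (
    '{"error":"invalid_resource","error_description":"AADSTS50001: Resource identifier is not '
    'provided.\\r\\nTrace ID: 227f2af8-0837-4f22-ac0f-a09b3f9a6d50\\r\\nCorrelation ID: '
    '3d783f11-44d0-4efa-8831-3dd581d653ed\\r\\nTimestamp: 2014-08-08 21:59:49Z",'
    '"error_codes":[50001],"timestamp":"2014-08-08 21:59:49Z",'
    '"trace_id":"227f2af8-0837-4f22-ac0f-a09b3f9a6d50",'
    '"correlation_id":"3d783f11-44d0-4efa-8831-3dd581d653ed"}'
)

# Constructed, unsigned JWT (placeholder signature segment); iat is the question's timestamp
# and exp is one hour later, the default lifetime mentioned above.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()),
    _b64url(json.dumps({"aud": GRAPH_RESOURCE, "iat": 1407535189, "exp": 1407538789}).encode()),
    "placeholder-signature",
])

if __name__ == "__main__":
    diag = parse_aad_error(SAMPLE_ERROR_50001)
    print(diag["aadsts"], diag["hint"], diag["trace_id"])
    endpoint, body = build_token_request("code-from-redirect", "https://localhost/signin-aad",
                                         "client-id", "client-secret", GRAPH_RESOURCE)
    print(endpoint, body)
    print(token_lifetime_seconds(SAMPLE_TOKEN))
```

`request_token` is the only part that touches the network; everything else runs offline, which is also where the pre-flight belongs in a middleware: rejecting a `resource` that is empty or equal to the client's own identifier locally avoids burning an authorization code on a request AAD will refuse anyway.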