I've been playing around with this and thought it would be worthwhile to document the journey.
I have a web application in Azure AD and this application calls a web API.
The web application has permission to call the web API.
I want to use the implicit grant.
This is not supported out of the box; the first attempt fails with:
AADSTS70005: response_type 'token' is not supported for the application
You need to update the application manifest (the property is oauth2AllowImplicitFlow, which must be set to true) as per ADAL JS - response_type="token" is not supported.
After sorting that out, my first call was:
https://login.microsoftonline.com/[tenant id]/oauth2/authorize?client_id=[client id]&response_type=token&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
This resulted in:
http://localhost/myapp/#error=invalid_resource&error_description=AADSTS50001%3a+Resource+identifier+is+not+provided...
OK - so I need a "resource" parameter - let's make it the same as the redirect URI.
https://login.microsoftonline.com/[tenant id]/oauth2/authorize?client_id=[client id]&response_type=token&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&resource=http%3A%2F%2Flocalhost%2Fmyapp%2F
This resulted in:
http://localhost/myapp/#error=invalid_resource&error_description=AADSTS50001%3a+The+application+named+http%3a%2f%2flocalhost%2fmyapp%2f+was+not+found+in+the+tenant+named+[tenant id]/++This+can+happen+if+the+application+has+not+been+installed+by+the+administrator+of+the+tenant+or+consented+to+by+any+user+in+the+tenant.++You+might+have+sent+your+authentication+request+to+the+wrong+tenant....
So maybe I need the "APP ID URI" of the web application?
https://login.microsoftonline.com/[tenant id]/oauth2/authorize?client_id=[client id]&response_type=token&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&resource=https://www.getpostman.com/oauth2/callback
This resulted in:
http://localhost/myapp/#error=invalid_request&error_description=AADSTS90027%3a+The+client+%[client id]%27+and+resource+%27https%3a%2f%2fwww.getpostman.com%2foauth2%2fcallback%27+identify+the+same+application...
Aha - so maybe I need the "APP ID URI" of the web API?
https://login.microsoftonline.com/[tenant id]/oauth2/authorize?client_id=[client id]&response_type=token&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&resource=https://xxx.onmicrosoft.com/xxxService
This resulted in:
http://localhost/myapp/#access_token=eyJ...Cpw&token_type=Bearer&expires_in=3599&session_state=6e7...203
Bingo!
I've obviously over-egged this a bit but you can see how you can work through the issues and figure out what's wrong based on the error messages.
The errors you get back from Azure AD are an order of magnitude better than they used to be :-)
Note that the implicit grant does not return a refresh token because the browser has no means of keeping it private. The access token itself comes back in the URL fragment, where anything that can read the page URL (browser history, scripts on the page) can see it, which is why it is short-lived (expires_in=3599, i.e. one hour) and why current OAuth guidance prefers the authorization code flow with PKCE for browser apps over the implicit grant.
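To make the trial-and-error above mechanical, here is an added example (not code from the original post or from ADAL JS) that builds the authorize URL with every parameter percent-encoded and then parses whatever lands on the redirect URI, distinguishing an AADSTS error from a token. It also sends and checks a `state` value, which the post's requests do not include but which is the standard OAuth guard against a forged redirect. The tenant, client and resource values are placeholders, as in the post, and the sample redirects are the ones shown above.

```javascript
// Added example: Azure AD v1 implicit grant helpers for a browser app.
// Not from the original post; tenant/client/resource values are placeholders.

const AUTHORIZE_BASE = 'https://login.microsoftonline.com';

// Build the /oauth2/authorize URL. URLSearchParams percent-encodes each value
// (':' -> %3A, '/' -> %2F), which matches how the post's redirect_uri was sent
// and keeps a resource such as https://xxx.onmicrosoft.com/xxxService intact.
// `state` is an opaque value the app stores before redirecting (added here;
// not in the post) so the reply can be tied to the request that caused it.
function buildAuthorizeUrl({ tenantId, clientId, redirectUri, resource, state }) {
  const params = new URLSearchParams({
    client_id: clientId,
    response_type: 'token',
    redirect_uri: redirectUri,
    resource: resource,
    state: state,
  });
  return `${AUTHORIZE_BASE}/${encodeURIComponent(tenantId)}/oauth2/authorize?${params}`;
}

// Parse the URL the browser lands on after the authorize round trip. The
// implicit grant returns everything, success or error, in the fragment after
// '#', which the browser never sends to the server hosting the redirect URI.
function parseImplicitResponse(landingUrl, expectedState) {
  const hashIndex = landingUrl.indexOf('#');
  if (hashIndex < 0) {
    return { ok: false, error: 'no_fragment', errorDescription: 'No fragment in redirect', aadCode: null };
  }
  // URLSearchParams decodes %xx escapes and turns '+' into a space, which is
  // how AAD encodes the error_description text.
  const params = new URLSearchParams(landingUrl.slice(hashIndex + 1));

  if (params.has('error')) {
    const description = params.get('error_description') || '';
    const codeMatch = description.match(/AADSTS\d+/);
    return {
      ok: false,
      error: params.get('error'),
      errorDescription: description,
      aadCode: codeMatch ? codeMatch[0] : null,
    };
  }

  // Reject a reply whose state does not match what this app sent.
  if (expectedState !== undefined && params.get('state') !== expectedState) {
    return { ok: false, error: 'state_mismatch', errorDescription: 'state does not match the request', aadCode: null };
  }

  const accessToken = params.get('access_token');
  const tokenType = params.get('token_type');
  if (!accessToken || tokenType !== 'Bearer') {
    return { ok: false, error: 'invalid_response', errorDescription: 'no Bearer access_token in fragment', aadCode: null };
  }
  return {
    ok: true,
    accessToken,
    tokenType,
    expiresIn: Number(params.get('expires_in')),
    sessionState: params.get('session_state'),
  };
}

// Constructed sample redirects, copied in shape from the post.
const SAMPLE_ERROR_REDIRECT =
  'http://localhost/myapp/#error=invalid_resource&error_description=AADSTS50001%3a+Resource+identifier+is+not+provided...';
const SAMPLE_OK_REDIRECT =
  'http://localhost/myapp/#access_token=eyJ...Cpw&token_type=Bearer&expires_in=3599&session_state=6e7...203';

module.exports = { buildAuthorizeUrl, parseImplicitResponse, SAMPLE_ERROR_REDIRECT, SAMPLE_OK_REDIRECT };
```

In a real page you would call `buildAuthorizeUrl` with a freshly generated `state`, store it in `sessionStorage`, redirect with `window.location.assign(url)`, and on return pass `window.location.href` and the stored value to `parseImplicitResponse`; the `aadCode` field pulls out the AADSTS number so the error can be matched to the cases walked through above.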
Enjoy!