Stuck between two errors in an Azure OAuth2 token request

I am implementing the OAuth2 provider for OWIN and Azure Active Directory. FWIW, currently the OpenID Connect option does not meet the requirements for this work.

I get the auth code, return to my redirect URL with the auth code parameter, and request a token from https://login.windows.net/{myguid}/oauth2/token.

    // Build up the body for the token request
    var body = new List<KeyValuePair<string, string>>();
    body.Add(new KeyValuePair<string, string>("grant_type", "authorization_code"));
    body.Add(new KeyValuePair<string, string>("code", code));
    body.Add(new KeyValuePair<string, string>("redirect_uri", redirectUri));
    body.Add(new KeyValuePair<string, string>("client_id", Options.ClientId));
    body.Add(new KeyValuePair<string, string>("client_secret", Options.ClientSecret));

    // Request the token
    HttpResponseMessage tokenResponse = await httpClient.PostAsync(TokenEndpoint, new FormUrlEncodedContent(body));
    string text = await tokenResponse.Content.ReadAsStringAsync();
    tokenResponse.EnsureSuccessStatusCode();

I get this error:

 {"error":"invalid_resource","error_description":"AADSTS50001: Resource identifier is not provided. Trace ID: 227f2af8-0837-4f22-ac0f-a09b3f9a6d50 Correlation ID: 3d783f11-44d0-4efa-8831-3dd581d653ed Timestamp: 2014-08-08 21:59:49Z","error_codes":[50001],"timestamp":"2014-08-08 21:59:49Z","trace_id":"227f2af8-0837-4f22-ac0f-a09b3f9a6d50","correlation_id":"3d783f11-44d0-4efa-8831-3dd581d653ed"} 

OK, I am adding a resource parameter:

    // Build up the body for the token request
    var body = new List<KeyValuePair<string, string>>();
    body.Add(new KeyValuePair<string, string>("grant_type", "authorization_code"));
    body.Add(new KeyValuePair<string, string>("code", code));
    body.Add(new KeyValuePair<string, string>("redirect_uri", redirectUri));
    body.Add(new KeyValuePair<string, string>("client_id", Options.ClientId));
    body.Add(new KeyValuePair<string, string>("client_secret", Options.ClientSecret));
    body.Add(new KeyValuePair<string, string>("resource", "https://myappid"));

    {"error":"invalid_request","error_description":"AADSTS90027: The client 'xxxxx' and resource 'https://myappid' identify the same application. Trace ID: 6c77f123-d75f-43a9-8117-b3f372891ee4 Correlation ID: d9081f8b-b690-4478-bf15-55325a9736ec Timestamp: 2014-08-08 21:48:34Z","error_codes":[90027],"timestamp":"2014-08-08 21:48:34Z","trace_id":"6c77f123-d75f-43a9-8117-b3f372891ee4","correlation_id":"d9081f8b-b690-4478-bf15-55325a9736ec"}

Therefore, I must have the correct application ID associated with my client ID. Hrrmph! I am clearly doing something wrong, but just can't see it. Any suggestions?

+8
asp.net-identity asp.net-identity-2 azure-active-directory
3 answers

OAuth deals with 4 parties:
1) the resource owner, aka the user;
2) the resource application: usually a web API that protects access to a resource owned by the user;
3) the client application: a web application, a mobile application, or even another web API that wants to access the resource on behalf of the user;
4) the authority: a secure token service that authenticates the user and/or the client application and issues a delegated access token to the client to access the resource.

Your code uses the same identifier for the client application and for the resource. In essence, it requests an access token to access itself. It can be argued that this scenario should be handled, but that is not the case in Azure AD today.

Please do the following: register the resource application in Azure AD. In its manifest, add a new appPermission (follow this post). Then go to the client application's configuration page and scroll down: in the "Permissions to other applications" section, add the resource's permission to the client application's "delegated permissions" list.

Now use the resource application's App ID URI or Client ID as the resource in your OAuth request, and everything should work.

Hope this helps.

+6

I had the same problem; I just wanted to implement user login.

After trying 1000 things (with this message among others), I found out that I can use the Microsoft.Azure.ActiveDirectory ID as the resource parameter. That way I do not need to create a second application.

http://blogs.msdn.com/b/besidethepoint/archive/2012/10/23/getting-started-with-azure-active-directory.aspx

 nameValuePairs.add(new BasicNameValuePair("resource", "00000002-0000-0000-c000-000000000000")); 

and got a token

UPDATE:

Azure support suggested I use https://graph.windows.net/:

    nameValuePairs.add(new BasicNameValuePair("resource", "https://graph.windows.net/"));

+17
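As an added example that is not code from the question or from either of the answers above, the following C# puts the question's token request together with the advice from the first and second answers: the body carries a resource parameter, the two conditions Azure AD reported as AADSTS50001 (no resource) and AADSTS90027 (resource is the client itself) are rejected locally before any request is sent, and the error JSON that comes back is parsed so that trace_id and correlation_id can be logged for a support case. The resource can be the resource application's App ID URI or Client ID (first answer) or https://graph.windows.net/ (second answer). The class and method names, the System.Text.Json usage and the tenant placeholder are assumptions of this example, not part of the original code.

```csharp
// Added example, not code from the question or the answers. It keeps the
// question's authorization_code request against the v1 endpoint
// https://login.windows.net/{tenant}/oauth2/token and adds a local check for
// the two conditions the thread explains (AADSTS50001, AADSTS90027) plus a
// parser for the error JSON. Class and method names here are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

public static class AadTokenRequest
{
    // Parsed form of the error body Azure AD returns (fields as seen in the question).
    public sealed record AadError(string Error, string Description, int[] ErrorCodes,
                                  string TraceId, string CorrelationId);

    // Builds the form body. "resource" is the App ID URI or Client ID of the
    // resource application (first answer) or e.g. "https://graph.windows.net/"
    // (second answer); it must not be the client application itself.
    public static List<KeyValuePair<string, string>> BuildBody(
        string code, string redirectUri, string clientId, string clientSecret, string resource)
    {
        if (string.IsNullOrWhiteSpace(resource))
            throw new ArgumentException(
                "resource is required; Azure AD rejects the request with AADSTS50001 without it.",
                nameof(resource));

        // Same identifier for client and resource is what produced AADSTS90027.
        if (string.Equals(resource.TrimEnd('/'), clientId.TrimEnd('/'),
                          StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException(
                "resource must identify a different application than client_id (AADSTS90027).",
                nameof(resource));

        return new List<KeyValuePair<string, string>>
        {
            new("grant_type", "authorization_code"),
            new("code", code),
            new("redirect_uri", redirectUri),
            new("client_id", clientId),
            new("client_secret", clientSecret),
            new("resource", resource),
        };
    }

    // Parses the JSON error body; returns null when the body carries no "error" field.
    public static AadError? ParseError(string json)
    {
        using var doc = JsonDocument.Parse(json);
        var root = doc.RootElement;
        if (root.ValueKind != JsonValueKind.Object || !root.TryGetProperty("error", out var err))
            return null;

        string Str(string name) =>
            root.TryGetProperty(name, out var v) && v.ValueKind == JsonValueKind.String
                ? v.GetString()! : "";

        int[] codes = root.TryGetProperty("error_codes", out var ec) && ec.ValueKind == JsonValueKind.Array
            ? ec.EnumerateArray().Select(e => e.GetInt32()).ToArray()
            : Array.Empty<int>();

        return new AadError(err.GetString() ?? "", Str("error_description"), codes,
                            Str("trace_id"), Str("correlation_id"));
    }

    // Posts the request. The body is read before the status check so the
    // diagnostic fields are available when Azure AD answers with 400.
    public static async Task<string> RequestTokenAsync(
        HttpClient httpClient, string tenantId, List<KeyValuePair<string, string>> body)
    {
        var tokenEndpoint = $"https://login.windows.net/{tenantId}/oauth2/token";
        using var response = await httpClient.PostAsync(tokenEndpoint, new FormUrlEncodedContent(body));
        string text = await response.Content.ReadAsStringAsync();
        if (response.IsSuccessStatusCode)
            return text;

        var error = ParseError(text);
        if (error is null)
            throw new HttpRequestException($"Token endpoint returned {(int)response.StatusCode}.");
        // Log the IDs and the description, never the client_secret or the raw form body.
        throw new HttpRequestException(
            $"Token request failed: {error.Error} codes=[{string.Join(",", error.ErrorCodes)}] " +
            $"trace_id={error.TraceId} correlation_id={error.CorrelationId}: {error.Description}");
    }

    public static void Main()
    {
        // The AADSTS50001 body quoted in the question, used here as sample input.
        const string sample = "{\"error\":\"invalid_resource\",\"error_description\":\"AADSTS50001: Resource identifier is not provided.\",\"error_codes\":[50001],\"trace_id\":\"227f2af8-0837-4f22-ac0f-a09b3f9a6d50\",\"correlation_id\":\"3d783f11-44d0-4efa-8831-3dd581d653ed\"}";
        var err = ParseError(sample);
        Console.WriteLine($"{err?.Error} {err?.ErrorCodes[0]} trace={err?.TraceId}");

        // Throws: resource equals client_id, which is the AADSTS90027 case from the question.
        try { BuildBody("code", "https://localhost/signin", "https://myappid", "secret", "https://myappid"); }
        catch (ArgumentException e) { Console.WriteLine(e.Message); }
    }
}
```

The local check mirrors what Azure AD enforces server-side, so a misconfigured resource fails fast in development instead of after a round trip, and the parsed trace_id and correlation_id are exactly the values a support ticket asks for.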

Using the "openid" scope in the authorization request should trigger an OpenID Connect flow that returns an id_token and does not require a resource.

+7
