1
votes

I am trying to call Microsoft Graph using a JWT bearer token to call https://graph.microsoft.com/v1.0/me

At first, I was using the Azure OAuth v1 endpoint, but the JWT it returned did not have the correct audience, so it wouldn't let me call Microsoft Graph. Now I'm using the v2 endpoint, but I'm getting an error:

"error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxxx' named 'MyAppName'. 
Send an interactive authorization request for this user and resource.
Trace ID: xxxxx-xxxxx-xxxxxxx-xxxxxxxx
Correlation ID: xxxxx-xxxxx-xxxxxxx-xxxxxxxx
Timestamp: 2019-08-23 18:06:39Z"

I have set up the correct API permissions for my registered Application in AAD as best I can tell.

I'm stuck here and can't even try to test with the JWT that gets returned from v2.

Any ideas here? All the Google hits tell me I need to set up my API permissions, which, as you can see in the screenshot, I've done.

Here is the URL I'm first going to obtain my code:

https://login.microsoftonline.com/xxxx-tentantidxxxx/oauth2/v2.0/authorize?client_id=xxxx-clientid-xxx&response_type=code&scope=https://graph.windows.net/directory.read.all%20https://graph.windows.net/user.read&redirect_uri=https://MyCoolsite.neat.com

2
Could you tell me whether the tenant you use in the endpoint is the same as the tenant where you registered the application? - user10182254

You should URL-encode all the parameters in the authorize URL (scope and redirect URI). Also, for MS Graph API scopes, you can use the "short form": Directory.Read.All User.Read. The full URI should also work, but might require URL encoding. You can also try to use https://graph.microsoft.com/.default as scope; that will then use the permissions you have defined in the portal. - juunas

Could you also show how you are exchanging the code for the token? - juunas

2 Answers

2
votes

You're conflating the legacy Azure AD Graph API (graph.windows.net) with Microsoft Graph (graph.microsoft.com). These are two different APIs with their own endpoints and permission scopes.

You'll want to use Microsoft Graph for this, which means you'll need to request Microsoft Graph scopes. In this case the only scope you need is User.Read. Using Directory.Read.All would require Admin Consent, which adds some unnecessary complexity you don't need at this point.

The URL you're using can also be simplified (you don't need to specify the tenant):

https://login.microsoftonline.com/common/oauth2/v2.0/authorize

For your query params, you'll want

?client_id={clientId}&response_type=code&scope=User.Read&redirect_uri=https://redirect.url

If you want to use the scopes specified in your registration rather than requesting them dynamically, you can drop User.Read and use https://graph.microsoft.com/.default instead.

If you'd rather use the v1 endpoint, simply drop scope altogether and replace it with the resource (audience) you want to talk to. In your case, this is resource=https://graph.microsoft.com.

Keep in mind that you do need to URL-encode the values you're passing in:

?client_id={clientId}&response_type=code&scope=User.Read&redirect_uri=https%3A%2F%2Fredirect.url

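As an added example (not code from the question or this answer), the following Python builds the v2 and v1 authorize URLs the answer describes with every parameter URL-encoded, refuses the graph.windows.net scopes that caused the original confusion, and decodes a token's `aud` claim so you can see locally which API a token was minted for. The function names and the `client-id-placeholder` value are assumptions; the sample token is constructed and unsigned, and the decode is a diagnostic, not a validation step.

```python
from urllib.parse import urlencode
import base64
import json

AUTHORITY = "https://login.microsoftonline.com/common"   # tenant not required
GRAPH_RESOURCE = "https://graph.microsoft.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"    # well-known Microsoft Graph app id
LEGACY_AAD_GRAPH = "https://graph.windows.net"


def authorize_url(client_id, redirect_uri, scopes=None, v1_resource=None):
    """Build the authorize URL. v2 takes `scope`; v1 takes `resource` instead.
    urlencode() percent-encodes each value, so redirect_uri survives intact."""
    if v1_resource:
        params = {"client_id": client_id, "response_type": "code",
                  "resource": v1_resource, "redirect_uri": redirect_uri}
        return f"{AUTHORITY}/oauth2/authorize?{urlencode(params)}"
    scopes = scopes or ["User.Read"]
    for s in scopes:
        # Azure AD Graph scopes never yield a Microsoft Graph token.
        if s.lower().startswith(LEGACY_AAD_GRAPH):
            raise ValueError(f"{s} is an Azure AD Graph scope, not a Microsoft Graph scope")
    params = {"client_id": client_id, "response_type": "code",
              "scope": " ".join(scopes), "redirect_uri": redirect_uri}
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def token_audience(jwt):
    """Return the `aud` claim of an access token. Signature is NOT checked:
    this only answers 'which API was this token issued for?'."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("aud")


def is_graph_token(jwt):
    """True when the audience is Microsoft Graph (URI or app-id form)."""
    return token_audience(jwt) in (GRAPH_RESOURCE, GRAPH_APP_ID)


def constructed_jwt(claims):
    """Constructed, unsigned sample token (alg=none) for demonstration only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    print(authorize_url("client-id-placeholder", "https://MyCoolsite.neat.com"))
    print(is_graph_token(constructed_jwt({"aud": LEGACY_AAD_GRAPH})))   # False: v1/AAD Graph token
```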
0
votes

From what I see, you have to use application permissions, as your current setup requires an interactive session. Here is guidance on how to set up application permissions:

https://github.com/ivfranji/GraphManagedApi/wiki/Registering-Microsoft-Graph-App