Azure Active Directory - Get Authorization for Access Token

0
votes

I'm following https://docs.microsoft.com/en-gb/graph/auth-v2-user in the hope of calling Microsoft Graph Api from my web app. On section 2 of the article it explains how to get the auth code which is required for making the request to get the access token ...

Can someone please advise where I get the 'code' from as part of the request in part 2? I was expecting this to be returned in the redirect URL as a query string param, but this is not the case.

Thanks,

Edit

I have opted against using MSAL becuase of the bugs I have encountered when using the library. Instead my configartion is the following;

Startup.cs

         JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

        var serviceProvider = services.BuildServiceProvider();
        var userAuthenticationTicketRepository = serviceProvider.GetService<IUserAuthenticationTicketRepositoryWrapper>();
        var configSettings = serviceProvider.GetService<IConfigSettings>();

        services.AddAuthentication(sharedOptions =>
            {
                sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddAzureAd(options => configuration.Bind("Config:AzureAd", options))
            .AddCookie(options =>
            {
                options.SessionStore =
                    new AuthenticationTicketStore(userAuthenticationTicketRepository, configSettings);
            });

Implementation of AddAzureAd

 public static AuthenticationBuilder AddAzureAd(this AuthenticationBuilder builder, Action<AzureADOptions> configureOptions)
    {
        builder.Services.Configure(configureOptions);
        builder.Services.AddSingleton<IConfigureOptions<OpenIdConnectOptions>, ConfigureOidcOptions>();

        builder.AddOpenIdConnect(options =>
        {
            options.Events = new OpenIdConnectEvents
            {
                OnRemoteFailure = context =>
                {
                    context.HandleResponse();
                    context.Response.Redirect("Account/AccessDenied");

                    return Task.FromResult(0);
                }
            };

        });

        return builder;
    }

ConfigureOidcOptions

 public class ConfigureOidcOptions : IConfigureNamedOptions<OpenIdConnectOptions>
{
    private readonly AzureADOptions _azureOptions;

    public ConfigureOidcOptions(IOptions<AzureADOptions> azureOptions)
    {
        _azureOptions = azureOptions.Value;
    }

    public void Configure(string name, OpenIdConnectOptions options)
    {
        options.ClientId = _azureOptions.ClientId;
        options.ClientSecret = _azureOptions.ClientSecret;
        options.Authority = new Uri(new Uri(_azureOptions.Instance), _azureOptions.TenantId).ToString();
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.CallbackPath = _azureOptions.CallbackPath;
        options.UseTokenLifetime = true;
    }

    public void Configure(OpenIdConnectOptions options)
    {
        Configure(Options.DefaultName, options);
    }
}
1
oauth-2.0azure-active-directoryauthorization
Yes, you should get the code as a query param of the redirect URL. If you are not getting it, you should get an error parameter. Anyway, it would be good to post your auth request and the response URL you are getting. - Ján Halaša
Am I right thinking the 'authorization' step is when I am prompted to sign into my web app. I'm not getting the 'code' param, but I'm also not getting an error. How can I post my auth request? - japes Sophey
Edit the question and add your auth request URL and a response URL (you can mask client_id param value if you don't want to make it public). By the authorization step, they probably mean that the client (your application) gets authorized by a user (resource owner) to use the resource (MS Graph API) on the user's behalf - OAuth2 is an access delegation protocol. - Ján Halaša

1 Answers

1
votes

The Authorization request should be 

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id={client_id}
&response_type=code
&redirect_uri=http://localhost/myapp/
&response_mode=query
&scope=offline_access user.read mail.read
&state=12345

Replace the tenant and client_id with your value. And the redirect_uri should be consistent with the one in the portal.

enter image description here

When you request the url in the browser, you will be asked for logging in. After that, you will get the code parameter in the url.

enter image description here