0
votes

I want to access any user's calendar in my Java application.

In https://portal.azure.com, I created an Azure Active Directory: aniketorg123

Then I created an app in it: aniketorgapp1

Following are the Redirect URIs that I added:

[screenshot: redirect URIs, not included]

Then I added some permissions:

[screenshot: API permissions, not included]

Now, in my application I send Oauth authorization request:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&response_mode=form_post&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fmsal4jsample%2Fsecure%2Faad&client_id=ca146462-8880-424c-b629-cc7c0d0fb1b3&scope=openid+offline_access+profile&prompt=select_account&state=69a2ac0f-abac-46ad-b525-88f0b70182b7&nonce=9278f424-6858-4e22-bb13-7b13894abda7

This loads the "Pick an account" page. When the user picks an account, I'm getting the following response:

403 Forbidden

Why could I be getting 403 forbidden?

2
This document may help in fixing the issue. – Hari Krishna
@HariKrishna--MSFTIdentity Is a Service Principal required for multi-tenant? – user5155835
@user5155835, yes, a Service Principal is required for multi-tenant applications. – Hari Krishna
@HariKrishna--MSFTIdentity I don't understand what I need to do. Do I have to create a user of type Service Principal? When I try to create a new user, I don't see any input for Type. – user5155835
This seemed to be an issue with the sample, which should be fixed now. You can also try changing response_mode=query in the authorization URL and that should fix this problem. – sgonzalez

2 Answers

1
votes

This seemed to be an issue with the sample, which should be fixed now. You can also try changing response_mode=query in the authorization url and that should fix this problem. This was caused by some of the samesite updates that browsers are making.
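As an added illustration that is not part of this answer or of the msal4j sample: the script below builds the same v2.0 authorization request with `response_mode=query`, and models why `form_post` breaks once the browser defaults cookies to SameSite=Lax. With `form_post` the identity provider delivers `code` and `state` to the redirect URI as a cross-site POST, so a Lax session cookie is withheld, the handler cannot find the session that issued `state`, and it has to reject the callback (modelled here as 403). With `query` the reply is a top-level GET, the cookie is sent, and the `state` check passes. The SameSite rule, the in-memory session store and the 403 mapping are simplifying assumptions; the client id and authorization code are placeholders, not values from the question.

```python
"""Model of the SameSite=Lax / response_mode interaction (added example)."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"


def build_authorize_url(client_id, redirect_uri, state, nonce, response_mode="query"):
    """Build the v2.0 authorization request. state and nonce are bound to the
    caller's session so the redirect can later be tied back to it."""
    params = {
        "response_type": "code",
        "response_mode": response_mode,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "scope": "openid offline_access profile",
        "prompt": "select_account",
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def authorize_params(url):
    """Parse the query string of an authorization URL into a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def lax_cookie_sent(method, cross_site, top_level):
    """Simplified model of the SameSite=Lax default (assumption): the cookie
    rides on same-site requests, and on cross-site requests only when they
    are top-level navigations using a safe method (GET)."""
    if not cross_site:
        return True
    return top_level and method.upper() == "GET"


class SessionStore:
    """In-memory store standing in for the servlet session (assumption)."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {
            "state": secrets.token_urlsafe(16),
            "nonce": secrets.token_urlsafe(16),
        }
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def handle_redirect(store, session_cookie, method, cross_site, top_level, params):
    """Server side of the redirect URI. Returns 403 when the session cookie did
    not arrive (state cannot be verified) or state mismatches, 200 when the
    state check passes and the code could be exchanged for tokens."""
    if not lax_cookie_sent(method, cross_site, top_level):
        session_cookie = None  # browser withheld the cookie
    session = store.get(session_cookie) if session_cookie else None
    if session is None:
        return 403
    if not secrets.compare_digest(session["state"], params.get("state", "")):
        return 403
    return 200


def simulate(response_mode):
    """One authorization round-trip; returns the redirect handler's status.
    The provider's reply is a cross-site request to redirect_uri:
    a POST for form_post, a top-level GET for query."""
    store = SessionStore()
    sid = store.create()
    session = store.get(sid)
    build_authorize_url(
        "client-id-placeholder",  # placeholder, not the asker's client_id
        "https://localhost:8443/msal4jsample/secure/aad",
        session["state"], session["nonce"], response_mode,
    )
    reply = {"code": "constructed-authorization-code", "state": session["state"]}
    method = "POST" if response_mode == "form_post" else "GET"
    return handle_redirect(store, sid, method, cross_site=True, top_level=True, params=reply)


if __name__ == "__main__":
    print("form_post:", simulate("form_post"))  # 403: cookie withheld, state unverifiable
    print("query:", simulate("query"))          # 200
```

Switching to `query` puts the authorization code in the URL rather than a POST body; it is single-use and short-lived, and the `state` check against the session remains the thing that actually protects the callback, so keep it regardless of response mode.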

1
votes

If you get a 403 forbidden error, make sure that the correct service principal has been added to your publisher account in the Cloud Partner Portal. Follow the steps in the Prerequisites page to add your service principal to the portal.

If the correct service principal has been added, then verify all the other information. Pay close attention to the Object ID entered on the portal. There are two Object IDs in the Azure Active Directory app registration page, and you must use the local Object ID. You can find the correct value by going to the App registrations page for your app and clicking on the app name under Managed application in local directory. This takes you to the local properties for the app, where you can find the correct Object ID in the Properties page, as shown in the following figure. Also, ensure that you use the correct publisher ID when you add the service principal and make the API call.

Reference Document.