I am using InstaSharp in a WPF application. I have read the documentation of InstaSharp. And here is the code I tried.
InstagramConfig config = new InstagramConfig(clientId, clientSecret, redirectUri, realtimeUri);
var oAuth = new OAuth(config);
var scopes = new List<OAuth.Scope>();
var link = InstaSharp.OAuth.AuthLink(config.OAuthUri + "authorize", config.ClientId, config.RedirectUri, scopes, InstaSharp.OAuth.ResponseType.Code);
var authInfo = await oAuth.RequestToken(clientId);
Now the problem is that I am getting authInfo as null. Which means I am getting the accesstoken as null. When I copy paste the link(generated by above code) in the browser, it asks me for authorization and generates an access token but I can not get it programmatically with the above code.
Can someone please help me get the access token ?
Related
I'm trying to get an accesstoken from a InteractiveBrowserCredential so I can make calls to the Azure Datalake, but when I try to do this I get this error message:
System.Net.Http.HttpRequestException: 'Response status code does not
indicate success: 403 (Server failed to authenticate the request. Make
sure the value of Authorization header is formed correctly including
the signature.).'
Below is my code, I sspect it might be the scopes I request but I have tried every value I could find online (https://storage.azure.com/user_impersonation, https://storage.azure.com/.default).
// setup authentication
var tenantId = "common";
var clientId = "xxx";
var options = new InteractiveBrowserCredentialOptions {
TenantId = tenantId,
ClientId = clientId,
AuthorityHost = AzureAuthorityHosts.AzurePublicCloud,
RedirectUri = new Uri("http://localhost"),
};
// authenticate and request accesstoken
var interactiveCredential = new InteractiveBrowserCredential(options);
var token = interactiveCredential.GetToken(new TokenRequestContext(new[] { "https://storage.azure.com/.default" }));
// Create HttpClient
var client = new HttpClient();
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token.Token); ;
string res = await client.GetStringAsync("https://xx.blob.core.windows.net/?comp=list"); // this line throws the error
textBox1.Text = res;
If I use the SDK it does work, so it does not appear to be security settings.
// connect to Azure Data Lake (this works fine)
string accountName = "xxx";
string dfsUri = "https://" + accountName + ".dfs.core.windows.net";
var dataLakeServiceClient = new DataLakeServiceClient(new Uri(dfsUri), interactiveCredential);
// get filesystems
var systems = dataLakeServiceClient.GetFileSystems().ToList();// works fine
The error "403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signatureerror" usually occurs if you have not x-ms-version header in your code.
I agree with Gaurav Mantri, To resolve the error make sure to pass header value.
I tried to reproduce the same in my environment and got the same error as below in Postman:
I generated the access token by using the below Parameters:
https://login.microsoftonline.com/common/oauth2/v2.0/token
grant_type:authorization_code
client_id:4b08ee93-f4c8-47e9-bb1e-XXXXXXX
client_secret:client_secret
scope:https://storage.azure.com/user_impersonation
redirect_uri:https://jwt.ms
code: code
When I included x-ms-version=2019-02-02, I am able to access the storage account successfully like below:
The x-ms-version header value must be in the format YYYY-MM-DD.
In your code, you can include the header below samples:
Client.DefaultRequestHeaders.Add("x-ms-version", "2019-02-02");
request.Headers.Add("x-ms-version", "2019-02-02");
Reference:
Versioning for the Azure Storage services | Microsoft Learn
Using Microsoft.IdentityModel.Clients.ActiveDirectory(2.22.302111727) I am trying to get the access token and the refresh token via ADAL AcquireToken(resourceUri, new ClientCredential(clientId,clientSecret) but I am able to get the only access token only but when I am using the same app with AcquireToken(resourceUri, clientId, userCredential) and passing the username and password as the userCredentials then I am able to get both the access as well as refresh token.
string resourceUri = "https://graph.microsoft.com";
string clientId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxx";
string clientSecret = "xxxxxxxxxxxxxxxxxxxxxxxx";
AuthenticationResult token = authContext.AcquireToken(resourceUri, new
ClientCredential(clientId,clientSecret));
string resourceUri = "https://graph.microsoft.com";
string clientId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxx";
string clientSecret = "xxxxxxxxxxxxxxxxxxxxxxxx";
AuthenticationResult token = authContext.AcquireToken(resourceUri, new
ClientCredential(clientId,clientSecret));
I have also tried using AcquireToken(clientId, resourceUri, new Uri(redirectUri)) but it gives me error "AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'" and I have tried AcquireToken(resourceUri, clientId, new Uri(redirectUri),
PromptBehavior.RefreshSession ,new UserIdentifier("xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx", UserIdentifierType.UniqueId)) and it gives me error "AADSTS650057: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: 00000003-0000-0000-c000-000000000000(Microsoft Graph)."
Please explain the exact resource value that is missing here in error AADSTS650057.
You may be hitting several different error. OAuth2 client credentials grant does not return refresh tokens (enter link description here ) as you can get a new token with the existing credentials. Requests involving user credentials do return refresh tokens as you may want to renew the access token without having to prompt the user for credentials.
AADSTS650057 is most likely caused by your application being registered in AAD without having permission to call MS Graph. An application must have either Application Permission (when using Client Credentials) or Delegated Permission (when using user creds) to get a token to this resource.
1.Install this from nuget package
using Microsoft.Identity.Client;
2. add this code
string clientId = "Get it from Admin"
string clientSecret = "Get it from Admin"
string authorityUrl = "Get it from Admin"
string authorityId = "Get it from Admin";
string authority = string.Format(CultureInfo.InvariantCulture, "https://login.microsoftonline.com/{0}", authorityId);
var app = ConfidentialClientApplicationBuilder.Create(clientId).WithAuthority(authority).WithClientSecret(clientSecret).Build();
var authResult = Task.Run(() => app.AcquireTokenForClient(new[] { $"{apiEndpointUrl}/.default" }).ExecuteAsync()).Result;
return authResult.AccessToken;
I am trying to write a simple console app which will authenticate using OAUTH against Azure Graph without the need for username/password, but I'm receiving a 403 error when executing the WebClient.DownloadString method. Any help would be greatly appreciated.
static void Main(string[] args)
{
// Constants
var tenant = "mytenant.onmicrosoft.com";
var resource = "https://graph.microsoft.com/";
var clientID = "blah-blah-blah-blah-blah";
var secret = "blahblahblahblahblahblah";
// Ceremony
var authority = $"https://login.microsoftonline.com/{tenant}";
var authContext = new AuthenticationContext(authority);
var credentials = new ClientCredential(clientID, secret);
// Obtain Token
var authResult = authContext.AcquireToken(resource, credentials);
WebClient webClient1 = new WebClient();
webClient1.Headers[HttpRequestHeader.Authorization] = "Bearer " + authResult.AccessToken;
webClient1.Headers[HttpRequestHeader.ContentType] = "application/x-www-form-urlencoded";
webClient1.Headers[HttpRequestHeader.Accept] = "application/json";
string payload = webClient1.DownloadString("https://graph.microsoft.com/v1.0/users?$Select=givenName,surname");
}
}
This has now been resolved. The code above was correct, but there was a step I was missing, which is to configure the ServicePrincipal in Azure:-
Login with a Global Admin using the command Connect-Msolservice
Retrieve the ObjectID of the Service Principal > Get-MsolServicePrincipal –AppPrincipalId YOUR_APP_CLIENT_ID
Assign the role using > Add-MsolRoleMember -RoleMemberType ServicePrincipal -RoleName ‘Company Administrator’ -RoleMemberObjectId YOUR_OBJECT_ID
The following links were also very useful:-
https://developer.microsoft.com/en-us/graph/docs/concepts/overview (Click the arrow in the top left to show the full list and then scroll down to the appropriate operation)
https://msdn.microsoft.com/en-us/library/azure/ad/graph/howto/azure-ad-graph-api-error-codes-and-error-handling
I have a multi-tenant AAD app in tenant A that accepts tokens issued by tenant B to authenticate its users. The permissions that the app requests are set to the default lowest level - read basic user's profile.
When the user (non-admin) from tenant B logs in, I see the claims, and I've configured the app to send user's group in claims as well. Inside of the group claim, instead of the groups list I am seeing "src1" reference, implying that the user is a member of over 200 groups and that I need to query that URI to get the list of those groups.
When I query that URI, however, I get back an "Insufficient privileges" error. I'm actually able to query "/me" URI just fine for the user and see his direct manager and even the office location, but I'm not able to see his or her security groups.
Are the group claims included in what I'm allowed to read when the user consented to be authenticated by my app, or it's something only an admin can consent to? If I am indeed supposed to see them, what is the right way to access them given the overage claim URI?
Thanks in advance!
UPDATE:
More info about the code:
I was using a book (not a specific tutorial), and my code lives in AuthorizationCodeReceived notification body, and looks like this:
var ClientId = "...";
// Notice the "common"
var Authority = "https://login.microsoftonline.com/common";
var appKey = "...";
var resourceId = "https://graph.windows.net";
var code = context.Code;
var authContext = new AuthenticationContext(Authority);
var credential = new ClientCredential(ClientId, appKey);
var result = authContext.AcquireTokenByAuthorizationCode(code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, resourceId);
var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", result.AccessToken);
// I'm not very sure about this part - I tried different ways, but all request that "work" result in "Insufficient privileges"
var p = new { securityEnabledOnly = true };
string postBody = JsonConvert.SerializeObject(p);
httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
var response = httpClient.PostAsync("<the src1 url>", new StringContent(postBody, System.Text.Encoding.UTF8, "application/json")).Result;
So I think I can answer my own question. It turns out that User.Read includes only the "Declared" properties of the User entity, while the group membership is a Navigation property.
To get access to the group, I need to request Group.Read.All permission, which requires Admin consent.
Here is the documentation on permission:
https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes
And here is the description of entities:
https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#userentity
It's all in the docs, just need to be very attentive to details when reading.
Add:I run your code without error, make sure your web app has permission to access Graph Api. Below is the code, I simplify someplace.
var ClientId = "***";
// Notice the "common"
var Authority = "https://login.microsoftonline.com/tenantid";
var appKey = "k***";
var resourceId = "https://graph.windows.net";
// var code = context.Code;
var authContext = new AuthenticationContext(Authority);
var credential = new ClientCredential(ClientId, appKey);
var result = authContext.AcquireToken(resourceId,credential);
var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
// I'm not very sure about this part - I tried different ways, but all request that "work" result in "Insufficient privileges"
// var p = new { securityEnabledOnly = true };
// string postBody = JsonConvert.SerializeObject(p);
httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
var result1 = httpClient.GetAsync("https://graph.windows.net/tenantid/users?api-version=1.6").Result;
var jsonresult=result1.Content.ReadAsStringAsync().Result;
I've got a Generated access token from DropBox ".....fquCiA_pW5SsJal2C.......".
I'm using the following code to upload a file-
static void Main()
{
// Uncomment the following line or manually provide a valid token so that you
// don't have to go through the authorization process each time.
//var accessToken = GetAccessToken();
// var accessToken = new OAuthToken("token", "secret");
var api = new DropboxApi(ConsumerKey, ConsumerSecret, accessToken);
var file = api.UploadFile("dropbox", #"myFolder\b.jpg", #"b.jpg");
Console.WriteLine(string.Format("{0} uploaded.", file.Path));
}
There is an instruction in the code that I can use a token. So, I have used-
var accessToken = "...lkasjdfsdlfjsadlj...";
But it shows invalid argument error. Where shall I use that key?
Please help?
I've taken the code from here