
I was able to set up adal4j and a service-to-service OAuth authentication and successfully retrieve an access token using the access token authority uri https://login.windows.net/$tenantId/oauth2/token.

Here's what the acquire token process looks like:

import java.util.concurrent.Executors
import com.microsoft.aad.adal4j.{AuthenticationContext, ClientCredential}

// adal4j needs an ExecutorService to run the token request on
val executor = Executors.newFixedThreadPool(1)
// authority: "$tenantId" is the tenant GUID found via the openid-configuration document
val context = new AuthenticationContext("https://login.windows.net/$tenantId/oauth2/token", true, executor)
// client credentials grant: application id + secret, no user involved
val creds = new ClientCredential("CLIENT_ID", "CLIENT_SECRET")
// resource is the root URL of the CRM instance; acquireToken returns a Future, .get() blocks for the result
val result = context.acquireToken("https://SANDBOX.crm.dynamics.com", creds, null).get()
result.getAccessToken

The token is in the format stuff.stuff.stuff.

I found the tenant id (a guid apparently) using this url: https://login.windows.net/ORG.onmicrosoft.com/.well-known/openid-configuration

Now I'm having trouble using that token with the OData endpoint.

Request:

curl --head -X GET https://SANDBOX.crm.dynamics.com/XRMServices/2011/OrganizationData.svc/AccountSet -H 'Authorization: Bearer ACCESSTOKEN' -H 'Accept: application/json' -H 'DataServiceVersion: 3.0'

Response:

HTTP/1.1 302 Found
Location: https://login.microsoftonline.com/login.srf?wa=wsignin1.0&wtrealm=https%3a%2f%2fdynamicscrmna.accesscontrol.windows.net%2f&wctx=pr%3dwsfederation%26rm%3dhttps%253a%252f%252fSANDBOX.crm.dynamics.com%252f%26ry%3dhttps%253a%252f%252fSANDBOX.crm.dynamics.com%252fXRMServices%252f2011%252fOrganizationData.svc%252fAccountSet&wct=2015-05-07T16%3a00%3a47Z&wreply=https%3a%2f%2fdynamicscrmna.accesscontrol.windows.net%2fv2%2fwsfederation&Popupui=1
WWW-Authenticate: Bearer error=invalid_token, error_description=Error during token validation!, redirect_uri=https%3a%2f%2flogin.windows.net%2fcommon%2fwsfed, realm=Microsoft.CRM

My token is apparently invalid, but what could this possibly mean? Can I be using the wrong tenant ID? Is OAuth access disabled or not configured for the OData endpoint? Is it a sandbox issue?

I don't have admin access on that instance and can't investigate much more than that.

  • When you requested the token, what `resource` did you specify? – Philippe Signoret May 07 '15 at 17:07
  • 1
    Also, note that you can use the tenant domain name directly instead of the Guid tenant ID. :) – Philippe Signoret May 07 '15 at 17:09
  • @PhilippeSignoret I specify the root url as the resource `https://SANDBOX.crm.dynamics.com`. Using the domain name directly didn't work and that is the reason behind using the GUID. `AADSTS90002: No service namespace named`. – jpmelanson May 07 '15 at 17:39
  • Can you include what your token request looks like? (Remove the sensitive stuff.) – Philippe Signoret May 07 '15 at 23:41
  • I just added the code part that is about acquiring the access token. – jpmelanson May 08 '15 at 15:08
  • I used the website http://jwt.calebb.net/ to decode the token and I can see the resource url is what I provided. I also see a https://sts.windows.net address. As the organization is using office 365, I wonder if it's not an integration issue between multiple cloud platforms? – jpmelanson May 08 '15 at 16:55
  • I edited the tags to this question to remove the [tag:microsoft] tag, which should not be used, as stated in the tag wiki (though its continued existence is problematic in itself); this is further to the Meta question asked here: http://meta.stackoverflow.com/q/293754/82548. – David Thomas May 09 '15 at 13:16
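The comments above inspect the token with a third-party website. As an added example (not part of the question or of adal4j), the following decodes the JWT payload locally and checks the claims that a resource server looks at before returning `invalid_token`: that `aud` matches the resource the API expects, that `iss` is the tenant's STS (assumed here to be `https://sts.windows.net/<tenant>/`), and that the token has not expired. The token is constructed inline with a dummy signature; the code inspects claims only and does not verify the signature.

```python
import base64
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed sample token: header.payload.signature; the signature is a dummy.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()),
    _b64url(json.dumps({
        "aud": "https://SANDBOX.crm.dynamics.com",
        "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
        "exp": 4102444800,  # constructed far-future expiry (2100-01-01)
        "appid": "CLIENT_ID",
    }).encode()),
    _b64url(b"dummy-signature"),
])


def decode_claims(token: str) -> dict:
    """Return the JWT payload claims WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, expected_resource: str, now: Optional[float] = None) -> list:
    """List reasons a resource server would likely reject the token (empty = consistent)."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    # 'aud' must name the resource the API validates against; ignore a trailing slash
    if claims.get("aud", "").rstrip("/") != expected_resource.rstrip("/"):
        problems.append(f"aud mismatch: {claims.get('aud')!r} vs {expected_resource!r}")
    # assumed issuer form for Azure AD tokens: https://sts.windows.net/<tenant-guid>/
    if not claims.get("iss", "").startswith("https://sts.windows.net/"):
        problems.append(f"unexpected issuer: {claims.get('iss')!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems
```

Run `check_token(<your token>, "https://SANDBOX.crm.dynamics.com")` on a real token to see which claim, if any, disagrees with what the OData endpoint expects; an empty list means the rejection is not explained by these three claims.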

0 Answers