1

I'm trying to get a specific user OAuth2 bearer token using an HTTP POST request, and nothing seems to work.

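import requests

import config  # the asker's own settings module (tenant_id, client_id, ...)

login_url = 'https://login.microsoftonline.com/'
authorize_endpoint = '{0}{1}{2}'.format(login_url, config.tenant_id, '/oauth2/authorize')

def get_token():
    # client_credentials grant: no user is involved in this request
    bodyvals = {'client_id': config.client_id,
                'client_secret': config.client_secret,
                'grant_type': 'client_credentials',
                'resource': config.resource_endpoint}

    return requests.post(authorize_endpoint, data=bodyvals)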

The above code works, but generates a token on behalf of the application.
I can't seem to find a way to pass in the user's credentials, and no documentation on this whatsoever.

Generally I don't care if the answer is in Python or PowerShell or just a general explanation, I just don't seem to understand how to properly do that with AAD.

4c74356b41

2 Answers

1

You can do it manually, see my other answer here: https://stackoverflow.com/a/40844983/1658906.

You must use grant_type=password and call the oauth2/token endpoint. Here is the C# version for authenticating:

private async Task<string> GetAccessToken()
{
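    // The password grant is sent to the token endpoint.
    string tokenEndpointUri = Authority + "oauth2/token";

    // Form-encoded body: the user's credentials plus the app's client credentials.
    var content = new FormUrlEncodedContent(new []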
        {
            new KeyValuePair<string, string>("grant_type", "password"),
            new KeyValuePair<string, string>("username", Username),
            new KeyValuePair<string, string>("password", Password),
            new KeyValuePair<string, string>("client_id", ClientId),
            new KeyValuePair<string, string>("client_secret", ClientSecret),
            new KeyValuePair<string, string>("resource", PowerBiResourceUri)
        }
    );

    using (var client = new HttpClient())
    {
        HttpResponseMessage res = await client.PostAsync(tokenEndpointUri, content);

        // The response body is a JSON document.
        string json = await res.Content.ReadAsStringAsync();

        AzureAdTokenResponse tokenRes = JsonConvert.DeserializeObject<AzureAdTokenResponse>(json);

        // The bearer token to send in the Authorization header.
        return tokenRes.AccessToken;
    }
}

In the request you must specify:

  1. Username
  2. Password
  3. Client ID
  4. Client secret
  5. The resource URI
juunas
  • resource = graph.windows.net? – 4c74356b41 Dec 15 '16 at 08:11
  • hm, it appears to be more complicated than that, do you know how to get a response code? similar to what you get when you go to the similar URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=b4675331-58f1-4f5b-9867-e3ea0e76a4d4&redirect_uri=https%3A%2F%2Flocalhost%3A5555%2Flogin%2Fazure%2Fauthorized&scope=user.read&state=3OCHfg9MJagie0YIoXUsanC6ASJKbk – 4c74356b41 Dec 15 '16 at 09:04
  • The authorization code is not used in this flow. You get the access token directly. – juunas Dec 15 '16 at 09:05
  • yeah, that I've figured out, but how to mimic this flow with the code? well, without emulating the browser – 4c74356b41 Dec 15 '16 at 09:06
  • Why do you need to do that? Isn't it a lot harder with the same end result? :) – juunas Dec 15 '16 at 09:09
  • well, I have an app that does that, and for functional tests I need to auth against that app, and it's using a custom package, so passing in a token just won't do, well, at least not without modifying the package, which might be the way to go, if I can't seem to figure this out – 4c74356b41 Dec 15 '16 at 09:22
  • In that case might be easier to use e.g. Selenium to automate a browser. I think this flow cannot give you the code. – juunas Dec 15 '16 at 09:25
  • do you have maybe some links that might confirm this idea that this cannot be achieved with code? – 4c74356b41 Dec 15 '16 at 09:38
  • I don't understand your situation, just reacting to "like a browser in a programmatic way", I got good results with CasperJS. – Laurent Mazuel Dec 16 '16 at 01:00
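
A Python version of the request described in the answer above, added here as an example (not code from either poster): it builds the `grant_type=password` POST for `oauth2/token` and turns an OAuth2 error document into an exception. The function names, sample tenant, credentials and sample responses are constructed; the `resource` value is the Graph API one quoted elsewhere on this page.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

LOGIN_URL = "https://login.microsoftonline.com/"
# Constructed sample responses, so the parser can be exercised offline.
SAMPLE_OK = '{"token_type": "Bearer", "access_token": "constructed-token"}'
SAMPLE_ERROR = '{"error": "invalid_grant", "error_description": "constructed"}'


def build_password_grant_request(tenant_id, client_id, client_secret,
                                 username, password, resource):
    """Build (without sending) the password-grant POST for oauth2/token."""
    token_endpoint = "{0}{1}/oauth2/token".format(LOGIN_URL, tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }).encode("ascii")
    # Credentials go in the form body only, never in the URL query string.
    return urllib.request.Request(
        token_endpoint, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw_json):
    """Return the access token, or raise with the OAuth2 error fields."""
    doc = json.loads(raw_json)
    if "error" in doc:
        raise PermissionError("{0}: {1}".format(
            doc["error"], doc.get("error_description", "")))
    if doc.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return doc["access_token"]


def get_user_token(**params):
    """Send the request; OAuth2 errors arrive as HTTP 4xx with a JSON body."""
    req = build_password_grant_request(**params)
    try:
        with urllib.request.urlopen(req, timeout=10) as res:
            return parse_token_response(res.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return parse_token_response(err.read().decode("utf-8"))
```

Accounts that require an interactive step such as multi-factor authentication cannot complete this grant; the endpoint then answers with an `error` document, which `parse_token_response` raises as `PermissionError`.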
0

For GraphAPI, resource is "https://graph.windows.net/"

If you don't want to use ADAL, you might however take a look at the code for usage of "resource". This scenario is covered, so consider ADAL as a big sample :)

Also, msrestazure has a UserPassCredentials instance that works too on GraphAPI.

Laurent Mazuel