
I have the following auth code, copied from the browser, for a user who granted our app access to their Office 365 email.

code=OAQABAAIAAADRNYRQ3dhRSrm-4K-adpCJ3J3UJ8GyC2qJDvNhlrUAObjph6sQ3A9waeQ5Tr-DA6WzxCdFbvadCRJw2S4a_lwA7MyelZWAPQZOlaB_X_1165CbmTXJMGioU6Cr0DhVTUzIlUv_-Svjp8DBrLVCxcDp5rJMM5mDNR0iGysuDIozWnOaPqCOl35NxPzyktrYK6D1MBptmXOPbhS-stTZXbHJr9gGE3FHzMU0XANXmTm30q4SPaoWPch-S1uFFL4xwS2oUv-lELBdcfIGh5UJBSraabGihVWUnbwBhh8eURSMRwryi7kubUcq0D27S-vIVZhtKopemQ1njAcExO58S7EgAyqbIzMxvmBXBe0X1ieVrcyHYRpt4ZAq1Z4v5HLTrYhx5fGp6AkqhV09yri3bqXaZvw5R1hKuhAbRDt_isZn_L8ZEhfwnqICGUwpDU27c6Qd1txuiOVY90a4BiAUh1M1u5gjDx8nIE88R7S915w7mUjJtCzZuTKQavve8q8UOtm9udUvBOX1f-bYslpgiIRbdSYBYlP9UrbreLS1W6OFk2NX-uqp9mabyImvvj1RUm166qV6uc9hsuhzrfErDURC17JotuQBSWYauAvb38p5B-cDbsCZafpyORlbrWsYyQcdWwUPL0aOZEQXFW-v3gDw7Xri_9hvsiHrj10NTaaozqm1QpZmMf-SHJ0yF9wBWKYgAA

The application works without a problem when we use Microsoft Graph REST API v1, but the following problem happens when using version 2. It is registered with delegated permissions that grant us Read and Write/Send permissions, which work fine with v1 of the application.

For v2: authority = https://login.microsoftonline.com/common/oauth2/v2.0/token and to retrieve the auth code I use the following URL

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=30..7&response_type=code&scope=mail.read&redirect_uri=https://myurl:8443/controller/saveToken

Code block causing the issue:

    import java.net.MalformedURLException;
    import java.net.URI;
    import java.net.URISyntaxException;
    import java.util.concurrent.ExecutorService;
    import java.util.concurrent.Executors;
    import java.util.concurrent.Future;
    import com.microsoft.aad.adal4j.AuthenticationContext;
    import com.microsoft.aad.adal4j.AuthenticationResult;
    import com.microsoft.aad.adal4j.ClientCredential;

    @Override
    public AuthenticationResult getToken(String authCode) {

        ExecutorService service = Executors.newFixedThreadPool(1);
        OfficeCredentials credentials = getCredentials();

        try {
            // credentials.getAuthority() holds the v2.0 token URL given above
            AuthenticationContext context = new AuthenticationContext(credentials.getAuthority(), true, service);
            final Future<AuthenticationResult> resultFuture = context.acquireTokenByAuthorizationCode(
                    authCode, new URI(credentials.getRedirectUri()),
                    new ClientCredential(credentials.getClientId(), credentials.getClientSecret()),
                    credentials.getResourceUrl(), null);

            return resultFuture.get(); // throws ExecutionException wrapping AuthenticationException

        } catch (URISyntaxException e) {
            logger.error(e.getMessage());
        } catch (MalformedURLException e) {
            logger.error(e.getMessage());
        } catch (Exception e) {
            logger.error(e.getMessage());
        } finally {
            service.shutdown(); // do not leak the worker thread on every call
        }

        return null;
    }

Exception thrown when resultFuture.get() is called:

java.util.concurrent.ExecutionException: com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS70000: Transmission data parser failure: Authorization Code is malformed or invalid.\r\nTrace ID: c37b4aba-c5fb-44f3-815c-dd798072095d\r\nCorrelation ID: e190ccd2-f98a-440c-8e79-69cfcead3c04\r\nTimestamp: 2017-02-06 17:53:30Z","error":"invalid_grant"}

I don't know what I am doing wrong as I am trying to migrate to v2. The redirect_uri is the same as defined in Azure and it is HTTPS. I already made my local environment accept HTTPS by following this. FYI: I am using the adal4j Java library.

WowBow
  • Did you register a new V2 application for use on the V2 endpoint? To my knowledge, you cannot use the same app on the V1 and V2 endpoint. – Shawn Tabrizi Feb 06 '17 at 21:35
  • @ShawnTabrizi I created a new app for that purpose, but where do you tell the app whether you are working with v2 or not? – WowBow Feb 06 '17 at 21:36
  • You can only register V2 applications using the App Registration Portal as noted [here](https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-flows). You will see them under the application section called "Converged Applications" versus "Live SDK Applications", which are MSA specific apps, or "Azure AD only applications" which are V1 apps. – Shawn Tabrizi Feb 06 '17 at 21:41
  • Yes, that's what I did. – WowBow Feb 06 '17 at 21:54
  • I repeated the same procedure with a new app. No luck at all. It's just frustrating. – WowBow Feb 06 '17 at 22:32

1 Answer

At present, the adal4j library doesn't support the Azure AD v2.0 endpoint (refer here). Even if we set the authority to the v2.0 endpoint, it still uses the old one.

As a workaround, you may compose the HTTP request directly. Here is the sample request for your reference (refer here):

POST: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token

client_id={clientId}&client_secret={clientSecret}&scope={scope}&code={authorizationCode}&grant_type=authorization_code&redirect_uri={redirectUri}

And if you want the adal4j library to support the Azure AD v2.0 endpoint, you can submit feedback here.

Fei Xue
  • This works great but only brings back an access token and no refresh token. Where do I get that info? – WowBow Feb 07 '17 at 20:57
  • @WowBow you need the offline_access scope to get a refresh token back. – Daniel Dobalian Feb 07 '17 at 22:36
  • Another problem now: I used the following command to get emails for a user who subscribed for v2: "curl -i https://graph.microsoft.com/v2.0/me/messages -H 'Content-Type: application/x-www-form-urlencoded' -H 'Authorization: Bearer token..." Now this replies back with invalid version. All the examples on the Microsoft site use https://outlook.office.com/v2.0/me/messages, so I gave this one a try and I received a message saying we can't display this content. I am a bit lost on what to do about this. – WowBow Feb 08 '17 at 00:43
  • The URL contains https even if SO removed it from the comment. – WowBow Feb 08 '17 at 00:44
  • More details on the user: the user has an Azure AD account on office.com, so it's a company email address. I used the same email to register the app as well. So this user is not an Outlook user but the same user which exists in the same AD. – WowBow Feb 08 '17 at 00:46
  • Second issue: for another email which is outside the same AD, I received the following auth code "M318eb27d-ef61-dea3-47a2-58e00dd5ab8b", which is somehow shorter than what I used to see... and I couldn't get an access token for this person (returns Bad Request). I could ask in a new thread, but I just get frustrated asking questions for every single issue as there is no reference I could look into. – WowBow Feb 08 '17 at 00:55
  • @Fei Xue, Any thoughts on this ? – WowBow Feb 08 '17 at 18:56
  • There is only one release version (**v1.0**) and a beta version for the Microsoft Graph. For the issue of not being able to get the access token, is there any detailed error message? In addition, for the new issue, I still suggest opening a new thread so that others in the community who have the same issue can recognize it and share their experience quickly. – Fei Xue Feb 09 '17 at 06:32
  • @WowBow we offer dozens of code samples for help with Azure AD that may serve as a good reference. Try https://github.com/azure-samples and search for `active-directory-` and you'll get a bunch. Alternatively, to see the entire set of docs, go to aka.ms/aaddev. – Daniel Dobalian Feb 09 '17 at 19:12
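The direct token request from the answer, together with the offline_access scope from the comments, carried through in Java 11+ as an added example (not code from the question, the answer, or adal4j). It assumes the `common` tenant from the question's authorize URL and uses placeholder strings for the client id, secret and authorization code. Every form value is percent-encoded with `URLEncoder`, which is one way to avoid an "Authorization Code is malformed or invalid" rejection caused by a code pasted raw into a query string; the scope includes offline_access so the response carries a refresh_token, and it must also have been present in the authorize request. Client secrets belong in configuration or a secret store, never in source:

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Redeems an Azure AD v2.0 authorization code by POSTing to the token endpoint directly. */
public class V2TokenClient {

    // "common" matches the authorize URL in the question; a tenant id works as well.
    private static final String TOKEN_ENDPOINT =
            "https://login.microsoftonline.com/common/oauth2/v2.0/token";

    /** Builds the application/x-www-form-urlencoded body shown in the answer, one key=value pair per parameter. */
    public static String buildTokenRequestBody(String clientId, String clientSecret,
                                               String scope, String code, String redirectUri) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("client_id", clientId);
        params.put("client_secret", clientSecret);
        params.put("scope", scope);
        params.put("code", code);
        params.put("grant_type", "authorization_code");
        params.put("redirect_uri", redirectUri);

        StringBuilder body = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (body.length() > 0) body.append('&');
            // percent-encode both sides so '+', '/', '=' or spaces in a value cannot corrupt the form
            body.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
                .append('=')
                .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return body.toString();
    }

    /** Sends the request; non-2xx responses carry the AADSTS error JSON, which is surfaced in the exception. */
    public static String redeemAuthorizationCode(String clientId, String clientSecret,
                                                 String scope, String code, String redirectUri)
            throws IOException, InterruptedException {
        String body = buildTokenRequestBody(clientId, clientSecret, scope, code, redirectUri);
        HttpRequest request = HttpRequest.newBuilder(URI.create(TOKEN_ENDPOINT))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        HttpResponse<String> response = HttpClient.newHttpClient()
                .send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() / 100 != 2) {
            throw new IOException("token endpoint returned HTTP " + response.statusCode()
                    + ": " + response.body());
        }
        return response.body();
    }

    /** Minimal extraction of a top-level string field; use a real JSON parser in production code. */
    public static String extractField(String json, String field) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(field) + "\"\\s*:\\s*\"([^\"]*)\"")
                .matcher(json);
        return m.find() ? m.group(1) : null;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders (constructed for this example): substitute your registration values
        // and the code received on the redirect_uri.
        String clientId = "YOUR_CLIENT_ID";
        String clientSecret = System.getenv("AAD_CLIENT_SECRET"); // keep the secret out of source
        String redirectUri = "https://myurl:8443/controller/saveToken";
        String code = "AUTH_CODE_FROM_REDIRECT";
        // offline_access is what makes the v2.0 endpoint return a refresh_token.
        String scope = "mail.read offline_access";

        String json = redeemAuthorizationCode(clientId, clientSecret, scope, code, redirectUri);
        // Print only presence, not the token values, so they do not end up in logs.
        System.out.println("access_token present:  " + (extractField(json, "access_token") != null));
        System.out.println("refresh_token present: " + (extractField(json, "refresh_token") != null));
    }
}
```

`buildTokenRequestBody` is kept separate from the HTTP call so the exact body can be inspected or unit-tested before anything is sent; the non-2xx branch keeps the AADSTS error text, which is where the endpoint reports a bad code, a mismatched redirect_uri or an unconsented scope.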