13

I'm following this guide to authenticate with Microsoft Graph. I am able to successfully do the first request (for an authorization code) but am having issues with the second request (requesting an access token).

Params for the second request (for access token):

client_id: <my id>
client_secret: <my secret>
code: <authorization code returned from first request>
redirect_uri: http://localhost:8080/Callback
grant_type: authorization_code
scope: https://graph.microsoft.com/user.read

Error from second request:

{
  "error": "invalid_resource",
  "error_description": "AADSTS50001: Resource identifier is not provided.\r\nTrace ID: <my trace id>\r\nCorrelation ID: <my correlation id>\r\nTimestamp: 2017-05-03 15:25:42Z",
  "error_codes": [
    50001
  ],
  "timestamp": "2017-05-03 15:25:42Z",
  "trace_id": <my trace id>,
  "correlation_id": <my correlation id>
}

However, my request works fine (returns a bearer and refresh token) if I add this extra parameter:

resource: https://graph.microsoft.com/

I don't see this resource parameter mentioned anywhere in the docs except the example under Getting an access token on this page.

My questions are:

  1. Why am I getting the above error when my request seems to match the documentation?
  2. When do I need to include the resource parameter?

EDIT: See Marc's answer below and my comment response.

Turns out I was using the following URLs:

https://login.microsoftonline.com/common/oauth2/authorize https://login.microsoftonline.com/common/oauth2/token

when I should have been using:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize https://login.microsoftonline.com/common/oauth2/v2.0/token

After using the ones with v2.0, I didn't need to include my resource parameter in the token request anymore.

twbbas
  • 407
  • 3
  • 9
  • 19

2 Answers2

9

It looks like your providing the correct properties but not in the correct format. To get the token you need to issue a POST this data formatted for application/x-www-form-urlencoded to https://login.microsoftonline.com/common/oauth2/v2.0/token. From your example, it looks like your sending your data as JSON rather than x-www-form-urlencoded.

POST URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
POST HEADER: Content-Type: application/x-www-form-urlencoded
POST BODY: grant_type=authorization_code&code=[AUTHORIZATION CODE]&
           client_id=[APPLICATION ID]&client_secret=[PASSWORD]
           &scope=[SCOPE]&redirect_uri=[REDIRECT URI]

I wrote up a Microsoft v2 Endpoint Primer a few months back that might help walk you through the procedure.

Ohad Schneider
  • 36,600
  • 15
  • 168
  • 198
Marc LaFleur
  • 31,987
  • 4
  • 37
  • 63
  • Hi Marc, thanks for the response and great blog post. I formatted my parameters kind of weird in my question. I am sending it via POST to https://login.microsoftonline.com/common/oauth2/v2.0/token with content type: application/x-www-form-urlencoded and my params through the body. In case it matters, I've just been using Postman for now but will be eventually doing this through Java (but not on Android). So, I'm still doing everything as you said in your answer and in your blog post but still getting the same error. Do you have any other ideas? Or need me to provide other details? – twbbas May 04 '17 at 21:07
  • Understood. Can you add the full URIs your calling and the headers? – Marc LaFleur May 04 '17 at 22:17
  • 2
    Figured it out! After your suggestion, I looked closer at my URLs and it turns out I was using `https://login.microsoftonline.com/common/oauth2/authorize` and `https://login.microsoftonline.com/common/oauth2/token` (without the `v2.0`) and that was the issue. I'm not sure how I ended up with mismatched URLs but that was the issue. I just simply set both to `v2.0` and everything started working. I'll accept your answer since it is correct. I'll be sure and include the full URLs from the start. – twbbas May 05 '17 at 12:57
0

According to https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code,

The target resource is invalid because it does not exist, Azure AD cannot find it, or it is not correctly configured.

According to https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes,

...The same is true for any third-party resources that have integrated with Azure AD. Any of these resources also can define a set of permissions that can be used to divide the functionality of that resource into smaller chunks.

And then

By defining these types of permissions, the resource has fine-grained control over its data and how the data is exposed. A third-party app can request these permissions from an app user. The app user must approve the permissions before the app can act on the user's behalf. By chunking the resource's functionality into smaller permission sets, third-party apps can be built to request only the specific permissions that they need to perform their function. App users can know exactly how an app will use their data, and they can be more confident that the app is not behaving with malicious intent.

So, to answer 1) I think you just need to specify the user.read permission in the Azure AD page for your application. To answer 2) you wouldn't specify a resource for a third-party application.

piisexactly3
  • 779
  • 7
  • 16
  • This is for a Microsoft Graph app (not Azure AD) and I do have the user.read delegated permission set on the Microsoft Graph app page. – twbbas May 03 '17 at 18:49
  • You've linked to a Azure AD guide, which is the source of my confusion. You probably need to enable Azure AD permissions to get that example to work. – piisexactly3 May 03 '17 at 18:59