
I am using ADAL4j to attempt to authenticate to our on-prem SharePoint instance (which itself uses AAD to authenticate as an enterprise app), in order to authenticate users coming in through the standard flow.

I have set up my consumer AAD app to require the permission to "access {on-prem SharePoint enterprise app}". I am then making a request to a URL that looks like:

https://login.microsoftonline.com/{tenant}/oauth2/authorize?
                      response_type=code&scope=user_impersonation&
                      response_mode=form_post&
                      redirect_uri={uri that is registered in my app}&
                      client_id={my app id}&
                      resource={onprem sharepoint enterprise app id}&
                      state={GUID}&nonce={GUID}

The response I receive is 401 UNAUTHORIZED:

{
  "error": "invalid_client",
  "error_description": "Invalid audience Uri '{onprem sharepoint enterprise app id}'."
}  

Any ideas on what could be going wrong here? My searches have not been very fruitful and logically it seems like it should work. Is there some setting on the enterprise app side of things to allow certain clients to access the resource?

Thanks for the help!

Anthony

1 Answer


You should replace `resource={onprem sharepoint enterprise app id}` with the App ID URI of the on-prem SharePoint enterprise app (the secured resource). For the details, you could refer to the OAuth 2.0 grant flow.

SunnySun
  • Still seems like the same result: `{"error":"invalid_client","error_description":"Invalid audience Uri 'urn:sharepoint:{hostname of onprem sharepoint}'."}` Will take a better look at the page linked to see if I can find any holes. – Anthony Sep 12 '18 at 02:12
  • For the new error, you should check the hostname of your on-prem SharePoint to make sure it is the correct name. – SunnySun Sep 12 '18 at 02:29
  • I have confirmed that the URN matches the hostname of the on-prem SharePoint. – Anthony Sep 12 '18 at 02:46
  • @Anthony, could you replace the resource value with `https://graph.windows.net` and then try again? – SunnySun Sep 19 '18 at 09:13
  • Thanks for the suggestion, Sunny. After doing that, I am getting the following errors:
    2018-09-19 11:04:47 DEBUG wire:86 - http-outgoing-1 << "{"error_description":"Invalid JWT token. Could not resolve issuer token."}"
    2018-09-19 11:04:47 DEBUG headers:124 - http-outgoing-1 << HTTP/1.1 401 Unauthorized
    2018-09-19 11:04:47 DEBUG headers:127 - http-outgoing-1 << Server: Microsoft-IIS/10.0
    2018-09-19 11:04:47 DEBUG headers:127 - http-outgoing-1 << x-ms-diagnostics: 3000006;reason="Token contains invalid signature.";category="invalid_client"
    – Anthony Sep 19 '18 at 18:26
  • I found a [blog](http://aurramu.blogspot.com/2015/04/an-unhandled-exception-occurred-during.html); maybe you can refer to it and give it a try. Hope it can help you. – SunnySun Sep 20 '18 at 02:15
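The flow the answer describes, written out as an added example (it is not code from the question, the answer, or the ADAL4j project): the v1 authorize URL carries the SharePoint enterprise app's App ID URI in `resource`, the code is redeemed with ADAL4j's `acquireTokenByAuthorizationCode` using that same value, and the returned token's `aud` claim is checked against it before the token is sent to SharePoint. The tenant, client id, secret, redirect URI and the `urn:sharepoint:...` App ID URI are placeholder values assumed for the example; the `aud` check reads the claim with the Nimbus JWT parser that ADAL4j pulls in, without verifying the signature, which remains the resource server's job.

```java
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.aad.adal4j.ClientCredential;
import com.nimbusds.jwt.JWTParser;

import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLEncoder;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class SharePointAadAuth {
    // Placeholder / assumed values, not taken from the question.
    static final String TENANT = "contoso.onmicrosoft.com";
    static final String AUTHORITY = "https://login.microsoftonline.com/" + TENANT + "/";
    static final String CLIENT_ID = "00000000-0000-0000-0000-000000000000";
    static final String CLIENT_SECRET = System.getenv("AAD_CLIENT_SECRET");
    static final String REDIRECT_URI = "https://myapp.example.com/signin-oidc";
    // App ID URI (Identifier URI) of the SharePoint enterprise app. This is what
    // goes in 'resource' and what comes back in the token's 'aud' claim; it is
    // NOT the app's Application (client) ID or Object ID. Assumed value.
    static final String SHAREPOINT_RESOURCE = "urn:sharepoint:sharepoint.contoso.local";

    private static final SecureRandom RNG = new SecureRandom();

    /** Unguessable state/nonce; store them in the server-side session and compare on return. */
    static String randomToken() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    static String enc(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }

    /** Step 1: the v1 /oauth2/authorize URL the browser is redirected to. */
    static String buildAuthorizeUrl(String state, String nonce) {
        return AUTHORITY + "oauth2/authorize"
                + "?response_type=code"
                + "&response_mode=form_post"
                + "&client_id=" + enc(CLIENT_ID)
                + "&redirect_uri=" + enc(REDIRECT_URI)
                + "&resource=" + enc(SHAREPOINT_RESOURCE)   // App ID URI, not an app/object id
                + "&state=" + enc(state)
                + "&nonce=" + enc(nonce);
    }

    /** Step 2: redeem the code POSTed to redirect_uri for a token scoped to SharePoint. */
    static AuthenticationResult redeemCode(String code) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            AuthenticationContext ctx = new AuthenticationContext(AUTHORITY, true, pool);
            return ctx.acquireTokenByAuthorizationCode(
                    code,
                    SHAREPOINT_RESOURCE,                         // must match step 1
                    new ClientCredential(CLIENT_ID, CLIENT_SECRET),
                    new URI(REDIRECT_URI),
                    null).get();
        } finally {
            pool.shutdown();
        }
    }

    /**
     * Step 3: before forwarding the token to SharePoint, confirm its 'aud' is the
     * App ID URI requested. This only reads the claim (no signature check); the
     * resource server still validates the signature. A token minted for another
     * resource (e.g. https://graph.windows.net) is rejected here, with a clear
     * reason, instead of producing an opaque 401 from SharePoint.
     */
    static boolean audienceMatches(String accessToken, String expectedResource) throws Exception {
        List<String> aud = JWTParser.parse(accessToken).getJWTClaimsSet().getAudience();
        return aud != null && aud.contains(expectedResource);
    }

    public static void main(String[] args) throws Exception {
        String state = randomToken();
        String nonce = randomToken();
        System.out.println("Redirect user to: " + buildAuthorizeUrl(state, nonce));
        // On the form_post callback, after checking 'state' against the session:
        // AuthenticationResult r = redeemCode(postedCode);
        // if (!audienceMatches(r.getAccessToken(), SHAREPOINT_RESOURCE)) { /* reject */ }
    }
}
```

The value in `resource` and the value passed to `acquireTokenByAuthorizationCode` must be the same App ID URI; if they differ, or if the URI does not exactly match one of the enterprise app's configured Identifier URIs, AAD returns the "Invalid audience Uri" error seen in the question rather than issuing a token.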