
I have some troubles trying to call an Azure Function (code) with Postman.

I have already set up the Authentication / Authorization and settings.

It's working with my browser (with login page).

But when I try to use Postman, I'm getting a 401:

"You do not have permission to view this directory or page."

I also tried to use the Postman built-in (see configuration) OAuth2 to log in. I can successfully get the tokens (access and refresh). But it seems that my API requests to the function are not working...

Here is the final API Call: postman screenshot

The aad tenant_id starts with 8d6, the application client_id starts with 226, and the app secret ends with Av2.

Is there anything wrong...? It actually looks like Azure Functions handle only cookies for authentication, which is why it's working with the browser and not Postman. How can I make it work with the Authorization / Bearer header?

Thanks for your help!

monsty
  • Please refer to https://stackoverflow.com/questions/53499971/azure-function-authentication-using-azure-active-directory –  Aug 14 '19 at 14:57
  • Already tried ... Still not working – monsty Aug 14 '19 at 16:15
  • Did you try using the x-zumo-auth header? – Turbo Aug 14 '19 at 19:46
  • Look at the value of the access token through jwt.js and see whether the audience claim value equals the id of your function app as registered in AAD. I suspect that when you accessed the API through the browser, EasyAuth executed OIDC authentication to your Function and this returned an id_token with the id of the function as aud. However, in your Postman you are not specifying a resource or scope, so the token you get is for Graph API. – Marc Aug 14 '19 at 21:16

1 Answer


The way you got the access token is not correct. Just like @Marc said, in your Postman you are not specifying a resource or scope. The Postman "Get New Access Token" tool only has the scope parameter, so you should use the v2.0 endpoint to get the access token.

Auth URL:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize

Access Token URL:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

Scope:

{clientId}/.default


Tony Ju
  • Thanks guys, it works! You were right, the scope was missing... Is there a lot of difference between the default and the v2.0 endpoint? – monsty Aug 15 '19 at 06:38
  • @monsty See the difference here. https://learn.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison – Tony Ju Aug 15 '19 at 06:50
  • You sir/madam are brilliant. The client_id/.default scope is what did it for me. I couldn't just use the graph scope. – Devin Prejean Jun 04 '20 at 14:11
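As an added example (not code from the question or the answer): a small Python check that reads a token's claims the way Marc's comment suggests and reports whether the `aud` claim matches the Function app's AAD registration, which is what decides between the 401 and a successful Bearer call. The client id and both sample tokens below are constructed placeholders, and the tokens are unsigned.

```python
import base64
import json
import time

# Helpers for the symptom above: a Bearer token that EasyAuth rejects with 401
# usually carries the wrong "aud". Not from the original post; sample tokens
# and the client id are constructed placeholders.

def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT, read WITHOUT signature verification.
    Diagnostic only; EasyAuth validates the signature before trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def diagnose(token: str, client_id: str, now=None) -> str:
    """Say whether a token can satisfy an EasyAuth-protected Function whose
    AAD registration is `client_id`. Returns 'ok' or the first problem found."""
    claims = jwt_claims(token)
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    # v2.0 tokens for scope {clientId}/.default carry the bare client id as aud;
    # v1-style resource tokens may carry the App ID URI (api://<clientId>).
    if client_id not in auds and f"api://{client_id}" not in auds:
        return f"wrong audience {auds}: request scope {client_id}/.default"
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return "token expired: refresh it in Postman before calling the Function"
    return "ok"

def build_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample for exercising the parser; not a real token."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"

FUNCTION_APP_CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder
GRAPH_TOKEN = build_sample_token({"aud": "https://graph.microsoft.com", "exp": 4102444800})
DEFAULT_SCOPE_TOKEN = build_sample_token({"aud": FUNCTION_APP_CLIENT_ID, "exp": 4102444800})

if __name__ == "__main__":
    for name, tok in [("graph scope", GRAPH_TOKEN), (".default scope", DEFAULT_SCOPE_TOKEN)]:
        print(f"{name}: {diagnose(tok, FUNCTION_APP_CLIENT_ID)}")
```

Paste the real access token from Postman in place of the samples; a token whose `aud` is the Graph API will be reported as the wrong audience, which is the case the accepted answer fixes with the `{clientId}/.default` scope.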