
When trying to call two different resources after being authorised through the redirect URL, the first call finishes and the second call fails to refresh its token with "HTTP 401 Unauthorized".
In the code below the call to the second service always fails (even when changing the order of the calls or calling the first service multiple times).

ApplicationTokenCredentials applicationTokenCredentials = new ApplicationTokenCredentials(clientId, domain, secret, AzureEnvironment.AZURE);
DelegatedTokenCredentials delegatedTokenCredentials = new DelegatedTokenCredentials(applicationTokenCredentials, redirectUrl, code);
Azure.Authenticated azureAuth = Azure.authenticate(delegatedTokenCredentials);

//First call - resource : https://management.core.windows.net/
azureAuth.subscriptions().list();

//Second call - resource : https://graph.windows.net/
azureAuth.servicePrincipals().list();

After some debugging I found that the following function in the Azure SDK fails (com.microsoft.azure.credentials.RefreshTokenClient):

AuthenticationResult refreshToken(String tenant, String clientId, String resource, String refreshToken, boolean isMultipleResourceRefreshToken) {
    try {
        // refresh_token grant against the tenant's token endpoint; the new access
        // token is issued for the single 'resource' passed here
        RefreshTokenResult result = service.refreshToken(tenant, clientId, "refresh_token", resource, refreshToken)
            .toBlocking().single();
        if (result == null) {
            return null;
        }
        return new AuthenticationResult(
            result.tokenType,
            result.accessToken,
            result.refreshToken,
            result.expiresIn,
            null,
            null,
            isMultipleResourceRefreshToken);
    } catch (Exception e) {
        // any failure from the token endpoint is swallowed here; the caller only sees null
        return null;
    }
}
iddqd
  • Have you granted the azure ad graph api permission to your AD App? – Joy Wang Sep 12 '19 at 06:19
  • Yes, also if I call the graph api first then it works fine and the request to management api fails. The second call always fails. – iddqd Sep 12 '19 at 07:39
  • Have you changed the resource to the correct one when you use the first refresh token to request the new access token and second refresh token? – Joy Wang Sep 12 '19 at 08:14
  • Not sure I follow. I run the code mentioned above - is there some step I am missing? – iddqd Sep 12 '19 at 09:13
  • The code looks fine, but I am not sure if you pass the correct `resource` in the refreshToken()? I mean if you use the refresh token to acquire the new access token with resource `https://management.core.windows.net/`, then the new access token will not be able to call the azure ad graph api `https://graph.windows.net/`. – Joy Wang Sep 12 '19 at 09:19
  • The refreshToken() code is part of the Azure SDK. https://github.com/Azure/autorest-clientruntime-for-java/blob/a55f87f3cc3a68742a2ac94c031c6d715965a9c2/azure-client-authentication/src/main/java/com/microsoft/azure/credentials/RefreshTokenClient.java – iddqd Sep 12 '19 at 09:31
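The point raised in the comments above is that an Azure AD v1 access token is bound to the single `resource` it was requested for (its `aud` claim), so a token obtained for `https://management.core.windows.net/` is rejected with 401 by `https://graph.windows.net/` no matter how it was cached. The following Python is an added illustration of that mechanism, not code from the question or from the Azure SDK: it uses constructed, unsigned JWT-shaped tokens and a simulated token endpoint (`SimulatedTokenEndpoint`, `simulate_resource_server` and `PerResourceTokenCache` are all names invented here) to contrast a single-slot token cache with one keyed per resource that also checks the audience before handing a token out.

```python
import base64
import json
import time
from typing import Dict, List, Optional, Tuple

# The two resources from the question (Azure AD v1 resource URIs)
MANAGEMENT = "https://management.core.windows.net/"
GRAPH = "https://graph.windows.net/"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_constructed_token(aud: str, lifetime: int = 3600, now: Optional[int] = None) -> str:
    """Build a CONSTRUCTED, unsigned JWT-shaped token for demonstration only.
    Real Azure AD tokens are RS256-signed; this stand-in carries the same
    'aud' / 'exp' claims so the audience check can be shown offline."""
    now = int(time.time()) if now is None else now
    header = {"alg": "none", "typ": "JWT"}
    claims = {"aud": aud, "iat": now, "exp": now + lifetime, "tid": "constructed-tenant-id"}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}."


def claims_of(token: str) -> dict:
    """Decode the payload segment without verifying the signature. This is only
    for inspecting which audience a cached token was issued for; the resource
    server, not the client, is what validates the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT-shaped token")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(token: str, resource: str) -> bool:
    """v1 tokens carry the requested resource URI verbatim in 'aud'."""
    return claims_of(token).get("aud") == resource


class SimulatedTokenEndpoint:
    """Stand-in for the refresh_token grant: the new access token is bound to
    whatever 'resource' was requested, and a rotated refresh token comes back."""

    def __init__(self) -> None:
        self.calls: List[str] = []  # resources requested, for the reader to inspect

    def refresh(self, refresh_token: str, resource: str) -> Tuple[str, str]:
        self.calls.append(resource)
        return make_constructed_token(resource), refresh_token + "'"


def simulate_resource_server(resource: str, token: str) -> int:
    """Models the 401 from the question: a resource server rejects any token
    whose 'aud' is not itself, regardless of how the client obtained it."""
    return 200 if audience_matches(token, resource) else 401


class PerResourceTokenCache:
    """Keeps one access token per resource and re-checks 'aud' and 'exp' before
    reusing a cached token; a mismatch triggers a fresh refresh for that resource."""

    def __init__(self, endpoint: SimulatedTokenEndpoint, refresh_token: str) -> None:
        self._endpoint = endpoint
        self._refresh_token = refresh_token
        self._tokens: Dict[str, str] = {}

    def access_token_for(self, resource: str) -> str:
        cached = self._tokens.get(resource)
        if cached and audience_matches(cached, resource) and claims_of(cached)["exp"] > time.time():
            return cached
        token, self._refresh_token = self._endpoint.refresh(self._refresh_token, resource)
        if not audience_matches(token, resource):
            raise RuntimeError(f"token endpoint returned a token for the wrong audience: {claims_of(token).get('aud')}")
        self._tokens[resource] = token
        return token


def single_slot_sequence(endpoint: SimulatedTokenEndpoint, refresh_token: str) -> Tuple[int, int]:
    """One token reused for both calls: the second resource answers 401."""
    token, _ = endpoint.refresh(refresh_token, MANAGEMENT)
    return simulate_resource_server(MANAGEMENT, token), simulate_resource_server(GRAPH, token)


def per_resource_sequence(endpoint: SimulatedTokenEndpoint, refresh_token: str) -> Tuple[int, int]:
    """Each resource gets a token issued for its own audience: both calls succeed."""
    cache = PerResourceTokenCache(endpoint, refresh_token)
    return (simulate_resource_server(MANAGEMENT, cache.access_token_for(MANAGEMENT)),
            simulate_resource_server(GRAPH, cache.access_token_for(GRAPH)))


if __name__ == "__main__":
    print("single slot :", single_slot_sequence(SimulatedTokenEndpoint(), "constructed-refresh-token"))
    print("per resource:", per_resource_sequence(SimulatedTokenEndpoint(), "constructed-refresh-token"))
```

The audience check in `access_token_for` is the part worth keeping in real client code: logging the `aud` of the token that produced a 401 tells you immediately whether the failure is an audience mismatch (the situation the comments describe) or something else, such as an expired or revoked refresh token.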

1 Answer


The 1.6.13 release for the azure-client-authentication fixes the issue by removing the RefreshTokenClient and replacing it with the refresh token utility in the adal4j library: https://github.com/Azure/autorest-clientruntime-for-java/releases/tag/v1.6.13. You can try updating to this version.

ljhljh235