
I'm trying to do an Authorization request following the documentation about it on Microsoft (Getting access on behalf of a user: https://learn.microsoft.com/en-us/graph/auth-v2-user). I'm making the request using Azure's Logic Apps. I already made an app registration in Azure AD and gave it the following permissions (I used the app for a few different requests before so that's why it contains a lot of unnecessary api permissions). I already succeeded in getting access without a user (https://learn.microsoft.com/en-us/graph/auth-v2-service). Now I really don't know what I'm doing wrong, so if anybody has an idea of what it is, please let me know. I will try to explain as carefully as possible using screenshots so you guys get the idea of what I'm trying to do.

On the first screen below you can see the API permissions I added to my app registration. For this request I'm only asking authorization for the one with an arrow next to it (as you will see later on).

[screenshot: API permissions on the app registration]

On the second screen you can see the HTTP post request I'm trying to make to the authorize endpoint. I blurred out the Tenant and Client_id for privacy reasons. I only added the required parameters in the body as described by Microsoft. In the scope parameter you can see the api permission I'm asking permission for.

[screenshot: HTTP POST request to the authorize endpoint]

On the third screenshot you can see the output of the request. Instead of getting an Authorization code as requested, I get an HTML body.

[screenshot: output of the request, an HTML body]

When I paste that HTML body into a browser it gives me the following result:

[screenshot: the HTML body rendered in a browser]

I have no clue what I'm doing wrong. I triple-checked to make sure cookies are enabled, made sure third-party cookies are not disabled and added login.microsoftonline to my trusted websites.

I'm starting to think I'm doing something very simple wrong, but I can't figure out exactly what. Any help is welcome! :D

Felix Bing

1 Answer


Sorry, I can't add a comment, so I'm posting this as an answer.

What you are trying to implement is the Authorization Code grant flow of OAuth 2.0. In the Authorization Code grant flow the following steps occur:

  1. The user is presented with the scopes that an application requires when accessing certain resources.
  2. The user authorizes this, and the user is redirected to a redirect URL.
  3. The application then exchanges the code sent with the redirect URL to get the actual token, which in this case will be sent to Microsoft Graph for validation.
  4. The user then sees the information pulled.

The major crux of the Authorization Code grant flow is that "User Authorization is required". This basically means that this flow is used when the call is invoked from a browser client where the user is actually interacting. This flow should not go through Azure Logic Apps. If you want a service or a daemon to access the resources, in that case you should use the Client Credentials grant flow.

  • This is correct. You cannot use an interactive flow in a logic app. If I recall correctly, you can authorize a logic app to act on your behalf by choosing to use the AAD authentication for an HTTP request block. You can also use Managed Identity to call an API with no credentials in the app. Assigning permissions to the managed identity ranges from easy to PowerShell though. – juunas Mar 10 '20 at 06:32
  • If I understand correctly (and according to the OAuth 2.0 Authorization Framework, section 4.1 for the Authorization Code grant flow and section 4.4 for the Client Credentials grant flow: [link](https://tools.ietf.org/html/rfc6749)), I immediately have to do an Access Token request? But does this allow me to use Delegated permissions or not? Because I would like to try out Delegated permissions (and I thought this equals doing this: [link](https://docs.microsoft.com/en-us/graph/auth-v2-user)) instead of Application permissions (doing this: [link](https://docs.microsoft.com/en-us/graph/auth-v2-service)). – Felix Bing Mar 10 '20 at 08:26
  • For example, if I want to use this API: `https://graph.microsoft.com/v1.0/me/drive/root:/Test1/book.xlsx`, it somehow never works, while the user I am signed in with on Azure is the same user I am logged in with on OneDrive. At the same time, doing this: `https://graph.microsoft.com/v1.0/users/8951924ub-65851-559ce5-585fefef/drive/root:/Test1/book.xlsx`, where the Azure AD user-id behind `/users` is the user-id of the user I am signed in with, so the same as `/me`, works perfectly fine. Is this because `/me` requires Delegated Permissions? – Felix Bing Mar 10 '20 at 08:47
  • Can you please share the exact requirement here? Maybe we can share a more suitable answer – Mandar Dharmadhikari Mar 10 '20 at 11:27
  • I got the task to read rows from a table in the folder on the OneDrive of the current user (the signed-in user), and I'm not supposed to use a connector made by Microsoft, for example the OneDrive connector in this case. So what I would like is for this `https://graph.microsoft.com/v1.0/me/drive/root:/Test1/book.xlsx` HTTP GET request to firstly return me the metadata about the xlsx file. Sadly I don't know how I can get `/me` to be usable (from within the Logic App). – Felix Bing Mar 10 '20 at 11:40
  • Logic Apps is nothing but a workflow, an orchestration if you will. Logic Apps ideally are supposed to be run using managed identities or service accounts which have minimum permissions to do tasks. What you need is to get the context of the logged-in user. Hence a Logic App is not directly useful and you need to query using `/users/{idOrUserPrincipalName}/drive`. Is there a front end available in this scenario? – Mandar Dharmadhikari Mar 10 '20 at 12:00
  • Have you checked out [link](https://learn.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/?view=odsp-graph-online) MSDN doco? – Mandar Dharmadhikari Mar 10 '20 at 12:10