
I am working on a solution that needs to retrieve email from a mailbox in a tenant using the MS Graph API.
The solution needs to run in the background, with no user input (e.g. no calling the login page for email in a browser).
I have registered an Azure application, and have admin consent for the MS Graph API:
(Api permissions screenshot)

My VB code is as follows (client_id, client_secret, tenant has been removed as confidential):

Dim http As New Chilkat.Http
Dim req As New Chilkat.HttpRequest

' Declared but not used below; the raw response body is printed instead.
Dim json As New Chilkat.JsonObject

' Use the application ID for the client_id.
' (In Azure App Registrations, use the Application (client) ID)
' Values removed as confidential.
req.AddParam("client_id", "")
req.AddParam("client_secret", "")
' Note: tenant is not a token-endpoint body parameter; it belongs in the URL below.
req.AddParam("tenant", "")

' /.default asks for every permission the app has already been consented for.
req.AddParam("scope", "https://graph.microsoft.com/.default")
' username/password belong to the ROPC grant, not client_credentials.
'req.AddParam("username", "")
'req.AddParam("password", "")
req.AddParam("grant_type", "client_credentials")


Dim resp As Chilkat.HttpResponse
' Replace {tenant} with your tenant ID, such as 112d7ed6-71bf-4eba-a866-738364321bfc.

resp = http.PostUrlEncoded("https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token", req)


' PostUrlEncoded returns Nothing and sets LastMethodSuccess = False on a transport error.
If (http.LastMethodSuccess <> True) Then
    Debug.WriteLine(http.LastErrorText)
    Exit Sub
End If


Dim statusCode As Integer = resp.StatusCode
Debug.WriteLine("response status code: " & statusCode)
Debug.WriteLine("response body:")
Debug.WriteLine(resp.BodyStr)

I can see the above connecting to the Azure app. However, no permission (scope) is returned in the access token.
When I connect to MS Graph via a browser, the token has all the required scopes.
Can you please help/advise why I am unable to retrieve a token with permissions from the MS Graph API in VB?


Answers


  1. Please note that you cannot get the scp claim in the token, as no
    user is involved in generating a token with the client_credentials
    grant type.

    I assigned the same API permissions to my application like below:


    When I decoded the access token(generated using client credentials grant type), scp claim is not present in the token like below:


    You have to use authorization code flow grant type to get
    scp claim in the decoded token, where user interaction is involved.

    When I decoded the access token generated using authorization code flow, got scp claim successfully in the token like below:


    To know more about authorization code flow, please refer below link:

    Microsoft identity platform and OAuth 2.0 authorization code flow – Microsoft Entra | Microsoft Docs

  2. You are using a client_credentials flow, which is an app-only context authentication.

    The scp claim is only for user based authentication.

    If you want to use the client_credentials flow, you will need to grant Application permissions on your app registration, instead of Delegated.

    These application permissions will then be present inside a roles claim. You can check the description of these claims here:

    https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens

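Added example (Python, not code from the question or from either answer): it builds the same v2.0 client_credentials request the VB snippet sends, then decodes the payload of the returned access token locally to tell an app-only token (Application permissions in the roles claim) from a delegated one (Delegated permissions in the scp claim), and checks whether a specific permission such as Mail.Read is actually present before calling Graph. The sample tokens are constructed, unsigned JWTs with made-up claim values; the function names are the example's own, not a Microsoft or Chilkat API.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_client_credentials_request(tenant: str, client_id: str, client_secret: str) -> tuple[str, str]:
    """Return (url, form-encoded body) for the v2.0 client_credentials grant.

    The tenant is part of the URL, not a body parameter. The only scope this
    grant accepts is <resource>/.default, which yields whatever Application
    permissions have been admin-consented for the app.
    """
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    })
    return TOKEN_URL.format(tenant=tenant), body


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT WITHOUT verifying the signature.

    Acceptable for inspecting a token you just obtained from the token endpoint
    (Graph validates it server-side). A resource server authorizing requests
    must verify signature, issuer, audience and expiry instead.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str) -> tuple[str, list[str]]:
    """Return ("delegated", scopes) or ("app-only", roles).

    Tokens from client_credentials never carry scp; their Application
    permissions are in 'roles'. Tokens obtained with a signed-in user
    carry Delegated permissions as a space-separated string in 'scp'.
    """
    claims = jwt_claims(token)
    if "scp" in claims:
        return "delegated", claims["scp"].split()
    # 'roles' is absent when only Delegated permissions were granted to the
    # app registration, which is the symptom described in the question.
    return "app-only", list(claims.get("roles", []))


def can_call_graph(token: str, permission: str) -> bool:
    """True if the token carries `permission` as an app role or a delegated scope."""
    _, granted = classify_token(token)
    return permission in granted


def _fake_jwt(payload: dict) -> str:
    # Constructed sample token: the signature segment is a placeholder.
    def seg(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = seg(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{seg(json.dumps(payload).encode())}.signature"


# Constructed sample tokens (made-up ids), one per situation discussed above.
AUD = "https://graph.microsoft.com"
APP_ONLY_NO_ROLES = _fake_jwt({"aud": AUD, "appid": "00000000-0000-0000-0000-000000000001"})
APP_ONLY = _fake_jwt({"aud": AUD, "appid": "00000000-0000-0000-0000-000000000001",
                      "roles": ["Mail.Read"]})
DELEGATED = _fake_jwt({"aud": AUD, "appid": "00000000-0000-0000-0000-000000000001",
                       "scp": "Mail.Read User.Read", "upn": "user@contoso.example"})

if __name__ == "__main__":
    url, body = build_client_credentials_request("contoso.onmicrosoft.com", "<client_id>", "<secret>")
    print(url, body)
    for name, tok in [("no roles", APP_ONLY_NO_ROLES), ("app-only", APP_ONLY), ("delegated", DELEGATED)]:
        print(name, classify_token(tok), "Mail.Read ok:", can_call_graph(tok, "Mail.Read"))
```

The first sample token reproduces the poster's situation: the request succeeds, but with only Delegated permissions consented the app-only token has neither scp nor roles, so `can_call_graph(..., "Mail.Read")` is False and Graph will return 403 on the mailbox call. Once Mail.Read is granted as an Application permission and admin-consented, the roles claim appears and the check passes; a background service should make exactly this check on its token rather than inferring success from a 200 from the token endpoint.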