I wanted to generate Azure token from Postman for API authorization in my project. I am able to generate token using below API request but getting the below error message while using the generated token in another API request.
"Authorization denied for this request"
I have referred the below URL:
Azure access token generation from Postman
The problem is with the generated token. I tried to verify the token on the JWT.io site. As per my findings, we are not getting any scope added to the generated token.
I'm currently using Scopes with delegated permission. Please suggest what I should do.
Endpoint:
https://login.microsoftonline.com/:tenant_id/oauth2/token
Params:
tenant_id: as per the ID generated by Azure.
Header:
Content-Type: application/x-www-form-urlencoded
Body (form-data):
grant_type: client_credentials
client_id: as per the ID generated by Azure.
client_secret: as per the ID generated by Azure.
resource: required URL
Response:
"token_type": "Bearer",
"expires_in": "foo",
"ext_expires_in": "foo",
"expires_on": "foo",
"not_before": "foo",
"resource": "foo",
"access_token": "foo"
2 Answers
First of all, you had
grant_type:client_credentials
so you are using the client credential flow. This flow means the access token is generated on behalf of the application itself, so it doesn't require a user to sign in, and the API permission should be of Application type. And Kiron's answer is out of date, because what he showed you used the V1.0 flow, so you have resource:Required URL, but we are now using the V2.0 flow, whose request parameter should be scope: xxxx/.default for the client credential flow. So first you should follow this section to expose an API. We need to create a role instead of adding a scope. Then you can go to add the API permission: go to the Azure AD app -> API permissions blade -> add API permission -> choose My APIs -> the application that exposed the API -> choose Application permissions -> you will see the role you created; add this API permission -> grant admin consent if required. Then you can see like this, which means the API is already added and consented.
And if you click this API permission, you will see the scope URL like
api://client_id/role_name
Now, let's go to Postman to send a request like this; the scope must end with /.default. The app exposing the API and the app you use to get authentication can be different, so the value of client_id and client_id_exposing_API can be different when you don't use the same app. We can decode the generated access token to check whether it contains the roles claim, which contains the role you created. If using this token still fails to call your API, then it is another story and you may need to share how you configured your API application.
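The two checks from this answer, as an added example that is not part of the original post or of any Microsoft tooling: build the V2.0 client credentials request (scope ending in /.default instead of the V1.0 resource parameter) and decode the returned token's payload, without verifying the signature, to see whether it carries an app-only roles claim or a delegated scp claim. The tenant and client IDs are placeholders, and the sample token is constructed inline so the script runs offline.

```python
import base64
import json
from urllib.parse import urlencode

# Placeholder identifiers (hypothetical, not real Azure values).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
EXPOSED_API_CLIENT_ID = "22222222-2222-2222-2222-222222222222"


def v2_client_credentials_request(tenant_id, client_id, client_secret, exposed_api_client_id):
    """Return the V2.0 token endpoint URL and the form body for the client credentials flow.
    V2.0 takes 'scope=api://<client_id_exposing_API>/.default'; the V1.0 'resource' parameter is not used."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"api://{exposed_api_client_id}/.default",
    })
    return url, body


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def classify_token(access_token):
    """Decode the JWT payload (no signature check, diagnostic only, like pasting into jwt.io)
    and report whether it carries app-only 'roles' or delegated 'scp' permissions."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    if "roles" in claims:
        flow = "application (roles)"
    elif "scp" in claims:
        flow = "delegated (scp)"
    else:
        flow = "no permission claims"
    return {"flow": flow, "roles": claims.get("roles", []),
            "scp": claims.get("scp", ""), "aud": claims.get("aud")}


def make_sample_jwt(payload):
    """Constructed sample token: header and payload are real base64url JSON,
    the signature is a dummy because this script never verifies it."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.dummysig"


# Constructed app-only token containing the role created on the exposed API (role name is hypothetical).
SAMPLE_APP_TOKEN = make_sample_jwt({"aud": f"api://{EXPOSED_API_CLIENT_ID}", "roles": ["Data.Read"]})
```

Running classify_token on a real token you obtained from the V2.0 endpoint shows at a glance whether the roles claim the answer refers to is present, or whether you received a delegated token instead.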
I tried to reproduce the same in my environment and got the same error as below:
This error usually occurs if the access token doesn't have sufficient permissions to perform the action.
To resolve the error, try the below:
Make sure to add the API permissions based on your requirement:
Now, generate the auth code by using the below endpoint:
I generated access token by using below parameters:
When I decoded the token, the scope is displayed like below:
For example, by using the above generated access token I called the Graph API like below:
Hence, if you are exposing an API and adding the scope it will be delegated. You must make use of User Interaction Flows.
If you want to generate access token on behalf of user then create App Roles and generate token via Client Credential flow.