I have set up an Office 365 E3 trial account. I registered two apps in AAD.

The first one uses the "authorization code flow" and does work as expected (it can access the logged-in user's calendar).

The second app uses the "client credentials flow" and does not work.

  1. log in in the browser (Edge)

    GET /OAuthTest3 HTTP/1.1
    
    HTTP/1.1 302 Found
    Location: https://login.microsoftonline.com/<tenant>/adminconsent?client_id=<app_id>&redirect_uri=http://localhost:1234/OAuthTest3
    
    GET /OAuthTest3?admin_consent=True&tenant=<tenant> HTTP/1.1
    
    HTTP/1.1 200 OK
    
  2. connect to https://login.microsoftonline.com/

    POST /<tenant>/oauth2/token HTTP/1.1
    Host: login.microsoftonline.com
    
    client_id=<app_id>&
    client_secret=<client_secret>&
    grant_type=client_credentials&
    redirect_uri=http://localhost:1234/OAuthTest3&
    resource=https://graph.microsoft.com/&
    scope=https://graph.microsoft.com/calendars.readwrite
    
    
    HTTP/1.1 200 OK
    {
      "token_type": "Bearer",
      "expires_in": "3600",
      "ext_expires_in": "0",
      "expires_on": "1504333342",
      "not_before": "1504329442",
      "resource": "https://graph.microsoft.com/",
      "access_token": <token>
    }    
    
  3. connect to https://graph.microsoft.com/

    GET /v1.0/users/<user>/calendars HTTP/1.1
    Host: graph.microsoft.com
    Authorization: Bearer <token>
    
    HTTP/1.1 403 Forbidden
    {
      "error": {
        "code": "ErrorAccessDenied",
        "message": "Access is denied. Check credentials and try again.",
        "innerError": {
          "request-id": "e7228de4-2b27-4779-abef-ccab0d88970a",
          "date": "2017-09-02T05:22:27"
        }
      }
    }
    
1 Answer

In order to use the Client Credentials flow in AAD V2.0, you need to first obtain Admin Consent for your application. This is true even if you wouldn't need consent for the same scope using the Authorization Code grant.

Take a look at v2 Endpoint and Admin Consent for a walk-through on obtaining consent.

UPDATE:

Scopes work differently with Client Credentials. Rather than dynamically requesting the scopes using a space delimited list (https://graph.microsoft.com/user.read https://graph.microsoft.com/calendars.readwrite), you need to define them in your app's registration.

This is done using the https://apps.dev.microsoft.com portal. In your app's registration, find the "Application Permissions" section and click the "Add" button. This will pop a dialog where you can select the permissions you need:

[screenshot: permissions]

In your application, you also need to change your scope parameter so the system knows to use the scopes from your registration. This is done by passing https://graph.microsoft.com/.default for the scope:

    POST /<tenant>/oauth2/v2.0/token HTTP/1.1
    Host: login.microsoftonline.com
    
    client_id=<app_id>&
    client_secret=<client_secret>&
    grant_type=client_credentials&
    redirect_uri=http://localhost:1234/OAuthTest3&
    resource=https://graph.microsoft.com/&
    scope=https://graph.microsoft.com/.default

Important: Any time you make a change to your scopes, you will have to re-execute the Admin Consent flow before those new scopes will be consented.

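As an added example (not code from the question or the answer above), the three steps of the answer as a small Python helper: build the admin-consent URL, build the v2.0 client-credentials token request body with `scope=https://graph.microsoft.com/.default`, and, before calling Graph, decode the returned access token and check that the application permission actually shows up in its `roles` claim. App-only tokens carry granted application permissions in `roles` (delegated tokens use `scp`); when `roles` lacks the permission, Graph answers with exactly the 403 `ErrorAccessDenied` shown in the question, which is the symptom of a permission that was not registered under Application Permissions or not admin-consented after a change. The `<tenant>`/`<app_id>`/`<client_secret>` values, the `state` value and the two sample tokens are constructed placeholders; the sample tokens are unsigned, JWT-shaped strings that only exercise the parser. Note also that the v2.0 token endpoint has no `resource` parameter and the client credentials grant uses no `redirect_uri`, so the added request body omits both.

```python
import base64
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com"
# Well-known application ID of Microsoft Graph; some tokens carry it as 'aud'.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def admin_consent_url(tenant, client_id, redirect_uri, state):
    """Step 1: URL a tenant admin opens to grant the app's registered
    application permissions (v2.0 adminconsent endpoint)."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORITY}/{tenant}/adminconsent?{urlencode(params)}"


def client_credentials_body(client_id, client_secret):
    """Step 2: form body for POST {AUTHORITY}/{tenant}/oauth2/v2.0/token.
    v2.0 takes scope=<resource>/.default (the statically registered application
    permissions); it has no 'resource' parameter, and the client credentials
    grant needs no redirect_uri."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": f"{GRAPH}/.default",
    })


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token):
    """Decode the JWT payload WITHOUT verifying the signature. Diagnostics only:
    never use unverified claims for an authorization decision."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("access token is not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_app_permission(access_token, required_role):
    """Step 3 pre-flight: app-only tokens list granted application permissions
    in 'roles' (delegated tokens use 'scp'). A missing role is what produces
    Graph's 403 ErrorAccessDenied. Returns (ok, reason)."""
    claims = token_claims(access_token)
    if claims.get("aud") not in (GRAPH, GRAPH + "/", GRAPH_APP_ID):
        return False, f"audience {claims.get('aud')!r} is not Microsoft Graph"
    if "scp" in claims:
        return False, "delegated token ('scp' present); expected an app-only token with 'roles'"
    roles = claims.get("roles", [])
    if required_role not in roles:
        return False, (f"{required_role!r} not in roles {roles}: add it under Application "
                       "Permissions and re-run admin consent")
    return True, "ok"


def _unsigned_jwt(payload):
    """Build an unsigned JWT-shaped string for the constructed samples below
    (real Azure AD tokens are signed; this only exercises the parser)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "none", "typ": "JWT"}
    return f"{enc(header)}.{enc(payload)}."


# Constructed sample tokens (not real): one issued before the application
# permission was registered and consented, one issued afterwards.
TOKEN_NO_ROLES = _unsigned_jwt({"aud": GRAPH, "appid": "<app_id>"})
TOKEN_WITH_ROLES = _unsigned_jwt({"aud": GRAPH, "appid": "<app_id>",
                                  "roles": ["Calendars.ReadWrite"]})

if __name__ == "__main__":
    print(admin_consent_url("<tenant>", "<app_id>", "http://localhost:1234/OAuthTest3", "s1"))
    print(client_credentials_body("<app_id>", "<client_secret>"))
    for tok in (TOKEN_NO_ROLES, TOKEN_WITH_ROLES):
        print(check_app_permission(tok, "Calendars.ReadWrite"))
```

In practice you would POST `client_credentials_body(...)` to the token endpoint with `requests`, then run `check_app_permission` on the returned `access_token` before the first Graph call; a `False` result with the "not in roles" reason tells you to fix the registration and re-run admin consent rather than to debug the Graph request itself.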