AzureAD / MSAL.PS

MIT License

Adjust the resource parameter in the oauth2/token request #27

Closed MINDoSOFT closed 2 years ago

MINDoSOFT commented 3 years ago

Hi everyone,

Is it possible to somehow adjust the resource used to acquire the token?

When I use postman I am able to do something like

grant_type=client_credentials&
client_id=FOO&
client_secret=BAR&
resource=https://vault.azure.net

And then I receive an access token which I can use to call Azure Key Vault-related REST APIs, e.g. GetKey.

I saw that I can adjust the scope in MSAL.PS when I call the

Get-MsalToken $clientApplication -Scopes 'https://vault.azure.net/.default'

But after giving this scope I receive the error

Invoke-RestMethod : {
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token validation failure. Invalid audience.",
    "innerError": {
      "date": "2021-02-26T07:33:39",
      "request-id": "157067be-77a3-4c85-b31e-7e4f5249e00c",
      "client-request-id": "157067be-77a3-4c85-b31e-7e4f5249e00c"
    }
  }
}

In postman I was able to resolve this error by adjusting the resource. But I am not able to find this configuration in MSAL.PS.

Thank you very much for your help.

powershellshock commented 3 years ago

Hello. If I understand your scenario correctly, you are confusing resources with scopes. The resource is supposed to be set to the invoking app. Your app is not Azure Key Vault, so that is why the audience validation is failing, I think. Your resource parameter will need to match a URI of your registered app as reflected in AAD.

Scopes are different and specify the permissions needed by your app, which is permission to access Azure Key Vault. So, you should be able to continue to use this scope for your application once you fix the resource/audience problem. You may need admin privileges in Azure AD to consent to your app's permissions.

jazuntee commented 2 years ago

@MINDoSOFT The resource is defined as part of the scope, like you did. I have personally used MSAL.PS to get tokens for the Key Vault APIs and had no issues. I used the user_impersonation scope directly, https://vault.azure.net/user_impersonation, but it should work with .default as well, as long as the scopes are defined and consented to on the app in your tenant.
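The two replies above describe the mapping between the v1 `resource` form parameter from the question and the v2 scope string MSAL.PS takes. The script below is an added example, not code from this thread or from the MSAL.PS project: it acquires a client-credentials token for Key Vault with Get-MsalToken, decodes the token payload locally to confirm the `aud` claim matches the resource before sending it anywhere, and then calls the Key Vault GetKey REST operation. The tenant ID, client ID, secret, vault name and key name are placeholders, and the Get-JwtPayload helper is written here for inspection only (it does not validate the signature).

```powershell
# Added example (not MSAL.PS project code): Key Vault token via MSAL.PS,
# audience check, then GetKey. All identifiers below are placeholders.
Import-Module MSAL.PS

$TenantId     = '00000000-0000-0000-0000-000000000000'   # assumed placeholder
$ClientId     = 'FOO'                                    # app registration (client) ID
# Hard-coded only for illustration; load the secret from a vault or env var in practice.
$ClientSecret = ConvertTo-SecureString 'BAR' -AsPlainText -Force
$VaultName    = 'myvault'                                # assumed placeholder
$KeyName      = 'mykey'                                  # assumed placeholder

# Decode the JWT payload (base64url, second segment) for local inspection.
# This does NOT validate the signature; never use it to trust a token.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT' }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) |
        ConvertFrom-Json
}

# With the v2 endpoint the resource is the prefix of the scope string:
# '<resource>/.default' (app-only) or '<resource>/user_impersonation'
# (delegated) replaces the v1 'resource=' form parameter from the question.
$Resource    = 'https://vault.azure.net'
$tokenResult = Get-MsalToken -TenantId $TenantId -ClientId $ClientId `
    -ClientSecret $ClientSecret -Scopes "$Resource/.default"

# Check the audience before using the token: a token whose 'aud' is not the
# Key Vault resource will be rejected by Key Vault with an audience error.
$claims = Get-JwtPayload -Token $tokenResult.AccessToken
if ($claims.aud.TrimEnd('/') -ne $Resource) {
    throw "Token audience is '$($claims.aud)', expected '$Resource'."
}
Write-Host "Audience OK: $($claims.aud); expires $($tokenResult.ExpiresOn)"

# Key Vault data-plane GetKey: GET /keys/{key-name}?api-version=7.4
$uri = "https://$VaultName.vault.azure.net/keys/$KeyName?api-version=7.4"
$key = Invoke-RestMethod -Method Get -Uri $uri -Headers @{
    Authorization = "Bearer $($tokenResult.AccessToken)"
}
$key.key | Format-List kid, kty, key_ops
```

The audience check is the practical caveat: a token minted for `https://vault.azure.net` is only accepted by `*.vault.azure.net` endpoints. If an "Invalid audience" error comes back from a different API, request a separate token whose scope prefix is that API's resource (for Microsoft Graph, `https://graph.microsoft.com/.default`) rather than reusing the Key Vault token, and the app registration still needs the corresponding permission granted and consented in the tenant.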

MINDoSOFT commented 2 years ago

Thank you for your replies! I will close this because I no longer work on this project. Thank you for your time.