TheNetworg / oauth2-azure

Azure AD provider for the OAuth 2.0 Client.
https://packagist.org/packages/thenetworg/oauth2-azure
MIT License

Invalid audience #90

Closed aske-cph closed 5 years ago

aske-cph commented 5 years ago

I am trying to list all users' calendars in an Azure AD tenant from a cron job on a server. So I used the client credentials grant flow.

So basically I have to connect to Azure AD and query for the calendars, but I am not quite sure what endpoint to hit / how to query the API that I have exposed.

In other words, I suppose I am looking for an API endpoint like https://graph.microsoft.com/myorganisation/someendpoint that my 3rd party server can GET/POST to with an access token to list and modify user calendars on the tenant.

I keep getting "invalid audience" when trying to get a response.

I have created an application in Azure, created a secret, exposed an API, and lastly given it permissions to https://graph.microsoft.com/Calendars.ReadWrite. I get a token successfully with:


    $provider = new \TheNetworg\OAuth2\Client\Provider\Azure([
        'clientId'     => env('OAUTH_APP_ID'),
        'clientSecret' => env('OAUTH_APP_PASSWORD'),
    ]);
    $provider->tenant = 'SECRET';
    $token = $provider->getAccessToken('client_credentials', [
        'resource' => 'https://graph.windows.net',
    ]);

    $provider->urlAPI = "https://graph.microsoft.com/v1.0/";
    $provider->resource = "https://graph.microsoft.com/";

Response:


    {
        "token_type": "Bearer",
        "ext_expires_in": "3600",
        "expires_on": "1562669834",
        "not_before": "1562665934",
        "resource": "https://graph.windows.net/",
        "access_token": "longstringofnumbers",
        "expires": 1562269224
    }

So I get a token. So far so good.

But how do I query the API that I created in the portal?

I want to list all calendars, but if I look at the "Application ID URI":

api://51ed7b6d-d33e-491e-9dhd0-d4436d29501/

and with the scope: api://51ed7b6d-d33e-491e-9dhd0-d4436d29501/readwritecalendars (I called the "scope" readwritecalendars)

Okay, but where do I put this "scope"? You can't query a URL starting with api://. So where should I insert the "api://51ed7b6d-d33e-491e-9dhd0-d4436d29501/readwritecalendars" string?

The docs don't seem to explain how to actually access the API. What link should I use?

Looking at the Outlook docs https://docs.microsoft.com/en-us/graph/api/user-list-calendars?view=graph-rest-1.0&tabs=http, it says I need to query like: GET /me/calendars

This doesn't make sense to me since "/me" implies this has something to do with a person; I am trying to access all calendars of the tenant (organisation).

Trying to query the Microsoft Graph API after I get the token, I just get "invalid_audience".

    $provider->urlAPI = "https://graph.microsoft.com/v1.0/";
    $provider->resource = "https://graph.microsoft.com/";
    $provider->get('me', $token);

So to be more precise, how do I query for all calendars in the tenant? How do I access this specific API, and where do I put the actual query? Like list all calendars, or modify this specific calendar, etc.

Thanks in advance!

aske-cph commented 5 years ago

Got it working with:

    $provider = new \TheNetworg\OAuth2\Client\Provider\Azure([
        'clientId'     => env('OAUTH_APP_ID'),
        'clientSecret' => env('OAUTH_APP_PASSWORD'),
    ]);
    $provider->tenant = env('AZURE_TENANT');
    $provider->urlAPI = "https://graph.microsoft.com/v1.0/";
    $provider->resource = "https://graph.microsoft.com/";
    $token = $provider->getAccessToken('client_credentials', [
        'resource' => 'https://graph.microsoft.com',
    ]);
    $currentCalendarEvents = $provider->get('users/some@some.com/calendars/Calendar/events?$top=1000', $token);

Moved the provider->urlAPI and resource up above the request.
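The root cause in the thread is an audience mismatch: the first snippet requests a token for `https://graph.windows.net` (Azure AD Graph) and then sends it to `https://graph.microsoft.com` (Microsoft Graph), which rejects it with "invalid audience". The following is an added example, not code from the issue or from the oauth2-azure project: it decodes the token's payload and checks the `aud` claim against the API host before any request is made, so a misconfigured `resource` fails locally with a clear message instead of as an opaque 401. It also addresses the `/me` question: a client-credentials token carries no signed-in user, so `/me` cannot resolve and the mailbox has to be named explicitly, as the working call above does. The offline part runs on a constructed, unsigned token; the live part only runs when `OAUTH_APP_ID`, `OAUTH_APP_PASSWORD` and `AZURE_TENANT` (names reused from the issue) are set, and `TARGET_UPN` is an assumed variable name. The treatment of a trailing slash as insignificant in the audience comparison is an assumption of this example.

```php
<?php
// Added example: not code from the issue or from the oauth2-azure project.
// Checks that the access token's `aud` claim names the API host the request is
// about to be sent to. A token requested for https://graph.windows.net but sent to
// https://graph.microsoft.com is what Graph reports as "invalid audience".
// Assumes: composer autoload for thenetworg/oauth2-azure; env variables
// OAUTH_APP_ID, OAUTH_APP_PASSWORD, AZURE_TENANT (from the issue); TARGET_UPN (assumed name).

require __DIR__ . '/vendor/autoload.php';

/** Return the claims of a compact JWS. No signature check: the token is the client's own
 *  bearer credential and this is a sanity check before use, not validation of a received token. */
function jwtClaims(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('not a compact JWS (expected header.payload.signature)');
    }
    $b64 = strtr($parts[1], '-_', '+/');                  // base64url -> base64
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);  // restore stripped padding
    $json = base64_decode($b64, true);
    $claims = $json === false ? null : json_decode($json, true);
    if (!is_array($claims)) {
        throw new InvalidArgumentException('JWT payload is not a JSON object');
    }
    return $claims;
}

/** Normalise a resource URI so "https://graph.microsoft.com" and ".../" compare equal
 *  (the trailing slash varies between token responses; treating it as insignificant is an assumption). */
function normaliseAudience(string $uri): string
{
    return rtrim(strtolower(trim($uri)), '/');
}

/** True if the token's `aud` (a string or, per RFC 7519, an array) names $expectedResource. */
function audienceMatches(array $claims, string $expectedResource): bool
{
    $aud  = $claims['aud'] ?? [];
    $want = normaliseAudience($expectedResource);
    foreach (is_array($aud) ? $aud : [$aud] as $candidate) {
        if (is_string($candidate) && normaliseAudience($candidate) === $want) {
            return true;
        }
    }
    return false;
}

/** Constructed, unsigned token for the offline demonstration: not a real Azure AD token. */
function sampleToken(string $aud): string
{
    $enc = fn(array $x): string => rtrim(strtr(base64_encode(json_encode($x)), '+/', '-_'), '=');
    return $enc(['alg' => 'none', 'typ' => 'JWT']) . '.'
         . $enc(['aud' => $aud, 'tid' => 'constructed-tenant-id']) . '.';
}

// Offline check: the issue's failing configuration versus its working one.
$graph = 'https://graph.microsoft.com/';
$mintedForAadGraph = audienceMatches(jwtClaims(sampleToken('https://graph.windows.net/')), $graph);
$mintedForMsGraph  = audienceMatches(jwtClaims(sampleToken('https://graph.microsoft.com')), $graph);
printf("token for graph.windows.net usable against %s? %s\n", $graph, $mintedForAadGraph ? 'yes' : 'no');
printf("token for graph.microsoft.com usable against %s? %s\n", $graph, $mintedForMsGraph ? 'yes' : 'no');

// Live call, only when credentials are configured.
if (getenv('OAUTH_APP_ID') && getenv('OAUTH_APP_PASSWORD') && getenv('AZURE_TENANT')) {
    $provider = new \TheNetworg\OAuth2\Client\Provider\Azure([
        'clientId'     => getenv('OAUTH_APP_ID'),
        'clientSecret' => getenv('OAUTH_APP_PASSWORD'),
    ]);
    $provider->tenant   = getenv('AZURE_TENANT');
    $provider->urlAPI   = 'https://graph.microsoft.com/v1.0/';
    $provider->resource = $graph;

    // Request the token for the same resource the requests will be sent to.
    $token  = $provider->getAccessToken('client_credentials', ['resource' => $graph]);
    $claims = jwtClaims($token->getToken());
    if (!audienceMatches($claims, $provider->resource)) {
        fwrite(STDERR, 'token aud ' . json_encode($claims['aud'] ?? null)
            . " does not match {$provider->resource}; fix the 'resource' option passed to getAccessToken()\n");
        exit(1);
    }

    // A client-credentials token carries no signed-in user, so /me cannot resolve;
    // address the mailbox explicitly, as the issue's working call does.
    $upn = getenv('TARGET_UPN') ?: 'user@example.com';   // placeholder, not a value from the issue
    $result = $provider->get('users/' . rawurlencode($upn) . '/calendars', $token);
    // Assumption: the provider returns the decoded JSON; Graph wraps collections in "value".
    foreach ($result['value'] ?? $result as $calendar) {
        echo $calendar['name'] ?? '(unnamed)', PHP_EOL;
    }
}
```

The check is deliberately a pre-flight on the client's own token (signature verification belongs to the resource server, not here); its value is that a wrong `resource` option is caught at the point of configuration rather than surfacing as a generic authorization failure in a cron job's logs. Running the script with no credentials set exercises only the offline comparison, which is enough to see why the first snippet in the thread failed and the second worked.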