AkhleshVerma-4607 asked:

How to create an Azure AD app using service principal credentials with the Microsoft Graph API using the Go SDK

I am getting a 403 error with the code below. The error I am getting:
error": "graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code=\"Unknown\" Message=\"Unknown service error\" Details=[{\"odata.error\":{\"code\":\"Authorization_RequestDenied\",\"date\":\"2021-12-23T11:41:23\",\"message\":{\"lang\":\"en\",\"value\":\"Insufficient privileges to complete the operation.\"},\"requestId\":\"f192ac37-8b05-4a81-a582-13f0f5ca3594\"}}]"



I am initializing the AppClient using the code below and calling the Create() function to create the app.

import (
    "github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac"
    "github.com/Azure/go-autorest/autorest/azure/auth"
)

func getApplicationsClient(clientID, clientSecret, tenantID string) (graphrbac.ApplicationsClient, error) {
    appClient := graphrbac.NewApplicationsClient(tenantID)
    credConfig := auth.NewClientCredentialsConfig(clientID, clientSecret, tenantID)
    // Token audience (resource): the graphrbac sample requests an Azure AD Graph token; request a Microsoft Graph token instead.
    //credConfig.Resource = azure.PublicCloud.ResourceIdentifiers.Graph
    credConfig.Resource = "https://graph.microsoft.com"
    authorizer, err := credConfig.Authorizer()
    if err != nil {
        return appClient, err
    }
    appClient.Authorizer = authorizer
    return appClient, nil
}

Also, below are the API permissions from the MS Graph API.
[Screenshot attached: api-permission.png]


Tags: microsoft-graph-sdk, azure-ad-app-registration, microsoft-graph-applications

Hello, @AkhleshVerma-4607, a 403 error usually represents a permission issue. As I don't know the specific permission you want to request, I recommend using the Graph Explorer or Postman first to request the API, in order to check whether your account has the privilege to request the API, or use JWT to check whether your access token contains the permission that you need.



Thanks for the response @zehuiyaomsft-7151. Actually the 403 error is due to the Windows AD Graph API call; you can see in the code snippet that by default azure-sdk-for-go calls the Windows AD Graph API instead of the Microsoft Graph API, so I tried changing the endpoint as you can see below:

appClient := graphrbac.NewApplicationsClient(tenantID)
credConfig := auth.NewClientCredentialsConfig(clientID, clientSecret, tenantID)
// Azure AD Graph audience (what the graphrbac sample uses):
//credConfig.Resource = azure.PublicCloud.ResourceIdentifiers.Graph
// Microsoft Graph audience:
credConfig.Resource = "https://graph.microsoft.com"
authorizer, err := credConfig.Authorizer()
if err != nil {
    return appClient, err
}
appClient.Authorizer = authorizer


where azure.PublicCloud.ResourceIdentifiers.Graph is the endpoint for the Windows Azure AD Graph API (i.e. "https://graph.microsoft.net") and "https://graph.microsoft.com" is for the Microsoft Graph API, which is not working with the current code present in https://github.com/Azure/azure-sdk-for-go/blob/main/services/graphrbac/1.6/graphrbac/applications.go#L121

I am referring to the code present in https://github.com/Azure-Samples/azure-sdk-for-go-samples/blob/master/graphrbac/graph.go#L25


Hi, @AkhleshVerma-4607, thanks for your reply. I wonder whether the code worked, so that we can continue to discuss this issue.


Yeah, I see. I suggest that it would be better to decode your access token to make sure you can use Azure AD Graph to acquire MS Graph permission.


Where can I get the access token for the API request? Do I need to enable some debug print?
Please suggest, as I am unaware of the access token for the API.

sikumars answered:

Hello @AkhleshVerma-4607,

Thanks for reaching out.

As per the request id and timestamp ("requestId":"f192ac37-8b05-4a81-a582-13f0f5ca3594" & date:"2021-12-23T11:41:23"), I see that the token was still created with the Azure AD Graph audience "https://graph.windows.net/" rather than the Microsoft Graph audience "https://graph.microsoft.com/", which results in the HttpStatusCode:403:Authorization RequestDenied error.

[Screenshot attached: image.png]

As a result, I'd like to request that you revisit and decode your code to ensure that the audience (aka resource) is set to Microsoft Graph: https://graph.microsoft.com/. Additionally, you may check the audience by decoding the access token at https://jwt.ms.

Based on my research, I believe you should develop an AuthenticationProvider object as explained in the articles below, which authenticate requests to Microsoft Graph. See "select a Microsoft Graph authentication provider" for an example of how to obtain an authentication provider.

msgraph-sdk-go: https://github.com/microsoftgraph/msgraph-sdk-go
sdk-go-core: https://github.com/microsoftgraph/msgraph-sdk-go-core
msgraph-beta-sdk-go: https://github.com/microsoftgraph/msgraph-beta-sdk-go


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


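As an added example (not code from this thread, from the graphrbac package or from msgraph-sdk-go), a stdlib-only Go diagnostic for what this answer describes: decode the token payload, confirm that the aud is Microsoft Graph rather than Azure AD Graph and that the app role is present, and only then build the Microsoft Graph POST /applications request that replaces graphrbac's Create. The required role Application.ReadWrite.All and the Microsoft Graph application ID are assumptions from general Azure AD knowledge, not values taken from this thread.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Assumed: the app role POST /applications needs; compare it with the token's "roles" claim.
const requiredRole = "Application.ReadWrite.All"

// inspectToken decodes the JWT payload locally (no signature check: a diagnostic, not authentication).
// A Microsoft Graph token has aud of the Graph URI or Graph's app ID; aud "https://graph.windows.net/" means Azure AD Graph.
func inspectToken(jwt string) (forGraph, hasRole bool, err error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return false, false, fmt.Errorf("not a JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return false, false, err
	}
	var c struct {
		Aud   string   `json:"aud"`
		Roles []string `json:"roles"`
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return false, false, err
	}
	for _, r := range c.Roles {
		hasRole = hasRole || r == requiredRole
	}
	forGraph = strings.TrimSuffix(c.Aud, "/") == "https://graph.microsoft.com" || c.Aud == "00000003-0000-0000-c000-000000000000"
	return forGraph, hasRole, nil
}

// newCreateAppRequest is the Microsoft Graph call replacing graphrbac ApplicationsClient.Create; it refuses tokens inspectToken rejects.
func newCreateAppRequest(token, displayName string) (*http.Request, error) {
	forGraph, hasRole, err := inspectToken(token)
	if err != nil || !forGraph || !hasRole {
		return nil, fmt.Errorf("token unusable: forGraph=%v hasRole=%v err=%v", forGraph, hasRole, err)
	}
	body, _ := json.Marshal(map[string]string{"displayName": displayName})
	req, _ := http.NewRequest(http.MethodPost, "https://graph.microsoft.com/v1.0/applications", strings.NewReader(string(body)))
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	return req, nil
}
```

Send the returned request with an http.Client; a token that inspectToken rejects is the same token Graph would answer with Authorization_RequestDenied.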

AkhleshVerma-4607 answered:

Hi @sikumars-msft,
I tried to create an authorisation provider as per your suggestion from the https://github.com/microsoftgraph/msgraph-sdk-go-core example, but I am getting an error because it does not implement the autorest.Authorizer interface.

Below is the code:

func getApplicationsClient(clientID, clientSecret, tenantID string) (graphrbac.ApplicationsClient, error) {
    appClient := graphrbac.NewApplicationsClient(tenantID)
    // Client-credentials (service principal) credential from the azidentity package.
    cred, err := azidentity.NewClientSecretCredential(
        tenantID,
        clientID,
        clientSecret,
        nil,
    )
    if err != nil {
        log.Error(err, "Failed to get Secret Credential")
        return appClient, err
    }
    // Kiota authentication provider for the Microsoft Graph SDK.
    auth, err := azureauth.NewAzureIdentityAuthenticationProvider(cred)
    if err != nil {
        log.Error(err, "Failed to get authentication provider")
        return appClient, err
    }
    // Does not compile: the Kiota provider does not implement autorest.Authorizer (see the error below).
    appClient.Authorizer = auth
    appClient.AddToUserAgent("cloudcasa-agent")
    return appClient, nil
}

It is giving me a compilation error:
*microsoft_kiota_authentication_azure.AzureIdentityAuthenticationProvider does not implement autorest.Authorizer (missing WithAuthorization method)
../../amdslib/s3provider/provider/azure/azurebackupprovider.go:286:22: cannot use auth (type *microsoft_kiota_authentication_azure.AzureIdentityAuthenticationProvider) as type autorest.Authorizer in assignment:


Also, I found nothing in the Microsoft Graph code that uses the "autorest" package, i.e.
" github.com/Azure/go-autorest/autorest"
" github.com/Azure/go-autorest/autorest/azure"

I'm assuming you're using the client credential flow provider to authenticate and obtain tokens for Microsoft Graph via the Go SDK; the sample below serves as a reference. I've added the tag 'microsoft-graph-sdk' to this thread in order to get assistance from the Graph SDK team. Additionally, please keep in mind that the Microsoft Graph SDK for Go is currently in preview. This SDK is not recommended for production use.

Here is a similar thread for your reference: https://github.com/Azure/azure-sdk-for-go/issues/4265. Hope this is helpful.




package main

import (
    "log"

    azidentity "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
    a "github.com/microsoft/kiota/authentication/go/azure"
    msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
)

func main() {
    // Client credentials flow: the app authenticates as itself with a client secret.
    cred, err := azidentity.NewClientSecretCredential(
        "TENANT_ID",
        "CLIENT_ID",
        "CLIENT_SECRET",
        nil,
    )
    if err != nil {
        log.Fatal(err)
    }

    // Kiota authentication provider that attaches tokens from the credential to Graph requests.
    auth, err := a.NewAzureIdentityAuthenticationProviderWithScopes(cred, []string{"User.Read"})
    if err != nil {
        log.Fatal(err)
    }

    adapter, err := msgraphsdk.NewGraphRequestAdapter(auth)
    if err != nil {
        log.Fatal(err)
    }

    client := msgraphsdk.NewGraphServiceClient(adapter)

    result, err := client.Me().Get(nil)
    if err != nil {
        log.Fatal(err)
    }
    log.Printf("%v", result)
}
AkhleshVerma-4607 answered:

Hi,

I am trying to create an Azure AD app using the code present at https://github.com/Azure-Samples/azure-sdk-for-go-samples/blob/b49c4162aa1d96bc2b1b42afecbf4a21b420e568/graphrbac/graph.go#L53, but since the Windows Active Directory Graph APIs are obsolete and we need to use the Microsoft Graph API instead, I am getting this 403 error.

So my question is how we can create an Azure AD app using this code, https://github.com/Azure-Samples/azure-sdk-for-go-samples/blob/b49c4162aa1d96bc2b1b42afecbf4a21b420e568/graphrbac/graph.go#L53, by calling the Microsoft Graph API from it.


The code you mentioned above is the same as I posted in my previous comment, but as I said, I am having a compilation error with that, and the reason is that the type *microsoft_kiota_authentication_azure.AzureIdentityAuthenticationProvider has not implemented the autorest.Authorizer interface.


Hello, @AkhleshVerma-4607, could you please decode your access token as a JWT and share a screenshot? We can acquire a lot of useful information from it, so that we can better find the cause of the 403 error.



Where can I get the access token for the API request? Do I need to enable some debug print?
Please suggest, as I am unaware of the access token for the API.


Hello @AkhleshVerma-4607, you can use Postman to get the access token.

AkhleshVerma-4607 answered:

Hi @zehuiyaomsft-7151,


Please find the screenshot of the decoded access token:
[Screenshot attached: graph-token.png]




AkhleshVerma-4607 answered:

Just to update you: I can create the app using Postman with the help of the Microsoft Graph API, but from my code I am getting the 403 error; it seems that azure-sdk-for-go is still using the Windows Graph API.

Is there any way we can tweak it to use the Microsoft Graph API?
I am basically pointing to this function: https://github.com/Azure-Samples/azure-sdk-for-go-samples/blob/master/graphrbac/graph.go#L53


Hi @AkhleshVerma-4607, I need to discuss with my colleagues and I'll reply to you immediately if there are any updates.


@AkhleshVerma-4607, can you use your access token to request the API in Postman, like this? If it succeeds, we can infer that the problem lies in the code. I just tested it locally with the same permissions as you, and it worked.
[Screenshot attached: image.png]




Hi @ZehuiYaoMSFT-7151,


I already did that; I can create the application using Postman, please see the attached image below:

[Screenshot attached: app-graph.png]



Hi @AkhleshVerma-4607, can you provide the latest error message, including the request ID and date, so that we can try to analyze the error from the background.
