Scope Used for Authenticating to use an App Registration API

Leonard, Jared 46 Reputation points
2022-02-25T14:45:24.067+00:00

Hi All,

I am trying to build a Postman POST request that can get a token from Microsoft Identity Platform, with said token being usable for making calls to an existing App Registration's exposed API. I am manually constructing the OAuth2 request because I'm eventually going to make an application that does it for me, so I need all of the steps outlined as HTTP/HTTPS requests. As I understand, I need the following pieces of information:

  • A token endpoint for authentication; this is copied directly from the app registration page
  • A grant_type, I am using "client_credentials" as I am provided a client_id and client_secret
  • A client ID, for this I am using the Application ID from the App Registration
  • A client secret, my Azure admin has provided this. It has a '+' in it, for which I am unsure whether URL encoding is necessary
  • A scope. When not provided, the POST response body says "The provided value for scope is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI)". I am unsure whether this is the application ID of my App Registration, or the application ID for whatever API I am accessing. I assume it's the ID for the App Registration, making the scope "api://my-application-id/.default"

When I send this request, I receive "Invalid client secret is provided", but I am unsure whether this is because it really is the secret that is wrong, or some other part of the request.

The following API permissions exist:

177800-image.png

And there are no exposed APIs. Here is a complete Postman request body and endpoint, with variables replacing the important details:

177922-image.png

In the app registration manifest, the following flags are set:

  • "allowPublicClient": true
  • "oauth2AllowIdTokenImplicitFlow": true
  • "oauth2AllowImplicitFlow": false
  • The client secret has "value": null

Any advice, resources, or suggestions provided are much appreciated, and keep in mind I have no idea what I'm doing, so if you see something that might be a mistake, don't assume I did it deliberately.

Thanks!

Jared Leonard
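The client-credentials request described in the question, assembled as plain HTTP pieces. This is an added example, not code from the question or from Microsoft; it assumes the v2.0 token endpoint `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token`, uses only the Python standard library, and all tenant, client and secret values are constructed samples. It shows two of the points raised above: `/.default` is suffixed to the identifier of the resource being called, and form-encoding turns a `+` in the secret into `%2B` so the token endpoint does not read it as a space.

```python
"""Build (and optionally send) a client_credentials token request.

Added example, not from the original post. Assumes the v2.0 token endpoint
below; tenant, client id, secret and Application ID URI are constructed
samples. Standard library only, so the builders run offline.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def default_scope(resource_identifier: str) -> str:
    """Return the '/.default' scope for a resource identifier.

    The identifier names the API being called (its Application ID URI such as
    'api://<api-app-id>', or 'https://graph.microsoft.com'), not the caller.
    """
    return resource_identifier.rstrip("/") + "/.default"


def build_client_credentials_request(tenant, client_id, client_secret, resource_identifier):
    """Return (url, headers, body) for a client_credentials token request.

    urlencode percent-encodes every form value, so a '+' in the secret is
    sent as '%2B' and a '/' as '%2F'; sending the raw secret would let the
    endpoint decode '+' as a space and reject the client.
    """
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": default_scope(resource_identifier),
    }
    body = urllib.parse.urlencode(form).encode("utf-8")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT.format(tenant=tenant), headers, body


def decode_form(body: bytes) -> dict:
    """Decode a form body back to single values (used to check the encoding)."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(body.decode("utf-8")).items()}


def request_token(url, headers, body):
    """Send the request (needs network). A 4xx reply carries a JSON error
    whose 'error' field separates a bad secret ('invalid_client') from a bad
    scope ('invalid_scope'), so it is returned rather than raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


if __name__ == "__main__":
    # Constructed sample values; the secret deliberately contains '+', '/' and '='.
    url, headers, body = build_client_credentials_request(
        "contoso-tenant-id", "my-client-id", "abc+def/xyz=", "api://my-application-id"
    )
    print(url)
    print(body.decode("utf-8"))
```

Comparing the `error` field of a failed reply is the quickest way to tell whether the secret or the scope is the part the endpoint rejected; a decoded `body` that still contains the literal `+` would mean the request was built without form-encoding.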

1 answer

  1. Shweta Mathur 27,936 Reputation points Microsoft Employee
    2022-02-26T03:42:31.953+00:00

    Hi @Leonard, Jared ,
    Thanks for reaching out.

    I understand that you are trying to get an access token to call a protected API from your web application.

    First, we need to understand that the Microsoft identity platform supports different authentication flows for different kinds of application scenarios.

    The client credentials flow is commonly used for server-to-server interaction when your application can acquire a token to call a web API on behalf of itself.
    Client credentials flow exposes only application permissions to APIs which are granted directly to the application itself by an administrator.
    178051-image1.png

    The scope for client credentials would be https://graph.microsoft.com/.default. Based on this, the application identifies all the permissions which have been granted.

    177950-image2.png

    You can decode the access token you received using jwt.ms and validate the permissions in the access token to access the exposed API’s resources.
    177989-image3.png

    However, here, as you are using delegated permissions to call the Dynamics CRM API, which needs to be exposed by the web application as the signed-in user, I would recommend using the authorization code flow. This flow enables apps to securely acquire an access token that can be used to access resources secured by the Microsoft identity platform.

    First, requesting an authorization code begins with the client directing the user to the /authorize endpoint.

    178037-image4.png

    After signing in, your browser should be redirected to https://localhost/myapp/ with a code in the address bar.

    Now that you've acquired an authorization_code and have been granted permission by the user, you can request an access_token for the resource by sending a POST request to the /token endpoint with the scope https://[my domain].crm.dynamics.com/

    178038-image5.png

    The access token identifies the intended recipient of the token by audience defined in the token.

    177996-image6.png

    You can use the access token in requests to the Dynamics 365/Dataverse API by including it in the Authorization header as a bearer token.

    177997-image7.png

    Hope this will help.

    Thanks,
    Shweta


    Please remember to "Accept Answer" if answer helped you.

    2 people found this answer helpful.
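The authorization-code exchange the answer walks through, written out as the HTTP pieces a client would build. This is an added example, not code from the answer or from Microsoft; it assumes the v2.0 endpoints `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize` and `.../token`, and the tenant, client id, redirect URI, code and token claims are constructed samples. It adds a `state` check on the redirect (so a code that did not come from this client's own request is refused) and decodes the token's claims the way jwt.ms displays them, to check the `aud` claim names the intended resource.

```python
"""Authorization-code flow as URL/form pieces plus claim inspection.

Added example, not from the original answer. Assumes the v2.0 endpoints
below; tenant, client id, redirect URI, code and claims are constructed.
Standard library only, so everything here runs offline.
"""
import base64
import json
import secrets
import urllib.parse

AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"


def build_authorize_url(tenant, client_id, redirect_uri, scope, state):
    """Step 1: the URL the browser is sent to. `state` is an unguessable value
    the app stores and later compares so a forged redirect is rejected."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,
    }
    return AUTHORITY.format(tenant=tenant) + "/authorize?" + urllib.parse.urlencode(params)


def redirect_query(redirect_url):
    """Single-valued query parameters of the redirect the browser landed on."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_url).query).items()}


def state_matches(redirect_url, expected_state):
    """True only if the redirect echoes the state this client generated."""
    return redirect_query(redirect_url).get("state") == expected_state


def extract_code(redirect_url, expected_state):
    """Step 2: pull `code` out of the redirect; refuse it on a state mismatch
    or when the endpoint returned an error instead of a code."""
    if not state_matches(redirect_url, expected_state):
        raise ValueError("state mismatch: redirect was not produced by our request")
    query = redirect_query(redirect_url)
    if "error" in query:
        raise ValueError(f"{query['error']}: {query.get('error_description', '')}")
    return query["code"]


def build_token_request(tenant, client_id, client_secret, redirect_uri, code, scope):
    """Step 3: URL and form body of the POST to /token that redeems the code.
    The scope is the resource's '/.default' (for Dynamics, the org URL)."""
    form = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "code": code,
        "scope": scope,
    }
    return AUTHORITY.format(tenant=tenant) + "/token", urllib.parse.urlencode(form)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned stand-in for an access token so the decoder has
    offline input. A real token carries an RS256 signature in the third part."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return ".".join([header, _b64url(json.dumps(claims).encode()), ""])


def decode_payload(token: str) -> dict:
    """Step 4: read the claims (what jwt.ms shows). This only base64url-decodes
    the middle segment and does NOT verify the signature; use it to inspect
    'aud' and 'scp', and leave validation to the resource API."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("contoso-tenant-id", "my-client-id", "https://localhost/myapp/",
                              "https://contoso.crm.dynamics.com/.default", state))
    # Constructed sample of what the address bar holds after sign-in.
    redirect = "https://localhost/myapp/?code=0.AXSAMPLECODE&state=" + state
    code = extract_code(redirect, state)
    print(build_token_request("contoso-tenant-id", "my-client-id", "my-secret",
                              "https://localhost/myapp/", code,
                              "https://contoso.crm.dynamics.com/.default"))
    token = make_sample_token({"aud": "https://contoso.crm.dynamics.com", "scp": "user_impersonation"})
    print(decode_payload(token))
```

The `aud` value printed at the end is the check the answer describes: the resource named there must be the API the token is presented to, and a token minted for Graph will not be accepted by Dynamics even though both came from the same tenant.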