
I have a scope with the following name pattern: "api://{client-id}/{name-with-slash}"

Example:

Scope name: "portal/aws"

Final scope name: "api://6ea427d1-d3f6-479c-8cc8-f4cb73278354/portal/aws"

I registered this same scope with the same name in the Azure Portal in my application.

Expose an API

API Permission

However, when I try to redirect the url to /oauth2/v2.0/authorize, I get the following message error:

  • invalid_resource - AADSTS500011: The resource principal named api://6ea427d1-d3f6-479c-8cc8-f4cb73278354/portal was not found in the tenant named eb42c583-b4d7-4a81-a52b-d35ff307f901. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.

My code in TypeScript:

function buildSsoUrl(
  endpointAzure: string,
  clientId: string,
  redirectURI: string,
  scopeName: string,
  state: string,
  codeChallenge: string
): string {
  const params = [
    "client_id=" + clientId,
    "response_type=code",
    "redirect_uri=" + encodeURIComponent(`${redirectURI}/callback`),
    "response_mode=query",
    "scope=" + encodeURIComponent(scopeName), // api://6ea427d1-d3f6-479c-8cc8-f4cb73278354/portal/aws
    "state=" + state,
    "code_challenge=" + codeChallenge,
    "code_challenge_method=S256"
  ];

  const urlSSO = `${endpointAzure}/oauth2/v2.0/authorize?${params.join("&")}`;
  return urlSSO;
}

Using the encodeURIComponent function causes Authentication to not recognize the full scope name

asked Mar 12 at 5:18 by fixesMyCode, edited Mar 12 at 19:36
  • Could you please share the screenshot of your API permission blade and Expose an API blade and edit the question? – Pratik Jadhav Commented Mar 12 at 5:24
  • @PratikJadhav edit question with screenshot – fixesMyCode Commented Mar 12 at 14:44
  • Could you please also add the screenshot of your API permission blade? – Pratik Jadhav Commented Mar 12 at 17:15
  • @PratikJadhav add screenshot API permission – fixesMyCode Commented Mar 12 at 19:36
  • As shown in that API permission blade screenshot, you didn't add your exposed API permission and also did not grant admin consent – Pratik Jadhav Commented Mar 12 at 20:04

2 Answers

invalid_resource - AADSTS500011: The resource principal named api://client-id/portal was not found in the tenant named <tenant-id.>

This error message usually occurs when the application is not registered in the tenant you are requesting against, or when you did not add and grant admin consent to the scope in the API permissions blade that you created in the Expose an API blade.

I got the same error when adding a scope like yours, api://<client-id>/portal/aws. Slashes and spaces are invalid characters for a scope name and could be the restriction, so try avoiding slashes and spaces, add this permission on the API permissions blade and grant admin consent.

Added the Application ID URI and a scope in the Expose an API blade:

Added the portal.aws scope to the API permissions blade:

Granted admin consent to portal.aws:

Using the delegated type and the authorization_code flow, which requires user interaction.

Ensure you provide the same tenant ID where your application is registered.

To get the code, I ran the authorization request below in the browser:

https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize?
client_id=<client_id>
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=api://<client-id>/portal.aws
&state=12345

After successfully obtaining the authorization code, I generated an access token using the parameters below:

POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id: <application-id>
client_secret: <client-secret>
scope: api://<client-id>/portal.aws
grant_type: authorization_code
code: <authorization_code generated from browser>
redirect_uri: <redirect_uri>

References:

Configure an application to expose a web API

Here are some suggestions you can check. The exposed API api://6ea427d1-d3f6-479c-8cc8-f4cb73278354/portal/aws is different from what I can see in the error message, api://6ea427d1-d3f6-479c-8cc8-f4cb73278354/portal.

Make sure you are exposing the correct address.

If you use encodeURIComponent() on the entire scope, the slashes (/) will be encoded, which may cause Azure to misinterpret the scope. You can try it like:

"scope=" + encodeURIComponent("api://6ea427d1-d3f6-479c-8cc8-f4cb73278354/portal/aws")

or just hard code it for testing, like:

"scope=api://6ea427d1-d3f6-479c-8cc8-f4cb73278354/portal/aws"

Your error message states a tenant mismatch.

  • Make sure the correct tenant ID is used in the authentication request.

  • If your app is multi-tenant, ensure that it is properly set up for external tenants.

  • The tenant ID should be correct in your Azure endpoint: https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize.

Also, make sure that the API permission has been consented to for users. If not, try granting admin consent in the Azure Portal under API permissions.

Also, when requesting a token, ensure that you are requesting delegated permissions under API permissions and that they match what is configured under Expose an API.

Verify that the scope is set under Expose an API. Make sure the Client ID matches the registered application. Check if the Application ID URI (api://{client-id}) is correctly set in Expose an API.

You can also log your scope before redirecting and make sure the scope is set correctly: console.log("Requested Scope: ", scopeName);.

If you still cannot spot the issue, please provide more information.

Good luck.
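The point made by both answers, as an added TypeScript example (not code from the question or from either answer): the v2.0 endpoint reads a requested scope as `<resource>/<permission>` and takes everything before the last slash as the resource, which is why the question's `api://<client-id>/portal/aws` was looked up as the resource `api://<client-id>/portal` in the AADSTS500011 message. The code rejects scope names containing slashes or whitespace, builds the /authorize URL with URLSearchParams (percent-encoding the scope is harmless, the STS decodes it), and prepares the PKCE-based token request. The tenant and client IDs are the ones from the question; the redirect URI, the `openid` scope, and all function names are assumptions.

```typescript
// Added example (not code from the question or either answer). Builds the
// /authorize URL and the token request for the Entra ID v2.0 endpoints and
// shows why a scope name containing "/" produces AADSTS500011.
// Placeholder / assumed values: TENANT_ID and CLIENT_ID are copied from the
// question, REDIRECT_URI is assumed.
import { createHash, randomBytes } from "node:crypto";

const TENANT_ID = "eb42c583-b4d7-4a81-a52b-d35ff307f901";
const CLIENT_ID = "6ea427d1-d3f6-479c-8cc8-f4cb73278354";
const REDIRECT_URI = "https://localhost:3000/callback"; // assumed

// A v2.0 scope is "<resource>/<permission>". The STS takes everything before the
// LAST slash as the resource (the Application ID URI) and looks it up. That is
// what the error in the question shows: "api://<id>/portal/aws" was resolved as
// resource "api://<id>/portal", which is not exposed by any app in the tenant.
function splitScope(scope: string): { resource: string; permission: string } {
  const i = scope.lastIndexOf("/");
  return i < 0
    ? { resource: "", permission: scope }
    : { resource: scope.slice(0, i), permission: scope.slice(i + 1) };
}

// A permission (scope) name must not contain "/" or whitespace; use "portal.aws".
function isValidScopeName(name: string): boolean {
  return name.length > 0 && !/[\s\/]/.test(name);
}

// Build full scope strings from the Application ID URI and validated names.
function apiScopes(appIdUri: string, names: string[]): string[] {
  return names.map((n) => {
    if (!isValidScopeName(n)) throw new Error(`invalid scope name: "${n}"`);
    return `${appIdUri}/${n}`;
  });
}

// RFC 4648 base64url without padding, as PKCE requires.
function b64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// PKCE (RFC 7636, S256): code_challenge = BASE64URL(SHA-256(code_verifier)).
function pkceChallenge(verifier: string): string {
  return b64url(createHash("sha256").update(verifier).digest());
}

// Unguessable state / code_verifier. Keep both in the user's session and check
// state on the callback so an attacker cannot inject their own code.
function randomToken(bytes = 32): string {
  return b64url(randomBytes(bytes));
}

interface AuthorizeOptions {
  tenantId: string; clientId: string; redirectUri: string;
  scopes: string[]; state: string; codeVerifier: string;
}

// URLSearchParams form-encodes every value consistently (":" and "/" become %3A
// and %2F, space becomes "+"); the STS decodes the query string, so the scope
// arrives intact. Percent-encoding was never the cause of the error.
function buildAuthorizeUrl(o: AuthorizeOptions): string {
  const params = new URLSearchParams({
    client_id: o.clientId,
    response_type: "code",
    redirect_uri: o.redirectUri,
    response_mode: "query",
    scope: o.scopes.join(" "),
    state: o.state,
    code_challenge: pkceChallenge(o.codeVerifier),
    code_challenge_method: "S256",
  });
  return `https://login.microsoftonline.com/${o.tenantId}/oauth2/v2.0/authorize?${params}`;
}

// Body for POST /oauth2/v2.0/token. A public client (SPA) proves possession of
// the code with code_verifier instead of a client_secret.
function buildTokenRequest(o: AuthorizeOptions, code: string): { url: string; body: URLSearchParams } {
  const body = new URLSearchParams({
    client_id: o.clientId,
    grant_type: "authorization_code",
    code,
    redirect_uri: o.redirectUri,
    scope: o.scopes.join(" "),
    code_verifier: o.codeVerifier,
  });
  return { url: `https://login.microsoftonline.com/${o.tenantId}/oauth2/v2.0/token`, body };
}

// Worked run with the values above: "portal.aws" is accepted, "portal/aws" would throw.
function example(): string {
  const opts: AuthorizeOptions = {
    tenantId: TENANT_ID, clientId: CLIENT_ID, redirectUri: REDIRECT_URI,
    scopes: [...apiScopes(`api://${CLIENT_ID}`, ["portal.aws"]), "openid"],
    state: randomToken(), codeVerifier: randomToken(),
  };
  return buildAuthorizeUrl(opts);
}

console.log(example());
```

Run it with `npx tsx file.ts` (or ts-node); the printed URL carries `scope=api%3A%2F%2F<client-id>%2Fportal.aws+openid`, which the STS decodes back to the registered `api://<client-id>/portal.aws`. Calling `apiScopes` with `["portal/aws"]` throws before any request is sent, which is the check the question's code was missing.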
