Understanding Azure AD’s On-Behalf-Of flow (aka OBO flow)

Background Microsoft Azure Active Directory supports an OAuth2 protocol extension called On-Behalf-Of flow (OBO flow). This is documented at both the Microsoft Identity Platform V1 and V2 endpoint. The OBO flow is used in the following scenario. Both Web API 1 and Web API 2 are protected by Azure AD. A client application (could be a SPA app, a front-end Web Application, or a native application) signs a user into…

Read More

VB.NET – Use MSAL.Net in a Console Application to Authenticate to Azure

At one point in recent history, VB.Net was one of the most popular development languages around. In fact, there are many legacy applications written in VB.Net and even still, VB.Net is still in the top 10 languages ( source: https://www.techworm.net/2018/02/popular-programming-languages-2018-according-tiobe-pypl.html ).  I will show a simple console application using VB.Net to authenticate using MSAL.Net Of course, the first step, as in everything Azure, starts with setting up an app registration…

Read More

Implementing Service to Service Authorization and Getting the Access Token with Postman Utilizing Client Credential Grant Type

Introduction This article is meant to show how one can set up a client application to obtain a service to service access token, to get access to a web API from a web App. This document will be following the grant type client credential flow to do this, and will utilize Postman to get the access token via client credentials. This tutorial will not set up the backend web API,…

Read More

Using PostMan to request an Azure AD token via SAML Assertion Grant flow

Azure Active Directory (Azure AD) supports an OAuth2 Extension Grant called “SAML Bearer Assertion flow” which allows an application to request an JWT OAuth2 token from Azure AD by providing a SAML Assertion (Token) acquired during an authentication process to a different Authorization Server. As you can imagine in order for this token exchange mechanism to happen, a trust relation between Azure AD and that Authorization Server must have already…

Read More

Receiving error IDX21323 or DX10311 RequireNonce…

Depending on what version of OWIN is used, you may see the following error in an MVC application using OpenID Connect middleware IDX21323: RequireNonce is ‘[PII is hidden by default. Set the ‘ShowPII’ flag in IdentityModelEventSource.cs to true to reveal it.]’. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don’t need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to ‘false’. Note if a ‘nonce’ is…

Read More

Using jwt.io to verify the signature of a JWT token

Introduction In an asymmetric algorithm, a JWT token is signed with an Identity Provider’s private key. To verify the signature of the token, one will need to have a matching public key. This post will cover how to use the JWT tool at https://jwt.io/ to verify the signature of an signed Azure AD token (either access or id token). Note: You should only validate the token intended for your own…

Read More

Receiving AADSTS90094: The grant requires admin permission.

Introduction This post is to help provide guidance when receiving the error : AADSTS90094: The grant requires admin permission. Typically this error is received when trying to get access to an AAD application registration. Please note that there are two different Microsoft application portals: https://portal.azure.com  (v1 application portal) and the https://myapps.microsoft.com (v2 application portal). For details on the different application models, please visit the following link: What’s different about the…

Read More

Query String is not allowed in redirect_uri for Azure AD

Problem: See update at the end.  This is no longer an issue. Customer configures the following redirect URLs for his registered application in Azure AD and issues the following request to authenticate to Azure AD: GET https://login.microsoftonline.com/<tenant id>/oauth2/authorize?client_id=<app id>&redirect_uri=https%3a%2f%2flocalhost%3a44396%2fbac%2faad%3freqId%3dA123&response_mode=form_post&…. After logging in he is redirected to https://localhost:44396/bac/aad instead of https://localhost:44396/bac/aad?reqId=A123. The redirected URL does not have anything after the query string. Root Cause: The behavior is by design.  This is…

Read More

Granting Tenant Admin Consent for Microsoft Graph Explorer

Introduction This post is meant for users who are trying to utilize the Microsoft Graph Explorer but are getting an error regarding admin consent. This error is described in the picture below :   Giving Consent for All Users for Microsoft Graph Explorer This error is occurring because the user trying to use the graph explorer is trying to utilize a v2 permission that requires admin consent. The permissions/scopes regarding…

Read More

Receiving error AADSTS7000218: The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’

Problem: An application receives the following error when authenticating to Azure Active Directory: {     “error”: “invalid_client”,      “error_description”: “AADSTS7000218: The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’.\r\nTrace ID: xxx\r\nCorrelation ID: xxx\r\nTimestamp: 2019-08-18 20:38:28Z”,     “error_codes”: [7000218],     …} What does this error mean? The error is what it said.  When authenticating to Azure AD to get an access token, the client application is not providing…

Read More