The Authentication Method "OAuth2 Client Credentials Grant" in a SCIM app does not work

Question

The Authentication Method "OAuth2 Client Credentials Grant" in a SCIM app does not work

Spasova, Monika 40

We have created a SCIM app in azure that will be used to provision users from Entra to our SCIM compliant service. We would like to support the Authentication method: Oauth2 Client Credentials Grant. When we configure the SCIM app to use it we see the error on the right side of the screenshot:

You appear to have entered invalid credentials. Please confirm you are using the correct information for an administrative account.

Error code: SystemForCrossDomainIdentityManagementCredentialValidationUnavailable

Details: We received this unexpected response from your application:.........
AzureClientCredentialsSupportImage

When we request the same token endpoint to get access token in postman, using absolutely the same client id and secret, we receive a token and we are successfully authorize to our SCIM compliant service and we execute successful requests. AzureSupportCaseImage2

Why does it happen in Azure?

Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2024-12-03T14:57:43.0733333+00:00

Hi @Spasova, Monika

Thank you for reaching us!
let me research on this ask and revert back.
In the meanwhile could you please check attribute mapping Incorrect attribute mapping can also cause this error.
Spasova, Monika 40 Reputation points

2024-12-03T15:07:59.4266667+00:00

It is not because of mappings. If I switch to bearer token authentication method in Azure, and paste the token retrieved from the upper postman request, I am authorized.
Spasova, Monika 40 Reputation points

2024-12-03T15:36:52.0466667+00:00

From the logs we saw that Azure does not a request to the token endpoint at all
Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2024-12-03T16:09:32.4966667+00:00

@Spasova, Monika

This error can occur when performing Test Connection under Admin Credentials when configuring provisioning, even if the correct secret and URL are being used. could you please try with another credentials, if the issue has persisted try to review the logs for the SCIM app to see if there are any errors or issues that may be causing the problem

2 answers

Your answer

Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2024-12-03T14:57:43.0733333+00:00

Hi @Spasova, Monika

Thank you for reaching us!
let me research on this ask and revert back.
In the meanwhile could you please check attribute mapping Incorrect attribute mapping can also cause this error.
Spasova, Monika 40 Reputation points

2024-12-03T15:07:59.4266667+00:00

It is not because of mappings. If I switch to bearer token authentication method in Azure, and paste the token retrieved from the upper postman request, I am authorized.
Spasova, Monika 40 Reputation points

2024-12-03T15:36:52.0466667+00:00

From the logs we saw that Azure does not a request to the token endpoint at all
Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2024-12-03T16:09:32.4966667+00:00

@Spasova, Monika

This error can occur when performing Test Connection under Admin Credentials when configuring provisioning, even if the correct secret and URL are being used. could you please try with another credentials, if the issue has persisted try to review the logs for the SCIM app to see if there are any errors or issues that may be causing the problem

Answer 1

Givary-MSFT 35,621 Microsoft Employee Moderator

@Spasova, Monika Thank you for reaching out to us, just wanted to check does your app is a gallery app ? Because in our documentation - https://learn.microsoft.com/en-us/entra/identity/app-provisioning/use-scim-to-provision-users-and-groups#how-to-setup-oauth-code-grant-flow:~:text=non%2Dgallery%20apps.-,OAuth%20authorization%20code%20grant,-Access%20tokens%20have

OAuth authorization code grant - Supported for gallery apps, but not non-gallery apps. However, you can provide an access token in the UI as the secret token for short term testing purposes. Support for OAuth code grant on non-gallery is in our backlog, in addition to support for configurable auth / token URLs on the gallery app.

Let me know if this helps to answer your query, else feel free to post back, would be happy to check with my team or research further on this and revert back.

Spasova, Monika 40 Reputation points

2024-12-04T07:18:31.59+00:00

Use answers to provide solutions to the user's question. However, in the enterprise app we successfully use Authentication method: Oauth2 Authorization Code Grant and we don't have troubles authorising. For Oauth2 Authorization Code Grant in the document it is written that is as well a backlog item but it is working. This makes us feel that Oauth2 Client Credentials Grant might also be intact but it turns out that with this approach Azure does not send a request for getting the token to the token endpoint at all.
Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator

2024-12-04T07:42:58.9566667+00:00

@Spasova, Monika From the second screenshot, I see you are using access token url request for a token and at the same I saw one of the posts dated in Aug - https://learn.microsoft.com/en-us/answers/questions/1858521/why-dont-we-see-oauth2-authorization-code-grant-in?page=2#answers considering the scenario is same here, where you had a conversation with our PM regarding this issue.

As we have mentioned that these flows are supported for gallery apps, but not non-gallery apps.

For more visibility, let me tag our PM @Danny Zollner to share his inputs on this ask.
Spasova, Monika 40 Reputation points

2024-12-04T07:46:00.85+00:00

It is not the same, the scenario in August was for an on premise app that is different kind of app. For enterprise app Oauth2 Authorization Code Grant works.
Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator

2024-12-04T07:58:15.44+00:00

@Spasova, Monika Just check if this Stack overflow post - https://stackoverflow.com/questions/71928678/azure-active-directory-enterprise-app-openid-and-user-provisioning-scim helps else send me an email to 'AzCommunity@microsoft.com' with Sub - Attn: Givary and following details in the email body:

Link to this thread/post

We can connect offline over the teams and discuss further on this.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Spasova, Monika 40 Reputation points

2024-12-05T12:24:54.85+00:00

For the moment we have decided to pause the approach with the Client Credentials. If it comes back to the agenda, I will contact you. Thank you.
Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator

2024-12-05T12:27:51.23+00:00

@Spasova, Monika Thanks for the update.

Answer 2

I believe that you are enabling the OAuth UI in the custom non-gallery SCIM application via a URL feature flag that is documented on an integration for a specific gallery application. If that is correct, then the cause of your issues is that this feature is not intended to be used with the non-gallery SCIM application. This feature not being supported for use with the non-gallery SCIM application means that the behavior you are seeing is the expected one - failure.

I am only aware of this being documented for use on one specific gallery application's tutorial article. If this feature flag is documented elsewhere on Microsoft's documentation platform, please let me know where and I will promptly remove it.

Share via

The Authentication Method "OAuth2 Client Credentials Grant" in a SCIM app does not work

2 answers

Your answer