Receiving 401 error code when trying to access Blockchain workbench api

alex man 1

Receiving 401 error code when trying to access Blockchain workbench api but when I use same token to access graph api , it functions properly.

alex man 1 Reputation point

2020-07-12T03:11:55.2+00:00

I have used 'passport-azure-ad' to generate token with callback http://localhost:3000/auth/callback

OAUTH_REDIRECT_URI=http://localhost:3000/auth/callback
OAUTH_SCOPES='profile user.read offline_access calendars.read'
OAUTH_AUTHORITY=https://login.microsoftonline.com/common/
OAUTH_ID_METADATA=v2.0/.well-known/openid-configuration
OAUTH_AUTHORIZE_ENDPOINT=oauth2/v2.0/authorize
OAUTH_TOKEN_ENDPOINT=oauth2/v2.0/token
alex man 1 Reputation point

2020-07-12T10:25:54.553+00:00

I used same token to access graph api /me endpoint, it works well
AshokPeddakotla-MSFT 34,861 Reputation points

2020-07-13T11:40:48.13+00:00

@alex man Apologies for the delay and inconvenience caused in this regard. We are looking into this issue and update you as earliest.
alex man 1 Reputation point

2020-07-13T21:14:03.537+00:00

Thank you.
alex man 1 Reputation point

2020-07-13T23:01:45.997+00:00

redirect URI
https://imgur.com/a/XypL0Q2

Api permissions
https://imgur.com/a/Gwi4wbp
alex man 1 Reputation point

2020-07-14T02:06:16.407+00:00

Where did I go wrong
AshokPeddakotla-MSFT 34,861 Reputation points

2020-07-16T12:46:20.363+00:00

@alexman-8196 We are still looking into this issue. We will update once we hear from the respective team. Thanks for your time and patience.

2 answers

Aishik Pyne 6 Reputation points

2020-07-20T10:19:41.373+00:00
Hi @alexman-8196

To understand your problem in detail I have a few questions

What is the intention of authentication? Are you trying to use the workbench API directly without the UI?

How are you obtaining the token? Against a user who is a part of the AAD or a SPN?

Just of debugging can you open the workbench UI, go to the networks tab, open an XHR request to the API web app and copy the authorization token from the header and use it in your application? This would help us understand if the issue as to why your token is giving a 401 error?
Please sign in to rate this answer.
alex man 1 Reputation point

2020-07-20T22:19:17.693+00:00

Yes without the UI , I'm trying to access the workbench api
Obtaining the token for user who is part of AAD

Yes, it functions properly when I utilize the token from header in the networks tab

Aishik Pyne 6 Reputation points

2020-07-21T12:11:17.78+00:00

So this clears out that the API is functioning well.

Now the issue which you are facing is the token you are generating the token from AAD, is not the same as generating the token from the API.
The API has its own JWT issuing service which internal authenticates the user with the AAD hence the token you are getting from AAD is not valid for the API.

You should try to do an oauth login to the API and get the token. The flow of your authentication would be very close to what the UI does:

Trigger login --> go to Microsoft login page --> redirects to API --> API issues you a JWT
You then use this JWT to communicate with the API

alex man 1 Reputation point

2020-07-21T19:30:03.59+00:00

I have followed the method you have mentioned, I have used the documentation below,
https://learn.microsoft.com/en-us/graph/tutorials/node?tutorial-step=3

alex man 1 Reputation point

2020-07-22T08:33:01.1+00:00

redirect URI
https://imgur.com/a/XypL0Q2

Api permissions
https://imgur.com/a/Gwi4wbp

alex man 1 Reputation point

2020-07-22T08:33:33.203+00:00

I have used 'passport-azure-ad' to generate token with callback http://localhost:3000/auth/callback

OAUTH_REDIRECT_URI=http://localhost:3000/auth/callback
OAUTH_SCOPES='profile user.read offline_access calendars.read'
OAUTH_AUTHORITY=https://login.microsoftonline.com/common/
OAUTH_ID_METADATA=v2.0/.well-known/openid-configuration
OAUTH_AUTHORIZE_ENDPOINT=oauth2/v2.0/authorize
OAUTH_TOKEN_ENDPOINT=oauth2/v2.0/token

alex man 1 Reputation point

2020-07-22T20:49:17.187+00:00

Could you please resolve this issue a little quickly?

alex man 1 Reputation point

2020-07-22T20:49:45.6+00:00

Where did I go wrong?

Aishik Pyne 6 Reputation points

2020-07-22T21:02:07.497+00:00

Sorry for the delays in my response even I am facing trouble understanding the issue and it is going wrong.

I think what can be going wrong is you are calling AAD and it's redirecting back to you but in this process no where is the link to your API instance being mentioned. So the API doesn't have the context of your session. Where are you mentioning the reference to the API in your process?

Aishik Pyne 6 Reputation points

2020-07-22T21:07:28.567+00:00

Are you mentioning the enterprise app client id anywhere in the passport setup?

Aishik Pyne 6 Reputation points

2020-07-22T21:15:32.597+00:00

As a debugging step go over to https://jwt.io/
Decode the token you are generating
Check in the Payload Data -> Is "aud" value same as the application id of your Enterprise App in your AAD?

alex man 1 Reputation point

2020-07-27T05:50:33.127+00:00

The aud value isn't sames asthe app id (client id)
Payload contains another field named appid (this is equal to the registered appid).
I have configured OAUTH_APP_ID and OAUTH_APP_PASSWORD as well
passport.use(new OIDCStrategy(
{
identityMetadata: ${process.env.OAUTH_AUTHORITY}${process.env.OAUTH_ID_METADATA},
clientID: process.env.OAUTH_APP_ID,
responseType: 'code id_token',
responseMode: 'form_post',
redirectUrl: process.env.OAUTH_REDIRECT_URI,
allowHttpForRedirectUrl: true,
clientSecret: process.env.OAUTH_APP_PASSWORD,
validateIssuer: false,
passReqToCallback: false,
scope: process.env.OAUTH_SCOPES.split(' ')
},

alex man 1 Reputation point

2020-07-27T05:51:03.813+00:00

he aud value isn't sames asthe app id (client id)
Payload contains another field named appid (this is equal to the registered appid).
I have configured OAUTH_APP_ID and OAUTH_APP_PASSWORD as well
passport.use(new OIDCStrategy(
{
identityMetadata: ${process.env.OAUTH_AUTHORITY}${process.env.OAUTH_ID_METADATA},
clientID: process.env.OAUTH_APP_ID,
responseType: 'code id_token',
responseMode: 'form_post',
redirectUrl: process.env.OAUTH_REDIRECT_URI,
allowHttpForRedirectUrl: true,
clientSecret: process.env.OAUTH_APP_PASSWORD,
validateIssuer: false,
passReqToCallback: false,
scope: process.env.OAUTH_SCOPES.split(' ')
},

alex man 1 Reputation point

2020-07-27T05:59:23.363+00:00

The aud value isn't same as the app id (client id)
Payload contains another field named appid (this is equal to the registered appid).
I have configured OAUTH_APP_ID and OAUTH_APP_PASSWORD as well
passport.use(new OIDCStrategy(
{
identityMetadata: ${process.env.OAUTH_AUTHORITY}${process.env.OAUTH_ID_METADATA},
clientID: process.env.OAUTH_APP_ID,
responseType: 'code id_token',
responseMode: 'form_post',
redirectUrl: process.env.OAUTH_REDIRECT_URI,
allowHttpForRedirectUrl: true,
clientSecret: process.env.OAUTH_APP_PASSWORD,
validateIssuer: false,
passReqToCallback: false,
scope: process.env.OAUTH_SCOPES.split(' ')
},
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
alex man 1 Reputation point

2020-07-29T01:36:06.163+00:00

I have configured the following, but aud value is not equal to app value

passport.use(new OIDCStrategy(
{
identityMetadata: 'https://login.microsoftonline.com/tenantid/v2.0/.well-known/openid-configuration',
clientID: process.env.OAUTH_APP_ID,
audience: process.env.OAUTH_APP_ID,
responseType: 'code id_token',
responseMode: 'form_post',
redirectUrl: process.env.OAUTH_REDIRECT_URI,
allowHttpForRedirectUrl: true,
clientSecret: process.env.OAUTH_APP_PASSWORD,
validateIssuer: false,
passReqToCallback: false,
scope: process.env.OAUTH_SCOPES.split(' ')
}

But aud field is 00000003-0000-0000-c000-000000000000 (not equal to app id)

payload contains iss: "https://sts.windows.net/tentantId/"

On sigin activity page,

Resource
Microsoft Graph

Resource ID
00000003-0000-0000-c000-000000000000

Token issuer type
Azure AD

Token issuer name
null
Please sign in to rate this answer.
alex man 1 Reputation point

2020-07-27T04:17:59.087+00:00

The aud value is different from app id (client id)
The payload had other field which states app id ( this one is same as the registered app id)

I have configured, OAUTH_APP_ID and OAUTH_APP_PASSWORD for passport authentication
passport.use(new OIDCStrategy(
{
identityMetadata: ${process.env.OAUTH_AUTHORITY}${process.env.OAUTH_ID_METADATA},
clientID: process.env.OAUTH_APP_ID,
responseType: 'code id_token',
responseMode: 'form_post',
redirectUrl: process.env.OAUTH_REDIRECT_URI,
allowHttpForRedirectUrl: true,
clientSecret: process.env.OAUTH_APP_PASSWORD,
validateIssuer: false,
passReqToCallback: false,
scope: process.env.OAUTH_SCOPES.split(' ')
},

alex man 1 Reputation point

2020-07-27T05:49:45.867+00:00

The aud value isn't sames asthe app id (client id)
Payload contains another field named appid (this is equal to the registered appid).
I have configured OAUTH_APP_ID and OAUTH_APP_PASSWORD as well
passport.use(new OIDCStrategy(
{
identityMetadata: ${process.env.OAUTH_AUTHORITY}${process.env.OAUTH_ID_METADATA},
clientID: process.env.OAUTH_APP_ID,
responseType: 'code id_token',
responseMode: 'form_post',
redirectUrl: process.env.OAUTH_REDIRECT_URI,
allowHttpForRedirectUrl: true,
clientSecret: process.env.OAUTH_APP_PASSWORD,
validateIssuer: false,
passReqToCallback: false,
scope: process.env.OAUTH_SCOPES.split(' ')
},

alex man 1 Reputation point

2020-07-27T20:48:20.427+00:00

But the activity sigin logs display status is success

alex man 1 Reputation point

2020-07-28T07:26:12.34+00:00

Any update on the issue?

Aishik Pyne 6 Reputation points

2020-07-28T10:49:15.717+00:00

According to the docs here I'm seeing you are using the common endpoint v1 as authority
Can you try to use v2 tenant-specific endpoint?

Authority = "https://login.microsoftonline.com/" + <AAD_TENANT_DOMAIN_NAME> + "/";
Audience = <AAD_APP_ID>;

Even though your sign in is successful it won't work right out of the box unless you request a token against the exact app in your AAD which workbench has created
The token you get after doing that should have audience value same as the client id

alex man 1 Reputation point

2020-07-29T01:36:31.533+00:00

I have configured the following, but aud value is not equal to app value

passport.use(new OIDCStrategy(
{
identityMetadata: 'https://login.microsoftonline.com/tenantid/v2.0/.well-known/openid-configuration',
clientID: process.env.OAUTH_APP_ID,
audience: process.env.OAUTH_APP_ID,
responseType: 'code id_token',
responseMode: 'form_post',
redirectUrl: process.env.OAUTH_REDIRECT_URI,
allowHttpForRedirectUrl: true,
clientSecret: process.env.OAUTH_APP_PASSWORD,
validateIssuer: false,
passReqToCallback: false,
scope: process.env.OAUTH_SCOPES.split(' ')
}

But aud field is 00000003-0000-0000-c000-000000000000 (not equal to app id)

payload contains iss: "https://sts.windows.net/tentantId/"

On sigin activity page,

Resource
Microsoft Graph

Resource ID
00000003-0000-0000-c000-000000000000

Token issuer type
Azure AD

Token issuer name
null

Aishik Pyne 6 Reputation points

2020-07-30T00:45:10.69+00:00

Can you try chaning your
responseType: 'code id_token',
to either id_token or code and not both? (Recommend that you go with id_token)

These are two different types of authentication protocols actually.

If you have not checked already, you might want to check this doc for more reference

alex man 1 Reputation point

2020-07-30T01:19:30.623+00:00

While setting response type to id token , output is GraphError {
statusCode: -1,
code: null,
message: null,
requestId: null,
date: 2020-07-30T01:06:30.748Z,
body: null
}
used only code then the payload contains aud with value 00000003-0000-0000-c000-000000000000

But console.log(graph.getuserdetails()) prints aud equal to app id

alex man 1 Reputation point

2020-07-30T06:02:17.553+00:00

Where did it go wrong?

alex man 1 Reputation point

2020-07-31T04:52:41.93+00:00

Could tell me whether the scope could be problem

Then what should I set the scope

Aishik Pyne 6 Reputation points

2020-08-02T19:32:41.19+00:00

You should set the scope as per this. You can find the app registration in your own AAD which the workbench has created on behalf of you.
The name of the AAD app will be Azure Blockchain Workbench <deployment-name>

AshokPeddakotla-MSFT 34,861 Reputation points

2020-08-05T05:24:31.407+00:00

@alex man Did you get a chance to see the above response? Do let us know if that helps and you have any further queries.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Receiving 401 error code when trying to access Blockchain workbench api

2 answers

Your answer