Is there a way to request an OAuth2 access token (client credentials) that does not require a Resource in the request?

Morman, Scott 1 Reputation point
2021-08-03T20:53:30.353+00:00

I am working on a proof of concept where I need to request an AAD OAuth2 access token using Client Credentials flow so that I can securely send a message to an Azure Event Hub. The only way I have been able to get this use case to work is by:

  1. Registering my App via App Registration.
  2. Assigning the Azure Event Hub Send role to the application
  3. Upon making the OAuth2 request for an access token, I have to supply the Resource as a part of the request such that the access token contains the proper claims.

This all works fine; however, the problem that I am running into is that what I am using does not have support to specify the Resource in the OAuth2 access token request. That means that the token I receive from AAD does not have the proper claims and I end up getting the following response from Azure Event Hubs when I attempt to use the access token to send a message to the event hub.

[screenshot: Azure Event Hubs error response]

I can reproduce the error in Postman by not supplying the Resource in the AAD OAuth2 request.

I am wondering if there is another way to create a proper access token that Azure Event Hubs will accept and that does not require any other information other than the client_id and client_secret. Or perhaps another way that I can configure the registered app such that a role assignment is not necessary or does not require the Resource to be supplied in the OAuth2 request.


1 answer

    Saurabh Sharma 23,816 Reputation points Microsoft Employee
    2021-08-04T23:25:35.357+00:00

    Hi @Morman, Scott ,

    Thanks for using Microsoft Q&A!
    No, you cannot get a token without specifying either the resource or the scope parameter, as it is required by OAuth to return a valid token for the resource for which you want to use the token. If you are using the v1 endpoint https://login.microsoftonline.com/<tenant>/oauth2/token then you need to provide resource, and when using the v2 endpoint https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token then you need to provide a scope. Please refer to the Microsoft identity platform and the OAuth 2.0 client credentials flow for details.
    Is there any specific reason you do not want to pass the resource parameter? Also, what value are you passing as the resource parameter?

    Please pass https://eventhubs.azure.net/ as resource (refer to Authorize access to Event Hubs resources using Azure Active Directory).
    [screenshot: token request with the resource parameter]

    Please use https://eventhubs.azure.net/.default when using scope (screenshot below).
    [screenshot: token request with the scope parameter]

    Please refer to Get an Azure Active Directory (Azure AD) token and use it to send events to an event hub for detailed steps.

    Thanks
    Saurabh
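As an added example (not code from the question or the answer), the two request shapes the answer describes, v1 with `resource` and v2 with `scope`, plus a check of the returned token's `aud` claim before handing it to Event Hubs; the tenant id, client id, secret and the unsigned sample JWT are constructed placeholders.

```python
"""Client credentials request for the v1 or v2 endpoint, and an audience
check on the token.  Tenant, client id and secret are placeholders."""
import base64
import json
import urllib.parse
import urllib.request

EVENT_HUBS_RESOURCE = "https://eventhubs.azure.net/"        # v1: resource=
EVENT_HUBS_SCOPE = "https://eventhubs.azure.net/.default"   # v2: scope=


def token_request(tenant, client_id, client_secret, use_v2=True):
    """Return (token endpoint URL, form body) for the client credentials grant.
    v2 requires `scope`; v1 requires `resource`.  Leaving both out is what
    produces a token whose claims Event Hubs rejects."""
    base = f"https://login.microsoftonline.com/{tenant}/oauth2"
    params = {"grant_type": "client_credentials",
              "client_id": client_id, "client_secret": client_secret}
    if use_v2:
        params["scope"] = EVENT_HUBS_SCOPE
        url = f"{base}/v2.0/token"
    else:
        params["resource"] = EVENT_HUBS_RESOURCE
        url = f"{base}/token"
    return url, urllib.parse.urlencode(params)


def jwt_claims(token):
    """Decode a JWT payload (no signature check: this only inspects claims)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_ok(token):
    """True when the aud claim names Event Hubs (with or without the slash)."""
    aud = jwt_claims(token).get("aud")
    return aud in (EVENT_HUBS_RESOURCE, EVENT_HUBS_RESOURCE.rstrip("/"))


def fetch_token(tenant, client_id, client_secret, use_v2=True):
    """Live request (needs network); returns the access_token string."""
    url, body = token_request(tenant, client_id, client_secret, use_v2)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def unsigned_jwt(claims):
    """Constructed, unsigned JWT for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

Checking `audience_ok` on the token before sending catches the misconfigured request locally instead of learning about it from the Event Hubs rejection.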

