question

60134842 asked 60134842 commented

oauth 2.0 authorization

I am using the Graph API to call the Teams API.
Before I call the API I want to get the access token through the REST API, so I followed the guidance at
https://docs.microsoft.com/zh-cn/graph/auth-v2-user

to build an application in the Azure portal, and I want to log in with OAuth 2.0.
First I called the API below to get the code:

https://login.microsoftonline.com/XXXXXXX/oauth2/v2.0/authorize?
client_id=XXXXXXXXX
&response_type=code
&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
&response_mode=query
&scope=offline_access%20user.read%20mail.read%20Directory.ReadWrite.All%20Group.ReadWrite.All%20ChannelMessage.Read.All
&state=12345

After the code is returned by the redirect URI which I set in the configuration,
I called the token API to get the login token:
https://login.microsoftonline.com/XXXXXX/oauth2/v2.0/token

But it always showed:
    {
        "error": "invalid_grant",
        "error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID '0e1f447e-e88b-454c-9eab-05464f01de21' named 'multi-platform-sns-dev'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 6b05624a-d852-4aa5-b4d6-6babadf02900\r\nCorrelation ID: 75f0d769-9b21-4148-95b3-2f640d86771e\r\nTimestamp: 2022-05-13 06:12:23Z",
        "error_codes": [
            65001
        ],
        "timestamp": "2022-05-13 06:12:23Z",
        "trace_id": "6b05624a-d852-4aa5-b4d6-6babadf02900",
        "correlation_id": "75f0d769-9b21-4148-95b3-2f640d86771e",
        "suberror": "consent_required"
    }

microsoft-graph-teamwork · azure-ad-authentication · microsoft-graph-applications

Hi @60134842,

Did you provide grant_type=authorization_code in Body while calling the token api?

CarlZhao-MSFT answered CarlZhao-MSFT commented

Hi @60134842

You must use the decoded permission in scope when requesting the token.

 offline_access user.read mail.read Directory.ReadWrite.All Group.ReadWrite.All ChannelMessage.Read.All


If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.




Hi @60134842

Is there anything else I can help with regarding this issue?

You can comment to us at any time and we will continue to follow up.

Thanks,
Carl Zhao

ShivaniRai-MSFT-7217 answered 60134842 commented

Hi @60134842,

As per my test this error means that the requested scope (resource) can’t be accessed by you (login user) because of the lack of permissions. So, to fix that, you need to grant these required permissions to access that resource.

You need to add these delegated permissions in Azure portal and grant admin consent to all these scopes offline_access user.read mail.read Directory.ReadWrite.All Group.ReadWrite.All ChannelMessage.Read.All in Azure portal. Refer to the example screenshot below from Azure portal:

Hope this helps.

Thanks for the reply.
I tried the solution which @CarlZhao-MSFT gave and succeeded in getting the token.

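An added example, not part of the original thread or of Microsoft's documentation: it builds the token request body discussed above (with `grant_type=authorization_code` and the scope passed decoded), shows what a form parser recovers when the scope was percent-encoded beforehand, and checks a response for the AADSTS65001 consent error. The function names are hypothetical; it assumes the HTTP client form-encodes the body itself and that the app is a public client, and it sends nothing over the network.

```python
import json
from urllib.parse import parse_qs, unquote, urlencode

# Scope from the thread in decoded, space-separated form.
SCOPE = ("offline_access user.read mail.read Directory.ReadWrite.All "
         "Group.ReadWrite.All ChannelMessage.Read.All")
REDIRECT_URI = "https://login.microsoftonline.com/common/oauth2/nativeclient"
# Error body from the thread, trimmed to the fields the check reads.
SAMPLE_ERROR = ('{"error": "invalid_grant", "error_codes": [65001], '
                '"suberror": "consent_required"}')


def token_request_body(code, client_id, scope, redirect_uri=REDIRECT_URI):
    """Form-encoded body for POST .../oauth2/v2.0/token (auth code grant)."""
    if unquote(scope) != scope:
        # urlencode() would encode "%20" again as "%2520", so the endpoint
        # would receive one literal "a%20b" string instead of separate scopes.
        raise ValueError("scope is already percent-encoded; pass it decoded")
    return urlencode({
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": scope,
        # Assumption: public client, so no client_secret is sent.
    })


def scopes_seen_by_server(form_body):
    """Decode the body once, as a form parser would, and split the scopes."""
    return parse_qs(form_body)["scope"][0].split(" ")


def needs_consent(token_response_text):
    """True when the token endpoint answered AADSTS65001 / consent_required."""
    body = json.loads(token_response_text)
    return body.get("error") == "invalid_grant" and (
        65001 in body.get("error_codes", [])
        or body.get("suberror") == "consent_required")


if __name__ == "__main__":
    # "CONSTRUCTED_CODE" and "XXXXXXXXX" are placeholders, not real values.
    good = token_request_body("CONSTRUCTED_CODE", "XXXXXXXXX", SCOPE)
    print(scopes_seen_by_server(good))       # six separate scopes
    twice = urlencode({"scope": SCOPE.replace(" ", "%20")})
    print(scopes_seen_by_server(twice))      # one string containing "%20"
    print(needs_consent(SAMPLE_ERROR))
```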