This question is related to this other post: how to get 'code' for getting access_token when using Azure AD Graph API. Let me open a new thread as I cannot write a comment. I will try to explain my problem as best as possible:

Context

My app is a web server written in Django with several REST APIs used by the frontend. I had an API for the users to register, which used to use the Microsoft login API perfectly. Everything was fine until we found out some clients had MFA and we could not use the API anymore.

Possible solution

I followed the instructions in https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow for getting the token, and I can do it correctly manually. That is:

Step 1: I enter this URL in the browser and log in

// Line breaks for legibility only
"https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize?
client_id=<client_id>
&response_type=code
&redirect_uri=<redirect_uri>
&response_mode=query
&scope=https://graph.microsoft.com/.default"

Step 2: The response I get in the browser address bar contains the code. I extract it manually, using the console.

<redirect_uri>/?code=<authorization_code>&session_state=<session_state>

Step 3: With this code I can ask the API for a token:

// Line breaks for legibility only

POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=<client_id>
&scope=https://graph.microsoft.com/.default
&code=<authorization_code>
&redirect_uri=<redirect_url>
&grant_type=authorization_code
&client_secret=<client_secret>

Problem

Ok, so far, everything works fine, the problem is that I have to get the code in step 2 manually and I want to include it in my Django code. What can I do?

Thank you!

chococroqueta
  • In that case you have to implement other auth flow. – Md Farid Uddin Kiron May 28 '20 at 12:03
  • Do you know which one I could use? I need it to be OAuth2 + MFA – chococroqueta May 28 '20 at 13:01
  • Sure, you can go with [`client_credentials`](https://stackoverflow.com/questions/60771696/azure-app-oauth2-generating-wrong-access-token-in-client-credentials-grant-type/60773200#60773200) auth protocol. Let me know if you need any more assistance. For more please [have a look](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow) – Md Farid Uddin Kiron May 28 '20 at 13:59
  • Thank you very much, but that is the protocol I was using in the beginning and it is not working with multi factor authentication enabled ("AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access"). Anyway, I think I found a solution, using standard Django login and social + oauth2 plugin through graph interface. It is not ideal because we'll need to embed a browser in the frontend, but I hope it works. – chococroqueta May 29 '20 at 07:30
  • Good to hear that you got the way. – Md Farid Uddin Kiron May 29 '20 at 07:33
  • Sorry, I read the post in greater detail and it's not the protocol I thought (user_credentials). I also tried the client credentials protocol once, but the token obtained does not give information about the user, which is important for our application since we need to know who is logged in. – chococroqueta May 29 '20 at 07:45
  • Please have a look at [this thread](https://stackoverflow.com/questions/51412507/implementing-openidconnectoptions-events-when-using-authentication-azuread-ui-li/51618999#51618999) if that is helpful – Md Farid Uddin Kiron May 29 '20 at 08:17
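
Steps 1 to 3 of the question can run server-side when the redirect URI points at a view of the web server itself. The following standard-library sketch is an added example, not code from the original post: it builds the authorize URL with a `state` value, reads the code from the callback request only after checking that state, and prepares the token POST. The function names are hypothetical, and the tenant, client and redirect values are supplied by the caller.

```python
# Added example: stdlib-only sketch of steps 1-3; call these from your own views.
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs
from urllib.request import Request

AUTHORITY = "https://login.microsoftonline.com"
SCOPE = "https://graph.microsoft.com/.default"


def build_authorize_url(tenant, client_id, redirect_uri):
    """Step 1: URL to send the browser to, plus the state to keep in the session."""
    state = secrets.token_urlsafe(32)  # ties the later callback to this session
    query = urlencode({
        "client_id": client_id, "response_type": "code",
        "redirect_uri": redirect_uri, "response_mode": "query",
        "scope": SCOPE, "state": state,
    })
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{query}", state


def extract_code(callback_url, expected_state):
    """Step 2: read the code from the request that arrives at the redirect URI."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:  # e.g. the user cancelled or consent was refused
        raise ValueError(f"authorization failed: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def build_token_request(tenant, client_id, client_secret, redirect_uri, code):
    """Step 3: the POST that redeems the code; send it with urllib.request.urlopen."""
    body = urlencode({
        "client_id": client_id, "scope": SCOPE,
        "code": code, "redirect_uri": redirect_uri,
        "grant_type": "authorization_code", "client_secret": client_secret,
    }).encode()
    return Request(f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})
```

In a Django view, the full callback URL is available from `request.build_absolute_uri()`, and the state from step 1 can be kept in `request.session`.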

0 Answers