I am able to use the computing API, storage API, and resource manager API,
but when I try to get the list of all available locations, I get a strange authentication exception.
To get the list of locations I am sending a GET request:
https://management.core.windows.net/xxx/locations
ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.
Is there a need for special authentication?
I found that Azure published a REST API for the Resource Manager authentication method:
https://msdn.microsoft.com/en-us/library/azure/dn790540.aspx
I am trying to access an SP site outside of my tenant using a guest account provided by the third-party company.
According to them, the access is given using Azure B2B (ExternalAzureAD).
I want to access the SP site using Power Automate to copy files to my tenant. It is a specific list, but not specific files.
I tried performing common HTTP SP REST requests (the connector using the guest account) and HTTP using AAD, but I keep getting "401 UNAUTHORIZED" as a response.
Any ideas on how to perform this call? I have very little room for requests with the third-party company, and a request to register an application user to generate a token for me is almost certain to be denied.
What could I try here?
Thanks!
A connect API client is created using AGC Console Connect API option. When creating the client, a project is selected as well to limit the scope of access. Credentials are created without problem.
Obtained access token by using POST to this AGC URL, then passed the token to publishing API, Connect API server returned 403 error code when using GET method to query the API. Checking the document, there is mention of setting the project to N/A to avoid the error.
My question is why the project could not be set here?
Connect API is team-level access. It is valid for all projects under the account ID which created the connect API client. To use connect API, a project should always be set to N/A.
The project would be specified when server SDK is used in a project.
The value of project must be set to N/A because the Connect API requires some account-level permissions. If an application is restricted, the permissions cannot be obtained. Therefore, you cannot set a specific application.
Recently, I needed to access the HUAWEI AppGallery Connect API and create a product through the PMS API (server API). However, when Postman was used for basic service interconnection tests, the error message "403 client token authorization fail" was displayed.
How can I fix it?
Based on the error code included in your screen captures, the error was caused by an authentication failure.
To solve the problem, you first need to confirm that the client ID used for applying for the token has sufficient permission.
The HMS official document suggested that the project associated with the API client be selected as N/A. You need to create an API client and associate it with a project. E.g., an app ID in the project was 100xxx591. However, the app ID in the Postman service request was 101xxx531, which would cause the authentication failure.
Also, to fix the above, you need to create an API client and select N/A (indicating that all projects are supported), and use the client to request a token. The process should work well after this.
In general, if Huawei's 403 authentication failure occurs, you can verify the permission first, and then check the associated projects.
For more details about the PMS API, please refer to this link.
I wish to obtain an access token without user interaction in order to automate REST API calls to Azure services (Compute, Network, etc.). In the documentation, several authentication scenarios are listed. The one that fits my use-case the most is "Daemon or Server Application to Web API".
I followed the instructions to request an access token: first I registered an App in my Azure Active Directory. Then I created a key (client_secret parameter) associated with the application ID (client_id parameter). I also obtained the App ID URI (resource parameter). I used all these parameters to create a POST request to the /token endpoint of my Azure AD. However, I get the following error message:
{
"code":"InvalidAuthenticationTokenAudience",
"message":"The access token has been obtained from wrong audience or resource 'https://solutionsmosaixsoft.onmicrosoft.com/<APP_ID_URI>'. It should exactly match (including forward slash) with one of the allowed audiences 'https://management.core.windows.net/','https://management.azure.com/'."
}
What am I doing wrong? Am I setting the resource parameter to the wrong value?
The resource parameter tells your application where to get the token (the identifier of the resource for which the access token is being requested). If you want to get a token to call the Azure Service Management API, you could set the resource as https://management.core.windows.net/.
Edit:
If the APIs you want to call are Microsoft-provided APIs, the resource is known, for example:
Azure Service Management API: https://management.core.windows.net/
Microsoft Graph API: https://graph.microsoft.com/
If you want to call API apps which you created, you can use either the Client ID or the App ID URI of the resource WebAPI (find them in the Configure tab of the Azure AD application in the Azure Management portal).
You could refer to the link below for code samples:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-code-samples
You need to make a POST request to the token endpoint.
The resource parameter must be the resource URI for the API that you want to access, not yours.
Azure AD Graph API: https://graph.windows.net/
Microsoft Graph API: https://graph.microsoft.com/
I wanted to make REST calls, and I found there are two ways of authentication.
Method 1. Upload a self-signed SSL certificate and authenticate through the certificate and subscription ID.
Method 2. Use an access token (Bearer ey...) which is obtained by making an OAuth2 call.
Which method is the best way to do it?
You should go with Method 2 for many reasons:
Method 1 is the old way and will only work with authenticating Service Management API requests, whereas Method 2 is the new way and will work with authenticating both Service Management API and Azure Resource Manager API requests.
Azure is moving away from Service Management API and is moving towards Resource Manager API which only supports Method 2. In fact, wherever possible use Resource Manager API instead of Service Management API. Only use Service Management API when there's no Resource Manager API equivalent.