401 Unauthorized making REST Call to Azure API App using Bearer token

Question

I created 2 applications in my Azure directory, 1 for my API Server and one for my API client. I am using the Python ADAL Library and can successfully obtain a token using the following code:

tenant_id = "abc123-abc123-abc123"
context = adal.AuthenticationContext('https://login.microsoftonline.com/' + tenant_id)
token = context.acquire_token_with_username_password(
        'https://myapiserver.azurewebsites.net/',
        'myuser',
        'mypassword',
        'my_apiclient_client_id'
        )

I then try to send a request to my API app using the following method but keep getting 'unauthorized':

at = token['accessToken']
id_token = "Bearer {0}".format(at)
response = requests.get('https://myapiserver.azurewebsites.net/', headers={"Authorization": id_token})

I am able to successfully login using myuser/mypass from the loginurl. I have also given the client app access to the server app in Azure AD.

Answer 1

Although the question was posted a long time ago, I'll try to provide an answer. I stumbled across the question because we had the exact same problem here. We could successfully obtain a token with the adal library but then we were not able to access the resource I obtained the token for.

To make things worse, we sat up a simple console app in .Net, used the exact same parameters, and it was working. We could also copy the token obtained through the .Net app and use it in our Python request and it worked (this one is kind of obvious, but made us confident that the problem was not related to how I assemble the request).

The source of the problem was in the end in the oauth2_client of the adal python package. When I compared the actual HTTP requests sent by the .Net and the python app, a subtle difference was that the python app sent a POST request explicitly asking for api-version=1.0 .

POST https://login.microsoftonline.com/common//oauth2/token?api-version=1.0 

Once I changed the following line in oauth2_client.py in the adal library, I could access my resource.

Changed

return urlparse('{}?{}'.format(self._token_endpoint, urlencode(parameters)))

in the method _create_token_url , to

return urlparse(self._token_endpoint)

We are working on a pull request to patch the library in github.

Answer 2

For the current release of Azure Python SDK, it support authentication with a service principal. It does not support authentication using an ADAL library yet. Maybe it will in future releases.

See https://azure-sdk-for-python.readthedocs.io/en/latest/resourcemanagement.html#authentication for details.

See also Azure Active Directory Authentication Libraries for the platforms ADAL is available on.

Answer 3

@Derek, Could you set your Issue URL on Azure Portal? If I set the wrong Issue URL, I could get the same error with you. It seems that your code is right.

Base on my experience, you need add your application into Azure AD and get a client ID.(I am sure you have done this.) And then you can get the tenant ID and input into Issue URL textbox on Azure portal.

NOTE:

On old portal(manage.windowsazure.com),in the bottom command bar, click View Endpoints, and then copy the Federation Metadata Document URL and download that document or navigate to it in a browser. Within the root EntityDescriptor element, there should be an entityID attribute of the form https://sts.windows.net/ followed by a GUID specific to your tenant (called a "tenant ID"). Copy this value - it will serve as your Issuer URL. You will configure your application to use this later.

My demo is as following:

import adal
import requests

TenantURL='https://login.microsoftonline.com/*******'
context = adal.AuthenticationContext(TenantURL)
RESOURCE = 'http://wi****.azurewebsites.net'
ClientID='****'
ClientSect='7****'
token_response = context.acquire_token_with_client_credentials(
    RESOURCE,
    ClientID,
    ClientSect
)
access_token = token_response.get('accessToken')
print(access_token)
id_token = "Bearer {0}".format(access_token)
response = requests.get(RESOURCE, headers={"Authorization": id_token})
print(response)

Please try to modified it. Any updates, please let me know.