Authentication Failed while using Azure AD Bearer Token, to return list of containers [Azure Blob] [Azure AD OAuth 2.0] [REST API]

I have successfully tried performing authentication using the Shared Key and then making REST calls to Azure Blob. Now I am trying to authenticate using Azure AD OAuth 2.0, to receive a Bearer token and pass that for authentication to make REST calls. I am successfully getting the Bearer token but unable to perform authentication.

Here’s the code:

const request = require("request");
require("dotenv").config();

const account = process.env.ACCOUNT_NAME || "";
const key = process.env.ACCOUNT_KEY || ""; // left over from the Shared Key attempt, unused here
const tenantId = process.env.AZURE_TENANT_ID || "";
const clientId = process.env.AZURE_CLIENT_ID || "";
const clientSecret = process.env.AZURE_CLIENT_SECRET || "";

// Step 1: client-credentials token request against the v2.0 endpoint
const options = {
  url: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
  formData: {
    grant_type: "client_credentials",
    client_id: clientId,
    scope: "https://graph.microsoft.com/.default",
    // scope:"http://storage.azure.com/.default",
    client_secret: clientSecret,
  },
  headers: {
    "Content-Type": `application/x-www-form-urlencoded`,
  },
};

var strTime = new Date().toUTCString();

// Step 2: pass the access token as a Bearer token to the List Containers call
function callback(error, response, body) {
  if (error || !response) {
    console.error("Token request failed: ", error);
    return;
  }
  const options = {
    url: `https://${account}.blob.core.windows.net/?comp=list`,
    headers: {
      Authorization: `Bearer ${JSON.parse(response.body).access_token}`,
      "x-ms-date": strTime,
      "x-ms-version": "2019-02-02",
    },
  };

  request(options, function (error, response, body) {
    if (error || !response) {
      console.error("List request failed: ", error);
      return;
    }
    console.log("Response is: ", response.statusCode, response.statusMessage);
  });
}

request(options, callback);

It shows "Auth failed" when I try to run it:

403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.

Here are some links for reference: Service-Service calls using client credentials, OAuth 2.0 client credentials flow

EDIT: The scope was tried for both of the links; the options url was updated from https://login.microsoftonline.com/${tenantId}/oauth2/token to https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token. I also checked Access Control (IAM) on the storage account.

But still, the same error persists.

Answer

Try to change the scope with https://${account}.blob.core.windows.net/.default or https://storage.azure.com/.default.

Notes:

  1. "scope" is supported in v2.0. If you use v1.0, "scope" needs to be replaced with "resource"; the code looks like resource: "https://${account}.blob.core.windows.net/".

  2. When using formData, you must set "multipart/form-data".

  3. Navigate to Azure Storage -> Access control (IAM) -> Add role assignment to add a service principal to your storage account.

Code:

require("dotenv").config();
const axios = require('axios');
const qs = require('qs');

const account = "";
const tenantId = "";
const clientId = "";
const clientSecret = "";

// Request the token for the storage resource itself, not for Graph
const postData = {
  client_id: clientId,
  scope: `https://${account}.blob.core.windows.net/.default`,
  client_secret: clientSecret,
  grant_type: 'client_credentials'
};

// The v2.0 token endpoint expects a URL-encoded form body
axios.defaults.headers.post['Content-Type'] =
  'application/x-www-form-urlencoded';

let token = '';

axios.post(`https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`, qs.stringify(postData))
  .then(response => {
    console.log(response.data);
    // access_token is the value that goes into the "Authorization: Bearer ..." header
    token = response.data.access_token;
  })
  .catch(error => {
    console.log(error.response ? error.response.data : error);
  });
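An added example that ties the question and the answer together (it is not code from either post): it builds the v2.0 token request with the storage scope and, before the List Containers call, decodes the token's aud claim to confirm the token was minted for the storage account rather than for Graph, which is what produces the 403 above. It assumes Node.js 16+ and constructs its own unsigned sample tokens; the function names are mine.

```javascript
// Token request body for the v2.0 endpoint: the scope names the storage
// resource, not Graph, so the minted token is valid for Blob Storage.
function buildTokenRequest(tenantId, clientId, clientSecret, account) {
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
    scope: `https://${account}.blob.core.windows.net/.default`,
  });
  return {
    url: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Decode the JWT payload WITHOUT verifying the signature: a local sanity
// check on a token we just received, never an authorization decision.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8")); // Node 16+
}

// A token usable against Blob carries one of these audiences (trailing slash ignored).
function tokenAudienceMatchesStorage(token, account) {
  const aud = String(decodeJwtPayload(token).aud).replace(/\/$/, "");
  return ["https://storage.azure.com", `https://${account}.blob.core.windows.net`].includes(aud);
}

// List Containers request; refuse a token minted for another resource so the
// cause is reported locally instead of as an opaque 403 from the service.
function buildListContainersRequest(account, token) {
  if (!tokenAudienceMatchesStorage(token, account)) {
    throw new Error(`token audience "${decodeJwtPayload(token).aud}" is not the storage account`);
  }
  return {
    url: `https://${account}.blob.core.windows.net/?comp=list`,
    headers: { Authorization: `Bearer ${token}`, "x-ms-date": new Date().toUTCString(), "x-ms-version": "2019-02-02" },
  };
}

// Constructed, unsigned sample token for offline testing only (a real one is signed by Azure AD).
function makeSampleToken(aud) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc({ aud, iss: "constructed" })}.`;
}
```

In a real run, pass buildTokenRequest(...) to your HTTP client, take access_token from the JSON reply, and only then call buildListContainersRequest with it.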
