Partilhar via


Using Postman to call the Microsoft Graph API using Authorization Code Flow

Introduction

This article will help guide you through utilizing Postman to call a Microsoft Graph Call using the authorization code flow. This is part of a 5 part blog on accessing the Microsoft Graph API utilizing grant types : authorization code, implicit flow, client credentials, password, and refresh token flow. We will be utilizing the same Microsoft Graph call to reduce extraneous details on having to include setting up and finding the correct permissions for every Microsoft Graph Calls while still maintaining the consistency of setting up for the entire Microsoft Graph Call from start to finish.

 

Setting Up the AAD Application

The first step to getting access to the Microsoft Graph REST API is to setup an AAD Application Registration.

First we are going to want to create the AAD Application registrations in the portal. For this we will need to configure the application to be able to work with Postman so that we can make the call to the Microsoft Graph API. First we go to the Azure Active Directory Blade, go to App Registrations, and then create a new application registration.

2018-03-31 19_16_00-Create - Microsoft Azure - Internet Explorer

From there we are going to want to create a web app with any name. Here I have set the name as web app and then we want to set the callback url to : https://www.getpostman.com/oauth2/callback and set the application type to web app/ API.

Note: that you can set whatever URLs you would like

 

image

You will have to click out of the sign-on URL to make it check whether or not if it’s correct.

After that we have created our web app, we will want to create a secret. Please keep track of the secret as you won’t be able to see the secret again. You will have to press save in order for the secret to generate.

image

With this information in hand, we will be able to move forward and connect to this AAD registration. But without the correct permissions we won’t be able to get an access token to make calls to the Microsoft Graph API.

 

Finding Which Permissions We Need for a Microsoft Graph Call Using Authorization Code Flow

Assuming we would like to have granular control on what the AAD Application registration has access to and what it doesn’t have access to. We are going to want to make sure that the AAD Application registration only has the permissions it needs to make the Microsoft Graph API calls that we are wanting to make.

There has been a separate blog post on finding the correct permissions for your graph API call listed below :

https://blogs.msdn.microsoft.com/aaddevsup/2018/05/21/finding-the-correct-permissions-for-a-microsoft-or-azure-active-directory-graph-call/

 

For this Authorization Code flow, we will want to set the required permission for Read all users' full profiles under Delegated Permissions. You can utilize the Application Permission as well, however you won’t get the permissions based on the user logging in, instead you will receive the permission on behalf of the Application.

 

 

 

Retrieving an Access token Using Authorization Code Grant Type Flow

When using the Authorization Code flow to get the access token, the preview feature of postman when requesting for an HTML page doesn’t properly load the HTML page. In addition to that I’m not sure if the preview feature would even properly add the cookies to Postman, so you won’t be able to make requests to the authorization endpoint and get the authorization code back and send that to the token endpoint.

 

However, Postman does include a way to get an Access token via OAuth2’s Authorization Code Grant type by going to the authorization tab in Postman and then requesting a new access token.

 

After opening up Postman click on the authorization tab shown in the picture below. After that, click on the highlighted drop down menu.

 

image

 

After clicking on the menu, we will want to click on OAuth 2.0

 

image

 

This will now change the User Interface and there will be a “Get a New Access Token” button on the right side now. Click on the button on the right side and that will open a new pop up section.

 

image

 

You will now be able to choose your grant type, this article is meant to follow the grant type authorization code.

 

The callback URL will be your first reply URL for your AAD Application Registration, I have set mine to orange.com.

The Auth URL will be the auth endpoint for the tenant that your AAD Application Registration is in. You can find this in the picture below in your AAD App Registration blade.

Note that you will need to add the resource you are asking access to as a query parameter in your auth url. For example: https://login.microsoftonline.com/8839a17c-5ebf-496f-858e-0bd6c3038589/oauth2/authorize?resource=https://graph.microsoft.com This auth url is asking for authorization to get access to the Microsoft Graph.

image

 

The Access token URL is highlighted in the picture above, the OAuth 2.0 token endpoint URL.

The client ID is the application ID/Client ID for your AAD Application Registration. This is found when you first enter the blade for your AAD Application.

The client secret can be found by following the directions described here : https://blogs.msdn.microsoft.com/aaddevsup/2018/04/25/how-to-get-to-the-keyssecrets-from-azure-active-directory/

Note: There are some issues with Postman and utilizing the "Get New Access Token feature" when the client secret has a # and +. So you will need to continue to get a new secret until it doesn't have a + or # symbol in the client secret. This issue is described in the GitHub issue : https://github.com/postmanlabs/postman-app-support/issues/4555

The Client Authentication will work using either option, here I’m using "Send Client Credentials in Body” image

 

 

Now when you click on request token, an interactive pop up will show asking you to login. After you login with your username and password, it will then automatically go through the flow and send the authorization code to the token endpoint. After logging in you will receive the Access token, and it will look like the picture below.

 

image

 

Now that you have the access token you will want to add it to your headers. Postman will do this for you, but you have to remember to scroll down in the “Manage Access Tokens” frame and press “Use Token”.

image  

 

 

Conclusion

We have gone through the steps to get an access token utilizing postman’s feature to request access tokens from the token endpoint by getting the authorization code from the authorization endpoint. If you would like to learn more about how the OAuth 2.0 flow works in terms of AAD Web Applications please take a look at this documentation that reviews how it works : https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code

 

If you have anymore issues feel free to open a support ticket and one of our engineers will reach out to you to resolve the issue.

Comments

  • Anonymous
    June 22, 2018
    Excellent article - added to the bookmarks
  • Anonymous
    August 09, 2018
    Thank you so much for sharing, very useful. Really struggled a lot to get through that. You should highlight the trouble of having the + or # in the token.
  • Anonymous
    November 07, 2018
    Helpful article, but it seems like the author's thoughts were a bit rushed, and some things were not as clear as the author assumed.
    • Anonymous
      November 09, 2018
      Hey Spencer, Can you please clarify on which parts aren't very clear? And if there are any questions in regards to this please let me know and I will reply back to you as soon as possible.
  • Anonymous
    February 04, 2019
    Great Article.. Thanks. I have followed the steps provided, and I get a access token, but I'm getting an error when I try to do a basic graph query : https://graph.microsoft.com/v1.0/me{ "error": { "code": "InvalidAuthenticationToken", "message": "Access token validation failure.", "innerError": { "request-id": "925d5ba2-263b-4bb8-b8e9-eac544d05478", "date": "2019-02-04T20:27:55" } }}Any idea why that might be?Thanks so much.
    • Anonymous
      February 19, 2019
      Hello, to resolve this issue, we will need more information, please file a support ticket with Azure Support to help to debug this issue. Please obtain a fiddler trace beforehand. Thanks
    • Anonymous
      February 28, 2019
      Hi, I had the same issue, getting the:{“error”: {“code”: “InvalidAuthenticationToken”,“message”: “Access token validation failure.”,“innerError”: {“request-id”: “925d5ba2-263b-4bb8-b8e9-eac544d05478”,“date”: “2019-02-04T20:27:55”} In my case it just ended up being because I forgot to add the resource in the auth url. "Note that you will need to add the resource you are asking access to as a query parameter in your auth url. For example: https://login.microsoftonline.com/8839a17c-5ebf-496f-858e-0bd6c3038589/oauth2/authorize?resource=https://graph.microsoft.com" After I did that everything worked fine :) Hope that helps!
  • Anonymous
    April 18, 2019
    There is a missing field in getting new access Token, the field is resource. Though it generates the token but this token is not working with Azure Management APIs and giving error below{ "error": { "code": "InvalidAuthenticationTokenAudience", "message": "The access token has been obtained for wrong audience or resource '00000002-0000-0000-c000-000000000000'. It should exactly match with one of the allowed audiences 'https://management.core.windows.net/','https://management.core.windows.net','https://management.azure.com/','https://management.azure.com'." }}
    • Anonymous
      April 23, 2019
      Hello, the resource that AAD is referring to is the Audience value, the resource '00000002-0000-0000-c000-000000000000' is for Azure AD. You will need to make sure you get the right audience, and that you have the proper permissions set in the Azure AD Application Registration accordingly.If that doesn't resolve the issue, please file a support ticket and one of Microsoft's Support Engineers will reach out to help you resolve your issue and get you up and going.