Authentication using Azure AD, failing at last step accessing Skype for Business
I am following this guide (https://learn.microsoft.com/en-us/skype-sdk/ucwa/authenticationusingazuread) in order to access Skype for Business. Everything goes fine till the last part but let's do step by step. I am building my .net console application to do this but in order to explain you properly the problem I am having I will show you directly the http calls through Insomnia (software used to make http calls).
Step 1: GET request towards https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root I hit 200 and as answer I receive this:
Step 2: I use the user link. So I send an http request to https://webdir1e.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user and I get a 401 Unauthorized (everything still correct). In the header of the answer it points me to the Identity Provider to ask for authorization (authorization_uri)
Step 3: I use that link to authorize my app, which has its own client_Id (that I hide in the following screenshot). This is how I compose the call:
If I send this http request I get redirected to the page where it asks my personal login and by inserting my credentials I succesfully login and hit 404, where in the answer I receive back my access token.
Step 5: I use the access token towards the same AutodiscoverService link of step 1. This is to register my application. I hit 200 and I receive back the link to access Skype for Business.
Finally (and this is where things go wrong) I send a POST request towards the applications link with the Bearer token, and I receive a 403 Forbidden. I think I am following correctly the guide but I can't figure out why I can access the resource at the last step.
EDIT:
The permissions are granted. I hide the name since it contains the name of my company. But it is the same of the domain of my login.
So the token you generated authorizes you to access resources at https://webdir1e.online.lync.com which you've done to fetch a new set of resources including the "application" resouce which is on a DIFFERENT host: https://webpooldb41e14.infra.lync.com.
You actually have to get another OAuth token now which authorizes you for the application resource and then you can POST to that to generate your session in UCWA.
As a side note... If you've defined your own single-tenant application in Azure that has been granted rights to SkypeForBusinessOnline then I think you should be targeting authorization and authentication endpoints of the form:
https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/authorize https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token
Also I should add, if you're trying to write a trusted secure client that users in your company will use I would suggest looking up the Resource Owner Password Credentials auth flow. It allows you to directly hit the token endpoint I mentioned above and exchange username/password credentials for an access token. Then you can manage auto-discovery and application creation easily under the hood without getting re-directed back and forth to Azure.
https://learn.microsoft.com/mt-mt/azure/active-directory/develop/v2-oauth-ropc
- Where to store the refresh token on the Client?
- How to guard nestjs swagger endpoint
- How to Validate Current Password Against User Input Using Laravel Validator?
- getPocket API - iOS
- Is it a good idea to add UTC timestamp for API authentication
- Which HTTP response code should I give my application to say that authentication was successful?
- Error:Request failed: bad request (400) login via afnetworking in swift
- What is an API token
- Can you get your Twitter email using the API?
- Keep getting CallbackRouteError fired when trying to use signIn function in (next-)authjs v5
- I tried to change postgresql md5 to scram-sha-256 and I get FATAL password authentication failed
- Google Authenticator on Apple devices, certain secrets are not valid
- Tiktok client key
- REST API Authentication
- robin_stocks Robinhood Authentication Stopped Working
- AppwriteException: User (role: guest) missing scope (account), not able to get account after creating a session
- Jboss 7 custom authenticator
- How do the ASP.NET Core 5 OpenIdConnect authentication cookies work in theory?
- JWT refresh token flow
- Laravel attempt() method is undefined (JWT)
- Allow App Service to be called by just a test user and another App Service using a system assigned managed identity
- Call to undefined method Laravel\Passport\Passport::routes()
- Flutterflow: Determining a User's Supabase Authentication Method
- Python request with authentication (access_token)
- How to properly access ProtectedLocalStorage after login using NavigationManager.NavigateTo()
- Python OPC-UA : authentification
- EventGrid Trigger on Authenticated Azure Function App
- MSAL for non-SPA? Server side authentication?
- Identity Server 4 - Unable to authenticate user
- Transferring Authentication State from Prerendering mode to Interactive Rendering mode in Blazor WebApp