Hi!
I downloaded and installed the latest 1.2.0 version of the Vanilla Forum plugin and installed it on my Vanilla Forum and activated it. I put the mobiquo folder in the Vanilla forum's root directory. Unfortunately, it doesn't activate because of a 302 Error.
This is a little strange as I tried several things now, but did not find the root cause.
When I query the mobiquo.php I get the following response:
Somehow, there is an automatic rule changing the URL. I believe this is what was put in place with the Vanilla .htaccess that is in the root folder of the forum (http://www.domain.de/vanilla)
But when I create a new folder in the Vanilla forum, the substitution rule does not seem to apply:
If I put the mobiquo.php file into the vanilla/test folder I get the same strange response:
And for the sake of being complete: This is the original .htaccess file that came along with the Vanilla forum:
Anyone here who has a clue?
Really appreciate it!
Best wishes,
Patric
The OAuth 2.0 authorization code grant can be used in apps that are installed on a device to gain access to protected resources, such as web APIs. Using the Microsoft identity platform implementation of OAuth 2.0, you can add sign in and API access to your mobile and desktop apps. This guide is language-independent, and describes how to send and receive HTTP messages without using any of the Azure open-source authentication libraries.
This article describes how to program directly against the protocol in your application. When possible, we recommend you use the supported Microsoft Authentication Libraries (MSAL) instead to acquire tokens and call secured web APIs. Also take a look at the sample apps that use MSAL.
Note
Not all Azure Active Directory scenarios & features are supported by the Microsoft identity platform endpoint. To determine if you should use the Microsoft identity platform endpoint, read about Microsoft identity platform limitations.
The OAuth 2.0 authorization code flow is described in section 4.1 of the OAuth 2.0 specification. It's used to perform authentication and authorization in the majority of app types, including web apps and natively installed apps. The flow enables apps to securely acquire access_tokens that can be used to access resources secured by the Microsoft identity platform endpoint.
Protocol diagram
At a high level, the entire authentication flow for a native/mobile application looks a bit like this:
Request an authorization code
The authorization code flow begins with the client directing the user to the /authorize endpoint. In this request, the client requests the openid, offline_access, and https://graph.microsoft.com/mail.read permissions from the user. Some permissions are admin-restricted, for example writing data to an organization's directory by using Directory.ReadWrite.All. If your application requests access to one of these permissions from an organizational user, the user receives an error message that says they're not authorized to consent to your app's permissions. To request access to admin-restricted scopes, you should request them directly from a company administrator. For more information, read Admin-restricted permissions.
Tip
Click the link below to execute this request! After signing in, your browser should be redirected to https://localhost/myapp/ with a code in the address bar.
https://login.microsoftonline.com/common/oauth2/v2.0/authorize...
Parameter | Required/optional | Description |
---|---|---|
tenant | required | The {tenant} value in the path of the request can be used to control who can sign into the application. The allowed values are common, organizations, consumers, and tenant identifiers. For more detail, see protocol basics. |
client_id | required | The Application (client) ID that the Azure portal – App registrations experience assigned to your app. |
response_type | required | Must include code for the authorization code flow. |
redirect_uri | required | The redirect_uri of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect_uris you registered in the portal, except it must be URL-encoded. For native & mobile apps, you should use the default value of https://login.microsoftonline.com/common/oauth2/nativeclient. |
scope | required | A space-separated list of scopes that you want the user to consent to. For the /authorize leg of the request, this can cover multiple resources, allowing your app to get consent for multiple web APIs you want to call. |
response_mode | recommended | Specifies the method that should be used to send the resulting token back to your app. Can be one of query, fragment, or form_post. query provides the code as a query string parameter on your redirect URI. If you're requesting an ID token using the implicit flow, you can't use query as specified in the OpenID spec. If you're requesting just the code, you can use query, fragment, or form_post. form_post executes a POST containing the code to your redirect URI. For more info, see OpenID Connect protocol. |
state | recommended | A value included in the request that will also be returned in the token response. It can be a string of any content that you wish. A randomly generated unique value is typically used for preventing cross-site request forgery attacks. The value can also encode information about the user's state in the app before the authentication request occurred, such as the page or view they were on. |
prompt | optional | Indicates the type of user interaction that is required. The only valid values at this time are login, none, and consent. prompt=login will force the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it will ensure that the user isn't presented with any interactive prompt whatsoever. If the request can't be completed silently via single sign-on, the Microsoft identity platform endpoint will return an interaction_required error. prompt=consent will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app. |
login_hint | optional | Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know their username ahead of time. Often apps will use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim. |
domain_hint | optional | Can be one of consumers or organizations. If included, it will skip the email-based discovery process that the user goes through on the sign-in page, leading to a slightly more streamlined user experience. Often apps will use this parameter during re-authentication, by extracting the tid from a previous sign-in. If the tid claim value is 9188040d-6c67-4c5b-b112-36a304b66dad, you should use domain_hint=consumers. Otherwise, use domain_hint=organizations. |
code_challenge_method | optional | The method used to encode the code_verifier for the code_challenge parameter. Can be plain or S256. If excluded, code_challenge is assumed to be plaintext if code_challenge is included. Microsoft identity platform supports both plain and S256. For more information, see the PKCE RFC. |
code_challenge | optional | Used to secure authorization code grants via Proof Key for Code Exchange (PKCE) from a native client. Required if code_challenge_method is included. For more information, see the PKCE RFC. |
At this point, the user will be asked to enter their credentials and complete the authentication. The Microsoft identity platform endpoint will also ensure that the user has consented to the permissions indicated in the scope query parameter. If the user has not consented to any of those permissions, it will ask the user to consent to the required permissions. Details of permissions, consent, and multi-tenant apps are provided here.
Once the user authenticates and grants consent, the Microsoft identity platform endpoint will return a response to your app at the indicated redirect_uri, using the method specified in the response_mode parameter.
Successful response
A successful response using response_mode=query looks like:
Parameter | Description |
---|---|
code | The authorization_code that the app requested. The app can use the authorization code to request an access token for the target resource. Authorization_codes are short lived, typically they expire after about 10 minutes. |
state | If a state parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical. |
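The two client-side pieces of this leg that are easy to get wrong are the PKCE transform (S256 = base64url of SHA-256 of the ASCII verifier, no padding) and the state check on the redirect. The following is an added example, not code from the page or from Microsoft; the tenant, client ID, redirect URI and the redirect URLs it parses are constructed placeholders, and the authorization code value `AwABAAAA` is made up. It builds the /authorize URL with the parameters from the table above and rejects any redirect whose state does not match before it reads `code` or `error`.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

LOGIN_HOST = "https://login.microsoftonline.com"
AUTHORIZE_PATH = "/oauth2/v2.0/authorize"


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43..128 chars from the unreserved set.
    32 random bytes, base64url-encoded without padding, gives 43 chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(code_verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), '=' padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_state() -> str:
    """Unguessable per-request state, bound to this login attempt."""
    return secrets.token_urlsafe(16)


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        scopes: list, state: str, code_challenge: str) -> str:
    """Compose the /authorize request; urlencode performs the URL-encoding the
    redirect_uri parameter requires and turns the scope list into a space list."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{LOGIN_HOST}/{tenant}{AUTHORIZE_PATH}?{urlencode(params)}"


class AuthorizeError(Exception):
    """Raised for a state mismatch or an error response on the redirect URI."""


def parse_authorize_redirect(redirect_url: str, expected_state: str) -> str:
    """Extract the authorization code from a response_mode=query redirect.
    The state is compared (constant-time) before code or error are even looked at,
    so a redirect that was not produced by our own request is discarded."""
    query = parse_qs(urlsplit(redirect_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise AuthorizeError("state mismatch: redirect does not belong to a request we made")
    if "error" in query:
        description = query.get("error_description", [""])[0]
        raise AuthorizeError(f"{query['error'][0]}: {description}")
    code = query.get("code", [None])[0]
    if not code:
        raise AuthorizeError("redirect carried neither code nor error")
    return code


if __name__ == "__main__":
    # Constructed values: placeholder client ID and the redirect URI from the page's tip.
    verifier = make_code_verifier()
    state = make_state()
    print(build_authorize_url("common", "CLIENT_ID_PLACEHOLDER", "https://localhost/myapp/",
                              ["openid", "offline_access", "https://graph.microsoft.com/mail.read"],
                              state, code_challenge_s256(verifier)))
```

The verifier and state must be stored with the pending request (session or in-memory map keyed by state) so that the same values are available when the redirect arrives and, later, when the code is redeemed with `code_verifier`.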
Error response
Error responses may also be sent to the redirect_uri so the app can handle them appropriately:
Parameter | Description |
---|---|
error | An error code string that can be used to classify types of errors that occur, and can be used to react to errors. |
error_description | A specific error message that can help a developer identify the root cause of an authentication error. |
Error codes for authorization endpoint errors
The following table describes the various error codes that can be returned in the error parameter of the error response.
Error Code | Description | Client Action |
---|---|---|
invalid_request | Protocol error, such as a missing required parameter. | Fix and resubmit the request. This is a development error typically caught during initial testing. |
unauthorized_client | The client application isn't permitted to request an authorization code. | This error usually occurs when the client application isn't registered in Azure AD or isn't added to the user's Azure AD tenant. The application can prompt the user with instruction for installing the application and adding it to Azure AD. |
access_denied | Resource owner denied consent | The client application can notify the user that it can't proceed unless the user consents. |
unsupported_response_type | The authorization server does not support the response type in the request. | Fix and resubmit the request. This is a development error typically caught during initial testing. |
server_error | The server encountered an unexpected error. | Retry the request. These errors can result from temporary conditions. The client application might explain to the user that its response is delayed to a temporary error. |
temporarily_unavailable | The server is temporarily too busy to handle the request. | Retry the request. The client application might explain to the user that its response is delayed because of a temporary condition. |
invalid_resource | The target resource is invalid because it does not exist, Azure AD can't find it, or it's not correctly configured. | This error indicates the resource, if it exists, has not been configured in the tenant. The application can prompt the user with instruction for installing the application and adding it to Azure AD. |
login_required | Too many or no users found | The client requested silent authentication (prompt=none), but a single user could not be found. This may mean there are multiple users active in the session, or no users. This takes into account the tenant chosen (for example, if there are two Azure AD accounts active and one Microsoft account, and consumers is chosen, silent authentication will work). |
interaction_required | The request requires user interaction. | An additional authentication step or consent is required. Retry the request without prompt=none . |
Request an access token
Now that you've acquired an authorization_code and have been granted permission by the user, you can redeem the code for an access_token to the desired resource. Do this by sending a POST request to the /token endpoint:
Tip
Try executing this request in Postman! (Don't forget to replace the code)
Parameter | Required/optional | Description |
---|---|---|
tenant | required | The {tenant} value in the path of the request can be used to control who can sign into the application. The allowed values are common, organizations, consumers, and tenant identifiers. For more detail, see protocol basics. |
client_id | required | The Application (client) ID that the Azure portal – App registrations page assigned to your app. |
grant_type | required | Must be authorization_code for the authorization code flow. |
scope | required | A space-separated list of scopes. The scopes requested in this leg must be equivalent to or a subset of the scopes requested in the first leg. The scopes must all be from a single resource, along with OIDC scopes (profile, openid, email). For a more detailed explanation of scopes, refer to permissions, consent, and scopes. |
code | required | The authorization_code that you acquired in the first leg of the flow. |
redirect_uri | required | The same redirect_uri value that was used to acquire the authorization_code. |
client_secret | required for web apps | The application secret that you created in the app registration portal for your app. You shouldn't use the application secret in a native app because client_secrets can't be reliably stored on devices. It's required for web apps and web APIs, which have the ability to store the client_secret securely on the server side. The client secret must be URL-encoded before being sent. |
code_verifier | optional | The same code_verifier that was used to obtain the authorization_code. Required if PKCE was used in the authorization code grant request. For more information, see the PKCE RFC. |
Successful response
A successful token response will look like:
Parameter | Description |
---|---|
access_token | The requested access token. The app can use this token to authenticate to the secured resource, such as a web API. |
token_type | Indicates the token type value. The only type that Azure AD supports is Bearer. |
expires_in | How long the access token is valid (in seconds). |
scope | The scopes that the access_token is valid for. |
refresh_token | An OAuth 2.0 refresh token. The app can use this token to acquire additional access tokens after the current access token expires. Refresh_tokens are long-lived, and can be used to retain access to resources for extended periods of time. For more detail on refreshing an access token, refer to the section below. Note: Only provided if offline_access scope was requested. |
id_token | A JSON Web Token (JWT). The app can decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it should not rely on them for any authorization or security boundaries. For more information about id_tokens, see the id_token reference . Note: Only provided if openid scope was requested. |
Error response
Error responses will look like:
Parameter | Description |
---|---|
error | An error code string that can be used to classify types of errors that occur, and can be used to react to errors. |
error_description | A specific error message that can help a developer identify the root cause of an authentication error. |
error_codes | A list of STS-specific error codes that can help in diagnostics. |
timestamp | The time at which the error occurred. |
trace_id | A unique identifier for the request that can help in diagnostics. |
correlation_id | A unique identifier for the request that can help in diagnostics across components. |
Error codes for token endpoint errors
Error Code | Description | Client Action |
---|---|---|
invalid_request | Protocol error, such as a missing required parameter. | Fix and resubmit the request |
invalid_grant | The authorization code or PKCE code verifier is invalid or has expired. | Try a new request to the /authorize endpoint and verify that the code_verifier parameter was correct. |
unauthorized_client | The authenticated client isn't authorized to use this authorization grant type. | This usually occurs when the client application isn't registered in Azure AD or isn't added to the user's Azure AD tenant. The application can prompt the user with instruction for installing the application and adding it to Azure AD. |
invalid_client | Client authentication failed. | The client credentials aren't valid. To fix, the application administrator updates the credentials. |
unsupported_grant_type | The authorization server does not support the authorization grant type. | Change the grant type in the request. This type of error should occur only during development and be detected during initial testing. |
invalid_resource | The target resource is invalid because it does not exist, Azure AD can't find it, or it's not correctly configured. | This indicates the resource, if it exists, has not been configured in the tenant. The application can prompt the user with instruction for installing the application and adding it to Azure AD. |
interaction_required | The request requires user interaction. For example, an additional authentication step is required. | Retry the request with the same resource. |
temporarily_unavailable | The server is temporarily too busy to handle the request. | Retry the request. The client application might explain to the user that its response is delayed because of a temporary condition. |
Use the access token
Now that you've successfully acquired an access_token, you can use the token in requests to Web APIs by including it in the Authorization header:
Tip
Execute this request in Postman! (Replace the Authorization header first)
Refresh the access token
Access_tokens are short lived, and you must refresh them after they expire to continue accessing resources. You can do so by submitting another POST request to the /token endpoint, this time providing the refresh_token instead of the code. Refresh tokens are valid for all permissions that your client has already received consent for. Thus, a refresh token issued on a request for scope=mail.read can be used to request a new access token for scope=api://contoso.com/api/UseResource.
Refresh tokens do not have specified lifetimes. Typically, the lifetimes of refresh tokens are relatively long. However, in some cases, refresh tokens expire, are revoked, or lack sufficient privileges for the desired action. Your application needs to expect and handle errors returned by the token issuance endpoint correctly.
Although refresh tokens aren't revoked when used to acquire new access tokens, you are expected to discard the old refresh token. The OAuth 2.0 spec says: 'The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client.'
Tip
Try executing this request in Postman! (Don't forget to replace the refresh_token)
Parameter | Required/optional | Description |
---|---|---|
tenant | required | The {tenant} value in the path of the request can be used to control who can sign into the application. The allowed values are common, organizations, consumers, and tenant identifiers. For more detail, see protocol basics. |
client_id | required | The Application (client) ID that the Azure portal – App registrations experience assigned to your app. |
grant_type | required | Must be refresh_token for this leg of the authorization code flow. |
scope | required | A space-separated list of scopes. The scopes requested in this leg must be equivalent to or a subset of the scopes requested in the original authorization_code request leg. If the scopes specified in this request span multiple resource servers, then the Microsoft identity platform endpoint will return a token for the resource specified in the first scope. For a more detailed explanation of scopes, refer to permissions, consent, and scopes. |
refresh_token | required | The refresh_token that you acquired in the second leg of the flow. |
client_secret | required for web apps | The application secret that you created in the app registration portal for your app. It should not be used in a native app, because client_secrets can't be reliably stored on devices. It's required for web apps and web APIs, which have the ability to store the client_secret securely on the server side. |
Successful response
A successful token response will look like:
Parameter | Description |
---|---|
access_token | The requested access token. The app can use this token to authenticate to the secured resource, such as a web API. |
token_type | Indicates the token type value. The only type that Azure AD supports is Bearer. |
expires_in | How long the access token is valid (in seconds). |
scope | The scopes that the access_token is valid for. |
refresh_token | A new OAuth 2.0 refresh token. You should replace the old refresh token with this newly acquired refresh token to ensure your refresh tokens remain valid for as long as possible. Note: Only provided if offline_access scope was requested. |
id_token | An unsigned JSON Web Token (JWT). The app can decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it should not rely on them for any authorization or security boundaries. For more information about id_tokens, see the id_token reference . Note: Only provided if openid scope was requested. |
Error response
Parameter | Description |
---|---|
error | An error code string that can be used to classify types of errors that occur, and can be used to react to errors. |
error_description | A specific error message that can help a developer identify the root cause of an authentication error. |
error_codes | A list of STS-specific error codes that can help in diagnostics. |
timestamp | The time at which the error occurred. |
trace_id | A unique identifier for the request that can help in diagnostics. |
correlation_id | A unique identifier for the request that can help in diagnostics across components. |
For a description of the error codes and the recommended client action, see Error codes for token endpoint errors.
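The token leg, the Authorization header and the refresh leg above share one piece of client state: the current access token, its expiry, and the latest refresh token. The following is an added example, not code from the page or from Microsoft, covering both the "Request an access token" and "Refresh the access token" sections. The client ID, authorization code, PKCE verifier, token values and the JSON responses it consumes are constructed placeholders, and the `action` mapping is this example's reading of the Client Action column in the token-endpoint error table. It builds the two form bodies (no client_secret for a native client, as the table says), enforces that refresh-leg scopes are a subset of the scopes originally authorized, discards the old refresh token whenever a new one is issued, and sorts token-endpoint errors into "start over at /authorize", "retry later" and "fix the request or registration".

```python
import time
from urllib.parse import urlencode

LOGIN_HOST = "https://login.microsoftonline.com"
TOKEN_PATH = "/oauth2/v2.0/token"

# Grouping of the page's token-endpoint error codes by the client action it recommends.
# (Example's own mapping; interaction_required is grouped with invalid_grant because the
# page says it needs user interaction, which only an interactive /authorize provides.)
REAUTHENTICATE = {"invalid_grant", "interaction_required"}
RETRY_LATER = {"temporarily_unavailable"}
REGISTRATION = {"unauthorized_client", "invalid_client", "invalid_resource"}


def token_endpoint(tenant: str) -> str:
    return f"{LOGIN_HOST}/{tenant}{TOKEN_PATH}"


def scopes_are_subset(requested: list, authorized: list) -> bool:
    """Both legs below may only ask for scopes the user already consented to."""
    return set(requested) <= set(authorized)


def build_code_redemption(client_id: str, code: str, redirect_uri: str, scopes: list,
                          code_verifier: str = None, client_secret: str = None) -> str:
    """Form body for grant_type=authorization_code. urlencode does the URL-encoding the
    page requires for redirect_uri and client_secret. A native app passes no client_secret."""
    form = {"client_id": client_id, "grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "scope": " ".join(scopes)}
    if code_verifier:
        form["code_verifier"] = code_verifier   # required when PKCE was used at /authorize
    if client_secret:
        form["client_secret"] = client_secret   # web apps / web APIs only
    return urlencode(form)


def build_refresh(client_id: str, refresh_token: str, scopes: list, authorized: list,
                  client_secret: str = None) -> str:
    """Form body for grant_type=refresh_token; refuses scopes outside the original consent."""
    if not scopes_are_subset(scopes, authorized):
        raise ValueError("refresh scopes must be a subset of the originally authorized scopes")
    form = {"client_id": client_id, "grant_type": "refresh_token",
            "refresh_token": refresh_token, "scope": " ".join(scopes)}
    if client_secret:
        form["client_secret"] = client_secret
    return urlencode(form)


class TokenError(Exception):
    def __init__(self, error: str, description: str = "", correlation_id: str = None):
        super().__init__(f"{error}: {description}")
        self.error, self.description, self.correlation_id = error, description, correlation_id

    @property
    def action(self) -> str:
        """What the client should do next, per the page's Client Action column."""
        if self.error in REAUTHENTICATE:
            return "reauthenticate"      # new /authorize request (check code_verifier first)
        if self.error in RETRY_LATER:
            return "retry"               # temporary condition, tell the user and retry
        if self.error in REGISTRATION:
            return "fix_registration"    # administrator corrects app/credentials/resource
        return "fix_request"             # invalid_request, unsupported_grant_type: developer error


class TokenSet:
    """The client's view of one user's tokens for one resource."""

    def __init__(self):
        self.access_token = None
        self.token_type = None
        self.expires_at = 0.0
        self.refresh_token = None
        self.scope = ()

    def apply(self, response: dict, now: float = None) -> None:
        """Consume a /token JSON response (success or error) from either leg."""
        if "error" in response:
            raise TokenError(response["error"], response.get("error_description", ""),
                             response.get("correlation_id"))
        now = time.time() if now is None else now
        self.access_token = response["access_token"]
        self.token_type = response["token_type"]
        self.expires_at = now + int(response["expires_in"])
        self.scope = tuple(response.get("scope", "").split())
        if "refresh_token" in response:
            # The spec quoted on the page: discard the old refresh token once a new one arrives.
            self.refresh_token = response["refresh_token"]

    def needs_refresh(self, now: float = None, skew: int = 60) -> bool:
        """Refresh a little before expires_in elapses so in-flight calls don't fail."""
        now = time.time() if now is None else now
        return self.access_token is None or now >= self.expires_at - skew

    def authorization_header(self) -> dict:
        if self.token_type != "Bearer":
            raise TokenError("unsupported_token_type", f"got token_type {self.token_type!r}")
        return {"Authorization": f"Bearer {self.access_token}"}
```

A real client posts the returned body with `Content-Type: application/x-www-form-urlencoded` to `token_endpoint(tenant)`, feeds the parsed JSON to `TokenSet.apply`, and on a `TokenError` whose `action` is `"reauthenticate"` drops the cached tokens and sends the user back through `/authorize`.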