This repository has been archived by the owner on Sep 29, 2023. It is now read-only.

retrieved token does not grant access to related resource (401 Error) #54

Closed
jwe4sub opened this issue Nov 10, 2016 · 5 comments · Fixed by #57

Comments

@jwe4sub

jwe4sub commented Nov 10, 2016

Hi,
we stumbled over what we think can be categorized as a bug in the library. We are able to successfully obtain a token for a given resource and client id. However, the token does not grant us access to the resource. Whenever we call the resource with the access_token, we get an HTTP 401 response.

When we use the .NET library, with the exact same parameters, the token works.

The difference we have found is that the Python library explicitly sends the parameter api-version=1.0 to the oauth2 endpoint.

POST https://login.microsoftonline.com/common/oauth2/token?api-version=1.0

Once we changed the following line in oauth2_client.py in the adal library, I could access my resource.

```python
return urlparse('{}?{}'.format(self._token_endpoint, urlencode(parameters)))
```

in the method _create_token_url, to

```python
return urlparse(self._token_endpoint)
```

See also this question on Stack Overflow; the latest answer is from us.
http://stackoverflow.com/questions/37909332/401-unauthorized-making-rest-call-to-azure-api-app-using-bearer-token/

@yugangw-msft
Contributor

@jwe4sub, I will get the api-version clarified and get back to you.

@jwe4sub
Author

jwe4sub commented Nov 15, 2016

@yugangw-msft thank you, it would be great getting this sorted to avoid maintaining our own fork just for this small workaround.

I can also confirm that we see the same thing as here AzureAD/azure-activedirectory-library-for-nodejs#128: the token gets prefixed with SPN: when using api-version.

@yugangw-msft
Contributor

We will sort out the fix pretty soon, stay tuned.

@yugangw-msft
Contributor

yugangw-msft commented Nov 19, 2016

@jwe4sub, FYI, with the new adal, when you create AuthenticationContext, make sure to pass in api_version=None

@jwe4sub
Author

jwe4sub commented Nov 21, 2016

Thank you for the update!
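An added example (not part of the original thread and not ADAL's own code) for checking the behaviour reported above: it builds the token URL with and without `api-version`, then decodes a token's payload to see whether the audience carries the `spn:` prefix. The function names, the assumption that the prefix shows up in the `aud` claim, and the sample resource URL are hypothetical; the tokens are constructed and unsigned.

```python
import base64
import json
from urllib.parse import urlencode

ENDPOINT = "https://login.microsoftonline.com/common/oauth2/token"
RESOURCE = "https://example.invalid/api"  # constructed sample resource


def create_token_url(token_endpoint, api_version="1.0"):
    """Append api-version as in the issue; api_version=None leaves the URL bare."""
    if api_version is None:
        return token_endpoint
    return "{}?{}".format(token_endpoint, urlencode({"api-version": api_version}))


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_problem(token, expected_resource):
    """Return None when aud matches the resource, else a description of the mismatch."""
    aud = jwt_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_resource in auds:
        return None
    for value in auds:
        # Assumption: the SPN: prefix mentioned in the thread appears in the aud claim.
        if isinstance(value, str) and value[:4].lower() == "spn:" \
                and value[4:] == expected_resource:
            return "aud has an spn: prefix; request the token without api-version"
    return "aud {!r} does not match resource {!r}".format(aud, expected_resource)


def constructed_token(aud):
    """Build an unsigned sample token for the demo; never accepted by a real API."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none", "typ": "JWT"}), seg({"aud": aud}), "sig"])


if __name__ == "__main__":
    print(create_token_url(ENDPOINT), "|", create_token_url(ENDPOINT, None))
    for aud in (RESOURCE, "spn:" + RESOURCE):
        print(aud, "->", audience_problem(constructed_token(aud), RESOURCE))
```

Decoding without signature verification is only suitable for inspecting a token you obtained yourself; a resource server must still validate the signature, issuer and audience.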
