Microsoft Entra Verifiable Credentials Admin API - Issuing Client Credentials Issue


I'm trying to connect to the Entra Verifiable Credentials Admin API based on the documentation found here: https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/admin-api. However, I can't seem to issue client credentials that are able to call the Admin API endpoints.

I'm creating an access token like so:

GET https://login.microsoftonline.com/<tenant_id>/oauth2/token?<query_params>

Query Params:
client_id=<client_id>
client_secret=<client_secret>
scope=6a8b4b39-c021-437c-b060-5a14a3fd65f3/full_access
grant_type=client_credentials

The scope in the above call was found here: https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/admin-api. Calling the endpoint https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities with the token returned from above returns the response:

{
    "error": {
        "code": "token_validation.audience_invalid",
        "message": "The token does not contain the expected audience '0135fd85-3010-4e73-a038-12560d2b58a9,6a8b4b39-c021-437c-b060-5a14a3fd65f3'."
    }
}

I also tried creating an access token using the MSAL library in .NET like this:

using System;
using Microsoft.Identity.Client;

// Confidential client for the app registration (placeholders in angle brackets).
var app = ConfidentialClientApplicationBuilder.Create("<client_id>")
       .WithClientSecret("<client_secret>")
       .WithAuthority(new Uri("https://login.microsoftonline.com/<tenant_id>"))
       .Build();

// Client credentials flow: MSAL requires the scope to end in /.default.
var result = await app.AcquireTokenForClient(new string[] { "6a8b4b39-c021-437c-b060-5a14a3fd65f3/.default" }).ExecuteAsync();

Console.WriteLine("Access Token: {0}", result.AccessToken);

The MSAL library throws an error if the scope doesn't end with /.default, so I switched what the Verifiable Credentials Admin API suggests to 6a8b4b39-c021-437c-b060-5a14a3fd65f3/.default. Using the credentials output by the MSAL library to call the Admin API returns this error:

{
    "error": {
        "code": "Unauthorized",
        "message": "Provided access token contains no wids.",
        "innererror": {
            "code": "token_validation.invalid_aad_access_token",
            "message": "Provided access token contains no wids."
        }
    }
}

The Application Registration has the Verifiable Credentials Service Admin.full_access permission assigned and has been granted admin consent. I'm not sure what I'm doing wrong or what I need to change to get an access token that's able to call the Verifiable Credentials Admin API.

Answer:

I tried to reproduce the same in my environment and got the results below:

I have one Azure AD application and added API permissions as below:


Now I generated an access token with the same parameters as you, like below:

POST https://login.microsoftonline.com/<tenantID>/oauth2/token

client_id:client_id
client_secret:client_secret
scope:6a8b4b39-c021-437c-b060-5a14a3fd65f3/full_access
grant_type:client_credentials


When I used the above token to call authorities, I got the same error as below:

GET https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities


Now I used the v2.0 token endpoint with the /.default scope to generate the token, like below:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token

client_id:client_id
client_secret:client_secret
scope:6a8b4b39-c021-437c-b060-5a14a3fd65f3/.default
grant_type:client_credentials


When I used this token to call authorities, I got the same error.

Note that the client credentials flow works only with Application-type permissions.

If your granted permission is of the Delegated type, you need to use an interactive flow, such as authorization code, to get the token.

To resolve the error, I generated a token using the authorization code flow with the parameters below:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token

client_id:client_id
grant_type:authorization_code
client_secret:client_secret
scope:6a8b4b39-c021-437c-b060-5a14a3fd65f3/.default
code:code
redirect_uri:https://jwt.ms


When I used this token to call authorities, I got a response with status 200 OK.

As I don't have any authorities, the value returned was blank. You can try the same in your environment by generating a token using the authorization code flow.
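As an added diagnostic, not part of the question or the answer above: the two rejections shown on this page are both decided by claims inside the access token, so the quickest way to see which one you will hit is to decode the token payload before sending it. The Python script below base64url-decodes a compact JWT without verifying it, compares the `aud` claim against the two audience values quoted in the `audience_invalid` error, and reports whether the `wids` claim (the directory role template IDs of the signed-in user, which an app-only token has no user to carry) is present. The claim sets, the `<client_id>` and `<role-template-id>` placeholders, and the `alg=none` test tokens are constructed for the example; they are not real tokens from the Microsoft endpoints.

```python
import base64
import json
from typing import Any, Dict, List, Union

# Audiences the Admin API listed as acceptable in the audience_invalid error on the page.
EXPECTED_AUDIENCES = {
    "0135fd85-3010-4e73-a038-12560d2b58a9",
    "6a8b4b39-c021-437c-b060-5a14a3fd65f3",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> Dict[str, Any]:
    """Return the payload claims of a compact JWT without verifying its signature.

    This only inspects a token you already hold to see why a resource rejected it;
    trust decisions stay with the resource server's own validation.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_test_token(claims: Dict[str, Any]) -> str:
    """Build an alg=none token from constructed claims, for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def _audiences(aud: Union[str, List[str], None]) -> List[str]:
    # aud may be a string or a list; v1 tokens may use the api://<guid> form.
    if aud is None:
        return []
    values = aud if isinstance(aud, list) else [aud]
    return [v[len("api://"):] if v.startswith("api://") else v for v in values]


def diagnose(token: str) -> List[str]:
    """Map the token's claims onto the two Admin API rejections shown on the page.

    Returns a list of findings; an empty list means neither check fires.
    """
    claims = decode_claims(token)
    findings: List[str] = []
    auds = _audiences(claims.get("aud"))
    if not set(auds) & EXPECTED_AUDIENCES:
        findings.append(
            f"audience_invalid: aud={auds} is not one of {sorted(EXPECTED_AUDIENCES)}"
        )
    # wids lists the signed-in user's directory role template IDs; without it the
    # Admin API answers "Provided access token contains no wids".
    if not claims.get("wids"):
        findings.append(
            f"no_wids: token (ver={claims.get('ver')}) has no wids claim; "
            f"roles={claims.get('roles')} scp={claims.get('scp')}"
        )
    return findings


if __name__ == "__main__":
    # Constructed claim sets mirroring the three attempts on the page (not real tokens).
    samples = {
        "v1 client_credentials, other audience": {
            "ver": "1.0", "aud": "<some-other-resource>", "appid": "<client_id>"},
        "v2 client_credentials, /.default": {
            "ver": "2.0", "aud": "6a8b4b39-c021-437c-b060-5a14a3fd65f3", "roles": ["full_access"]},
        "v2 authorization_code (delegated)": {
            "ver": "2.0", "aud": "6a8b4b39-c021-437c-b060-5a14a3fd65f3",
            "scp": "full_access", "wids": ["<role-template-id>"]},
    }
    for label, claims in samples.items():
        print(label, "->", diagnose(make_unsigned_test_token(claims)) or "no findings")
```

Run it against a real token by passing the string from `result.AccessToken` to `diagnose()`; a token from the client credentials flow should show the `no_wids` finding, matching the second error in the question, while a delegated token obtained as in the answer should show none.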