AADSTS50020: we cannot issue tokens from this version of api for Microsoft account

I am writing a simple C# mobile application that I registered at https://apps.dev.microsoft.com/ for accessing live.com/outlook.com mailboxes (not Office 365 Outlook mailboxes). I use ADAL to authenticate using the client identifier and redirect URI from the registration. I am not sure if I should generate a password from the registration site and how I should use the generated password. What I'm experiencing is that I get the usual authentication prompt, I provide my credentials, I see a returned token (RequestSecurityTokenResponse) with my data (name, surname, etc.), which means that the authentication process was successful, and yet the authentication process fails with the error "AADSTS50020: we cannot issue tokens from this version of the api for the Microsoft account. Contact the application vendor as they must use version 2.0 of the protocol to support this."

I am not sure how to interpret the error: is it saying that I am not using the v2.0 protocol, or that I am not calling v2.0 of their authentication endpoint?

The difficulty I encountered is that Microsoft has changed the protocols and interfaces so many times and mixed up live.com/outlook.com and Azure/Office 365 that in the end I don't know what I should provide as the permissions URL and resource URI for accessing live.com/outlook.com mailboxes.

What I noticed is that, after the authentication screen, I do not get a user interface where I have to allow the application to act on my behalf.

Authentication failed

The following is the outgoing request, with SMTP message tracing running.

https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%3drQIIARWPsU7CQABAubaQghqRaIIbAy6aa3uFttwlDmog0gEGXSQu19JCY8thbcU4ObjLBzg5OpjoYAyf4MRiYtg00RhmTRzF5SVvey8zV5JQScISQqqeA2idRxIiRYoMS8cUQ8VANixj14HUxSp0DAuXKmXVsh0tzGWyaDi_ix-FndGH_zZprV09ATAG4AuACw5MuMXmVhx11X-w0Dt3plzSZx2vd8sXu1HUPyGyzOLIZ-xIYq7r2Y5ks0AOqOdLoUPbD3xq5gHrjfiihjVLN7QStPU2hmWDupAirQJtza5gRbeo5rZfeTAWwFRYEfnsQj5d-BQVnohiKsvlE4XErwBukrPk7aX3-7vD5eblwc_1y_d-4jkp980qik_7x11crwaBKesmrQ-qhhm2VKaE- 2Fto7XXsNBZo9bZRAQNU2CUXo3DHvGcyCWDDmF0tkhUSSGMWX81&wfresh=0&id=&pcexp=false&username=xyz%40hotmail.com&popupui=1&contextid=70F2DEC5506FD6396bb839bc1990bc1990bcb903b9b9b9b9b9b9b9b9b9b9b9b9b9b9b9b9bb9bf

Here is the code I used:

    using System;
    using System.Threading.Tasks;
    using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

    // This is the failing call: ADAL speaks the v1.0 protocol, but the authority
    // below points at the v2.0 authorize URL (kept as in the original code).
    string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
    PlatformParameters authParms = new PlatformParameters(PromptBehavior.Always, null);
    AuthenticationContext authContext = new AuthenticationContext(authority, TokenCache.DefaultShared);
    AuthenticationResult result = await authContext.AcquireTokenAsync(
        "https://outlook.office.com/mail.read",   // resource URI (v1.0 style), not a v2.0 scope
        clientId,                                  // application id from the registration
        new Uri(redirectUri),                      // redirect URI from the registration
        authParms);
1 answer

There are three things:

  • Applications created using the https://apps.dev.microsoft.com website specify the AAD v2.0 endpoint, not the v1.0 endpoint (these are different versions of the protocol).

  • The v2.0 endpoint is not supported by ADAL. It is supported by MSAL. However, the development of MSAL continues, so I don't think you can use it yet (you should be able to in a few weeks, and even then I don't think it will be GA).

  • Authentication using MSA accounts is directly supported from the v2.0 endpoint, and therefore with MSAL, not ADAL. ADAL only supports ADFS and AAD.

I understand that you want to authenticate using MSA (live) accounts, and therefore you need to use MSA. I would advise you to wait a bit if you can.

Note: This is a little subtle, but you can also have AAD accounts that are MSA accounts in Azure Active Directory (you create a user with an existing email address that can be an MSA). This is supported by the v1.0 endpoint, and therefore ADAL, but you need to create users with these email addresses in the AAD tenant, which is probably not what you want. And there are also flows in which the MSA will not work (for example, when a user authenticates to use a web service that itself uses a web service: an on-behalf-of flow), so I would not recommend this option.

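For comparison, here is the MSAL counterpart of the ADAL call in the question, as an added example (not code from the answer, the question, or Microsoft's samples). It uses the current Microsoft.Identity.Client 4.x API, which did not exist when the answer was written; the client id and redirect URI are placeholders, the Outlook REST scope is assumed to match the resource the question asked for, and the audience is restricted to personal Microsoft accounts because that is what the question needs.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client; // MSAL.NET 4.x (NuGet: Microsoft.Identity.Client)

static class MsaMailSignIn
{
    // Placeholders: take both values from the app registration.
    const string ClientId = "00000000-0000-0000-0000-000000000000";
    const string RedirectUri = "http://localhost";

    // The v2.0 endpoint takes scopes, not the single resource URI that ADAL used.
    static readonly string[] Scopes = { "https://outlook.office.com/Mail.Read" };

    public static async Task<string> AcquireAccessTokenAsync()
    {
        // Only personal (MSA) accounts are accepted; the v2.0 endpoint is used
        // implicitly, which is what AADSTS50020 was demanding.
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(AadAuthorityAudience.PersonalMicrosoftAccount)
            .WithRedirectUri(RedirectUri)
            .Build();

        IAccount account = (await app.GetAccountsAsync()).FirstOrDefault();
        AuthenticationResult result;
        try
        {
            // Silent first: reuses a cached token or refresh token, no prompt.
            result = await app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // Nothing usable in the cache (or consent not yet granted): interactive
            // sign-in. This is where the consent screen missing in the question appears.
            result = await app.AcquireTokenInteractive(Scopes).ExecuteAsync();
        }
        return result.AccessToken;
    }
}
```

Treat the returned access token as a bearer credential: keep it in MSAL's cache rather than logging it, and request only the scopes the mailbox feature actually needs.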

Source: https://habr.com/ru/post/1266548/

