Home/ Questions/Q 8921759
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T06:38:21+00:00

I have registered my app engine app with my Office 365 environment and the

  • 0

I have registered my app engine app with my Office 365 environment and the callback URL is working, I receive an SPAppToken.

I want to get an Access Token using this java class:

http://javadoc.google-oauth-java-client.googlecode.com/hg/1.12.0-beta/com/google/api/client/auth/oauth2/AuthorizationCodeTokenRequest.html

My question is which of the values below map to the values I found in the SPAppToken ?
The credentials in ClientAuthentication are the applicationId and applicationSecret I asume. The redirectURI is to get back to my app.
I think the GenericURL should be populated with https://accounts.accesscontrol.windows.net/tokens/OAuth/2

But the I keep getting: Error: invalid_request
ACS90019: Unable to determine the tenant identifier from the request.

Below is the code xx means a variable that I need to replace and further below the SPAppToken (decoded from base64)

try {TokenResponse response = new AuthorizationCodeTokenRequest(new NetHttpTransport(), new JacksonFactory(), new GenericUrl(**"https://server.example.com/token"**), **"SplxlOBeZQQYbYS6WxSbIA"**).setRedirectUri("https://client.example.com/rd") .setClientAuthentication(new BasicAuthentication(**"s6BhdRkqt3"**, **"7Fjfp0ZBr1KtDRbnfVdmIw"**)).execute();
  System.out.println("Access token: " + response.getAccessToken());
} catch (TokenResponseException e) {
  if (e.getDetails() != null) {
    System.err.println("Error: " + e.getDetails().getError());
    if (e.getDetails().getErrorDescription() != null) {
      System.err.println(e.getDetails().getErrorDescription());
    }
    if (e.getDetails().getErrorUri() != null) {
      System.err.println(e.getDetails().getErrorUri());
    }
  } else {
    System.err.println(e.getMessage());
  }
}

SPAppToken decoded: 

{"typ":"JWT","alg":"HS256"}{"aud":"e9e91cd9-0d95-46b7-8a05-f614a683e35d/eog-fire-ice.appspot.com@19d9feae-ba24-4c9e-831c-3132f2ea3974","iss":"00000001-0000-0000-c000-000000000000@19d9feae-ba24-4c9e-831c-3132f2ea3974","nbf":1353777617,"exp":1353820817,"appctxsender":"00000003-0000-0ff1-ce00-000000000000@19d9feae-ba24-4c9e-831c-3132f2ea3974","appctx":"{\"CacheKey\":\"hwqDPFbKDL9mIYpbReWYHeez1uES77UqEsxwienRA9g=\",\"SecurityTokenServiceUri\":\"https://accounts.accesscontrol.windows.net/tokens/OAuth/2\"}","refreshtoken":"IAAAAAi52NL58kY1UUpnmUJ9TPO7BpDSd6NqQGHbdfAEnOgioNbG8AwTGgf-3HPSNrdDexk5UUA3QFox_sky4_uon0XmLl6EfpqsC6RTpiatjJxXzB7EFJrqsiYI98MULyCubxjR5UyQwFzLvEjljEom7XcEXB2YCCWJQQdSRvFU4xo4NIPoUObhyjTK58TaCipUU3D4EiLJRSlkbcm_Y3VrVd8GMoQ8kx6BmJjeaGKZsJXWb7UJ8YTg6L4-HOoAiU3MymJl3oBxv_9rvHDmKb4FJ7vrN8AhJYUqlr9rZxOtG_BVeUX05E-umfoUU4PL2Cj-p7u4YOPo6rqVahovwGwYPn-pZbPfIcTj3TzKZdIk7OLemdR_S8_v0gASEM1Y_KTHsoQ6k-uZaa3QGZN4icu-Jp6Jh4UTRZuomLtkLmg7VVZL6VKpXUVW7RjUopoSEffb5RVmMVNOkNV4_r5NT7pjL0pWAk-uipTF0qLAMzEfr5M9YKNgBlbRbvjlePFz6co5_uOyY8VbfJsIqGhTr1dvW6o","isbrowserhostedapp":"true"}R?????XE??j?2??pZ?????0jLk

—– new info 2012-26-11 ——
After changing the “code” field to contain the refresh token and using the aud entire value instead of just the applicationID I get this message:

ACS50001: The required field 'resource' is missing.

The question is: am I getting closer or not ?

I have also asked this question here: https://groups.google.com/d/topic/google-oauth-java-client/EZtlwDbY_wk/discussion

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I modified the com.google.api.client.json.JSONParser.java and put this code in my servlet:

            JsonWebSignature jws = JsonWebSignature.parse(new JacksonFactory(), req.getParameter("SPAppToken"));


    JsonParser jsonParser = new JacksonFactory().createJsonParser(jws.getPayload().get("appctx").toString());

    //Create my own AppTxc that extends GenericJSON
    AppCtx appCtx = jsonParser.parse(AppCtx.class, new CustomizeJsonParser());



    String appctxsender=jws.getPayload().get("appctxsender").toString();
    String[] splitApptxSender = appctxsender.split("@");

    //sharepointhost name is part of the resource field
    String sharepointServerHostName = new URL(req.getParameter("SPHostUrl")).getHost();

    // create the resource field        
    String resource = splitApptxSender[0]+"/"+sharepointServerHostName+"@"+splitApptxSender[1];



    try {

        AuthorizationCodeTokenRequest tokenRequest =    new AuthorizationCodeTokenRequest(new NetHttpTransport(), new JacksonFactory(),
                  new GenericUrl(appCtx.getSecurityTokenServiceUri()), jws.getPayload().get("refreshtoken").toString());

        tokenRequest.setRedirectUri("https://eog-fire-ice.appspot.com/callback4fireandice");
        tokenRequest.setClientAuthentication(
                    new ClientParametersAuthentication(jws.getPayload().getAudience(), SharePointAppSecret));
        tokenRequest.setGrantType("refresh_token");
        tokenRequest.set("resource", resource);
        tokenRequest.set("refresh_token", jws.getPayload().get("refreshtoken").toString());
        TokenResponse response =tokenRequest.execute();



        String accesstoken=response.getAccessToken();

    } catch (TokenResponseException e) {
        if (e.getDetails() != null) {
            pw.println("Error: " + e.getDetails().getError());
            if (e.getDetails().getErrorDescription() != null) {
              pw.println(e.getDetails().getErrorDescription());
            }
            if (e.getDetails().getErrorUri() != null) {
              pw.println(e.getDetails().getErrorUri());
            }
          } else {
            pw.println(e.getMessage());
          }
    }

    I am not sure if all information (like the redirectURL is necessary, but now I have got an accesstoken from Azure ACS.

    Thanks to Nick Swan (lightningtools.com) for the initial help based on Ruby on Rails.

    On of course thanks to Yaniv Inbar (https://plus.google.com/+YanivInbar/) for providing the google oauth java client library.

    I had to raise a bug report though: http://code.google.com/p/google-oauth-java-client/issues/detail?id=62&q=Type%3DDefect&sort=priority&colspec=ID%20Milestone%20Summary

    • 0