Forum Discussion
Unable to get authentication token for submitting Universal Print print job
Hi Dave1865,
Have you registered your own Entra enterprise application in your tenant? You'll need to use the client ID/redirect URI from that registration. Is there a reason you don't want to use the first party macOS app?
Jake
- Dave1865 | Nov 04, 2024 | Copper Contributor
Hi Jake,
I haven't registered my app in the tenant, seems unnecessary since how would a user of my app know what to register in their tenant? The executable ipptool (microsoft-cups fork) doesn't need to be registered in my tenant to work.
>Is there a reason you don't want to use the https://aka.ms/universalprint/macos/app?
The first party app is a Preferences addition and doesn't provide API support that I'm aware of. I need to talk to the UP server to get the actual IP of the device, but the UP server keeps replying "Unauthorized". I try to follow the example in GetAADToken (part of Microsoft's fork of CUPS) to get the authentication token but it doesn't work.
For printing (mentioned in the initial message), I've abandoned this approach and I'm using the macOS print queue set up by the first party macOS app. I still need the real IP of the device, if not in a zero-trust environment, so I scan from the device.
Thanks,
Dave
- jakekaplow | Nov 04, 2024 | Former Employee
Got it. You can use the client ID in the tool for testing, but you'll need to register your own app if you're building a third-party solution. Regardless, what you're trying to do should still work. Can you try changing the redirect URI to http://localhost ?
You can also try this Python script:
```python
from msal import PublicClientApplication

app = PublicClientApplication('2e8ebe07-1160-4287-b789-a31e5072383a')
token = app.acquire_token_interactive(['https://print.print.microsoft.com/.default'])
print(token)
```
MSAL Python docs. Access token will be in `token.access_token`.
If it still doesn't work, maybe there's some firewall/network configuration issue. MSAL needs to be able to open a port to get the response from Entra ID. I've also seen some browsers have localhost on their HSTS list. You might need to disable that.
Btw, I don't think you're going to be able to get the IP of the printer from UP.
Jake
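An added example, not part of the thread or of any Microsoft tool: once the Python script returns a result, decoding the access token's claims shows whether its audience, expiry and scopes fit the API that answers "Unauthorized". The helper names and the audience value in `UP_AUDIENCES` are assumptions, and the tokens in the demo are constructed and unsigned.

```python
import base64
import json
import time

def decode_claims(access_token):
    """Return the JWT payload as a dict. No signature check: diagnostics only."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_problems(result, accepted_audiences, required_scope=None, now=None):
    """List reasons the target API could reject an MSAL Python result dict."""
    if "access_token" not in result:
        # On failure MSAL Python returns a dict with error/error_description.
        return ["no token: %s: %s" % (result.get("error"),
                                      result.get("error_description"))]
    claims = decode_claims(result["access_token"])
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") not in accepted_audiences:
        problems.append("audience %r is not the target API" % claims.get("aud"))
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    granted = claims.get("scp", "").split()
    if required_scope and required_scope not in granted:
        problems.append("scope %r not granted (scp=%r)" % (required_scope, granted))
    return problems

def fake_jwt(claims):
    """Build an unsigned, constructed token so the demo runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return "%s.%s.sig" % (enc({"alg": "none"}), enc(claims))

# Assumed audience value; confirm it against a real token from your tenant.
UP_AUDIENCES = {"https://print.print.microsoft.com"}

if __name__ == "__main__":
    samples = {  # constructed results, shaped like MSAL Python output
        "good": {"access_token": fake_jwt({"aud": "https://print.print.microsoft.com",
                                           "exp": 2000, "scp": "PrintJob.ReadWrite"})},
        "wrong_aud": {"access_token": fake_jwt({"aud": "https://other-api.example",
                                                "exp": 2000, "scp": "PrintJob.ReadWrite"})},
        "failed": {"error": "invalid_request", "error_description": "constructed"},
    }
    for name, res in samples.items():
        print(name, token_problems(res, UP_AUDIENCES, "PrintJob.ReadWrite", now=1000))
```

Pass the dict returned by `acquire_token_interactive` as `result`; the payload is decoded without signature validation, so the output is for troubleshooting and not for trust decisions.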
- Dave1865 | Nov 04, 2024 | Copper Contributor
Hi Jake,
Thanks for the suggestions, it's helped some. 🙂
I tried using http://localhost and Safari chokes on it with `Safari can't connect to the server "localhost"`
I did run the Python script and it works without an issue. The Mac MSAL SDK doesn't contain the simple approach the Python SDK does though. When I attempt to replicate the Python script, the Mac app puts this error up when requesting the token:
AADSTS50011: The redirect URI 'msauth.com.xerox.testUP://auth' specified in the request does not match the redirect URIs configured for the application '2e8ebe07-1160-4287-b789-a31e5072383a'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
This is what I used:
```swift
let app = try MSALPublicClientApplication(clientId: "2e8ebe07-1160-4287-b789-a31e5072383a")
let res = try await app.acquireToken(with: MSALInteractiveTokenParameters(scopes: ["PrintJob.ReadWrite"]))
```
If I try to specify the redirect URI, that's where the empty "nativeclient" file gets downloaded.
It appears the macOS SDK doesn't work in this case, whereas the Windows and Python SDKs do work.
Any other suggestions?
Thanks,
Dave