Tags: azure-active-directory, azure-web-app-service, azure-mobile-services

LoginAsync using Access Token and MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory


I'm getting a "You do not have permission to view this directory or page." error when I try to LoginAsync with an access token and MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory. This works with the equivalent form with MobileServiceAuthenticationProvider.MicrosoftAccount. I'm not sure why this isn't working. Is there a configuration I'm missing?

    using Windows.Security.Authentication.Web.Core;
    using Microsoft.WindowsAzure.MobileServices;
    using Newtonsoft.Json.Linq;

    // Resolve the AAD account provider through the Web Account Manager, using the tenant-specific authority.
    var msaProvider = await WebAuthenticationCoreManager.FindAccountProviderAsync(
        "https://login.microsoft.com",
        "https://login.microsoftonline.com/3dd13bb9-5d0d-dd2e-9d1e-7a966131bf85");
    string clientId = "6d15468d-9dbe-4270-8d06-a540dab3252f";
    WebTokenRequest request1 = new WebTokenRequest(msaProvider, "User.Read", clientId);
    // The token is requested for Microsoft Graph, so its audience (aud claim) is Graph, not the mobile app backend.
    request1.Properties.Add("resource", "https://graph.microsoft.com");
    WebTokenRequestResult result =
        await WebAuthenticationCoreManager.RequestTokenAsync(request1);
    if (result.ResponseStatus == WebTokenRequestStatus.Success)
    {
        var token = result.ResponseData[0].Token;
        // Azure Mobile Apps expects the provider token wrapped in a JSON body with an "access_token" field.
        var token1 = new JObject
        {
            { "access_token", token }
        };
        var user = await App.mobileServiceClient.LoginAsync(
            MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory, token1);
    }

Solution

  • I was able to get MSAL.NET to work for this per code below. The key is the { resourceId + "/user_impersonation" } scope.

    using System.Linq;
    using Microsoft.Identity.Client;
    using Microsoft.WindowsAzure.MobileServices;
    using Newtonsoft.Json.Linq;

    PublicClientApplication pca = new PublicClientApplication(clientId)
    {
        RedirectUri = redirectUri
    };
    // resourceId is the App ID URI of the AAD app registered for the mobile app backend;
    // requesting its user_impersonation scope yields a token whose audience is that backend.
    string[] scopes = { resourceId + "/user_impersonation" };
    var users = await pca.GetAccountsAsync();
    var user = users.FirstOrDefault();
    AuthenticationResult msalar = await pca.AcquireTokenAsync(
        scopes, user, UIBehavior.ForceLogin, "domain_hint=test.net");
    JObject payload = new JObject
    {
        ["access_token"] = msalar.AccessToken
    };
    await mobileServiceClient.LoginAsync(
        MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory, payload);


    Reference: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/660#issuecomment-433831737
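A client-side check, added here as an example and not part of the question or the answer above, that makes the difference between the two code samples visible: it decodes the token payload and compares the `aud` claim with the backend's App ID URI before the token is handed to LoginAsync. The backend URI and the sample tokens are constructed placeholders; the check is written in Python because it is independent of the client library, and it does not verify the signature, so it only explains a rejection rather than authorizing anything.

```python
import base64
import json

# Constructed placeholder for the App ID URI of the backend's AAD app registration
# (the answer's `resourceId` variable never states its value).
RESOURCE_ID = "https://contoso-backend.example.net"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT, read WITHOUT verifying the signature.
    Client-side pre-flight only: the App Service backend still validates
    signature, issuer and audience itself before accepting the login."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(token: str, accepted_audiences: set) -> bool:
    """True if the token's 'aud' claim names the backend it is about to be sent to."""
    aud = jwt_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return any(a in accepted_audiences for a in auds)


def make_unsigned_sample_jwt(claims: dict) -> str:
    # Constructed, unsigned sample for the demo; real AAD tokens are RS256-signed.
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


# Token as the question obtains it: requested for Microsoft Graph with the User.Read scope.
GRAPH_TOKEN = make_unsigned_sample_jwt(
    {"aud": "https://graph.microsoft.com", "scp": "User.Read", "appid": "client-id-placeholder"})
# Token as the answer obtains it: requested for resourceId + "/user_impersonation".
BACKEND_TOKEN = make_unsigned_sample_jwt(
    {"aud": RESOURCE_ID, "scp": "user_impersonation", "appid": "client-id-placeholder"})

if __name__ == "__main__":
    for name, tok in (("Graph token", GRAPH_TOKEN), ("backend token", BACKEND_TOKEN)):
        accepted = audience_matches(tok, {RESOURCE_ID})
        print(f"{name}: aud={jwt_claims(tok)['aud']} accepted_by_backend={accepted}")
```

The Graph token is rejected by the audience check, which is the same mismatch the backend reports as "You do not have permission to view this directory or page."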