Login to Azure Management API from .NET Console app
I am creating a console application that logs in into my Line of Business application and also call some Azure Management APIs. My Client Application has permissions to do both and it can do it from my Blazor WASM web app from the client side here are the permission in Azure:
I have this Authentication code for the console application (which works for login to my web application)
public static async Task<AuthenticationResult> GetTokenAsync(string userName)
{
//ref https://github.com/AzureAD/microsoft-authentication-extensions-for-dotnet/blob/master/sample/ManualTestApp/Program.cs
IPublicClientApplication app = PublicClientApplicationBuilder
.Create(AuthCacheConfig.ClientId)
.WithAuthority(AuthCacheConfig.Authority)
.WithRedirectUri(AuthCacheConfig.RedirectURI)
.Build();
MsalCacheHelper cacheHelper = await CreateCacheHelperAsync().ConfigureAwait(false);
cacheHelper.RegisterCache(app.UserTokenCache);
IEnumerable<IAccount> accounts = await app.GetAccountsAsync();
AuthenticationResult result;
if (accounts.Any())
{
IAccount selectedAccount = GetSelectedAccount(accounts.ToList(), userName);
try
{
result = await app.AcquireTokenSilent(AuthCacheConfig.Scopes, selectedAccount)
.ExecuteAsync();
}
catch (MsalUiRequiredException)
{
result = await app.AcquireTokenInteractive(AuthCacheConfig.Scopes)
.ExecuteAsync();
}
}
else
{
result = await app.AcquireTokenInteractive(AuthCacheConfig.Scopes)
.ExecuteAsync();
}
return result;
}
Where AuthCacheConfig.ClientId = MYAPPCLIENTID AuthCacheConfig.Authority = "https://login.microsoftonline.com/common" and AuthCacheConfig.Scopes is my app scope when trying to get a token for the App and https://management.azure.com/user_impersonation when trying to get a token for ARM.
I looked at the token that the web application can successfully generate in JWT.ms and have this result:
{
"typ": "JWT",
"alg": "RS256",
"x5t": "",
"kid": ""
}.{
"aud": "https://management.azure.com",
"iss": "https://sts.windows.net/TENANTID/",
"iat": 1605579273,
"nbf": 1605579273,
"exp": 1605583173,
"acr": "1",
"aio": "REMOVED FOR PRIVACY",
"amr": [
"rsa",
"mfa"
],
"appid": "MYCLIENTAPPID",
"appidacr": "0",
"family_name": "MYLASTNAME",
"given_name": "MYFIRSTNAME",
"groups": [
"AADGROUP0",
"AADGROUP1"
],
"ipaddr": "MYIPADDRES",
"name": "MYNAME",
"oid": "MYOID",
"puid": "REMOVED FOR PRIVACY",
"rh": "REMOVED FOR PRIVACY",
"scp": "user_impersonation",
"sub": "REMOVED FOR PRIVACY",
"tid": "MYTENANTID",
"unique_name": "MYUPN",
"upn": "MYUPN",
"uti": "REMOVED FOR PRIVACY",
"ver": "1.0",
"wids": [
"wid0",
"wid1",
"wid2"
],
and here is the token for when I call from the console app:
{
"typ": "JWT",
"alg": "RS256",
"kid": "REMOVED FOR PRIVACY"
}.{
"aud": "MYAPPID",
"iss": "https://login.microsoftonline.com/TENANTID/v2.0",
"iat": 1605579071,
"nbf": 1605579071,
"exp": 1605582971,
"aio": "REMOVED FOR PRIVACY",
"name": "MYNAME",
"oid": "MYOID",
"preferred_username": "mMYUPN",
"rh": "REMOVED FOR PRIVACY",
"roles": [
"Administrator"
],
"sub": "REMOVED FOR PRIVACY",
"tid": "MYTENANTID",
"uti": "REMOVED FOR PRIVACY",
"ver": "2.0"
}
I cant find a way to specify the audience in the MSAL Library, is there a way to do this? Since from what I can see in the token, Microsoft STS is not seeing that the request is for the Azure Service Management Scope?
the error was caused because the the V1 endpoint expect a slash in the audience claim and the other to separate the API Name from the scope.
TL;DR change scopes from var scopes = new[] {"https://management.core.windows.net/user_impersonation"}; to this var scopes = new[] {"https://management.core.windows.net//user_impersonation"}; and it will work.
to save someone else the two hours of googling here is the doc on calling endpoints that still don't support v2 tokens: https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-v1-app-scopes
- How to write ODBC connection string for Snowflake
- How do I properly publish a Packaged Blank WinUI 3 application?
- How to convert a byte array to SKBitmap in SkiaSharp?
- Automatic native and managed DLLs extracting from NuGet Package
- How to connect to kafka port and do integration testing by reading topic and message
- Exception Info: System.PlatformNotSupportedException: EventLog access is not supported on this platform
- Creating a class library in visual studio code
- Update an existing database with migrations
- How to check if a number is a power of 2
- How to get nested appSettings value(s) strongly typed?
- Invariant culture issue while running the dotnet 6 application in a Docker Container
- How to update all of my dotnet global tool by one command
- Proper way to register HostedService in ASP.NET Core. AddHostedService vs AddSingleton
- Debugging xUnit tests in .NET Core and Visual Studio Code
- Class-based orchestrators - not found exception (.NET Core, Azure function)
- Nuget restore fails on Azure Devops with message "unable to load the service index for source"
- Worker Service's ExecuteAsync doesn't stop gracefully
- 1053 Windows Service Error using .NET Core 3.1 Worker Service
- FluentAssertions Asserting multiple properties of a single object
- How to pass an object from one page component to another page component in a .NET Blazor app?
- Write stream directly to HttpClient
- .NET Core AutoMapper missing type map configuration or unsupported mapping
- How to include third party libraries in dotnet publish as single file?
- Uploading file IFormFile to Azure C# function
- debug a dotnet core program in terminal
- Npgsql Connection Timeout with Postgres Running in Docker Container
- `git commit` in Github Actions workflow failing: Write access to repository not granted, 403
- Openiddict with dotnet core 5 giving the errors as "this server only accepts HTTPS requests."
- Getting null error when reading configuration from appsettings.json in asp.net core
- ASP.NET Core 6 Web API base project with multiple API projects