Scope is not being added to Access Token returned from Azure Ad
Overview
We have an Azure AD secured API living in Azure as a web app. We need to be able to:
- Trigger this API via user interaction from a client application (this part works).
- Trigger this API programmatically from a scheduled job that will simply get a token & hit this API (this part does not work due to authentication issues).
Problem
The issue is that when we request a token from Azure AD, scope is not being set in our token claims resulting in the API rejecting the token.
This is the request we are making:
This request returns an access token with the following claims:
{
"aud": "<our api client id>",
"iss": "https://login.microsoftonline.com/<tenantId>/v2.0",
"iat": 1644421512,
"nbf": 1644421512,
"exp": 1644425412,
"aio": "<value>",
"azp": "<scheduled job client id>",
"azpacr": "1",
"oid": "<guid>",
"rh": "<value>",
"sub": "<guid>",
"tid": "<guid>",
"uti": "<value>",
"ver": "2.0"
}
As you can see scp (scope) is not included in the token claims even though we include it in the request.
If we use this token to make a request to our API we get the following error:
System.UnauthorizedAccessException: IDW10201: Neither scope or roles claim was found in the bearer token.
Any help on how we can get an access token from Azure AD with the proper scope/permissions to call our API, would be greatly appreciated.
Note
The Azure AD App Registration for our scheduled job that will request a token and then hit our API, does have the Delegated API Permission access_as_user which you can see I am including in the token request's scope.
The above is expected as using client credentials you can't get the delegated permissions i.e. the access_as_user permission and also the scope in client credentials should be used as api://<APP_ID>/.default . So , If you want delegated permissions then you will have to use implicit grant flow instead of client credentials.
For testing , I created two app registrations , One on which API is exposed (Postman) and other which is to be used for authentication (Powershelltest) and then , I have tested the same in 2 different scenarios like one for client credentials and another for implicit grant :
Main APP whose API has been exposed :
App used for authentication:
Scenario 1 Using Client Credential flow :
Scenario 2 using Implicit Grant flow :
- Cannot add data to a ComplexField using Python SDK for Azure AI Search
- letsencrypt cert request failing for AKS ingress
- Playwright Test execution on Azure Windows machine fails in pipeline with error as No test found, It works perfectly with same command
- How to Combining PowerShell Output from multiple server to Single csv
- How can I find all Azure app registrations with API permissions to a specific app registration?
- Azure Deployment Groups vs Agent Pools
- I cannot extract .sql CREATE TABLEs for each table in my Azure SQL Database in my Azure Repo
- Can not read blobs through BlobContainerClient for blobs with empty folder prefixes
- Are task logs deleted when the node is deleted due to autoscaling in Azure Batch service?
- Azure Function Blob Storage Monitor
- I want to fetch Azure SQL table data from ADF to use as input in copy activity
- How to access code of my Azure website?
- Run JMeter script in AzureDevOps - Bearer Access Token generation
- Azure Function - HTTP trigger request length exceeded
- How and where to define an environment variable on Azure
- Stream Analytics doesn't output the data to SQL but does to a blob storage
- While Hierarchical namespace enabled cannot upload blob with metadata hdi_isfolder
- Cannot log in to Visual Studio Account in VS 2022
- SchemaColumnConvertNotSupportedException: column: [Col_Name], physicalType: INT64, logicalType: string
- create Azure Keyvault secret without exposing values
- Can you create 'User Flows' in Azure with a pay-as-you-go account
- Deploy ARM template at management group scope with Azure DevOps Pipeline
- How to make an azure function that deploys my bicep script from Azure Storage Account
- Basic SQL commands in Terraform
- Can we Deploy Web Application in Azure OpenAI of Production Level
- Get-MgGroupMember by display name instead of userID
- Azure DevOps REST API parent relation link to existing work item error
- What should be put to 'repoOwners' in Managed Identity Federated Credentials policy?
- How to get list of users from CSV file whose LastSignInDate column has a date that is before 90 days from current date or is empty?
- Langchain cannot connect with Azure SQL Database