I have 2 AAD app registrations, one for a desktop client, the other for a web API. I have configured authentication as per the Microsoft QuickStart to use microsoft.identity.client and microsoft.identity.client.broker to authenticate and get a token. This seems to work correctly. The web API uses the following for authentication:
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));
I have also configured the Enterprise applications in AAD.
Without the [Authorize] attribute on the web API controller, I can use the desktop app to get data from the web API with a call such as:
GetHttpContentWithToken(APIEndpoint, authResult.AccessToken)
However, as soon as I add [Authorize] to the controller, I can't get any data back. In fact, when I run the debugger, it doesn't seem like the call ever makes it to the controller.
If I look at the ILogger output (when [Authorize] is not present) it seems the token is valid.
I'm not sure where to go from here. Maybe I don't have the correct authentication provider in the Program.cs of the web api. Or maybe I don't have the correct packages. I think I have the correct scopes configured. Any suggestions?
Check the below steps to configure the AAD App Registration and WebAPI to allow [Authorize]. I have taken references from the MSDoc.
Expose an API for both registered applications (Admins only, or Admins and Users). Make sure you have added the Client Application.
ASP.NET Core WebAPI 6.0 with the Microsoft identity platform service dependency. Client Application: the Redirect URI will be added in the selected App Registration. Thanks @Tiny Wang for the comment.
Yes, as mentioned by Tiny Wang, we need to add the Scopes as well.
My appsettings.json:
{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*",
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "******.onmicrosoft.com",
    "TenantId": "**********",
    "ClientId": "**********",
    "CallbackPath": "/signin-oidc",
    "Scopes": "AllMemberAPI.All",
    "ClientSecret": "Client secret from app-registration. Check user secrets/azure portal.",
    "ClientCertificates": []
  }
}
My .csproj file:
<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <Nullable>enable</Nullable>
    <ImplicitUsings>enable</ImplicitUsings>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="6.0.5" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="6.0.5" />
    <PackageReference Include="Microsoft.Identity.Web" Version="1.24.1" />
    <PackageReference Include="Microsoft.Identity.Web.UI" Version="1.16.0" />
    <PackageReference Include="Swashbuckle.AspNetCore" Version="6.2.3" />
  </ItemGroup>
</Project>
First, we need to authenticate the user. Check whether the user is authenticated or not.
To know more about the authentication middleware, we can download the sample code from the App Registration => Quickstart.
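To tie the answer's configuration together, here is a complete Program.cs for the web API side, written as an added example rather than code from the question or the answer. It wires Microsoft.Identity.Web's JWT bearer validation from the "AzureAd" section shown above, puts the authentication and authorization middleware in the order [Authorize] needs, logs why a token was rejected, and protects a controller with both [Authorize] and a scope check. The scope name "AllMemberAPI.All" is taken from the appsettings.json in the answer; the controller name, route and the logger category are assumptions for illustration.

```csharp
// Added example (not from the question or answer): minimal ASP.NET Core 6 web API
// protected by Azure AD access tokens via Microsoft.Identity.Web.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Validate incoming bearer tokens against Instance/TenantId/ClientId from the
// "AzureAd" section. A token whose audience or issuer does not match is rejected
// here, before any controller action runs, which is exactly the symptom of a
// breakpoint in the controller never being hit once [Authorize] is present.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

// Log the validation failure so the 401 can be diagnosed from the API's own
// ILogger output instead of guessing from the client side.
builder.Services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
{
    options.Events ??= new JwtBearerEvents();
    options.Events.OnAuthenticationFailed = ctx =>
    {
        var logger = ctx.HttpContext.RequestServices
            .GetRequiredService<ILoggerFactory>()
            .CreateLogger("BearerAuth"); // category name is an assumption
        logger.LogWarning(ctx.Exception, "Bearer token rejected");
        return Task.CompletedTask;
    };
});

builder.Services.AddAuthorization();
builder.Services.AddControllers();

var app = builder.Build();

// Order matters: UseAuthentication must populate HttpContext.User before
// UseAuthorization evaluates [Authorize], and both must come before MapControllers.
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

// [Authorize] alone accepts any valid token issued for this API's audience.
// [RequiredScope] additionally requires the token's "scp" claim to contain the
// scope exposed in the App Registration, so a caller holding a token without
// that scope receives 403 instead of data.
[ApiController]
[Route("api/[controller]")] // route name is an assumption
[Authorize]
[RequiredScope("AllMemberAPI.All")]
public class MembersController : ControllerBase
{
    [HttpGet]
    public IActionResult Get()
    {
        // Echo the caller identity and granted scopes carried in the validated token;
        // handy for confirming the registration and scope setup end to end.
        var name = User.FindFirst("name")?.Value ?? User.Identity?.Name ?? "(no name claim)";
        var scopes = User.FindFirst("scp")?.Value ?? "(no scp claim)";
        return Ok(new { caller = name, scopes });
    }
}
```

For this to pass, the desktop client must request the API's scope (by default exposed as `api://<api ClientId>/AllMemberAPI.All`) when acquiring the token, so that the token's audience is the web API registration rather than Microsoft Graph or the client itself; a token acquired for a different resource is the most common reason the request is rejected before reaching the controller, and the OnAuthenticationFailed log line above will name the mismatched claim.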