API Management OAuth 2.0 configuration issue
I am following this article to configure the API Management with OAuth 2.0 , However I am getting below error during the authentication in APIM Developer Portal - API Trigger.
{"code":"Unauthorized","message":{"error":"invalid_client","error_description":"AADSTS650052: The app is trying to access a service 'XXXXXXXX-1f80-4ded-a96a-XXXXXX'(oauth-backend-api) that your organization '65e4e06f-f263-4c1f-becb-90deb8c2d9ff' lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application in order to create the required service principal. Trace ID: 8e6c4fac-b3fd-460c-976b-91ccca094c00 Correlation ID: a65c5507-da87-47ce-841a-de29985af0dc Timestamp: 2024-08-10 23:11:17Z","error_uri":"https://login.microsoftonline.com/error?code=650052","state":"e689f2d6-be48-1230-b0b7-2d790cb5589f"
Policy configuration as below
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
<openid-config url="https://login.microsoftonline.com/XXXXXXX/v2.0/.well-known/openid-configuration" />
<required-claims>
<claim name="aud">
<value>XXXXXXXX-1f80-4ded-a96a-XXXXXX</value>
</claim>
</required-claims>
</validate-jwt>
Resolve - By changing the multi tenant to single tenant in the SPN
New error : AADSTS700016: Application with identifier 'XXXX-2ab2-XX-XX-XXX' was not found in the directory 'XXXXXXX'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
Below are the current API Permissions
Backend App - Expose an API configuration.
{"code":"Unauthorized","message":{"error":"invalid_client","error_description":"AADSTS650052: The app is trying to access a service 'XXXXXXXX-1f80-4ded-a96a-XXXXXX'(oauth-backend-api) that your organization '65e4e06f-f263-4c1f-becb-90deb8c2d9ff' lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application in order to create the required service principal. Trace ID:8e6c4fac-b3fd-460c-976b-91ccca094c00 Correlation ID:a65c5507-da87-47ce-841a-de29985af0dc Timestamp: 2024-08-10 23:11:17Z","error_uri":"https://login.microsoftonline.com/error?code=650052","state":"e689f2d6-be48-1230-b0b7-2d790cb5589f"
In order to get rid of this error, you need to add the client id of oauth-client-app in oauth-backend-app as shown below and keep both the apps in multi tenant only.
I am using given policy in apim.
<policies>
<inbound>
<base />
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
<openid-config url="https://login.microsoftonline.com/932********f6d/v2.0/.well-known/openid-configuration" />
<issuers>
<issuer>https://sts.windows.net/932********f6d/</issuer>
</issuers>
<required-claims>
<claim name="aud">
<value>3a31*********c0b</value>
</claim>
</required-claims>
</validate-jwt>
</inbound>
</policies>
Then published the developer portal and got below screen to get the bearer token and clicked Accept.
Then got 200 OK response.
- #oauth2 security expressions on method level
- Calling spring authorization server OAuth2 REST endpoints
- Google AdWords API authorization raising AdsCommon::Errors::AuthError
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Passport - Node.js not returning Refresh Token
- Cross-client Google OAuth: Get auth code on iOS and access token on server
- How to generate GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET without a domain?
- Spring Gateway and OAuth
- How to get Optum sandbox to authenticate with OAuth 2.0 using Java and okhttp
- OAuth Client Credential Flow - Refresh Tokens
- UPS Outh Rating API return Invalid Authentication Information
- Django OAuth2 Authentication Failing in Unit Tests - 401 'invalid_client' Error
- Add OAuth authentication for HTTP request triggers
- OAuth2 implementation and user management Django
- How to enable a submit button if form fields are auto-filled by the browser using saved credentials on page load?
- AADSTS70000 Error When Requesting for Access Token
- Is storing an OAuth token in cookies bad practice?
- Spring OAuth2 client performs Back-Channel Logout with an expired ID token
- I/O error on GET request for "https://localhost/application/o/{name}/.well-known/openid-configuration": Connection refused
- Restrict Microsoft Azure App OAuth2.0 to Internal Users
- How can I "Get Microsoft Teams Users" Using of Microsoft Graph API
- unsupported_grant_type error for authorization_code grant type: Spring Security OAuth2
- REST API Server error using OAuth2 and Microsoft.AspNetCore.Identity
- hwi_oauth can't connect to FOS_OAUTH_SERVER
- How to Locate and Customize the OAuth Implicit Flow Redirect Screen?
- How to create secret in client app in Azure
- how to generate a bearer token for Azure api, with microsoft api
- OWIN middleware for OpenID Connect - Code flow ( Flow type - AuthorizationCode) documentation?
- Unable to authenticate users using procore
- How can Authorization Code Flow with PKCE be more secure than Authorization Code Flow without client_secret