HTTP/1.1 401 Unauthorized - Developer portal
I am creating oauth2 authorization server using flowing these steps in the link https://azure.github.io/apim-lab/apim-lab/7-security/security-7-2-3-oauth2-authorization-grant-flow.html.
I have created a backend app and registered a client app, Also have created oauth2 server in client app and configure API to use server.
I get error on developer portal
Has anyone faced this kind of issue? Is there something I am missing?
I have five backend apps and want to create only one oauth2 server for all backend apps. I have added client app id into backend app's Expose an API -> Add Client application and in backend app ids in client app's API permissions -> Add a permissions. I have also added client app id in an audiences(APIM policy) in open api specs. While creating oauth2 server I have tried given api://client-app-id/.default but it throws an error
{ "code":"Unauthorized","message":{"error":"invalid_request","error_description":"AADSTS90009: Application 'client-app-id' is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier. Trace ID: 794afd03-1bc0-47dc-aa7f-2ec71e9f2500 Correlation ID: 9c520cd6-f0a3-4b86-9c7a-14975246d845 Timestamp: 2024-08-22 17:35:06Z","state":"3972be93-8884-4dac-e0b3-59d861f49d56"}}
I don't want to use GUID. Does anyone know how to create only one oauth2 server for all the backend apis?
- Follow each steps given in this Lab clearly, create two multi tenant apps as mentioned in the link.
- Create a scope in backend app and then add frontend app in Add a client application. By doing this, you don't need to pass the audiences of both the apps in validate-jwt policy instead you will access the backend app via frontend app.
- Grant permission to the backend app in frontend app.
- Enable OAuth 2.0 in Azure APIM and provide all the frontend app details. Specify default scope as {frontend app's client id}/.default.
- Add the given policy in your API.
<policies>
<inbound>
<base />
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
<openid-config url="https://login.microsoftonline.com/{tenantID}/v2.0/.well-known/openid-configuration" />
<audiences>
<audience>{Frontend App ClientID}</audience>
</audiences>
<issuers>
<issuer>https://sts.windows.net/{tenantID}/</issuer>
</issuers>
</validate-jwt>
</inbound>
</policies>
- Link the OAuth 2.0 to the API by navigating to API -> Settings and then, publish the changes to the developer portal. When you will choose Authorization flow as authorization_code in developer portal, you should below pop up.
- You will get expected 200 OK response.
- Cannot add data to a ComplexField using Python SDK for Azure AI Search
- letsencrypt cert request failing for AKS ingress
- Playwright Test execution on Azure Windows machine fails in pipeline with error as No test found, It works perfectly with same command
- How to Combining PowerShell Output from multiple server to Single csv
- How can I find all Azure app registrations with API permissions to a specific app registration?
- Azure Deployment Groups vs Agent Pools
- I cannot extract .sql CREATE TABLEs for each table in my Azure SQL Database in my Azure Repo
- Can not read blobs through BlobContainerClient for blobs with empty folder prefixes
- Are task logs deleted when the node is deleted due to autoscaling in Azure Batch service?
- Azure Function Blob Storage Monitor
- I want to fetch Azure SQL table data from ADF to use as input in copy activity
- How to access code of my Azure website?
- Run JMeter script in AzureDevOps - Bearer Access Token generation
- Azure Function - HTTP trigger request length exceeded
- How and where to define an environment variable on Azure
- Stream Analytics doesn't output the data to SQL but does to a blob storage
- While Hierarchical namespace enabled cannot upload blob with metadata hdi_isfolder
- Cannot log in to Visual Studio Account in VS 2022
- SchemaColumnConvertNotSupportedException: column: [Col_Name], physicalType: INT64, logicalType: string
- create Azure Keyvault secret without exposing values
- Can you create 'User Flows' in Azure with a pay-as-you-go account
- Deploy ARM template at management group scope with Azure DevOps Pipeline
- How to make an azure function that deploys my bicep script from Azure Storage Account
- Basic SQL commands in Terraform
- Can we Deploy Web Application in Azure OpenAI of Production Level
- Get-MgGroupMember by display name instead of userID
- Azure DevOps REST API parent relation link to existing work item error
- What should be put to 'repoOwners' in Managed Identity Federated Credentials policy?
- How to get list of users from CSV file whose LastSignInDate column has a date that is before 90 days from current date or is empty?
- Langchain cannot connect with Azure SQL Database