HTTP/1.1 401 Unauthorized - Developer portal
I am creating oauth2 authorization server using flowing these steps in the link https://azure.github.io/apim-lab/apim-lab/7-security/security-7-2-3-oauth2-authorization-grant-flow.html.
I have created a backend app and registered a client app, Also have created oauth2 server in client app and configure API to use server.
I get error on developer portal
Has anyone faced this kind of issue? Is there something I am missing?
I have five backend apps and want to create only one oauth2 server for all backend apps. I have added client app id into backend app's Expose an API -> Add Client application and in backend app ids in client app's API permissions -> Add a permissions. I have also added client app id in an audiences(APIM policy) in open api specs. While creating oauth2 server I have tried given api://client-app-id/.default but it throws an error
{ "code":"Unauthorized","message":{"error":"invalid_request","error_description":"AADSTS90009: Application 'client-app-id' is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier. Trace ID: 794afd03-1bc0-47dc-aa7f-2ec71e9f2500 Correlation ID: 9c520cd6-f0a3-4b86-9c7a-14975246d845 Timestamp: 2024-08-22 17:35:06Z","state":"3972be93-8884-4dac-e0b3-59d861f49d56"}}
I don't want to use GUID. Does anyone know how to create only one oauth2 server for all the backend apis?
- Follow each steps given in this Lab clearly, create two multi tenant apps as mentioned in the link.
- Create a scope in backend app and then add frontend app in Add a client application. By doing this, you don't need to pass the audiences of both the apps in validate-jwt policy instead you will access the backend app via frontend app.
- Grant permission to the backend app in frontend app.
- Enable OAuth 2.0 in Azure APIM and provide all the frontend app details. Specify default scope as {frontend app's client id}/.default.
- Add the given policy in your API.
<policies>
<inbound>
<base />
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
<openid-config url="https://login.microsoftonline.com/{tenantID}/v2.0/.well-known/openid-configuration" />
<audiences>
<audience>{Frontend App ClientID}</audience>
</audiences>
<issuers>
<issuer>https://sts.windows.net/{tenantID}/</issuer>
</issuers>
</validate-jwt>
</inbound>
</policies>
- Link the OAuth 2.0 to the API by navigating to API -> Settings and then, publish the changes to the developer portal. When you will choose Authorization flow as authorization_code in developer portal, you should below pop up.
- You will get expected 200 OK response.
- How to resolve paging when retrieving data from REST API in R
- SearchService deployment fails if the resource exists
- Azure Bicep - Referencing a variable that cannot be calculated at the start
- Local development with Azure SignalR Service and Azure Functions
- Azure Functions & Application Insights requests "Operation Link" empty
- Disabling allow public blob access using terraform
- how to retrieve all resources under given subnet using Azure Resource Graph Explorer query
- I'm using SSIS in ADF to move .csv from a blob container to another and then ingest into a Azure SQL database. I get an assembly error
- How to build expression in ADF from json using parameterized variable?
- Reference a variable azure pipeline not working
- Graph Powershell adding a user to PIM for a privileged security group
- Indexing static HTML blob storage content with Azure Cognitive Search is not working as expected
- Azure python webapp deploy shows as running even though it is successful
- Azure pipeline get Pull request source and target branch name
- Error while copying Azure Storage table from one Storage to another storage table using Powershell script
- Azure Function App Fails to Delete Blob Image After Deployment
- Use Azure AD authentication but manage roles in database in .NET 6
- Microsoft Azure VMs IaaS or PaaS?
- Can an application property be updated/deleted from a ServiceBusReceivedMessage?
- Why is my Blazor Web App throwing a SocketException when authenticating with OpenIddict when deployed to Azure App Service?
- RPC failed: curl 56 failure when receiving data from the peer
- Read 'Attribute & Claims' from SAML Entra application configuration using PowerShell
- Reading Excel file returns 'Invalid Request' error
- Is it possible to clone an Azure Container App?
- Unable to Enable Encryption at host for Azure VM
- Application Insights does not capture information level logging
- How to look up logical partition count and size in Cosmos DB
- AzureRmWebAppDeployment@4 tries to deploy to a wrong URL to Linux app plan
- Azure B2C client credentials flow throws invalid_grant AADB2C90085
- Why I can't create azurerm_app_service connection?