azureazure-active-directoryazure-ad-msalmicrosoft-entra-idazure-entra-id

Calling an ASP.NET Core Web API integrated to EntraId app from another .NET Core console app integrated to EntraId app fails


I have created an ASP.NET Core Web API and registered it in EntraID and configured it in my program.cs as follows:

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

builder.Services.AddAuthorization();

Then I have registered another app in the EntraId and configured the code in the console application as follows:

var app = ConfidentialClientApplicationBuilder
               .Create(appId)
               .WithClientSecret(appSecret)
               .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"))
               .Build();

var result = app.AcquireTokenForClient(new[] { $"api://{apiAppId}/.default" })
               .ExecuteAsync();

result.Wait();

var client = new HttpClient();
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.Result.AccessToken);

var response = client.GetAsync(endpointUrl);
            response.Wait();

Further, I also configured the app registration with a scope named "xxx.read" and added the client application under the Authorized clent applications of Expose an API settings.

When the console application calls the web api, web api throws the following error.

Bearer was not authenticated. Failure message: IDW10201: Neither scope nor roles claim was found in the bearer token. Authentication scheme used: 'Bearer'. Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: Bearer was not authenticated. Failure message: IDW10201: Neither scope nor roles claim was found in the bearer token. Authentication scheme used: 'Bearer'. dbug: Microsoft.AspNetCore.Authorization.AuthorizationMiddleware[0] Policy authentication schemes did not succeed Microsoft.AspNetCore.Authorization.AuthorizationMiddleware: Debug: Policy authentication schemes did not succeed info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService2 Authorization failed. These requirements were not met: DenyAnonymousAuthorizationRequirement: Requires an authenticated user. Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization failed. These requirements were not met: DenyAnonymousAuthorizationRequirement: Requires an authenticated user. info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[12] AuthenticationScheme: Bearer was challenged. Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: AuthenticationScheme: Bearer was challenged.

Expose an API - of the api app

API Permisions of client app

Am I missing anything?


Solution

  • Note that: Delegated API permissions work only for user interactive flow. As you are making use of ConfidentialClientApplicationBuilder you need to create app roles and grant application type API permissions.

    In the API application, expose an API and create app role:

    enter image description here

    In the RukAppClient application, grant API permission:

    enter image description here

    Generate the token:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
    
    client_id : ClientID
    scope : https://graph.microsoft.com/.default
    client_secret : ClientSecret
    grant_type : client_credentials
    

    enter image description here

    When decoded the role claim will be present in the token successfully:

    enter image description here