
I have an Azure app service X (which has an ASP.NET Web API project published to it) that I have configured with the Y AAD app through Advanced Authentication (using Y's client ID in it). Now I also have another Z AAD app, which I want to use in the OAuth 2.0 flow of Postman.

The problem is that when I'm providing Y's client ID and the resource ID as Y's Application ID URI, I'm getting "Client is requesting token for itself." To avoid this I am replacing the resource ID with the Application (client) ID (the GUID) and it works fine. Why?

Also, if I use Z's client ID and Y's resource ID URI, it doesn't work, but it works when I use the GUID. So why is the Application ID URI required? What is the point of it if I can't use it?

Prasanjit Rath

1 Answer


I think you may be misunderstanding something. Let's be a little more concrete, and let's simplify a bit: you have Web API A with App Registration A, and you have a Client App Registration B.

First you set up Web API A to do whatever it needs; if it needs access to Graph, for example, then in API Permissions you give it that access. Then you either set up Web API A with an app secret or a user flow. Finally you go to Expose an API, which is where the Application ID URI comes in; this is ONLY to allow Client B to access Web API A. You only set this in App Registration A; you do not enter anything regarding this into the Web API App Service. You do not need resource IDs in your Web API, unless you are trying to access other APIs, like Graph for example.

Then say you are trying to get Client B to use the Web API: in your App Registration B, you add an API Permission -> My APIs -> select the scope you created just before. Then in Client B is where you set resource IDs, because you need to get a token that has access to the Web API.

I hope that clarifies it a bit for you. Also, here's a sample of a simple client-to-web-API flow; it's not 100% identical to yours since you're on an App Service, but it's essentially the same: https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-aspnetcore-webapi

alphaz18
  • My task is to access my own API which I hosted in a web service. Why do I need to give permission to the Graph API in the AAD app? How do I know I need its services? – Prasanjit Rath Jun 02 '20 at 03:15
  • If your task is to just access your own API, then in your API there is no need to configure an application resource URI in the Web API application. All you do is expose an API on App Registration A, and then request the scope from Application B. The "Expose an API" section is for something external to access your App Service API; it's not for your App Service Web API to access itself. – alphaz18 Jun 02 '20 at 03:34
  • What I'm also not getting is: for an AAD app, the application ID (client ID) and the application URI are the same thing, right? – Prasanjit Rath Jun 02 '20 at 04:39
  • They are two pretty different things. The application ID is a GUID; it looks something like this: xxxxxxxx-xxxx-xxxx-xxx-xxxxxxxxxxxx. It's used to talk to the app registration; it allows your apps/APIs/whatever to tell Azure which app registration you are trying to authenticate against. Whereas an application URI is a different kind of identifier for exposing API scopes; usually you generate one when you click on Expose an API in the app registration, and it looks like api://xxxxxxxxxxxxxxxxx. It's basically used for granting access to other APIs or from other clients. – alphaz18 Jun 02 '20 at 05:01