
I am trying to connect to an API through Client AAD details (client id, client secret) using the "client_credentials" grant_type. I am able to fetch the token with the API scope, but when I use that token to retrieve API results, I am getting a 401 unauthorized error.

I am trying to understand what kind of permissions are required on API AAD for Client AAD to accept the token. Please help me to understand this.

Following are the permissions on both AADs:

API AAD:

User.Read -> Delegated -> Sign in and read user profile

Client AAD:

User impersonation -> Delegated -> FOR API AAD

Microsoft Graph -> Delegated, Application -> User.Read.All

Thanks,

Deepak.

  • Which API are you trying to reach? – Md Farid Uddin Kiron Jun 15 '20 at 07:44
  • Are you going to access the "profile" api? https://learn.microsoft.com/en-us/graph/api/resources/profile-example?view=graph-rest-beta – Carl Zhao Jun 15 '20 at 08:43
  • Please check if you have a valid access token for this API. https://learn.microsoft.com/en-us/azure/marketplace/cloud-partner-portal-orig/cloud-partner-portal-api-troubleshooting-authentication-errors – Carl Zhao Jun 15 '20 at 10:56
  • If my answer is helpful for you, you can accept it as the answer (click on the check mark beside the answer to toggle it from greyed out to filled in). See https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work. This can be beneficial to other community members. Thank you. – Carl Zhao Jun 19 '20 at 11:21

1 Answer

If you use Client Credential flow to obtain an access token, you must create an application and grant application permissions to the application (this is because Client Credential flow has no user interaction).

Before that, you need to understand the difference between delegated permissions and application permissions:

Application permissions allow an application in Azure Active Directory to act as its own entity, rather than on behalf of a specific user.

Delegated permissions allow an application in Azure Active Directory to perform actions on behalf of a particular user.

Then you need to define the application permissions by editing the list of API applications. Here is an example.

Refer to this document and use Client Credential flow to get the access token here:

1. First you need to get the administrator's consent:

GET https://login.microsoftonline.com/{tenant}/adminconsent?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions

2. Then you can get the access token by sharing the secret:

POST /{tenant}/oauth2/v2.0/token HTTP/1.1           //Line breaks for clarity
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret=qWgdYAmab0YSkuL1qKv5bPX
&grant_type=client_credentials

Parse the token and you will see your custom roles.

Okay, now you can use the token to access your resources.

Carl Zhao
  • Thanks for the above details, sorry if my question was not clear. What I am trying to do is: I have two AADs, one API AAD and one Client AAD, and there are two applications, api and client, which are associated with their respective AADs. Now all I am trying to do is, by using the client's AAD (client id and secret), generate a token for the scope of the API URL. If I use this token to call the API through Postman, I am getting 401 unauthorized. – Deepak Reddy Jun 15 '20 at 19:04
  • @DeepakReddy Hi, can you use https://jwt.ms/ to parse your access token and provide screenshots? – Carl Zhao Jun 16 '20 at 02:20
  • @DeepakReddy Can you provide your "Api"? – Carl Zhao Jun 16 '20 at 07:18
  • Using Client Credentials grant type - https://i.stack.imgur.com/tPGuj.png , using user logged-in token - https://i.stack.imgur.com/astsn.png . The second one works fine but the token from client credentials doesn't work. – Deepak Reddy Jun 16 '20 at 09:21
  • @DeepakReddy There is no scope ("scp") in the first token. Lack of access to the API permission. – Carl Zhao Jun 16 '20 at 09:45
  • Can you see this https://i.stack.imgur.com/IOeGV.png ? I am using the scope string[] scopes = new string[] { "https://deepak39api.azurewebsites.net/.default" }; to generate the token, and full permissions are there for the client on the API. – Deepak Reddy Jun 16 '20 at 10:32
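The claim check this thread turns on, as an added Python example that is not part of the question or the answer: a delegated token carries `scp`, a client-credentials token carries `roles` (only if an application permission was actually assigned), and a token with neither is what the API must reject. The audience URI, role name and sample tokens are constructed for illustration and the tokens are unsigned; a real API verifies the signature against the tenant's signing keys before reading any claim.

```python
import base64
import json

# Hypothetical application ID URI of the protected API (constructed).
API_AUDIENCE = "api://example-api"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_test_token(claims: dict) -> str:
    """Build an UNSIGNED token for offline illustration only (constructed data)."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."


def payload_claims(token: str) -> dict:
    """Return the payload claims, the same view jwt.ms gives you."""
    return json.loads(b64url_decode(token.split(".")[1]))


def authorize(token: str, required_role: str, required_scope: str) -> tuple:
    """API-side decision: (allowed, reason). Signature verification is assumed
    to have happened already; this covers only the permission claims."""
    claims = payload_claims(token)
    if claims.get("aud") != API_AUDIENCE:
        return False, "audience mismatch"
    if required_role in claims.get("roles", []):
        return True, "application permission (roles claim)"
    if required_scope in claims.get("scp", "").split():
        return True, "delegated permission (scp claim)"
    # The asker's case: client_credentials with only delegated permissions
    # granted yields a token with neither claim, so access is refused.
    return False, "no roles or scp claim granting access"


# Constructed samples mirroring the thread.
CC_TOKEN_NO_ROLE = make_test_token({"aud": API_AUDIENCE, "appid": "client-app"})
CC_TOKEN_WITH_ROLE = make_test_token({"aud": API_AUDIENCE, "roles": ["Api.Read.All"]})
DELEGATED_TOKEN = make_test_token(
    {"aud": API_AUDIENCE, "scp": "user_impersonation", "upn": "user@example.com"})

if __name__ == "__main__":
    for name in ("CC_TOKEN_NO_ROLE", "CC_TOKEN_WITH_ROLE", "DELEGATED_TOKEN"):
        print(name, authorize(globals()[name], "Api.Read.All", "user_impersonation"))
```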