
So I have built an application using ASP.NET Core. Here is my code:

    services.AddAuthentication(AzureADDefaults.JwtBearerAuthenticationScheme)
    .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));

    services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
    {
        // This is a Microsoft identity platform web API.
        options.Authority += "/v2.0";

        // The web API accepts as audiences both the Client ID (options.Audience) and api://{ClientID}.
        options.TokenValidationParameters.ValidAudiences = new[]
        {
         options.Audience,
         $"api://{options.Audience}"
        };
    });


This setup works fine when I use username/password authentication. But because of some condition, I can only use client_credentials for my other application. I'm using this to get the token: [screenshot]. I successfully get the token, but when I use the token I get Unauthorized.

Here is the API permission that I used: [screenshot]

And this is my decoded token: [screenshot]

Theodorus Agum Gumilang

1 Answer


Please change the scope to: api://{ClientID}/.default.


Update:

You need to create another Azure AD application that represents the web API, and then use your client application to call the web API application.

First, you need to expose the API of the application representing the web API. You can configure it according to the following process:

Azure portal > App registrations > Expose an API > Add a scope > Add a client application

Next, you need to define the manifest of the API application and grant application permissions to your client application (these are the role permissions you define yourself; you can find them under My APIs when you add permissions).

This is the process of defining the manifest: [screenshot]

This is how to grant permissions to the client application: [screenshot]

Finally, you can request a token for your API application: [screenshot]

Carl Zhao
  • hi so the scope is the App URI, I'm able to retrieve the token but it still returns Unauthorized, is it maybe because the ConfigureServices for the authorization in my .NET Core app is still wrong? – Theodorus Agum Gumilang Sep 03 '20 at 08:40
  • @TheodorusAgumGumilang You can use the client_credentials flow to get the token, right? – Carl Zhao Sep 03 '20 at 08:47
  • yes I can retrieve the access token, but when I tried to use it in my API I still get the Unauthorized response – Theodorus Agum Gumilang Sep 03 '20 at 08:49
  • @TheodorusAgumGumilang Would you please provide a few screenshots: 1. Use https://jwt.ms/ to parse your access token and provide screenshots. 2. Go to azure portal>App registrations>API permissions to provide a screenshot. 3. Use the token to request a screenshot of the api. – Carl Zhao Sep 03 '20 at 08:57
  • @TheodorusAgumGumilang You did not grant api application permission to your client application in API permissions. This permission is your customized permission, not AAD graph permission, nor MS graph permission. You can find it in "My APIs", I provide a detailed explanation in the answer. You can follow the answer I provided. – Carl Zhao Sep 03 '20 at 09:24
  • Hi, oh sorry for my mistake, now I'm stuck on the last step: I can't click on the Application Permissions, it seems disabled – Theodorus Agum Gumilang Sep 03 '20 at 09:40
  • @TheodorusAgumGumilang You need to customize "appRoles" in the "manifest". There is a link in the answer I provided, you can click in and take a look. – Carl Zhao Sep 03 '20 at 09:46
  • @TheodorusAgumGumilang Hi, has your problem been solved? – Carl Zhao Sep 04 '20 at 01:38
  • I'm still stuck here, I think I have now followed all your steps above. Now I tried to change the auth type to use a password but it still returns Unauthorized. – Theodorus Agum Gumilang Sep 07 '20 at 03:34
  • @TheodorusAgumGumilang Can you see your customized "appRoles" after parsing your token? – Carl Zhao Sep 07 '20 at 06:17
  • @TheodorusAgumGumilang Hi, has this problem been solved? How's the progress? – Carl Zhao Sep 15 '20 at 02:19
  • hi thanks for your concern, I think now I know why it returned 401: it is because my app can't validate the issuer. The issuer from client credentials is https://sts.windows.net/ and in my app I have the validate issuer setting turned on with https://login.microsoftonline.com. My workaround is that in my ASP.NET Core app I set validate issuer to false. I don't know what the best practice for that is because, unlike audience, we can't have multiple issuers for the validation – Theodorus Agum Gumilang Sep 15 '20 at 10:03
  • @CarlZhao - Is this answer/these screenshots still valid? I'm having similar issues but the UI for Azure AD now has an "App roles" item between "Expose an API" and "Owners" which I suspect should now be used to do the items covered by the first screenshot?? – mutex May 25 '21 at 23:01
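The issuer mismatch described in the last comments (v1 tokens from `https://sts.windows.net/{tenant}/`, v2 tokens from `https://login.microsoftonline.com/{tenant}/v2.0`) can be handled without turning issuer validation off: `TokenValidationParameters.ValidIssuers` takes a list, just as `ValidAudiences` does. The following is an added example, not code from the question or the answer; it assumes the same `Microsoft.AspNetCore.Authentication.AzureAD.UI` package as the question and an "AzureAd" configuration section containing `TenantId` and `ClientId` (the tenant GUID is a placeholder).

```csharp
// Added example: ASP.NET Core JWT bearer setup that keeps issuer validation ON
// and pins both issuer formats Azure AD can emit for one tenant.
// Assumes Microsoft.AspNetCore.Authentication.AzureAD.UI and an "AzureAd"
// config section with "TenantId" and "ClientId" (not from the original post).
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class JwtBearerSetup
{
    public static void ConfigureAzureAdBearer(IServiceCollection services, IConfiguration configuration)
    {
        services.AddAuthentication(AzureADDefaults.JwtBearerAuthenticationScheme)
            .AddAzureADBearer(options => configuration.Bind("AzureAd", options));

        services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
        {
            // Placeholder values come from configuration, e.g.
            // "TenantId": "00000000-0000-0000-0000-000000000000" (constructed, not real).
            string tenantId = configuration["AzureAd:TenantId"];
            string clientId = configuration["AzureAd:ClientId"];

            // Microsoft identity platform (v2.0) metadata endpoint, as in the question.
            options.Authority += "/v2.0";

            // Audience: the API's Client ID and its App ID URI, as in the question.
            options.TokenValidationParameters.ValidAudiences = new[]
            {
                clientId,
                $"api://{clientId}"
            };

            // Issuer: keep validation enabled and list the exact issuer strings
            // for THIS tenant only. Setting ValidateIssuer = false would accept
            // tokens signed for any tenant that shares the same signing keys.
            options.TokenValidationParameters.ValidateIssuer = true;
            options.TokenValidationParameters.ValidIssuers = new[]
            {
                $"https://sts.windows.net/{tenantId}/",                  // v1 access tokens
                $"https://login.microsoftonline.com/{tenantId}/v2.0"     // v2 access tokens
            };
        });
    }
}
```

Client-credentials tokens carry no user, so authorization in the API should then rely on the app role from the "roles" claim that the answer's manifest step defines; alternatively, setting `accessTokenAcceptedVersion` to 2 in the API app's manifest makes Azure AD issue v2 tokens, so only the v2 issuer is needed.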