I have a Web API that calls OAuth 2.0 to get an access token:

    using System;
    using System.Collections.Generic;
    using System.Net.Http;
    using System.Text.Json;
    using System.Text.Json.Serialization;
    using System.Threading.Tasks;

    // Assumed shape of the class the question does not show: the token endpoint
    // returns the field as "access_token", so the property name has to be mapped.
    public class RefreshTokenResponse
    {
        [JsonPropertyName("access_token")]
        public string AccessToken { get; set; }
    }

    // _configuration and _httpClient are injected; the relative request URL below
    // assumes _httpClient.BaseAddress is https://login.microsoftonline.com/.
    public async Task<string> GetAccessTokenAsync()
    {
        var content = new FormUrlEncodedContent(new[]
        {
            new KeyValuePair<string, string>("client_id", _configuration["ClientId"]),
            new KeyValuePair<string, string>("grant_type", "refresh_token"),
            new KeyValuePair<string, string>("refresh_token", _configuration["RefreshToken"]),
            new KeyValuePair<string, string>("scope", "openid Mail.Send offline_access")
        });

        var tenantId = _configuration["TenantId"];

        try
        {
            var response = await _httpClient.PostAsync($"{tenantId}/oauth2/v2.0/token", content);
            var status = (int)response.StatusCode;
            // Read the body once: it holds the token on 200 and the AADSTS error JSON otherwise.
            var responseString = await response.Content.ReadAsStringAsync();

            if (status == 200)
            {
                var refreshTokenResponse = JsonSerializer.Deserialize<RefreshTokenResponse>(responseString);
                return refreshTokenResponse.AccessToken;
            }

            // Concatenating response.Content only prints the HttpContent type name; use the body text.
            throw new Exception("Status " + status + " Content " + responseString +
                                " ReasonPhrase " + response.ReasonPhrase +
                                " RequestMessage " + response.RequestMessage);
        }
        catch (HttpRequestException ex)
        {
            // The snippet in the question ends inside the try block; this catch closes it.
            throw new Exception("Token request failed", ex);
        }
    }

This code works perfectly fine when I run it locally, even without the scope. The same code fails when deployed to Azure (Azure App Service). Even the Postman call works fine with or without the scope.

The response contains the message below:

    {"error":"invalid_grant","error_description":"AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance

I tried checking the document https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#refresh-the-access-token

It is unclear why it works when I debug from my local machine and from a direct Postman call, but not from the Azure App Service.

Any help will be highly appreciated

    Have you looked in the Azure portal: Azure AD tenant > Conditional Access for a policy that might be interfering with the (deployed) web application? – Melissa Aug 07 '21 at 23:54

1 Answer

Have you checked "Azure AD tenant > Conditional Access for a policy that might be interfering with the (deployed) web application", as suggested by Melissa?

You can also try the following workaround:

Access token request with a certificate:

    POST /{tenant}/oauth2/v2.0/token HTTP/1.1               // Line breaks for clarity
    Host: login.microsoftonline.com
    Content-Type: application/x-www-form-urlencoded

    scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
    &client_id=97e0a5b7-d745-40b6-94fe-5f77d35c6e05
    &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
    &client_assertion=eyJhbGciOiJSUzI1NiIsIng1dCI6Imd4OHRHeXN5amNScUtqRlBuZDdSRnd2d1pJMCJ9.eyJ{a lot of characters here}M8U3bSUKKJDEg
    &grant_type=client_credentials

You can refer to Token access blocked when posting request from published Azure function, Refresh token for user with CA Policy applied in Azure AD failed, Conditional Access Policy and GitHub open issue at AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.
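The certificate-based request from the answer as C# code, added here as an example (not the answer's or Microsoft's own code): it builds and signs the client_assertion JWT with System.Security.Cryptography instead of MSAL, and assumes the X509Certificate2 passed in holds the private key of the certificate registered on the app, with tenantId and clientId supplied by the caller.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class CertificateClientCredentials
{
    // JWT segments are base64url without padding.
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Signed JWT sent as client_assertion: short-lived, single-use (jti), audience pinned to this
    // tenant's token endpoint, signed with the private key of the certificate registered on the app.
    public static string BuildAssertion(X509Certificate2 cert, string tenantId, string clientId)
    {
        var now = DateTimeOffset.UtcNow;
        // x5t = base64url SHA-1 thumbprint, which is how Azure AD selects the registered certificate.
        var header = new Dictionary<string, object> { ["alg"] = "RS256", ["typ"] = "JWT", ["x5t"] = B64Url(cert.GetCertHash()) };
        var claims = new Dictionary<string, object>
        {
            ["aud"] = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token",
            ["iss"] = clientId, ["sub"] = clientId, ["jti"] = Guid.NewGuid().ToString(),
            ["nbf"] = now.ToUnixTimeSeconds(), ["exp"] = now.AddMinutes(5).ToUnixTimeSeconds()
        };
        var signingInput = B64Url(JsonSerializer.SerializeToUtf8Bytes(header)) + "." +
                           B64Url(JsonSerializer.SerializeToUtf8Bytes(claims));
        using var rsa = cert.GetRSAPrivateKey();
        var sig = rsa.SignData(Encoding.ASCII.GetBytes(signingInput),
                               HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return signingInput + "." + B64Url(sig);
    }

    // The POST shown in the answer, with the assertion generated fresh for each request.
    public static async Task<string> GetTokenAsync(HttpClient http, X509Certificate2 cert, string tenantId, string clientId)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["scope"] = "https://graph.microsoft.com/.default", ["client_id"] = clientId,
            ["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            ["client_assertion"] = BuildAssertion(cert, tenantId, clientId), ["grant_type"] = "client_credentials"
        });
        using var response = await http.PostAsync($"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token", form);
        var body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)   // AADSTS errors come back as JSON in the body
            throw new InvalidOperationException($"Token request failed ({(int)response.StatusCode}): {body}");
        using var doc = JsonDocument.Parse(body);
        return doc.RootElement.GetProperty("access_token").GetString();
    }
}
```

Because client_credentials is an app-only flow, the Graph permission needed (here Mail.Send) must be granted as an application permission with admin consent rather than the delegated scopes in the question. The certificate's private key should be loaded from a certificate store or Key Vault at runtime, not deployed with the app.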

    I have managed to resolve this using the link here https://learn.microsoft.com/en-us/graph/auth-v2-user. Unfortunately I am getting an error while submitting my answer; will try again later. – Gauls Sep 06 '21 at 19:15