4

Good Day,

Currently I have a single tenant with a React UI and .NET Core APIs secured by Azure Active Directory without any problems.

We have recently moved to a new Azure tenant, new Active Directory etc. I have created two new App Registrations, one single App Service for the UI and one for the API. I have linked the App Services to AAD (UI = UI App Registration, API = API App Registration).

The problem is the API is getting a 401 error, and I can see that in the original tenant the Bearer token is in JWT format but in the new instance it's not; I believe it may be a Graph API access key.

New Tenant: Authorization: Bearer PAQABAAAAAAD--DLA3VO7QrddgJg7WevrQvEQVbZEMD8su-tIp9k2bTFUTort7SZgeDI52P6KRYefHgtmj4YrecgUKZJ2wylGuhvIzIz642n7Sg0VMU1RwKtrzWlaMqK62CaSoJcstxiEf6 *****

Original Tenant: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyIsImtpZCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyJ9.eyJhdWQiOiI3OThkN2ZkOC0zODk2LTQxOGMtOTQ0Ny0wNGFlNTQ2OGFkNDIiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC83ZDE3NTU3Ni03Y2Y3LTQyMDctOTA5My0wNmNiNmQyZDIwNjAvIiwiaWF0IjoxNjE2NDUyNzExLCJuYmYiOjE2MTY0NTI3MTEsImV4cCI6MTYxNjQ1NjYxMSwiYWNyIjoiMSIsImFpbyI6IkFTUUEyLzhUQUFBQU9mejhPZHp *****

Would someone be kind enough to provide some guidance / input on where I am going wrong?

Regards Paul.

9
  • have you tried sending the authentication call via Fiddler and reading the raw response? I wonder if there are any interesting details in there except a bare 401... Commented Mar 22, 2021 at 23:01
  • Not really, only getting the following "You do not have permission to view this directory or page." If I turn off Auth for API, everything works as expected. Commented Mar 22, 2021 at 23:11
  • I see. I suggest that you share your request URL/body/query string, or code if using a client library, so we know what endpoint you are calling. Commented Mar 22, 2021 at 23:13
  • In your original (pre-migration) domain setup, did you have two AD applications, one for the app and one for the API? Or did you have one AD app for both? Commented Mar 22, 2021 at 23:23
  • I created the post-migration setup the same as the original (but that was done by someone else), so there are two app registrations, one for the UI and one for the API. Commented Mar 22, 2021 at 23:33

5 Answers

3

Either you have to use the endpoint version 2 with this authority: https://login.microsoftonline.com/{tenant}/v2.0

Version 2 does not support the resource parameter, but scopes contain the full URI. For example: https://contoso.com/api/Employees.Read.All

Or you use the endpoint version 1 (default if you don't specify a version https://login.microsoftonline.com/{tenant}) and you have to specify an additional resource parameter. Otherwise, the access token is not a JWT.

For example, if your web API's application ID URI is https://contoso.com/api and the scope name is Employees.Read.All:

Scopes

Then, in a .NET client, you can set the OpenIdConnectOptions.Resource property.

In a JS client with oidc-client, the configuration should be:

scope: 'openid profile email Employees.Read.All', extraQueryParams: { resource: 'https://contoso.com/api' } 

In App Service auth configuration, you can use additionalLoginParams

"additionalLoginParams": ["response_type=code", "resource=https://contoso.com/api"] 

If you did not use a custom application ID URI, it may look like api://868662dd-3e28-4c7f-b7d5-7ec02ac9c601

Quickstart: Configure an application to expose a web API



0

Firstly, the scope is incorrect.

You should Expose an API in your API App Registration and then add it as a permission in your UI App Registration. You can refer to this document.

And when you call the https://login.windows.net/{tenant}/oauth2/authorize endpoint, you need to specify the scope to include api://{app id of the API App Registration}. For example: api://{app id of the API App Registration} openid profile email. Then the access token would be for calling your API.

Lastly, for the CORS issue, please configure CORS as * in your web app to see if it helps.


0

Try to follow this step: Configure App Service to return a usable access token


0

In my experience, this problem occurs when you try to authorize against version 1 of the endpoint. Instead of calling

https://login.microsoftonline.com/{tenant}/oauth2/authorize 

call

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize 

You might be required to set something like "metadata URL" in your authorization library to:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/.well-known/openid-configuration 
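One way to tell these situations apart from the API side, as an added example that is not code from the question or from any of these answers: the Node.js script below classifies the Authorization header the way this answer and the first answer describe (an opaque token from the v1 endpoint without a resource parameter, versus a JWT from v1 with a resource or from v2 with a full-URI scope) by inspecting the token's shape and its issuer and audience claims. Tenant and application IDs are constructed placeholders, the sample tokens are unsigned, and the script deliberately does not verify signatures; that stays the job of the API's JWT bearer middleware.

```javascript
// Added diagnostic (not code from the question or any answer): inspect the
// Authorization header an API receives and report, from the token's own claims,
// whether it came from the Azure AD v1 or v2 endpoint and whether it is
// addressed to this API. No signature verification is done here.

// JWT segments are base64url without padding; restore both before decoding.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Extract the bearer token from an Authorization header value, or null.
function bearerToken(headerValue) {
  const m = /^Bearer\s+(\S+)$/i.exec(headerValue || '');
  return m ? m[1] : null;
}

// Parse header and payload of a JWT; null if the string is not JWT-shaped.
function parseJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return {
      header: JSON.parse(base64UrlDecode(parts[0])),
      payload: JSON.parse(base64UrlDecode(parts[1])),
    };
  } catch (e) {
    return null;
  }
}

// v1 tokens carry ver "1.0" and iss https://sts.windows.net/{tid}/
// v2 tokens carry ver "2.0" and iss https://login.microsoftonline.com/{tid}/v2.0
const V1_ISSUER = /^https:\/\/sts\.windows\.net\/[0-9a-f-]{36}\/$/i;
const V2_ISSUER = /^https:\/\/login\.microsoftonline\.com\/[0-9a-f-]{36}\/v2\.0$/i;

function classifyToken(headerValue, expectedAudiences) {
  const token = bearerToken(headerValue);
  if (!token) return { kind: 'missing', reason: 'no Bearer token in Authorization header' };
  const jwt = parseJwt(token);
  if (!jwt) {
    // Not three dot-separated segments: an opaque token. The v1 endpoint hands
    // one of these out when no resource parameter was sent, and the API cannot
    // validate it against its own audience.
    return { kind: 'opaque', reason: 'token is not a JWT; was a resource (v1) or API scope (v2) requested?' };
  }
  const { iss = '', aud = '', ver } = jwt.payload;
  const version = ver || (V1_ISSUER.test(iss) ? '1.0' : V2_ISSUER.test(iss) ? '2.0' : 'unknown');
  const issuerOk = version === '1.0' ? V1_ISSUER.test(iss) : V2_ISSUER.test(iss);
  const audienceOk = expectedAudiences.includes(aud);
  return {
    kind: 'jwt', version, iss, aud, issuerOk, audienceOk,
    reason: !issuerOk ? `issuer ${iss} does not match a ${version} Azure AD issuer`
          : !audienceOk ? `audience ${aud} is not this API (expected one of ${expectedAudiences.join(', ')})`
          : 'token is a JWT addressed to this API; signature and expiry are still checked by the middleware',
  };
}

// ---- constructed sample data: placeholder IDs, unsigned tokens ----
function makeSampleJwt(payload) {
  // "sig" is a placeholder signature; these samples would never pass real validation.
  return `${base64UrlEncode({ alg: 'RS256', typ: 'JWT' })}.${base64UrlEncode(payload)}.sig`;
}
const SAMPLE_TID = '00000000-0000-0000-0000-000000000001';    // placeholder tenant id
const API_CLIENT_ID = '11111111-1111-1111-1111-111111111111'; // placeholder API app id
const EXPECTED_AUD = [API_CLIENT_ID, `api://${API_CLIENT_ID}`, 'https://contoso.com/api'];

const SAMPLES = {
  v1WithResource: `Bearer ${makeSampleJwt({ aud: 'https://contoso.com/api', iss: `https://sts.windows.net/${SAMPLE_TID}/`, ver: '1.0' })}`,
  v2WithScope:    `Bearer ${makeSampleJwt({ aud: API_CLIENT_ID, iss: `https://login.microsoftonline.com/${SAMPLE_TID}/v2.0`, ver: '2.0' })}`,
  v2WrongAud:     `Bearer ${makeSampleJwt({ aud: '22222222-2222-2222-2222-222222222222', iss: `https://login.microsoftonline.com/${SAMPLE_TID}/v2.0`, ver: '2.0' })}`,
  opaque:         'Bearer PAQABAAAAAAD-constructed-opaque-sample',
};

for (const [name, header] of Object.entries(SAMPLES)) {
  console.log(name, classifyToken(header, EXPECTED_AUD));
}
```

Run it with `node` against the constructed samples; in practice you would paste the `Authorization` value captured from a failing request (for instance from Fiddler, as suggested in the comments) into `classifyToken` together with the audiences your API is configured to accept. An `opaque` result points at the missing resource/scope, a `jwt` result with `audienceOk: false` points at a token minted for a different app (commonly Graph), and only a fully matching JWT leaves signature, expiry and middleware order as the remaining suspects.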


0

Make sure your builder follows this order (lifted from our API Program.cs).

These must be in the order UseRouting -> UseAuthentication -> UseAuthorization -> MapControllers:

app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();

If app.UseAuthentication and app.UseAuthorization are not in this order you will get 401 Unauthorized, as of 01/2023 on .NET 6.
