
I secured some of my ASP.NET Web API using Azure AD, as you can see in the code screenshot below:


The strange thing is that sometimes when calling the API in parallel (bulk calls) the client gets an error:

Authorization has been denied for this request

I am unable to detect why it happens only sometimes, even when the client retries the call with another access token. Is there a way to find/debug the exact reason why? Is it maybe because I need to resize the Web/DB (DTU) servers?

1 Answer

Please try to enable PII logging in the Startup.cs file in the configure services method to check for the proper error.

```csharp
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseHsts();
    }

    // Enable PII logging
    Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;

    app.UseHttpsRedirection();
    app.UseAuthentication();
    app.UseMvc();
    ...
}
```

This error, "Authorization has been denied for this request", usually occurs when there is an audience mismatch, i.e. when the audience doesn't match the one the Web API is expecting, which is set in ValidAudience. The audience can be the appId or the appIdUri, depending on the application.


So in place of ValidAudience, please use TokenValidationParameters.ValidAudiences to add both the clientID and the AppIdURI (api://<appIdUri>) in place of AUDIENCE1 and AUDIENCE2:

```csharp
ValidateIssuer = true,
ValidAudiences = new List<string> { "AUDIENCE1", "AUDIENCE2" }
```

With such a configuration, the API call can be validated for both cases.

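To make the audience mismatch concrete, here is an added, self-contained example (not code from the question or the answer above) that mints two JWTs with the two audience forms Azure AD can put in the `aud` claim and validates each against a single `ValidAudience` and against `ValidAudiences`. The client ID, App ID URI, issuer and HMAC signing key are constructed placeholders; Azure AD tokens are RSA-signed with keys fetched from the tenant's OpenID Connect metadata, and the `Issue` helper exists only so the sample runs offline. It uses `System.IdentityModel.Tokens.Jwt` and `Microsoft.IdentityModel.Tokens`.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Tokens;

// Constructed demo: shows why a single ValidAudience rejects a token whose "aud"
// is the App ID URI (or vice versa) while ValidAudiences accepts both forms.
static class AudienceDemo
{
    // Placeholder values; a real app would use its own client ID and App ID URI.
    const string ClientId = "00000000-0000-0000-0000-000000000000";
    const string AppIdUri = "api://00000000-0000-0000-0000-000000000000";
    const string Issuer   = "https://sts.windows.net/<tenant-id-placeholder>/";

    // Constructed symmetric key so the sample runs offline (Azure AD uses RSA keys).
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-key-must-be-at-least-32-bytes-long!"));

    // Mint a token carrying the requested "aud" claim, as two different clients might receive.
    static string Issue(string audience)
    {
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: audience,
            claims: new[] { new Claim("scp", "access_as_user") },
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Validate the token; returns true when accepted and explains the outcome either way.
    static bool TryValidate(string jwt, TokenValidationParameters parameters, out string reason)
    {
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
            reason = "accepted";
            return true;
        }
        catch (SecurityTokenException ex)
        {
            // With ShowPII = true the message names the offending audience instead of "[PII is hidden]".
            reason = ex.GetType().Name + ": " + ex.Message;
            return false;
        }
    }

    static void Main()
    {
        // Same switch the answer recommends for debugging; leave it off in production logs.
        IdentityModelEventSource.ShowPII = true;

        var narrow = new TokenValidationParameters
        {
            ValidateIssuer = true,  ValidIssuer = Issuer,
            ValidateAudience = true, ValidAudience = ClientId,      // only one audience form
            IssuerSigningKey = Key,
        };
        var wide = new TokenValidationParameters
        {
            ValidateIssuer = true,  ValidIssuer = Issuer,
            ValidateAudience = true,
            ValidAudiences = new List<string> { ClientId, AppIdUri }, // both forms accepted
            IssuerSigningKey = Key,
        };

        foreach (var aud in new[] { ClientId, AppIdUri })
        {
            var jwt = Issue(aud);
            TryValidate(jwt, narrow, out var narrowResult);
            TryValidate(jwt, wide, out var wideResult);
            Console.WriteLine($"aud={aud}\n  ValidAudience : {narrowResult}\n  ValidAudiences: {wideResult}");
        }
    }
}
```

Running it shows the token with `aud` equal to the client ID accepted by both parameter sets, while the `api://` token fails the `narrow` set with a `SecurityTokenInvalidAudienceException` and passes the `wide` set. The same `TokenValidationParameters` type is what the OWIN `WindowsAzureActiveDirectoryBearerAuthenticationOptions.TokenValidationParameters` property consumes in classic ASP.NET Web API, so the `ValidAudiences` fix applies there too. On the comment's question about `ValidateAudience = false`: that setting makes the API accept any token the tenant issued for any other API, so listing every legitimate audience in `ValidAudiences` is the safer way to stop the intermittent denials.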

3 Comments

What if I set 'ValidateAudience = false'? Is it safe?
I also want to mention that I am not using .CoreMVC but the AspNet.MVC framework.
ValidateAudience, ValidateIssuer, etc. are for validating the incoming token to check whether it is the token that is meant for your API per the prescribed criteria, and allow it accordingly. ValidateAudience=true validates whether the recipient of the token is authorized to receive it. According to the requirement, you may consider them or bypass them if not needed for validation. See this.
