Jaxidian

Reputation: 13511

Unable to get bearer token from AAD to consume Web API

I am attempting to secure my Web API applications such that only specific users and applications can consume the services. I have followed many different instructions that have suggested that I have the following code to authenticate (I have simplified this to be easily reproducible in a Console application):

using System;
using System.Globalization;
using Microsoft.IdentityModel.Clients.ActiveDirectory;   // ADAL 2.x: AuthenticationContext, ClientCredential
using Microsoft.Rest;                                     // TokenCredentials
using Microsoft.Rest.Azure.Authentication;                // ApplicationTokenProvider

class Program
{
    // App ID URI / client id of the protected Web API (the resource being requested)
    private const string ServicesClientId = "11111111-1111-1111-1111-111111111111";
    // Client id and key of the consuming (calling) application
    private const string ClientId = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa";
    private const string ClientKey = "abcdefghijklmnopqrstuvwxyz1234567890=";
    private const string AadLoginUri = "https://login.windows.net/{0}";
    private const string TenantId = "example.onmicrosoft.com";

    private static readonly string Authority = string.Format(CultureInfo.InvariantCulture, AadLoginUri, TenantId);

    static void Main(string[] args)
    {
        var clientCredential = new ClientCredential(ClientId, ClientKey);
        var context = new AuthenticationContext(Authority, false);

        // Client-credentials flow: request an app-only token for the Web API.
        // This line fails!
        var appAuthResult = context.AcquireToken(ServicesClientId, clientCredential);
        // AADSTS50105: Application 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' is not
        // assigned to a role for the application '11111111-1111-1111-1111-111111111111'.

        // Wrap the result so the generated client can attach the bearer token to each request.
        var appAuthTokenProvider = new ApplicationTokenProvider(context, "https://example.azurewebsites.net", clientCredential, appAuthResult);
        var tokenCreds = new TokenCredentials(appAuthTokenProvider);

        Console.WriteLine(tokenCreds.ToString());
        Console.ReadLine();
    }
}

So this code works beautifully as long as user assignment is disabled but the moment that user assignment is enabled (and you wait a minute as it doesn't appear to be effective instantly even though it says it was successfully enabled), it fails.

User Assignment setting in the Azure Portal

I receive the following error:

AADSTS50105: Application 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' is not assigned to a role for the application '11111111-1111-1111-1111-111111111111'.

What must I do to get this to work?

I have tried and tried all sorts of things to get this to go away without luck. Things I have tried:

  1. Adding the default "Access MyWebAPI" permission from my registered client to the registered Web API project
  2. Changing the manifest for the Web API application to add an App Role: { "allowedMemberTypes": [ "Application" ], "displayName": "Universal App Client", "id": "c27e3fa1-e96a-445c-aaf7-8cbb60cca980", "isEnabled": true, "description": "Application Consuming all Services.", "value": "AppClient" } and then setting the Application Permission (on the registered consuming application) to have this new "Universal App Client" permission.
  3. Changing the manifest for the Web API application to add the consuming application's Client ID under the knownClientApplications array.
  4. I have reprovisioned my Web API application several times in case I goofed it up via the troubleshooting process but I always end up
  5. Patting my head while rubbing my stomach.

I'm not sure what to try next.


For reference purposes, here is my packages.config file:

<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Microsoft.IdentityModel.Clients.ActiveDirectory" version="2.28.1" targetFramework="net46" />
  <package id="Microsoft.Rest.ClientRuntime" version="1.8.2" targetFramework="net46" />
  <package id="Microsoft.Rest.ClientRuntime.Azure.Authentication" version="0.11.3" targetFramework="net46" />
  <package id="Newtonsoft.Json" version="9.0.1" targetFramework="net46" />
</packages>

This question is similar to this other question but the answer to that question (reprovision & redeploy it) does not work for me, as mentioned above.

Upvotes: 1

Views: 423

Answers (1)

Fei Xue

Reputation: 14649

I could reproduce this issue too. I found that when I grant the application role to the web API, the role may not be granted as expected. Here is a figure for your reference:

As a workaround to limit the users and applications, we can code it in the web API to implement the token handler ourselves. For example, we can configure the allowed users and applications and then parse the access token to retrieve the appid and upn to verify it. For more detail about a custom token handler, you can refer to this thread.

And for the original issue, I am also trying to report it internally.

Upvotes: 2
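One way to implement the allow-list check the answer describes, as an added example that is not code from either poster: an ASP.NET Web API authorization filter that runs after the bearer-token middleware has already validated the JWT (signature, issuer, audience, expiry) and then restricts callers to configured application ids (the appid claim) and users (the upn claim). The attribute name, the allow-list contents and the user name are constructed for illustration; the ClaimsPrincipal, the "appid" claim and the upn claim names follow what AAD v1 access tokens carry.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical allow-list filter. Apply it to a controller or action with [AllowedCallers].
// It does NOT validate the token itself; the JWT bearer middleware must already have
// established an authenticated ClaimsPrincipal before this filter runs.
public sealed class AllowedCallersAttribute : AuthorizationFilterAttribute
{
    // Constructed sample values; in a real service load these from configuration.
    public static readonly HashSet<string> AllowedAppIds = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"   // the consuming client application from the question
    };

    public static readonly HashSet<string> AllowedUpns = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "alice@example.onmicrosoft.com"          // constructed example user
    };

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            Reject(actionContext, HttpStatusCode.Unauthorized, "No authenticated caller.");
            return;
        }

        if (!IsAllowedCaller(principal))
        {
            Reject(actionContext, HttpStatusCode.Forbidden, "Caller is not in the allow list.");
        }
    }

    // Decision logic kept separate so it can be unit-tested with a constructed ClaimsPrincipal.
    public static bool IsAllowedCaller(ClaimsPrincipal principal)
    {
        // AAD v1 tokens carry the calling application's client id in the "appid" claim.
        string appId = principal.FindFirst("appid")?.Value;

        // The user's UPN arrives either as the short "upn" claim or, after claim-type mapping
        // by the JWT handler, as ClaimTypes.Upn. Check both.
        string upn = principal.FindFirst("upn")?.Value ?? principal.FindFirst(ClaimTypes.Upn)?.Value;

        // The calling application must always be on the allow list.
        if (appId == null || !AllowedAppIds.Contains(appId))
        {
            return false;
        }

        // App-only (client-credentials) tokens have no upn: the appid check alone decides.
        // Delegated tokens (a user signed in through the app) must also name an allowed user.
        return upn == null || AllowedUpns.Contains(upn);
    }

    private static void Reject(HttpActionContext actionContext, HttpStatusCode status, string reason)
    {
        actionContext.Response = actionContext.Request.CreateResponse(status, reason);
    }
}
```

Two design points worth keeping in mind: the filter is an additional authorization layer, not a replacement for token validation, so an unsigned or expired token must still be rejected by the bearer middleware before this code sees a principal; and missing claims are treated as a deny (a token without appid never passes), which is the safe default for an allow list.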
