user3376642

Reputation: 527

Secure web API with AAD - Authorization has been denied for this request

I use an AngularJS web application to log in to Azure => this part is working.

But when I try to access an authorized controller in my web app, I receive "Authorization has been denied", although the authorization bearer token has been sent to the web API.

my Startup.Auth.cs

using System.Configuration;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                // Compared with the "aud" claim of the incoming JWT
                Audience = ConfigurationManager.AppSettings["ida:Audience"],
                // Assumed setting: the middleware needs the tenant to fetch the signing keys
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
            });
    }

ApiController

using System.Collections.Generic;
using System.Web.Http;

[Authorize]
public class ValuesController : ApiController
{
    // GET api/values
    public IEnumerable<string> Get()
    {
        return new string[] { "value1", "value2" };
    }
}

Error:

<Error>
  <Message>Authorization has been denied for this request.</Message>
</Error>

Response Header:

VzViQXBwbGljYXRp 
b245XGFwaVx2YWx1ZXM=?=

Upvotes: 1

Views: 1060

Answers (1)

Bruce Chen

Reputation: 18465

AFAIK, we would leverage adal.js and adal-angular.js in the AngularJS application to authenticate users and get tokens on the client side. For details, you could follow the tutorials Azure AD AngularJS getting started and Integrating Azure AD into an AngularJS single page app to narrow down this issue.

But when I try to access an authorized controller in my web app, I receive the "Authorization has been denied". While the authorization bearer token has been sent to the web API.

If you manually enable the middleware to validate the token, you need to make sure that you have correctly configured WindowsAzureActiveDirectoryBearerAuthenticationOptions.Audience or TokenValidationParameters.AllowedAudience(s), which is compared with the aud property of the incoming JWT token. You could press F12 when browsing your app and trace the Network tab, or use Fiddler to capture your bearer token, then use https://jwt.io/ to decode your token.

Moreover, if you use the built-in Authentication and Authorization feature of Azure App Service for your backend web app, you need to correctly configure the Client ID or ALLOWED TOKEN AUDIENCES for AD authentication under the Authentication / Authorization blade of your App Service app.

Upvotes: 1
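The diagnostic the answer describes (capture the bearer token, decode it, compare its aud claim with the audience the API is configured for) can be scripted instead of pasted into jwt.io. The following is an added example and not code from the question or the answer; it runs under Node.js, builds a constructed unsigned sample token (the tenant GUID, issuer and audience URIs are placeholders, not values from the page), and reports whether the token's aud would pass the middleware's audience comparison. It only decodes the payload; signature and issuer verification stay with the OWIN middleware.

```javascript
// Added example: inspect a captured bearer token's payload and compare its
// "aud" claim with the audience(s) the web API is configured to accept.
// Diagnostic only: no signature verification is performed here.

function base64UrlDecode(segment) {
  const padded = segment.replace(/-/g, '+').replace(/_/g, '/')
    + '='.repeat((4 - (segment.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed sample token for offline use. The signature segment is a
// placeholder; a real token carries an RS256 signature over the first two parts.
function makeSampleToken(payload) {
  const header = { typ: 'JWT', alg: 'RS256' };
  return base64UrlEncode(JSON.stringify(header)) + '.'
    + base64UrlEncode(JSON.stringify(payload)) + '.'
    + base64UrlEncode('signature-placeholder');
}

// A compact JWS has exactly three dot-separated segments; the payload is the second.
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWS: expected 3 dot-separated segments');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Mirrors the Audience / AllowedAudiences comparison: "aud" may be a single
// string or an array, and any one match is enough.
function audienceMatches(payload, configuredAudiences) {
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  return aud.some((a) => configuredAudiences.includes(a));
}

// Returns what a defender wants to see when debugging a 401: the claims that
// matter and a list of concrete reasons the token would be rejected.
function diagnose(token, configuredAudiences, nowSeconds = Math.floor(Date.now() / 1000)) {
  const payload = decodePayload(token);
  const problems = [];
  if (!audienceMatches(payload, configuredAudiences)) {
    problems.push('aud ' + JSON.stringify(payload.aud)
      + ' is not among configured audiences ' + JSON.stringify(configuredAudiences));
  }
  if (typeof payload.exp === 'number' && payload.exp <= nowSeconds) {
    problems.push('token expired at exp=' + payload.exp);
  }
  return { aud: payload.aud, iss: payload.iss, ok: problems.length === 0, problems };
}

// Constructed placeholder values (not from the page).
const SAMPLE_TENANT = '00000000-0000-0000-0000-000000000000';
const SAMPLE_APP_ID_URI = 'https://contoso.onmicrosoft.com/webapi';
const SAMPLE_CLIENT_ID = '11111111-1111-1111-1111-111111111111';

const sampleToken = makeSampleToken({
  aud: SAMPLE_APP_ID_URI,
  iss: 'https://sts.windows.net/' + SAMPLE_TENANT + '/',
  exp: 2000000000,
});

// Typical misconfiguration: ida:Audience holds the client ID GUID while the
// token was issued for the App ID URI, so the aud comparison fails.
console.log(diagnose(sampleToken, [SAMPLE_CLIENT_ID], 1500000000));
// After aligning ida:Audience with the App ID URI the same token is accepted.
console.log(diagnose(sampleToken, [SAMPLE_APP_ID_URI], 1500000000));
```

Run it with `node` after replacing `sampleToken` with a token copied from the browser's Network tab; the `problems` array tells you whether the 401 comes from an audience mismatch or from an expired token, which is the first thing to rule out before looking at the signing-key or issuer configuration.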
