Reputation: 80
Web API on-behalf-of adal id_token error
I have created a Web API in Azure. This Web API makes some calls in SharePoint Online. Some of the api calls are on-behalf-of.
This Web API works fine until 01.05.2018 - and it works fine on old app services, which were created before 01.05.2018.
A microsoft staff member said:
As part of our security hardening efforts we do not allow id_token redemption for any application created after 2018-05-01 00:00:00.
During the log in process of adal, I got the id_token. The id_token has got the same value as the access_token:
When I call the web api, I will send this token as bearer token. The Web API takes this token (string accessToken) and starts the method 'AcquireTokenAsync':
var clientID = ConfigurationManager.AppSettings["ClientID"];
var clientSecret = ConfigurationManager.AppSettings["ClientSecret"];
var tenant = ConfigurationManager.AppSettings["Tenant"];
var appCred = new ClientCredential(clientID, clientSecret);
var authContext = new AuthenticationContext(
"https://login.microsoftonline.com/" + tenant);
var resource = new Uri(sharePointUrl).GetLeftPart(UriPartial.Authority);
var authResult = await authContext.AcquireTokenAsync(resource, appCred,
new UserAssertion(accessToken));
return authResult.AccessToken;
But in the line which calls 'AcquireTokenAsync' I have got the error message:
AADSTS240002: Input id_token cannot be used as 'urn:ietf:params:oauth:grant-type:jwt-bearer' grant
But where is the problem?
Upvotes: 1
Views: 951
Answers (1)
Reputation: 58733
The problem is that you use the same application identity in the front-end and back-end, and MS does not allow you to use the Id token (which you use as an access token here because of the former) to get another access token.
A possible solution:
- Register another application (the front-end JS app should be a Native app)
- It should acquire an access token for your back-end API using either the API's client id or app Id URI as the resource
- Then the API can exchange the access token for another access token
If this is a multi-tenant app, the migration is probably not going to be easy. If it's single-tenant, then all should be possible. Your front-end app should of course require permission to call your back-end API in Azure AD, and that permission should be granted.
Another solution would be to acquire the other access token in the front-end using ADAL.JS instead of using on-behalf-of in the back-end and attaching that to all API requests in addition to the Id token.
Upvotes: 1
Related Questions
- ASP.NET Web API authorized using Azure AD: Authorization has been denied
- Azure AD API request 401 Unauthorized
- ASP.NET Web API - How to acquire access token in Azure AD's token URL
- MSAL Error message AADSTS65005 when trying to get token for accessing custom api
- Not getting the Token in Azure API Apps - ADAL
- Azure AD authentication token fails web api authorization
- How to get On-Behalf-Of-User token in .NET using ADAL
- Azure Active Directory Token
- Azure API Apps Access Token (ADAL) not working
- Unable to get bearer token from AAD to consume Web API