CODEWITHSUNDEEP
azure-active-directoryazure-ad-msalmsal.js
user1868744
user1868744

Reputation: 1033

Access Token do not include access for API with MSAL

I am using MSAL for JavaScript in a react app to authenticate against Azure AD. I am able to successfully authenticate user and get id token and access token. But the retrieved access token cannot access the API that is secured with Azure AD.

Everything is configured find on Azure AD side as I can use the retrieved access token to talk to the API using a dotnet core web app.

The difference between dotnet core app and react app is the "resource" attribute. I am not sure how to include that in the request with MSAL.

My React Code:

userAgentApplication = new UserAgentApplication(
    "<clientid>",
    "<azureAdUrl>",
    this.authCallback,
    { redirectUri: "http://localhost:3000/", cacheLocation: "localStorage" }
  );

  authCallback(errorDesc, token, error, tokenType) {
    if (token) console.log(token);
  }


login() {
    this.userAgentApplication.loginRedirect().then(function(idToken) {

      this.userAgentApplication.acquireTokenSilent().then(
        function(accessToken) {
          console.log('Access Token: ' + accessToken);
        }
      );
    });
  }

With a dotnet core app, I am using same configurations as both URL's configured in Azure AD app with one addition.

.AddOpenIdConnect(o =>
                {
                    ....
                    o.Resource = "GUID of the API";
                });

I am not sending this resource parameter with MSAL.Not sure how to send that and if that is that is the problem.

Any help is appreciated.

Upvotes: 1

Views: 2331

Answers (1)

Jean-Marc Prieur
Jean-Marc Prieur

Reputation: 1659

MSAL uses the notion of scopes, not resources. My impression reading your question is that this is a v1 Web API (registered with the App registration blade in the Azure portal ? if that's the case the scope for your resource is probably o.Resource+"/user_impersonation"

if it's a v2.0 API (registered with apps.dev.microsoft.com) or the Azure portal but with the New Application registration (Preview), then the scope is provided at registration

For an ASP.NET Core application you might want to have a look at the following sample: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2, and probably this branch aspnetcore2-2-signInAndCallGraph

Upvotes: 3

Related Questions