Reputation: 1192
I have been banging my head against a wall for some time now.
Desktop WPF app calling an ASP.NET Web API.
I am using the [AUTHORIZE] annotation on the ASP.NET app. This is where the problems have started.
Using MSAL from the WPF app:
```csharp
using Microsoft.Identity.Client;

// Shared MSAL client for the whole desktop app; App.PublicClientApp is what the
// token-acquisition code below calls.
private static IPublicClientApplication _clientApp;
public static IPublicClientApplication PublicClientApp => _clientApp;

static App()
{
    // ClientId: the desktop app's registration; Tenant: tenant ID or verified domain
    _clientApp = PublicClientApplicationBuilder.Create(ClientId)
        .WithAuthority(AzureCloudInstance.AzurePublic, Tenant)
        .WithDefaultRedirectUri()
        .Build();
}
```
ClientId refers to the app registration of the desktop app in Azure.
```csharp
using System.Linq;
using Microsoft.Identity.Client;

// The scope is the one exposed by the web API registration under "Expose an API"
// (Application ID URI + scope name), not a scope of the desktop app itself.
string[] scopes = new string[] { "api://****-f56f-4cec-a771-dbdb5d43f047/access_as_user" };
var accounts = await App.PublicClientApp.GetAccountsAsync();
AuthenticationResult authResult;
try
{
    // Try the token cache first; this succeeds silently after the first sign-in
    authResult = await App.PublicClientApp
        .AcquireTokenSilent(scopes, accounts.FirstOrDefault())
        .ExecuteAsync();
}
catch (MsalUiRequiredException)
{
    // Only fall back to the interactive flow when MSAL says user interaction is
    // required; other exceptions (network, configuration) should surface, not be hidden
    authResult = await App.PublicClientApp
        .AcquireTokenInteractive(scopes)
        .ExecuteAsync();
}
```
The app registration for the web API is also there. I have set up the scope via 'Expose an API' and given delegated permission to the desktop app to call into the web API.
When I call in I get:
StatusCode: 401, ReasonPhrase: 'Unauthorized', Version: 1.1, Content: System.Net.Http.StreamContent, Headers
I can call a non-[AUTHORIZE] endpoint no problem, so the API is working fine. I have endlessly been through the MSAL documentation.
Things I am unsure about: AppRoles in the manifest. Do they need to be authorised anywhere apart from adding them to the manifest? Do I leave App Service (Web API) as 'Anonymous access is enabled on the App Service app. Users will not be prompted for login.'? Is MSAL taking care of that? I am assuming you can either use MSAL code or secure the API via AD (Authentication/Authorization).
I have dug myself into a hole and can't see out right now, so excuse me a little. Thanks
Upvotes: 1
Views: 1056
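As an added diagnostic for the client side (this is not code from the original post), the following helper attaches the MSAL access token as a bearer token and, before sending it, decodes the token locally to show the two claims an ASP.NET bearer middleware checks first: `aud` (must be the web API's App ID URI or client ID, depending on the API registration's token version) and `scp` (must contain `access_as_user`). It assumes the `authResult` from the AcquireToken* calls above, a hypothetical `apiUrl`, and the System.IdentityModel.Tokens.Jwt package.

```csharp
using System.Diagnostics;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

static async Task<string> CallApiAsync(AuthenticationResult authResult, string apiUrl)
{
    // Inspect the token locally before sending it. A 401 from the API almost always
    // means the aud or scp claim is not what the API was configured to accept.
    var jwt = new JwtSecurityTokenHandler().ReadJwtToken(authResult.AccessToken);
    string aud = jwt.Claims.FirstOrDefault(c => c.Type == "aud")?.Value ?? "(none)"; // expect api://<api-client-id> or <api-client-id>
    string scp = jwt.Claims.FirstOrDefault(c => c.Type == "scp")?.Value ?? "(none)"; // expect "access_as_user"
    string ver = jwt.Claims.FirstOrDefault(c => c.Type == "ver")?.Value ?? "(none)"; // "1.0" or "2.0"
    Debug.WriteLine($"aud={aud} scp={scp} ver={ver}");

    using var client = new HttpClient();
    using var request = new HttpRequestMessage(HttpMethod.Get, apiUrl);
    // The bearer token goes in the Authorization header; MSAL does not add it for you
    request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);

    using var response = await client.SendAsync(request);
    if (response.StatusCode == HttpStatusCode.Unauthorized)
    {
        // ASP.NET Core's JWT bearer middleware puts the validation failure reason
        // (e.g. invalid audience, invalid issuer) into WWW-Authenticate
        Debug.WriteLine("401 details: " + string.Join("; ", response.Headers.WwwAuthenticate));
    }
    response.EnsureSuccessStatusCode();
    return await response.Content.ReadAsStringAsync();
}
```

If `aud` shows a value other than the web API's registration, the desktop app received a token for a different resource and the API will reject it regardless of how [Authorize] is configured; if `scp` is missing, the delegated permission was not consented to or the requested scope string does not match the exposed one.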
Reputation: 2756
Please take a look at: https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad#-configure-with-advanced-settings
At the top of that document there is a note saying:
Note
The express settings flow sets up an AAD V1 application registration. If you wish to use Azure Active Directory v2.0 (including MSAL), please follow the advanced configuration instructions.
Basically this means that you can't really use MSAL with the express setup, but you can with the advanced one.
Then the section under it describes what you need to do for a desktop app in terms of adding API permissions to your App Service.
Hopefully this puts you a bit on the right track; if not, please comment further and I will try to help as much as possible.
Upvotes: 1
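The answer covers the App Service (Easy Auth) side. If instead the API itself validates the token, as the [AUTHORIZE] attribute in the question implies, the ASP.NET Core configuration below is an added example (not from the original question, the answer, or Microsoft's samples) of what the API has to accept for the MSAL token above to pass. It uses the v2.0 authority to match the MSAL client, accepts both audience forms because the `aud` claim differs between v1 and v2 access tokens for the same registration, and enforces the delegated `access_as_user` scope with an authorization policy. The tenant and client ID values are placeholders.

```csharp
// Program.cs of the ASP.NET Core Web API (minimal-hosting style).
// Requires the Microsoft.AspNetCore.Authentication.JwtBearer package.
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Placeholder values: these belong to the WEB API's registration, not the desktop app's
const string tenantId = "<tenant-id>";
const string apiClientId = "<web-api-app-registration-client-id>";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // v2.0 authority: the OpenID metadata here supplies the signing keys
        options.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            // accessTokenAcceptedVersion in the API manifest decides which form the
            // aud claim takes: v1 tokens carry "api://<client-id>", v2 the bare client id.
            // Accepting both avoids the most common cause of a 401 on a valid token.
            ValidAudiences = new[] { apiClientId, $"api://{apiClientId}" },
            ValidIssuers = new[]
            {
                $"https://login.microsoftonline.com/{tenantId}/v2.0",
                $"https://sts.windows.net/{tenantId}/",
            },
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Delegated permission check: the token must carry the scope exposed under
    // "Expose an API". The claim is "scp" in the token; the default inbound claim
    // mapping may surface it under the long schema URI, so check both.
    options.AddPolicy("AccessAsUser", policy =>
        policy.RequireAssertion(ctx =>
        {
            var scopeClaim = ctx.User.FindFirst("scp")
                ?? ctx.User.FindFirst("http://schemas.microsoft.com/identity/claims/scope");
            return scopeClaim != null
                && scopeClaim.Value.Split(' ').Contains("access_as_user");
        }));
});

var app = builder.Build();

// Order matters: authentication must run before authorization
app.UseAuthentication();
app.UseAuthorization();

// Equivalent of an [Authorize]-decorated action: anonymous callers get 401,
// authenticated callers without the scope get 403
app.MapGet("/api/values", (ClaimsPrincipal user) =>
        Results.Ok(new { name = user.FindFirst("name")?.Value }))
    .RequireAuthorization("AccessAsUser");

app.Run();
```

With this in place the App Service authentication setting can stay on anonymous access, because the API performs its own token validation; enabling Easy Auth as well means two validators must both accept the token, which is where the v1/v2 mismatch described in the answer's linked note bites.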