Paul

Reputation: 65

Azure Active Directory - UI > API - 401 Error

Good Day,

Currently I have a single tenant with a React UI and .NET Core APIs secured by Azure Active Directory without any problems.

We have recently moved to a new Azure Tenant, new Active Directory etc. I have created two new App Registrations, one single App Service for UI and one for API. I have linked the App Service to AAD (UI = UI App Registration, API = API App Registration).

The problem is the API is getting a 401 error and I think I see that in the original tenant the Bearer token is in a JWT format but in the new instance it's not; I believe it may be a Graph API access key.

New Tenant: Authorization: Bearer PAQABAAAAAAD--DLA3VO7QrddgJg7WevrQvEQVbZEMD8su-tIp9k2bTFUTort7SZgeDI52P6KRYefHgtmj4YrecgUKZJ2wylGuhvIzIz642n7Sg0VMU1RwKtrzWlaMqK62CaSoJcstxiEf6 *****

Original Tenant: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyIsImtpZCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyJ9.eyJhdWQiOiI3OThkN2ZkOC0zODk2LTQxOGMtOTQ0Ny0wNGFlNTQ2OGFkNDIiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC83ZDE3NTU3Ni03Y2Y3LTQyMDctOTA5My0wNmNiNmQyZDIwNjAvIiwiaWF0IjoxNjE2NDUyNzExLCJuYmYiOjE2MTY0NTI3MTEsImV4cCI6MTYxNjQ1NjYxMSwiYWNyIjoiMSIsImFpbyI6IkFTUUEyLzhUQUFBQU9mejhPZHp *****

Would someone be kind enough to provide some guidance / input on where I am going wrong.

Regards Paul.

Upvotes: 4

Views: 2173

Answers (5)

L.Vallet

Reputation: 1042

Either you have to use the endpoint version 2 with this authority: https://login.microsoftonline.com/{tenant}/v2.0

Version 2 does not support the resource parameter, but scopes contain the full URI. For example: https://contoso.com/api/Employees.Read.All

Or you use the endpoint version 1 (default if you don't specify a version https://login.microsoftonline.com/{tenant}) and you have to specify an additional resource parameter. Otherwise, the access token is not a JWT.

For example, if your web API's application ID URI is https://contoso.com/api and the scope name is Employees.Read.All:

Scopes

Then, in a .NET client, you can set the OpenIdConnectOptions.Resource property.

In a JS client with oidc-client, the configuration should be:

scope: 'openid profile email Employees.Read.All',
extraQueryParams: {
  resource: 'https://contoso.com/api'
}

In App Service auth configuration, you can use additionalLoginParams

"additionalLoginParams": ["response_type=code", "resource=https://contoso.com/api"]

If you did not use a custom application ID URI, it may look like api://868662dd-3e28-4c7f-b7d5-7ec02ac9c601

Quickstart: Configure an application to expose a web API

Upvotes: 3
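An added example in Node.js (not code from the question or from any answer on this page) that makes the two checks above concrete: whether the bearer token is a JWT at all (the v1-endpoint-without-resource case yields an opaque token, as in the question's "New Tenant" header) and, if it is, whether its aud claim names the API. The app id, tenant id and both sample tokens are constructed placeholders.

```javascript
// Added example (not from the question or any answer on this page): inspect a bearer
// token the way a defender triages a 401, to tell an opaque Azure AD v1 token (issued
// when no "resource" was requested) from a JWT, and to check that a JWT's audience is
// the API. It only decodes claims; signature and expiry validation stay with the API's
// JWT bearer middleware.

// base64url -> Buffer (JWT segments are unpadded base64url).
const b64urlDecode = (s) => Buffer.from(
  s.replace(/-/g, '+').replace(/_/g, '/').padEnd(s.length + ((4 - s.length % 4) % 4), '='),
  'base64');
const decodeSegment = (seg) => JSON.parse(b64urlDecode(seg).toString('utf8'));

// A JWT is header.payload.signature with JSON in the first two segments.
function isJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  try { decodeSegment(parts[0]); decodeSegment(parts[1]); return true; } catch { return false; }
}

// expectedAudiences: the API's app ID URI (api://<client id> or a custom URI) and/or its client id.
function inspectBearer(authorizationHeader, expectedAudiences) {
  const token = authorizationHeader.replace(/^Bearer\s+/i, '').trim();
  if (!isJwt(token)) {
    return { kind: 'opaque', audOk: false,
      reason: 'not a JWT: the v1 endpoint was used without a resource parameter' };
  }
  const [h, p] = token.split('.');
  const header = decodeSegment(h);
  const claims = decodeSegment(p);
  const audOk = expectedAudiences.includes(claims.aud);
  return { kind: 'jwt', alg: header.alg, iss: claims.iss, aud: claims.aud, audOk,
    reason: audOk ? 'audience matches the API' : 'JWT issued for a different audience' };
}

// Constructed sample tokens with placeholder ids; the JWT signature is a dummy, not verifiable.
const API_APP_ID = '00000000-0000-0000-0000-000000000001';   // placeholder client id
const TENANT_ID = '11111111-1111-1111-1111-111111111111';     // placeholder tenant id
const b64urlEncode = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
const SAMPLE_JWT = 'Bearer ' + [
  b64urlEncode({ typ: 'JWT', alg: 'RS256', kid: 'placeholder-kid' }),
  b64urlEncode({ aud: `api://${API_APP_ID}`, iss: `https://sts.windows.net/${TENANT_ID}/`, exp: 1616456611 }),
  'placeholder-signature',
].join('.');
const SAMPLE_OPAQUE = 'Bearer PAQABAAAAAAD-placeholder-opaque-token';

console.log(inspectBearer(SAMPLE_OPAQUE, [`api://${API_APP_ID}`]).reason);
console.log(inspectBearer(SAMPLE_JWT, [`api://${API_APP_ID}`]).reason);
```

If the API's own tokens decode but audOk is false, the UI requested the wrong resource/scope; if they do not decode at all, fix the authority or add the resource parameter as described above.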

user21149119

Reputation: 1

Make sure your builder follows this order...lifted from our API program.cs

These must be in the order UseRouting -> UseAuthentication -> UseAuthorization -> MapControllers

>     app.UseRouting();
>     app.UseAuthentication();
>     app.UseAuthorization();
>     app.MapControllers();

If app.UseAuthentication and app.UseAuthorization are not in this order in statement position, you will get 401 Unauthorised as at 01/2023 on .NET 6 Core.

Upvotes: 0

hostar

Reputation: 186

In my experience, this problem occurs when you try to authorize against version 1 of the endpoint. Instead of calling

https://login.microsoftonline.com/{tenant}/oauth2/authorize

call

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize

You might be required to set something like "metadata URL" in your authorization library to:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/.well-known/openid-configuration

Upvotes: 0

jetnet

Reputation: 661

Try to follow this step: Configure App Service to return a usable access token

Upvotes: 0

Allen Wu

Reputation: 16438

Firstly, the scope is incorrect.

You should Expose an API in your API App Registration and then add it as a permission in your UI App Registration. You can refer to this document.

And when you try to call the https://login.windows.net/{tenant}/oauth2/authorize endpoint, you need to specify the scope to include api://{app id of the API App Registration}. For example: api://{app id of the API App Registration} openid profile email. Then the access token would be for calling your API.

Lastly, for the CORS issue, please configure CORS as * in your web app to see if it helps.

Upvotes: 0
