Reputation: 467
I am calling an external REST API which uses AAD-based authentication. I am using the access token generated for a service principal (app registration) in my tenant, and I have granted the appropriate permission/admin consent to my app on the permission defined by the external API.
I generate the access token using the endpoint "https://login.microsoftonline.com/{aadtenantId}/oauth2/token" with a grant_type of client_credentials and the appropriate audience.
The external API is using WindowsAzureActiveDirectoryBearerAuthenticationOptions (doc) to validate the incoming token.
When I call the API with the above token, it returns 401 with the message “Invalid authorization bearer is passed (invalid_grant)”.
How can I find out which option in WindowsAzureActiveDirectoryBearerAuthenticationOptions controls the grant_type to be validated for the token? I am trying to understand what grant_type the external API has been configured to allow. I have access to the source code of the external API, and I don't see anything in the code that controls/validates grant_type.
Upvotes: 0
Views: 2714
Reputation: 15574
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD application and exposed the API:
I generated the access token with the below parameters (the token endpoint is called with POST; the parameters go in the form body):
POST https://login.microsoftonline.com/TenantID/oauth2/token
client_id:ClientID
client_secret:ClientSecret
grant_type:client_credentials
resource:api://ClientID
To validate the token, make sure to configure UseWindowsAzureActiveDirectoryBearerAuthentication in the Startup class like below:
using Owin;
using Microsoft.Owin.Security.ActiveDirectory;
using Microsoft.IdentityModel.Tokens; // System.IdentityModel.Tokens on Microsoft.Owin.Security.ActiveDirectory 3.x

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        ConfigureAuth(app);
    }

    private void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            // Tenant the middleware downloads signing keys and issuer metadata for
            Tenant = "TenantURL", // XXX.onmicrosoft.com
            TokenValidationParameters = new TokenValidationParameters
            {
                // Must match the "aud" claim of the incoming token, i.e. the
                // resource (v1) or the App ID URI behind the scope (v2) the token was requested for
                ValidAudience = "ApplicationIDURL" // api://ClientID
            }
        });
    }
}
The error "401 Invalid authorization bearer is passed (invalid_grant)" usually occurs if you are passing a wrong/invalid resource or scope. Try generating the token with a valid resource and try again.
If the issue still persists, try using the v2.0 endpoint to generate the token like below (again a POST with the parameters in the form body):
POST https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
grant_type:client_credentials
scope:api://ClientID/.default
Upvotes: 0
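The answer's diagnosis (the 401 is almost always an audience mismatch between the token and the API's ValidAudience, not a grant_type setting) is easiest to confirm by decoding the token you actually send and comparing its `aud` and `iss` claims with what the middleware is configured for. The following is an added example, not code from the question or the answer: it builds the v1 (`resource`) and v2 (`scope`) client_credentials request bodies, decodes the JWT payload without verifying the signature (diagnostic only; the OWIN middleware does the real signature check against the tenant's keys), and reports the mismatches. The tenant ID, client ID and the sample tokens are constructed placeholders.

```python
import base64
import json
from typing import Dict, List, Tuple

# --- base64url helpers (JWT segments have no padding) -------------------------

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


# --- client_credentials request bodies for the v1 and v2 token endpoints -------

def v1_token_request(tenant_id: str, client_id: str, client_secret: str,
                     resource: str) -> Tuple[str, Dict[str, str]]:
    """v1 endpoint: the audience is selected with the 'resource' parameter."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "resource": resource}
    return url, form


def v2_token_request(tenant_id: str, client_id: str, client_secret: str,
                     app_id_uri: str) -> Tuple[str, Dict[str, str]]:
    """v2 endpoint: the audience is selected with '<App ID URI>/.default'."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": f"{app_id_uri}/.default"}
    return url, form


# --- token inspection ----------------------------------------------------------

def decode_claims(token: str) -> Dict:
    """Return the JWT payload. Signature is NOT verified; use for diagnosis only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def diagnose(claims: Dict, valid_audiences: set, tenant_id: str,
             now: int) -> List[str]:
    """Compare the token's claims with what the bearer middleware expects.

    Returns a list of human-readable problems; empty means the token should
    pass the audience/issuer/lifetime checks for this tenant and audience set.
    """
    problems = []
    aud = claims.get("aud")
    if aud not in valid_audiences:
        problems.append(f"aud {aud!r} not in ValidAudience set {sorted(valid_audiences)}: "
                        "token was requested for a different resource/scope")
    # v1 tokens carry the sts.windows.net issuer, v2 tokens the login.microsoftonline.com one
    expected_issuers = {f"https://sts.windows.net/{tenant_id}/",
                        f"https://login.microsoftonline.com/{tenant_id}/v2.0"}
    iss = claims.get("iss")
    if iss not in expected_issuers:
        problems.append(f"iss {iss!r} is not an issuer of tenant {tenant_id}")
    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append(f"token expired or has no exp (exp={exp}, now={now})")
    return problems


def make_sample_token(claims: Dict) -> str:
    """Constructed, unsigned sample token for offline testing (placeholder signature)."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    tenant, client = "11111111-2222-3333-4444-555555555555", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    # Token requested for the wrong resource (constructed): reproduces the 401 scenario
    bad = make_sample_token({"aud": "https://graph.microsoft.com", "appid": client,
                             "iss": f"https://sts.windows.net/{tenant}/", "exp": 2_000_000_000})
    print(diagnose(decode_claims(bad), {f"api://{client}"}, tenant, now=1_700_000_000))
    print(v2_token_request(tenant, client, "<secret>", f"api://{client}")[1]["scope"])
```

Run it against the real token by pasting the bearer string into `decode_claims`; if `aud` does not equal the `ValidAudience` in the OWIN Startup, the fix is on the token-request side (`resource` or `scope`), exactly as the answer says, and no option on the middleware selects a grant_type.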