Shiraz Bhaiji

Reputation: 65361

Client Secret not included in Access Token

We use MSAL and Azure AD for authentication.

We have a client and several microservices (that are not hosted in Azure).

The calls from the client to the microservices work fine. But we also need to make calls between the microservices. We are trying to do this using a token that uses a client secret, with the following code:

    // Confidential client: the secret authenticates the app itself to Azure AD when it requests a token
    var app = ConfidentialClientApplicationBuilder
        .Create(clientId)
        .WithClientSecret(clientSecret)
        .WithAuthority(authority)
        .Build();

    // Client credentials flow: an app-only token with no user context
    var acquireTokenForClientParameterBuilder = app.AcquireTokenForClient(scopes);

    var token = await acquireTokenForClientParameterBuilder.ExecuteAsync();

When we try to call the service it fails with:

    WwwAuthenticate {Bearer error="invalid_token"}

When I look at the token in jwt.io, I cannot see the client secret in the token.

Any ideas how to fix this, or an alternative way to call between services?

Upvotes: 0

Views: 650

Answers (1)

Tiny Wang

Reputation: 15906

In your scenario (you have a client + several microservices), you authenticated in the client and used the access token to call your service, and now you want your service to call another service, so you should use the on-behalf-of flow here.

The whole flow can be understood as follows: on the server side, use the request below to generate a new access token, and use that token to send the request to the other service.

    POST /oauth2/v2.0/token HTTP/1.1
    Host: login.microsoftonline.com/<tenant>
    Content-Type: application/x-www-form-urlencoded

    grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
    &client_id={azure_ad_app_id}
    &client_secret={client_secret}
    &assertion={access token to this request}
    &scope={scope}
    &requested_token_use=on_behalf_of

And if the microservice is an ASP.NET Core app, then it should integrate Microsoft.Identity.Web in the application, and we can use var accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(new string[] { "api://xx/scope_name" }); to generate the on-behalf-of token.

Upvotes: 1
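As an added example (not code from the question or the answer), the Python below inspects a token payload the way jwt.io does, runs the checks a resource server applies to a bearer token (audience, expiry, scope), and builds the form body of the on-behalf-of request shown above. The JWT, audience and scope values are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed sample token (placeholder claims, dummy signature) so the
# example runs offline; it is not a real Azure AD token.
SAMPLE_CLAIMS = {
    "aud": "api://microservice-a",   # placeholder audience of the called API
    "exp": 4102444800,               # far-future expiry so the sample stays valid
    "scp": "user_impersonation",
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url(b"dummy-signature"),
])

def decode_claims(token: str) -> dict:
    """Decode the payload segment only, as jwt.io does (no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_problems(claims: dict, expected_audience: str, now: int) -> list:
    """Checks a resource server applies after verifying the signature. Note that
    it never looks for a client secret: secrets are not token claims."""
    problems = []
    if claims.get("aud") != expected_audience:
        problems.append(f"aud {claims.get('aud')!r} is not this API ({expected_audience!r})")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if not (claims.get("scp") or claims.get("roles")):
        problems.append("no scp or roles claim")
    return problems

def build_obo_request(client_id: str, client_secret: str, incoming_token: str, scope: str) -> str:
    """Form body of the on-behalf-of request above; the secret authenticates the request."""
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": incoming_token,
        "scope": scope,
        "requested_token_use": "on_behalf_of",
    })
```

A token minted for one API fails the aud check at another, which is what the resource server reports as invalid_token; the on-behalf-of request exchanges it for a token issued for the downstream scope.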
