
I have a web-api on Azure that requires authorization and I am using Azure AD to authenticate accounts and generate access tokens.

I can successfully acquire access tokens from Azure AD with ADAL for the same account in two different ways, but only one of them is authorized by the web-api, the other one fails.

The following is authenticating an account interactively, and the token is authorized by the web-api:

// resource here is the web-api's application id (GUID); the token's aud claim carries that same value
result = AuthenticationContext.AcquireTokenAsync(resource, clientId, redirectUri, new PlatformParameters(PromptBehavior)).Result;

where resource is web-api application id (guid).

The following is authenticating an account non-interactively with a given user name and password, but the token is not authorized by the web-api:

// resource here is the web-api's Application ID URI; the token's aud claim carries that same value
UserPasswordCredential cred = new UserPasswordCredential(userName, password);
result = AuthenticationContext.AcquireTokenAsync(resource, clientId, cred).Result;

where resource = https://{tenant}/{api name}.

The web-api call is as follows:

// Needs: using System.Net.Http; using System.Net.Http.Headers;
HttpClient httpClient = new HttpClient();
// Send the ADAL access token to the web-api as a Bearer token
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
HttpResponseMessage response = await httpClient.GetAsync(ApplicationCallUri);

Both ways return identical AuthenticationResult objects (apart from tokens and time stamps) and I cannot see why authorization fails for the second one.

The web-api response is "Authorization has been denied for this request."

Since authentication succeeds for both ways, I assume it must be something on the web-api's side. Help is much appreciated. Thanks.

  • Check the token aud claim (audience). It needs to be one of the valid audiences configured for the API. That's what the resource defines. Also, I'd stay away from handling user passwords yourself if possible. If the user has MFA for example, it won't work. Commented May 29, 2019 at 10:19
  • The resource in the second case that fails is the web-api's Application ID URI. Any other value there fails the authentication process. Commented May 29, 2019 at 11:43

1 Answer

Thanks to juunas who pointed out the audience parameter, I realized that the web api was set to expect tokens for only one of the two audience values. I added a second option for bearer authentication and it works for both scenarios.

Thank you juunas!
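The fix the answer describes, written out as an added example (not the asker's code): an OWIN bearer-authentication configuration for the web-api that accepts both audiences, the application id GUID (what the interactive flow requests as resource) and the App ID URI (what the username/password flow requests). The tenant, GUID and URI values are placeholders, and the `TokenValidationParameters` namespace is the one used by the 3.x middleware (newer versions use `Microsoft.IdentityModel.Tokens`).

```csharp
using System.IdentityModel.Tokens;          // Microsoft.IdentityModel.Tokens in newer middleware versions
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public partial class Startup
{
    // Placeholders: substitute the real tenant, application id and App ID URI of the web-api.
    private const string Tenant      = "{tenant}.onmicrosoft.com";
    private const string ApiAppId    = "00000000-0000-0000-0000-000000000000"; // aud of the interactive token
    private const string ApiAppIdUri = "https://{tenant}/{api name}";          // aud of the username/password token

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = Tenant,
                // Leave the single Audience property unset and list every identifier a client
                // may legitimately request as the resource. Signature, issuer and expiry are
                // still validated by the middleware; a token whose aud matches none of these
                // values is still rejected with "Authorization has been denied for this request."
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidAudiences = new[] { ApiAppId, ApiAppIdUri }
                }
            });
    }
}
```

Keep the list to identifiers that belong to this API only; adding a foreign audience would let tokens issued for another resource through.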
