I have created an ASP.NET Core Web API, registered it in Entra ID, and configured it in my Program.cs as follows:
// Validate incoming bearer tokens against the tenant/app described in the "AzureAd" config section
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddAuthorization();
Then I registered another app in Entra ID and configured the code in the console application as follows:
// Console app using top-level statements (C# 9+), so await is available;
// appId, appSecret, tenantId, apiAppId and endpointUrl are set elsewhere.
var app = ConfidentialClientApplicationBuilder
    .Create(appId)
    .WithClientSecret(appSecret)
    .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"))
    .Build();
// Client-credentials flow (no signed-in user), requesting the API's default scope set
var result = await app.AcquireTokenForClient(new[] { $"api://{apiAppId}/.default" })
    .ExecuteAsync();
var client = new HttpClient();
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
var response = await client.GetAsync(endpointUrl);
Further, I also configured the app registration with a scope named "xxx.read" and added the client application under Authorized client applications in the Expose an API settings.
When the console application calls the web API, the web API throws the following error:
Bearer was not authenticated. Failure message: IDW10201: Neither scope nor roles claim was found in the bearer token. Authentication scheme used: ‘Bearer’.
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: Bearer was not authenticated. Failure message: IDW10201: Neither scope nor roles claim was found in the bearer token. Authentication scheme used: ‘Bearer’.
dbug: Microsoft.AspNetCore.Authorization.AuthorizationMiddleware[0] Policy authentication schemes did not succeed
Microsoft.AspNetCore.Authorization.AuthorizationMiddleware: Debug: Policy authentication schemes did not succeed
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[12] AuthenticationScheme: Bearer was challenged.
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: AuthenticationScheme: Bearer was challenged.
Am I missing anything?
2 Answers
A delegated permission is only used when a user is involved in the authentication. In your case only the app is there. So you need an app role / application permission. That one will be in the roles claim of the token.
In the API application, expose an API and create an app role: (screenshot omitted)
In the RukAppClient application, grant API permission: (screenshot omitted)
Generate the token: (screenshot omitted)
When decoded, the roles claim will be present in the token: (screenshot omitted)
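One way to enforce the app role on the API side once the token carries it, as an added example (not the asker's code and not Microsoft's). It assumes Microsoft.Identity.Web, the default Web SDK implicit usings, an "AzureAd" section in appsettings.json, and that the app role value and policy name are "xxx.read" and "XxxRead" (assumed names):

```csharp
// Program.cs of the web API. Added example; "xxx.read" and "XxxRead" are assumed names.
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

builder.Services.AddAuthorization(options =>
{
    // Do not stop at "is authenticated": require the permission itself.
    // A daemon caller (client credentials) carries app roles in "roles";
    // a caller acting for a signed-in user carries delegated scopes in "scp".
    // Either form of "xxx.read" is accepted here; drop the scope branch if only
    // daemons should ever call this API.
    options.AddPolicy("XxxRead", policy => policy
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx => HasAppRole(ctx.User, "xxx.read")
                              || HasDelegatedScope(ctx.User, "xxx.read")));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Every endpoint names its policy; an unprotected endpoint is a bug, not a default.
app.MapGet("/data", (ClaimsPrincipal user) => Results.Ok(new
{
    // "azp" (v2 tokens) or "appid" (v1 tokens) identifies the calling application;
    // worth logging so use of a leaked client secret can be traced to its app.
    caller = user.FindFirst("azp")?.Value ?? user.FindFirst("appid")?.Value,
    viaAppRole = HasAppRole(user, "xxx.read")
})).RequireAuthorization("XxxRead");

app.Run();

// "roles" is a JSON array in the token, surfaced as one claim per element.
// IsInRole honours the role claim type the handler configured; the raw "roles"
// check covers the case where that type differs from what inbound mapping produced.
static bool HasAppRole(ClaimsPrincipal user, string role) =>
    user.IsInRole(role) || user.HasClaim("roles", role);

// "scp" is one space-separated string, so split it before comparing.
static bool HasDelegatedScope(ClaimsPrincipal user, string scope) =>
    (user.FindFirst("scp")?.Value ?? string.Empty)
        .Split(' ', StringSplitOptions.RemoveEmptyEntries).Contains(scope);
```

With this in place, a client-credentials token that lacks the app role (for example, one minted before admin consent was granted) is rejected with 403 rather than being accepted merely because it validated.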