4
votes

I have an Azure API App marked as "Public (authenticated)" and set up an Azure Active Directory identity in the associated gateway as detailed in Protect an API App.

I then created a native application in the same Azure Active Directory Tenant and added permission to access the Gateway in the delegated permissions.

Using ADAL and the following code, I'm able to successfully authenticate and get an access token, but I can't figure out how to use it to access my API app.

using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

class Program
{
  // Tenant, gateway and native client registration values (placeholders as posted)
  const string Tenant = "[xxx].onmicrosoft.com";
  const string Authority = "https://login.microsoftonline.com/" + Tenant;
  const string GatewayLoginUrl = "https://[gateway].azurewebsites.net/login/aad";
  const string ClientId = "[native client id]";
  static readonly Uri RedirectUri = new Uri("[native client redirect url]");

  static async Task<string> GetTokenAsync()
  {
    AuthenticationContext context = new AuthenticationContext(Authority);
    // Auto: prompt only when no cached token can be used; null = no owner window
    PlatformParameters platformParams = new PlatformParameters(PromptBehavior.Auto, null);
    // The resource requested is the gateway's AAD login URL
    AuthenticationResult result = await context.AcquireTokenAsync(GatewayLoginUrl, ClientId, RedirectUri, platformParams);

    return result.AccessToken;
  }
}

I've tested the API app manually entering an x-zumo-auth header I get in Chrome and it works then, but not with a token I get using ADAL. I've also tried the browser forms described in their sample code which works but doesn't give me a refresh token.

How do I need to set up my authentication code so I can use a TokenCache and ADAL with my API app?

2
I have the same issue. The use of the ADAL received accessToken always gives me a 403:Forbidden response. I've tried both windows console .NET client and a Cordova client. Both the same result. No probs when API App is Public Anonymous but 403 with Public Authenticated. Did you make any progress with this issue? - Mark

@Mark I decided to delay usage of the api gateway until it's better supported and used the owin openid and bearer authentication instead. It means authentication logic is back in the api app, but it works. - jeffaudio

2 Answers

0
votes

Generally you pass the access token in the Authorization header when calling a web api:

Authorization: Bearer ThisIsTheAccessTokenYouReceivedFromADAL
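As an added example (not from the answer above or from the asker's code), here is how the ADAL flow from the question and the bearer header from this answer fit together in a console client: the token is taken from ADAL's cache when possible (AcquireTokenSilentAsync, which also uses the cached refresh token), the user is prompted only when the cache has nothing usable, and the access token is sent as Authorization: Bearer on an HttpClient call. The API App base URL, the "api/values" path and the placeholder tenant/client values are assumptions; the comments on the question report that the gateway still answered 403 to such a token, so the call also surfaces the WWW-Authenticate challenge on 401/403, which is the first thing to read when the gateway rejects a token.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

class ApiAppClient
{
    // Placeholders (not real identifiers): tenant, gateway, API App and native client registration
    const string Tenant = "[xxx].onmicrosoft.com";
    const string Authority = "https://login.microsoftonline.com/" + Tenant;
    const string GatewayLoginUrl = "https://[gateway].azurewebsites.net/login/aad";
    const string ApiAppBaseUrl = "https://[apiapp].azurewebsites.net/"; // assumed
    const string ClientId = "[native client id]";
    static readonly Uri RedirectUri = new Uri("[native client redirect url]");

    // One AuthenticationContext per process so its TokenCache (in-memory by default) is reused.
    static readonly AuthenticationContext Context = new AuthenticationContext(Authority);

    static async Task<AuthenticationResult> GetTokenAsync()
    {
        try
        {
            // Silent first: served from the cache, or renewed with the cached refresh token.
            return await Context.AcquireTokenSilentAsync(GatewayLoginUrl, ClientId);
        }
        catch (AdalSilentTokenAcquisitionException)
        {
            // Nothing usable in the cache: prompt the user once; the result lands in the cache.
            var platformParams = new PlatformParameters(PromptBehavior.Auto, null);
            return await Context.AcquireTokenAsync(GatewayLoginUrl, ClientId, RedirectUri, platformParams);
        }
    }

    static async Task<string> CallApiAsync(string relativePath)
    {
        AuthenticationResult auth = await GetTokenAsync();
        using (var http = new HttpClient { BaseAddress = new Uri(ApiAppBaseUrl) })
        {
            // Send the ADAL access token as a bearer token, as the answer describes.
            http.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", auth.AccessToken);

            HttpResponseMessage response = await http.GetAsync(relativePath);
            if (response.StatusCode == HttpStatusCode.Unauthorized ||
                response.StatusCode == HttpStatusCode.Forbidden)
            {
                // The gateway did not accept this token. Its WWW-Authenticate header (when
                // present) states the scheme and audience it expects; log it, never the token.
                string challenge = string.Join(" ", response.Headers.WwwAuthenticate);
                throw new UnauthorizedAccessException(string.Format(
                    "{0} from API App; challenge: {1}", (int)response.StatusCode, challenge));
            }
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }

    static void Main()
    {
        // Usage: first call prompts (PromptBehavior.Auto), later calls are silent from the cache.
        string body = CallApiAsync("api/values").GetAwaiter().GetResult();
        Console.WriteLine(body);
    }
}
```

The default TokenCache lives only in memory; a persisted cache needs a TokenCache subclass that handles its BeforeAccess/AfterAccess events, and whatever it writes to disk should be protected (for example with DPAPI on Windows), since it holds refresh tokens.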

0
votes

You may want to use AppServiceClient to authenticate the user and invoke a protected API App endpoint. Install the Microsoft.Azure.AppService SDK (-pre) NuGet package into your client project.

You can find more details in the AzureCards samples on GitHub - https://github.com/Azure-Samples/API-Apps-DotNet-AzureCards-Sample