3
votes

I am using ADAL.js with implicit flow to authenticate an AngularJS app to be able to access an Azure Mobile Services API.

I have set up Azure AD identity information in the Identity tab of the AMS (azure mobile service) as follows...

The app url is set to: https://<>.azure-mobile.net/login/aad

The client id is the client id from the application set up in the Azure AD.

The allowed tenant is: <>.onmicrosoft.com

The header is included in the GET request: Authorization: Bearer eyJ0eXAiOiJKV1Qi...

But I get a 401 response from AMS.

What am I doing wrong or missing?

UPDATE: It looks like I would have to call into the AMS end point passing the Azure AD access_token to get an AMS token. And I get this response:

{"code":401,"error":"Error: Authentication with 'windowsazureactivedirectory' is not supported."}

So, I guess I will have to go with the service directed login as specified at https://msdn.microsoft.com/en-us/library/azure/dn283952.aspx

Perhaps some day this will be supported for the javascript back end. But, the more I do with AMS the more it looks like I should have gone with a .net backend.

UPDATE 05/29

I changed my AMS to a .Net backend so I could use client directed flow. I am using the following code:

// Client-directed login: hand the token ADAL.js stored to the AMS 'aad' provider.
// Note: 'adal.idtoken' is the ID token ADAL.js caches, not an access token.
client.login('aad', { "access_token": sessionStorage['adal.idtoken'] })
    .done(function (results) {
        alert("You are now logged in as: " + results.userId);
        // Keep the ZUMO auth token so later API calls can send X-ZUMO-AUTH.
        sessionStorage.X_ZUMO_AUTH = results.mobileServiceAuthenticationToken;
    }, function (err) {
        alert("Error: " + err);
    });

However, I am getting a 401 response.

UPDATE: Based on another SO issue I have created a second app in the Azure AD for the client. I have set it to allow access to the API app. I also updated my code to the following:

// Acquire a token for the AMS API application (the second AAD app), then
// POST it to the /login/aad endpoint of the mobile service.
adalService.acquireToken('<<AMS App Client ID>>')
    .then(function (token) {
        $http({
            method: 'POST',
            url: constants.apiBaseUrl + '/login/aad',
            data: { "access_token": token },
            headers: {
                // Application key of the mobile service
                'X-ZUMO-APPLICATION': constants.appKey
            }
        })
        .success(function (data, status, headers, config) {
            alert(data);
        })
        .error(function (data, status, headers, config) {
            alert(data);
        });
    });

But, I still get a 401. I also tried it with the mobile sdk, still a 401.

3
For the record, and completeness: 1) the right endpoint where to post is /login/aad, and not /login/windowsazureactivedirectory; but still this returns an explicit error message that POSTing an access token isn't allowed in this case. 2) when using the Mobile Service JS SDK authenticating an AAD user works correctly - Massimo Prota
Right, I was able to get the service directed authentication to work. msdn.microsoft.com/en-us/library/azure/dn283952.aspx - PilotBob

3 Answers

1
votes

It looks like you're following the right steps. Could you take a look at the how to on Azure's website to see if you're missing anything? Could you share the client code you use to login?

https://azure.microsoft.com/en-us/documentation/articles/mobile-services-html-how-to-use-client-library/#caching

1
votes

My suspicion is that the 401 comes from the fact that ADAL.JS is presenting an ID token which is different in structure from the access token which Mobile Services expects. The client directed flow in Mobile Services was built around the earlier ADAL clients for native mobile platforms, and these have full access tokens that they can present.

One of the main things that Mobile Services checks for in the access token is that the audience of the token is the /login/aad endpoint, but this is not true of ID tokens.

Based on what I am seeing, I do not think ADAL.JS is supported by Mobile Services at this time. It doesn't appear that you can get the access token needed for the client-directed flow. Your best bet is to use the server flow, which it sounds like you have working.
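As an added diagnostic example (not code from the question, this answer, or the Mobile Services SDK), the following Node.js snippet decodes the payload of the JWT a client is about to POST and reports whether its aud claim is the /login/aad endpoint this answer says Mobile Services checks, or the client id that an ADAL.js ID token carries. The App URL, client id and sample tokens are constructed placeholders; the helper only decodes, it does not verify the signature.

```javascript
// Added diagnostic helper, not part of the original Q&A or any SDK.
// Decodes a JWT payload (no signature check) and classifies the token by its
// audience: the login endpoint (what the client-directed flow expects) or the
// AAD client id (what an ADAL.js ID token carries).

function base64UrlDecode(segment) {
  // JWT segments use the base64url alphabet without padding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWS: expected 3 dot-separated segments');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// expectedAudience: the App URL from the Identity tab, e.g.
// 'https://<>.azure-mobile.net/login/aad' (assumed from the question).
// clientId: the AAD application's client id, which is the audience of an ID token.
function diagnoseAadToken(token, expectedAudience, clientId) {
  let claims;
  try {
    claims = decodeJwtPayload(token);
  } catch (e) {
    return { ok: false, kind: 'malformed', reason: e.message };
  }
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (aud.includes(expectedAudience)) {
    return { ok: true, kind: 'access_token', reason: 'audience is the login endpoint' };
  }
  if (aud.includes(clientId)) {
    return {
      ok: false,
      kind: 'id_token',
      reason: 'audience is the client id: this is an ID token, not an access token for the service'
    };
  }
  return {
    ok: false,
    kind: 'unknown',
    reason: 'audience ' + JSON.stringify(claims.aud) + ' does not match ' + expectedAudience
  };
}

// Builds an unsigned sample JWT (constructed, fake signature segment) for the demo.
function makeSampleJwt(claims) {
  const enc = function (obj) {
    return Buffer.from(JSON.stringify(obj)).toString('base64')
      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  };
  return enc({ typ: 'JWT', alg: 'none' }) + '.' + enc(claims) + '.signature';
}

// Constructed placeholder values, not real identifiers.
const SAMPLE_CLIENT_ID = '00000000-0000-0000-0000-000000000001';
const SAMPLE_APP_URL = 'https://example.azure-mobile.net/login/aad';

// What ADAL.js caches under 'adal.idtoken': audience is the client id.
const SAMPLE_ID_TOKEN = makeSampleJwt({ aud: SAMPLE_CLIENT_ID, iss: 'https://sts.windows.net/tenant/' });
// What the client-directed flow needs: audience is the login endpoint.
const SAMPLE_ACCESS_TOKEN = makeSampleJwt({ aud: SAMPLE_APP_URL, iss: 'https://sts.windows.net/tenant/' });

console.log(diagnoseAadToken(SAMPLE_ID_TOKEN, SAMPLE_APP_URL, SAMPLE_CLIENT_ID));
console.log(diagnoseAadToken(SAMPLE_ACCESS_TOKEN, SAMPLE_APP_URL, SAMPLE_CLIENT_ID));
```

Run this once with the real token from sessionStorage in place of the sample: if the result is id_token, the 401 is explained by the audience mismatch this answer describes, regardless of whether the POST goes to /login/aad. The decode is a client-side debugging aid only; the service still validates the signature and claims itself.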

0
votes

Due to another SO member who posted a blog on how to do this exact thing...

http://blogs.if-blueprint.de/svenor/2015/06/19/authenticate-azure-mobile-service-app-adal-js/

...which pointed to a link that allowed me to solve it.

My problem was that the app id url on the client AAD application was not in a verified domain on the Azure Active Directory. I was using https://mysite.azurewebsites.net.

When I changed it to a url that was in the domain https://mydomainname.onmicrosoft.com/myappname then it just worked like magic.