1
votes

I've created a multi-tenant Web API that works just fine. Now I want to build a native client for testing. The Web API app is defined in one tenant (webapitenant). The test app is defined in another tenant (clienttenant) that has given admin consent to the Web API.

I've added the testClientId as a knownClientApplication in the Web API's app manifest and enabled oauth2AllowImplicitFlow. The test client has been granted permissions to the Web API app.

GetAccessToken:

// ADAL 2.x: username/password (resource owner) flow, no browser involved
var userCredential = new UserCredential("admin@clienttenant.onmicrosoft.com", "password");
// "common" endpoint: the user's home tenant is resolved from the UPN
var context = new AuthenticationContext("https://login.windows.net/common");

// resource = the Web API's App ID URI; testClientId = application ID of the native test client
return context.AcquireToken("https://webapitenant.onmicrosoft.com/webApiResourceUri", testClientId, userCredential).AccessToken;

Exception thrown: 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' in Microsoft.IdentityModel.Clients.ActiveDirectory.dll

Additional information:
AADSTS65001: The user or administrator has not consented to use the application with ID 'nativeclientid'. Send an interactive authorization request for this user and resource.


Update: I created a dummy console app to force a consent form that I could accept. ADAL now returns tokens, but my Web API rejects them (status 401).

using System;
using System.Net.Http;
using System.Net.Http.Headers;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// ADAL 3.x: interactive flow, forcing the consent prompt every time
var parameters = new PlatformParameters(PromptBehavior.Always);
var context = new AuthenticationContext("https://login.windows.net/common");
var token = context.AcquireTokenAsync(
    "https://webapi.onmicrosoft.com/appuri",      // resource: the Web API's App ID URI
    "testappid",                                   // client ID of the native test app
    new Uri("https://webapi.azurewebsites.net"),   // redirect URI registered for the client
    parameters).Result.AccessToken;

Console.WriteLine(token); // Output: oauth token

var client = new HttpClient
{
    BaseAddress = new Uri("https://webapi.azurewebsites.net/api/")
};

// Present the access token to the Web API as a bearer token
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);

var response = client.GetAsync("tenants").Result;
Console.WriteLine(response.Content.ReadAsStringAsync().Result);
// Output: {"$type":"System.Web.Http.HttpError, System.Web.Http","Message":"Authorization has been denied for this request."}
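A check a practitioner would make at this point, added here as an example and not part of the original question: decode the access token ADAL returned (signature not verified, inspection only) and compare the claims the Web API's bearer middleware validates against what the API is configured to expect. The `TokenInspector` class name and the two expected values passed in are assumptions; the code assumes the System.IdentityModel.Tokens.Jwt 4.x package (`JwtSecurityTokenHandler`) that ships alongside ADAL and the OWIN Azure AD middleware of that era.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Linq;

// Added example: inspect a token on the client side before sending it to the API.
// Assumes System.IdentityModel.Tokens.Jwt 4.x (JwtSecurityTokenHandler / JwtSecurityToken).
public static class TokenInspector
{
    // expectedAudience: the App ID URI the Web API is configured with (its ida:Audience).
    // expectedTenantId: the tenant GUID the API validates issuers for, or null when the
    // API is multi-tenant and accepts tokens from any tenant.
    public static bool Inspect(string accessToken, string expectedAudience, string expectedTenantId)
    {
        var handler = new JwtSecurityTokenHandler();
        if (!handler.CanReadToken(accessToken))
        {
            Console.WriteLine("Not a JWT: the bearer middleware will reject it with 401.");
            return false;
        }

        // ReadToken parses the token without checking its signature: fine for
        // diagnosis, never for making an authorization decision.
        var jwt = (JwtSecurityToken)handler.ReadToken(accessToken);
        Func<string, string> claim = type =>
            jwt.Claims.Where(c => c.Type == type).Select(c => c.Value).FirstOrDefault();

        string aud = claim("aud");
        string iss = jwt.Issuer;       // v1 tokens: https://sts.windows.net/{tenantId}/
        string tid = claim("tid");     // tenant the user signed in from
        string appid = claim("appid"); // application ID of the client that requested the token

        Console.WriteLine("aud:   " + aud);
        Console.WriteLine("iss:   " + iss);
        Console.WriteLine("tid:   " + tid);
        Console.WriteLine("appid: " + appid);
        Console.WriteLine("exp:   " + jwt.ValidTo.ToString("u"));

        bool ok = true;
        // The audience is compared as an exact string: a trailing slash, or a resource
        // in AcquireToken that differs from the API's App ID URI, is enough for a 401.
        if (!string.Equals(aud, expectedAudience, StringComparison.Ordinal))
        {
            Console.WriteLine("MISMATCH: aud does not equal the API's Audience (" + expectedAudience + ")");
            ok = false;
        }
        if (expectedTenantId != null &&
            !string.Equals(tid, expectedTenantId, StringComparison.OrdinalIgnoreCase))
        {
            Console.WriteLine("MISMATCH: token issued by tenant " + tid +
                              " but the API validates issuers for tenant " + expectedTenantId);
            ok = false;
        }
        if (jwt.ValidTo < DateTime.UtcNow)
        {
            Console.WriteLine("EXPIRED at " + jwt.ValidTo.ToString("u"));
            ok = false;
        }
        return ok;
    }
}
```

Call `TokenInspector.Inspect(token, "<the API's ida:Audience value>", "<the API's tenant GUID or null>")` with the token from the update. In the setup described above, where the user signs in from clienttenant while the API's middleware is pointed at webapitenant, the tid/iss lines are the ones to compare with the API's Tenant setting; the aud line is the one to compare with its Audience.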

1 Answer

0
votes

Please ensure that the web app ignores issuer validation and that the audience is the same as the resource ("https://webapi.onmicrosoft.com/appuri", "testappid") you acquire the access token for; this value should be the App ID URI, which you can find on the old Azure portal as in the figure below:

[Figure: App ID URI as shown in the old Azure portal]

Here is the relevant code for configuring the authentication of a multi-tenant web API:

// OWIN startup: Microsoft.Owin.Security.ActiveDirectory bearer middleware
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        // Must equal the App ID URI the client used as the resource
        Audience = ConfigurationManager.AppSettings["ida:Audience"],
        Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
        TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
        {
            // Issuer is not checked: a token from any Azure AD tenant passes if the audience matches
            ValidateIssuer = false
        }
    });
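With `ValidateIssuer = false` the middleware accepts a correctly signed token from any Azure AD tenant, not only from tenants whose administrators consented to the API; the audience check is then the only thing standing between the API and an arbitrary tenant's users. The following is an added example, not the answer's own code: it keeps the audience check and replaces the blanket `ValidateIssuer = false` with an issuer validator that accepts only known tenant IDs. The `ida:AllowedTenantIds` setting name and the `Startup.ConfigureAuth` method are assumptions; it assumes Microsoft.Owin.Security.ActiveDirectory 3.x with System.IdentityModel.Tokens.Jwt 4.x, where `TokenValidationParameters.IssuerValidator` returns the validated issuer or throws.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.IdentityModel.Tokens;
using System.Linq;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

// Added example: multi-tenant bearer authentication with an issuer allow-list
// instead of ValidateIssuer = false. Assumes Microsoft.Owin.Security.ActiveDirectory 3.x
// and System.IdentityModel.Tokens.Jwt 4.x.
public partial class Startup
{
    // Tenant IDs (GUIDs) whose admins consented to this API. The setting name is
    // hypothetical; a real app would persist this list and update it as tenants onboard.
    private static readonly HashSet<string> AllowedTenantIds = new HashSet<string>(
        (ConfigurationManager.AppSettings["ida:AllowedTenantIds"] ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(t => t.Trim()),
        StringComparer.OrdinalIgnoreCase);

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                // Must equal the App ID URI the client passed as the resource.
                Audience = ConfigurationManager.AppSettings["ida:Audience"],
                // "common" keeps the middleware multi-tenant (signing keys are shared);
                // which tenants are trusted is decided by the validator below.
                Tenant = "common",
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    IssuerValidator = ValidateIssuer
                }
            });
    }

    // v1 Azure AD issuers look like https://sts.windows.net/{tenantId}/ .
    // Accept only tenants on the allow-list; reject everything else.
    private static string ValidateIssuer(string issuer, SecurityToken token,
                                         TokenValidationParameters parameters)
    {
        Uri uri;
        if (!Uri.TryCreate(issuer, UriKind.Absolute, out uri) || uri.Scheme != Uri.UriSchemeHttps)
        {
            throw new SecurityTokenInvalidIssuerException("Issuer is not an https URL: " + issuer);
        }

        string tenantId = uri.AbsolutePath.Trim('/');
        if (!string.Equals(uri.Host, "sts.windows.net", StringComparison.OrdinalIgnoreCase)
            || !AllowedTenantIds.Contains(tenantId))
        {
            throw new SecurityTokenInvalidIssuerException("Issuer tenant is not allowed: " + issuer);
        }

        // Returning the issuer tells the handler validation succeeded.
        return issuer;
    }
}
```

Throwing `SecurityTokenInvalidIssuerException` from the validator makes the middleware fail authentication, so a token from an unknown tenant still ends in the same 401 the asker sees; the difference is that tokens from consented tenants are the only ones that pass, and adding a tenant is a configuration change rather than a code change.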