How can I enable authentication with a multitenant AngularJS single page application calling a multitenant service Web API using Azure AD?
This is the high level flow I am trying to enable:
Multi-tenant AngularJS application [ClientApp] -> Multi-tenant ASP.NET Web API [ServicesApp]
I have a multi-tenant AngularJS application which requires Azure AD login using ADAL for JS (OpenID Connect). That web application is registered as a multi-tenant application ClientApp
in a developer Azure AD, which I'll call DevAAD
. I consented to use this ClientApp
application in another Azure AD, which I'll call Tenant1
. Once a user from the Tenant1
directory logs into the web application with their credentials into the login.microsoftonline.com portal, they are able to access the web UI. However, the UI is unable to call Web APIs on behalf of the user using the OAuth 2.0 Implicit Flow. This is the error message I am seeing in the Javascript code:
AADSTS65001: The user or administrator has not consented to use the application with ID '<ClientApp_ClientID>'. Send an interactive authorization request for this user and resource.
There is another Azure AD multi-tenant app representing backend Web API services called ServicesApp
that is registered in the same DevAAD
directory as the ClientApp
UI application. The client ID and app ID URI of ServicesApp
are the valid audiences for those services. This ServicesApp
application has been consented to in the same Tenant1
directory. When invoked from a native client application with permissions to ServicesApp
, the services are authorizing users from the Tenant1
directory using the OWIN middleware provided in System.IdentityModel.Tokens.Jwt 4.0.0 and the [System.Web.Http.Authorize]
attribute in the controller.
Configuration details:
ClientApp
Azure AD application manifest has availableToOtherTenants
set to true and oauth2AllowImplicitFlow
set to true. ClientApp
has permissions to access ServiceApp
Azure AD application.
The AngularJS application has the following configuration:
adalAuthenticationServiceProvider.init(
{
tenant: 'common',
clientId: <ClientApp_ClientID>,
endpoints: { <ServiceEndpoint> : <ServiceApp_ClientID> }
}, $httpProvider);
ServiceApp
ValidateIssuer is set to false in TokenValidationParameters
object in WindowsAzureActiveDirectoryBearerAuthenticationOptions
configuration object passed to IAppBuilder.UseWindowsAzureActiveDirectoryBearerAuthentication()
"
knownClientApplications" property in "ServiceApp" Azure AD manifest is set to ["<ClientApp_ClientID>"]
I have not been able to locate any examples of a multi-tenant web application calling multi-tenant Web APIs, specifically a single page application built with AngularJS. How can this be implemented with Azure AD?