4 votes

I am testing Azure App Service Authentication / Authorization with Azure AD with a vanilla MVC 5 web app. I have followed the tutorials at https://cgillum.tech/2016/03/07/app-service-token-store/ and http://cgillum.tech/2016/03/25/app-service-auth-aad-graph-api/

I can confirm that the /.auth/me endpoint functions properly, and that I do have refresh and access tokens in the cache.

The app registration is configured with permission to SharePoint Online.

However, /.auth/refresh fails with 401.71 unauthorized every time. Verbose Log Stream on the Web App only gives a generic error message.

I have seen references to a value, "access_type=offline", in comment sections on various forums, which may or may not be necessary to include in the "additionalLoginParams" key in authsettings, though it is usually mentioned in the context of Google auth.

Is there a definitive answer on whether this is necessary to add when using AAD? Any other permissions that aren't mentioned in the tutorials?

This is the code I am using to make the test call:

    using System;
    using System.Net.Http;
    using System.Net.Http.Headers;

    // Inside an MVC 5 controller action: build the refresh URL on the app's own origin.
    string endpoint = myAppUrl + "/.auth/refresh";

    // Tokens injected by App Service Authentication into the incoming request headers.
    string idToken = this.Request.Headers["X-MS-TOKEN-AAD-ID-TOKEN"];
    string accessToken = this.Request.Headers["X-MS-TOKEN-AAD-ACCESS-TOKEN"];
    string refreshToken = this.Request.Headers["X-MS-TOKEN-AAD-REFRESH-TOKEN"];

    using (HttpClient client = new HttpClient())
    {
        try
        {
            // Same pattern used for /.auth/me and Graph calls: send the AAD token as a Bearer token.
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            HttpResponseMessage response = client.GetAsync(endpoint).Result;
            if (response.IsSuccessStatusCode)
            {
                string content = response.Content.ReadAsStringAsync().Result;
            }
            // Non-success (here: 401.71) falls through without throwing; inspect response.StatusCode.
        }
        catch (Exception oops)
        {
            string oopsMessage = oops.Message;
        }
    }
Chris Gillum: How are you authenticating with the /.auth/refresh API call?

David: I'm calling from C# HttpClient, adding a "Bearer" token to DefaultRequestHeaders, the same way I call /.auth/me, Graph, etc. I've tried using the Id, Access, and Refresh tokens. Is it necessary to add Graph permissions?

David: I'm also being denied access to the app if I put more than one resource in additionalLoginParams... I can ask another question if that would be more appropriate. Thanks for responding so quickly, btw.

Chris Gillum: Interesting. Post the additionalLoginParams as a new question. I have a feeling we don't support that directly, but there are workarounds you can use if your app needs to access multiple resources.

1 Answer

3 votes

The problem is that the /.auth/refresh API does not work with AAD bearer tokens. Instead, you need to either use a session cookie (AppServiceAuthSession cookie) or a session token (x-zumo-auth header), which are the outputs of a login action.

Sorry about the inconvenience and the lack of clear error information. We'll look into adding support for this in a future release.
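The call the answer describes, written out as an added example (not code from the question or from Azure App Service): /.auth/refresh is invoked with the user's App Service session rather than an AAD bearer token, forwarding either the AppServiceAuthSession cookie or an x-zumo-auth session token from the incoming request. The method name, `request` (an MVC 5 `HttpRequestBase`, i.e. `this.Request`) and `appUrl` (the app's own https origin) are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web; // MVC 5: HttpRequestBase / HttpCookie

public static class AuthRefresh
{
    // Added example. Calls /.auth/refresh using the caller's existing App Service session,
    // which is what the endpoint accepts; an AAD bearer token in the Authorization header
    // is rejected with 401 as described in the answer.
    public static async Task<HttpStatusCode> RefreshTokenStoreAsync(HttpRequestBase request, string appUrl)
    {
        var endpoint = new Uri(new Uri(appUrl), "/.auth/refresh");
        var message = new HttpRequestMessage(HttpMethod.Get, endpoint);

        // Option 1: forward the session cookie issued by the login action.
        HttpCookie session = request.Cookies["AppServiceAuthSession"];
        if (session != null)
        {
            message.Headers.Add("Cookie", "AppServiceAuthSession=" + session.Value);
        }
        else
        {
            // Option 2: the session token a client obtained from a login action and
            // sent in x-zumo-auth; forward it unchanged instead of the cookie.
            string zumo = request.Headers["x-zumo-auth"];
            if (string.IsNullOrEmpty(zumo))
                throw new InvalidOperationException(
                    "Request carries neither an AppServiceAuthSession cookie nor an x-zumo-auth token.");
            message.Headers.Add("x-zumo-auth", zumo);
        }

        // UseCookies = false so the hand-built Cookie header is sent exactly as written
        // instead of being replaced by the handler's own cookie container.
        using (var handler = new HttpClientHandler { UseCookies = false })
        using (var client = new HttpClient(handler))
        using (HttpResponseMessage response = await client.SendAsync(message))
        {
            // 200 means the refresh succeeded; re-read /.auth/me afterwards to pick up
            // the refreshed access token from the token store.
            return response.StatusCode;
        }
    }
}
```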