2
votes

I have a native client that calls a service I wrote, which in turn calls the Graph API (using the original caller's credentials).

This is exactly like the 'onbehalfof' sample found here (my code fails the same way as the sample):

https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof

When logging in as a user from the same tenant as the service (tenant A), everything works fine (just like the onbehalf of sample). When logging in as a user from a different tenant (tenant B), I get an exception on this line in the service:

result = await authContext.AcquireTokenAsync(GraphResourceId, clientCred, userAssertion);

(this is line 153 from TodoListController.cs in the onbehalfof sample).

The exception is this:

AADSTS65001: The user or administrator has not consented to use the application with ID 'de2fb28b-83f8-419d-9b00-3fbce0a60bf4'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 6865c420-674a-4adf-a070-3d9b9c500200\r\nCorrelation ID: 7e088563-d7fe-4131-a05c-cbe04dbb2bbd\r\nTimestamp: 2017-03-29 22:56:58Z

The application ID above refers to the service I wrote (which is the same line in the TodoListService in the onbehalfof sample).

I configured everything for multi-tenant authentication. But it's the additional call that my service is making to another service (Graph API) that's causing the problem. What additional configuration do I need to do in the Azure portal to make this work?


4 Answers

1
votes

It's working now. I had to make two changes to get it working.

First, on the service side, switch to using "common" as the tenant. I had switched to common on the client but didn't realize you had to do this on the service side as well:

<add key="ida:Tenant" value="common" />

Second, change the GraphUserUrl on the service to the following URL:

<add key="ida:GraphUserUrl" value="https://graph.windows.net/me?api-version=1.6" />

The original URL in the sample didn't work (at least for users in another tenant).
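The following is an added example, not code from the question or from the Azure sample, showing what the middle tier actually sends when ADAL's `AcquireTokenAsync(resource, clientCred, userAssertion)` runs against the AAD v1 token endpoint, and how to pull the AADSTS code, the offending app ID and the trace IDs out of the error body so the service can log them instead of surfacing a raw exception. The authority switch to `common` from the answer above is what `token_endpoint()` encodes. The client ID, secret, user token and the error JSON are constructed for illustration (the error text is the one quoted in the question).

```python
"""Added example: the AAD v1 on-behalf-of request and its error handling.
Not part of the question or the active-directory-dotnet-webapi-onbehalfof sample."""
import json
import re
from urllib.parse import urlencode

AAD_LOGIN = "https://login.microsoftonline.com"


def token_endpoint(tenant: str) -> str:
    """Authority used by the middle tier. A multi-tenant service uses 'common'
    so that a user from tenant B is resolved against tenant B, not tenant A."""
    return f"{AAD_LOGIN}/{tenant}/oauth2/token"


def obo_request(tenant: str, client_id: str, client_secret: str,
                user_access_token: str, resource: str) -> dict:
    """Build the jwt-bearer on-behalf-of grant that ADAL posts for
    AcquireTokenAsync(resource, clientCred, userAssertion)."""
    return {
        "url": token_endpoint(tenant),
        "body": {
            "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
            "client_id": client_id,
            "client_secret": client_secret,
            # the access token the native client presented to the middle tier
            "assertion": user_access_token,
            # the downstream API, e.g. https://graph.windows.net for AAD Graph
            "resource": resource,
            "requested_token_use": "on_behalf_of",
            "scope": "openid",
        },
    }


def encode_form(body: dict) -> str:
    """application/x-www-form-urlencoded body as sent on the wire."""
    return urlencode(body)


_AADSTS = re.compile(r"(AADSTS\d+)")
_APP_ID = re.compile(r"ID '([0-9a-fA-F-]{36})'")


def parse_token_error(response_body: str) -> dict:
    """Extract the AADSTS code, the app that lacks consent, and the IDs you
    would quote to Azure support from a token-endpoint error response."""
    err = json.loads(response_body)
    desc = err.get("error_description", "")
    code = _AADSTS.search(desc)
    app = _APP_ID.search(desc)
    return {
        "error": err.get("error"),
        "code": code.group(1) if code else None,
        "app_id": app.group(1) if app else None,
        "trace_id": err.get("trace_id"),
        "correlation_id": err.get("correlation_id"),
        # AADSTS65001 means the middle tier itself has no consent in the user's tenant
        "needs_consent": bool(code) and code.group(1) == "AADSTS65001",
    }


# Constructed error body, using the message text quoted in the question.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": (
        "AADSTS65001: The user or administrator has not consented to use the "
        "application with ID 'de2fb28b-83f8-419d-9b00-3fbce0a60bf4'. Send an "
        "interactive authorization request for this user and resource.\r\n"
        "Trace ID: 6865c420-674a-4adf-a070-3d9b9c500200\r\n"
        "Correlation ID: 7e088563-d7fe-4131-a05c-cbe04dbb2bbd\r\n"
        "Timestamp: 2017-03-29 22:56:58Z"
    ),
    "error_codes": [65001],
    "trace_id": "6865c420-674a-4adf-a070-3d9b9c500200",
    "correlation_id": "7e088563-d7fe-4131-a05c-cbe04dbb2bbd",
})

if __name__ == "__main__":
    req = obo_request("common", "de2fb28b-83f8-419d-9b00-3fbce0a60bf4",
                      "<client-secret>", "<user-access-token>",
                      "https://graph.windows.net")
    print(req["url"])
    print(encode_form(req["body"]))
    print(parse_token_error(SAMPLE_ERROR))
```

The `needs_consent` flag is the decision point: when it is set, retrying the request will not help, because the user's tenant has never consented to the middle-tier application; the fix is on the app registration side, not in the service code.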

0
votes

In the instructions written for the sample you linked above, they address this issue with the following section:

Configure known client applications

For the middle tier web API to be able to call the downstream web API, the user must grant the middle tier permission to do so in the form of consent. Because the middle tier has no interactive UI of its own, you need to explicitly bind the client app registration in Azure AD with the registration for the web API, which merges the consent required by both the client & middle tier into a single dialog. You can do so by adding the "Client ID" of the client app, to the manifest of the web API in the knownClientApplications property. Here's how:

  1. Navigate to your 'TodoListService' app registration, and open the manifest editor.
  2. In the manifest, locate the knownClientApplications array property, and add the Client ID of your client application as an element.

    Your code should look like the following after you're done: "knownClientApplications": ["94da0930-763f-45c7-8d26-04d5938baab2"]

  3. Save the TodoListService manifest by clicking the "Save" button.

My assumption is that because you are running into this problem, you have not done this special configuration.

The other option you have is to explicitly request consent between the middle tier and the AAD Graph API. You can do this by having a tenant administrator 'login' and consent to your middle tier service. All you need to do is generate a login url with the middle tier App ID.

However, I strongly recommend you do it the documented way, since this will provide a better experience for your users.

0
votes

Here's the consent dialog that appears when a user from another tenant logs in:

Consent Dialog

0
votes

Here's my client manifest...

Client Manifest

...and my service manifest...

Service Manifest