I am trying to generate a token for a user with the code below.

using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL .NET

// Acquire a user-delegated token for the API registered as apiResourceId
public async Task<AuthenticationResult> GetTokenAsync()
{
    string apiResourceId = "11224320-66b9-4132-8953-9aa485f07004";
    string clientId = "bc9869a0-2393-4e42-8c52-845071640ea8";
    Uri redirectUri = new Uri("https://localhost:44335/");
    string authority = string.Format("https://login.windows.net/{0}",
                                     "rudderless.onmicrosoft.com");
    var authContext = new AuthenticationContext(authority);
    AuthenticationResult authenticationResult;
    authenticationResult = await authContext.AcquireTokenAsync(apiResourceId, clientId,
        redirectUri, new PlatformParameters(PromptBehavior.Auto, null));
    return authenticationResult;
}

I have been getting an error in the AcquireTokenAsync call:

AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'. Trace ID: a198696d-8377-40eb-8351-527a25183500 Correlation ID: 24d4b47d-67bf-46c0-a6b7-a248c434512e Timestamp: 2017-09-20 23:09:38Z

Why do I need a client_secret or client_assertion if I want to generate a token when a user is authenticated against an AAD? The type of client I am using is "Web app / API". However, when I try to use a Native client I get the token generated, but the API call to apiResourceId generates an unauthorized error.

A few questions I am seeking help on related to this scenario:

  1. Why do I need to provide client_secret when I am using the user auth flow?
  2. Why does AcquireToken succeed when I change the client type to Native?
  3. Why does the token generated through the native client give an Unauthorized error?
  4. Is there a way for an admin to consent on behalf of every user in AAD?

1 Answer

  1. Why do I need to provide client_secret when I am using the user auth flow?

Web Apps and APIs are considered Confidential Clients. See here for a definition of the different Client Types in the OAuth 2 Specification. These kinds of clients always need to use their client secret to authenticate, no matter which flow they are following.

Confidential clients are typically issued (or establish) a set of
  client credentials used for authenticating with the authorization
  server (e.g., password, public/private key pair).

  2. Why does AcquireToken succeed when I change the client type to Native?

Native Client Applications are a subset of Public Clients. These are defined in the specification as:

Clients incapable of maintaining the confidentiality of their
  credentials (e.g., clients executing on the device used by the
  resource owner, such as an installed native application or a web
  browser-based application), and incapable of secure client
  authentication via any other means.

Therefore, they do not have or need a client_secret to authenticate... but this also means they can only authenticate with user context, whereas a confidential client can authenticate without a user present (Client Credential Flow).

  3. Why does the token generated through the native client give an Unauthorized error?

This is hard to answer without knowing more about the error and the call you are making that causes this error. You should provide more information about this scenario.

  4. Is there a way for an admin to consent on behalf of every user in AAD?

Yes. In the new Azure Active Directory V2 Endpoint, we have an "Admin Consent Endpoint".

Using the older V1 endpoint, there is a &prompt=admin_consent query string parameter, which you can read about here.
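As an added example (not the asker's or the answerer's code), this is what the confidential-client form of the call looks like in ADAL .NET: the web app redeems the authorization code it received at the redirect URI and proves its own identity with a ClientCredential, which is the client_secret that AADSTS70002 is asking for. It reuses the ids from the question and assumes the secret is supplied in an environment variable named AAD_CLIENT_SECRET (an assumption, chosen so the secret is never hard-coded).

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL .NET

// Confidential client (Web app / API) token acquisition with ADAL.
public static class ConfidentialClientTokens
{
    // Values from the question; replace with your own app registration.
    private const string Authority   = "https://login.windows.net/rudderless.onmicrosoft.com";
    private const string ClientId    = "bc9869a0-2393-4e42-8c52-845071640ea8";
    private const string ApiResource = "11224320-66b9-4132-8953-9aa485f07004";
    private static readonly Uri RedirectUri = new Uri("https://localhost:44335/");

    // Assumption: the secret lives in configuration (here an environment
    // variable), never in source control.
    private static ClientCredential LoadClientCredential()
    {
        string secret = Environment.GetEnvironmentVariable("AAD_CLIENT_SECRET");
        if (string.IsNullOrEmpty(secret))
            throw new InvalidOperationException("AAD_CLIENT_SECRET is not set.");
        return new ClientCredential(ClientId, secret);
    }

    // User-delegated token: the user's identity comes from the authorization
    // code AAD posted back to RedirectUri; the app authenticates itself with
    // the client secret, which is why a Web app / API cannot skip it.
    public static async Task<AuthenticationResult> RedeemAuthorizationCodeAsync(string authorizationCode)
    {
        var authContext = new AuthenticationContext(Authority);
        return await authContext.AcquireTokenByAuthorizationCodeAsync(
            authorizationCode, RedirectUri, LoadClientCredential(), ApiResource);
    }

    // App-only token (Client Credential Flow): no user present. Only a
    // confidential client can do this, which is the capability the answer
    // contrasts with native (public) clients.
    public static async Task<AuthenticationResult> AcquireAppOnlyTokenAsync()
    {
        var authContext = new AuthenticationContext(Authority);
        return await authContext.AcquireTokenAsync(ApiResource, LoadClientCredential());
    }
}
```

The first method is the one that replaces the AcquireTokenAsync overload in the question for a Web app / API registration; the second only works if the app has been granted application permissions on the API.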