1
votes

In my Xamarin.Forms project, I use ADAL (Microsoft.IdentityModel.Clients.ActiveDirectory) to authenticate on the Azure portal (Auth 1.0 endpoint). That part works great, but I need to get the security groups of the user. So I use this code, passing the token received with ADAL:

 // requires: using System.Net.Http; using System.Net.Http.Headers;
 HttpClient client = new HttpClient();
 HttpRequestMessage message = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/me/memberOf");
 // token: the access token returned by ADAL (AuthenticationResult.AccessToken)
 message.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
 HttpResponseMessage response = await client.SendAsync(message);
 string responseString = await response.Content.ReadAsStringAsync();

I always get StatusCode: 401, ReasonPhrase: 'Unauthorized'. In my Azure AD app registration, I added the Graph API and these permissions: [screenshots of the app registration permissions]

I think I am missing something. Any idea?

----- EDIT 1 --- Here is my payload. I changed it to a picture for legibility; I don't know how to post JSON here. [screenshot of the token payload]

----- EDIT 2 --- OH! I see. I think I need to understand the Azure login process more. For now I follow an example of ADAL and Azure that lets me log in and use some functions in my backend. So the login process uses:

 var authContext = new AuthenticationContext(authority);
 var authResult = await authContext.AcquireTokenAsync(resource, clientId, uri, platformParams);

Where authority = https://login.microsoftonline.com/mysite.com, resource is my backend app ID and clientId is my native app ID. So Shawn is correct: I do not use graph.microsoft.com to get the token. Do we have another way to achieve all that? The only reason for using Graph is to get the AD groups the user has, to adjust permissions inside the app.

1
I think I found the reason. The user I use for testing had already accepted the consent. Now that I have added the new Graph permission, I need to force it to re-accept the new consent, but I can't find a way to force it. I tried platformParams.PromptBehavior = PromptBehavior.Auto; without success. – Pierre-D Savard
Pierre, what are you asking in your update? Simply update your code to request a token for Graph rather than whatever you have set for resource. You might want to open a new question, as you are asking something completely different than before. – Shawn Tabrizi
Shawn, I was not aware that I could call AcquireTokenAsync twice in a row: once with my backend ID to get a token with aud starting with 93f, and a second call with the Graph URL to get a second token valid for Graph. Now all is working. Thanks for your help. – Pierre-D Savard

1 Answer

3
votes

You are correct in your comment. If you add a new permission to your application, you must ask the user to re-consent to the app.

You can force re-consent through ADAL by setting the PromptBehavior to Always:

 platformParams.PromptBehavior = PromptBehavior.Always;

Or you can simply modify your login URL to force it, by adding the query string:

&prompt=consent

In terms of building an app to help overcome this problem: if you think your app will be changing permissions after release, you can integrate logic which detects Unauthorized and then sends the user to re-consent.

Another option is for your app to track changes which may require a new consent prompt, detect when the user uses this new version of your application for the first time, and ask them to consent.

In our new App Model V2, we support the concept of incremental and dynamic consent, which should get rid of this problem altogether for you.
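The following C# is an added example, not code from the original question or answer. It puts together what the thread arrives at: Graph gets its own AcquireTokenAsync (separate from the one for the backend, so the token's aud is Microsoft Graph rather than the backend app ID), the aud claim is checked client-side before the call, /me/memberOf is called, and a 401 triggers a repeat of the interactive sign-in with prompt=consent, which is the answer's "detect Unauthorized, then send the user to re-consent" logic. Assumptions: ADAL 3.x on the v1.0 endpoint, its AcquireTokenAsync overload that takes extraQueryParameters, Newtonsoft.Json for parsing, and that the permission added in the portal allows reading the signed-in user's memberships; the class and method names are mine.

```csharp
// Added example (not from the original post). Acquires a token whose audience
// is Microsoft Graph, checks the aud claim, calls /me/memberOf and, on 401,
// re-runs sign-in with prompt=consent so the user re-consents to the new permission.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Newtonsoft.Json.Linq;

public class GroupMembershipClient
{
    // Resource identifier of Microsoft Graph on the v1.0 (ADAL) endpoint.
    const string GraphResource = "https://graph.microsoft.com";
    // Well-known application ID of Microsoft Graph; some tokens carry it as aud instead of the URI.
    const string GraphAppId = "00000003-0000-0000-c000-000000000000";
    const string MemberOfUrl = "https://graph.microsoft.com/v1.0/me/memberOf";

    static readonly HttpClient Http = new HttpClient();
    readonly AuthenticationContext _authContext;
    readonly string _clientId;
    readonly Uri _redirectUri;
    readonly IPlatformParameters _platformParams;

    // authority, clientId, redirectUri and platformParams are the same values the
    // question already uses for the backend sign-in (assumed caller-supplied).
    public GroupMembershipClient(string authority, string clientId, Uri redirectUri, IPlatformParameters platformParams)
    {
        _authContext = new AuthenticationContext(authority);
        _clientId = clientId;
        _redirectUri = redirectUri;
        _platformParams = platformParams;
    }

    // The backend token (aud = backend app ID) is not valid for Graph, so Graph gets
    // its own AcquireTokenAsync. ADAL caches tokens per resource and reuses the
    // cached Graph token on later calls.
    async Task<string> GetGraphTokenAsync(bool forceConsent)
    {
        AuthenticationResult result = forceConsent
            // extraQueryParameters appends &prompt=consent to the authorize URL,
            // the same effect the answer describes for the login URL.
            ? await _authContext.AcquireTokenAsync(GraphResource, _clientId, _redirectUri,
                                                   _platformParams, UserIdentifier.AnyUser, "prompt=consent")
            : await _authContext.AcquireTokenAsync(GraphResource, _clientId, _redirectUri, _platformParams);
        AssertGraphAudience(result.AccessToken);
        return result.AccessToken;
    }

    // Reads the aud claim without verifying the signature. This is a sanity check
    // that the token was requested for the right resource, not token validation:
    // Graph validates the token, and the client must not make trust decisions on
    // claims it has merely decoded.
    public static string ReadAudience(string jwt)
    {
        string payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        JObject claims = JObject.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(payload)));
        return (string)claims["aud"];
    }

    static void AssertGraphAudience(string token)
    {
        string aud = ReadAudience(token);
        if (aud != GraphResource && aud != GraphAppId)
            throw new InvalidOperationException(
                $"Token audience is '{aud}', not Microsoft Graph; it was acquired for the wrong resource.");
    }

    static Task<HttpResponseMessage> CallMemberOfAsync(string token)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, MemberOfUrl);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return Http.SendAsync(request);
    }

    // Returns the object IDs of the groups the signed-in user belongs to.
    // memberOf also returns directory roles; those are filtered out here.
    public async Task<List<string>> GetGroupIdsAsync()
    {
        string token = await GetGraphTokenAsync(forceConsent: false);
        HttpResponseMessage response = await CallMemberOfAsync(token);
        if (response.StatusCode == HttpStatusCode.Unauthorized)
        {
            // Typical after a permission is added in the portal: the user's earlier
            // consent does not cover it, so repeat sign-in with prompt=consent.
            token = await GetGraphTokenAsync(forceConsent: true);
            response = await CallMemberOfAsync(token);
        }
        response.EnsureSuccessStatusCode();

        JObject body = JObject.Parse(await response.Content.ReadAsStringAsync());
        // Only the first page is read; follow body["@odata.nextLink"] for users in many groups.
        return body["value"]
            .Where(o => (string)o["@odata.type"] == "#microsoft.graph.group")
            .Select(o => (string)o["id"])
            .ToList();
    }
}
```

Two caveats for using the result the way the question intends (adjusting permissions inside the app): key decisions on group object IDs, not display names, since names are neither unique nor stable; and treat the check as UI gating only. A native app is fully under the user's control, so the backend must make its own authorization decision from the groups it can see in the token it receives, not from what the client reports.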