
I have a Web App (Angular 7) that uses MSAL Angular to authenticate users with Azure AD and to get access tokens for accessing my Web API (.NET 4.6). Both apps were registered in the Azure Portal with the following permissions as described here:

  • Web App: user_impersonation for Web API (delegated)
  • Web API: User.Read; Mail.Send for MS Graph (delegated)

Now I'd like to call Microsoft Graph from Web API using ADAL for .NET to get some data on behalf of a user.

Following these instructions I should configure consentScopes and protectedResourceMap, but since I use AAD v1 I cannot use scopes with incremental consent.

How should I configure my Web App to get an access token for Web API and for MS Graph?

I found that it is possible to get tokens for AAD v1.0 using MSAL.js (and I'm able to communicate with my Web API), but I don't know how to configure it for the on-behalf-of flow so that the Web API can communicate with MS Graph.

UPDATE

Here is the code for making an access token request from Web API:

// using Microsoft.IdentityModel.Clients.ActiveDirectory; (ADAL.NET)
string accessToken = null;

// The access token the Web App sent to the Web API becomes the
// assertion for the on-behalf-of (OBO) flow.
var userAssertion = new UserAssertion(
    <userAccessToken>,
    "urn:ietf:params:oauth:grant-type:jwt-bearer",
    userName);
var authority = "https://login.microsoftonline.com/" + <tenant> + "/";

// The Web API's own credentials: it exchanges the user's token for a Graph token.
var clientCredential = new ClientCredential(<clientId>, <clientSecret>);
var authContext = new AuthenticationContext(authority, null); // null = no token cache

try
{
    var authResult = await authContext.AcquireTokenAsync(
        "https://graph.microsoft.com",   // v1 resource identifier, not a scope
        clientCredential,
        userAssertion);
    accessToken = authResult.AccessToken;
}
catch (AdalServiceException)
{
    // e.g. AADSTS65001 when consent for Web API -> Microsoft Graph is missing
    throw;
}

Web App is added as knownClientApplications in Web API manifest:

"knownClientApplications": [
    "<WebAppAppId>"
],

These are the scopes set in Web App (MsalModule):

consentScopes:
[
    'https://webapi.example.com/user_impersonation'
],

In this case Web App requires the following permissions on the consent screen:

  • Access WebAPIName
  • Access your data anytime
  • View your basic profile

If I try to get access token for MS Graph I get an error:

{"AADSTS65001: The user or administrator has not consented to use the application with ID 'WebApiClientId' named 'WebApiAppName'. Send an interactive authorization request for this user and resource.}

If your web API accepts v1.0 tokens, you could try to use "graph.microsoft.com" as a resource in ADAL.NET doing the OBO. An alternative would be to change your Web API to accept v2.0 tokens, and use MSAL.NET. Would that be an option for you? – Jean-Marc Prieur

I tried with "graph.microsoft.com" but I got an error (see updated question). – FIL

Does your Web API app have the required permissions given for Microsoft Graph? If not, go to the Web API's app registration in Azure AD > settings > required permissions > add Microsoft Graph and select the appropriate permissions. In the end, do click on Grant permissions if any of the permissions show Admin consent needed as yes. It could be that you selected the permissions alright but never did Grant permissions. I say this looking at the error message. – Rohit Saigal

As I said, Web API has the following permissions: User.Read; Mail.Send. Both are delegated, so the user should consent. – FIL

1 Answer


As the error message indicates, what you're missing is the consent for the Web API to access Microsoft Graph on behalf of the signed-in user.

Assuming you have already configured the app registration for the Web API to require the appropriate delegated permissions for the Microsoft Graph, you have three options to provide the consent required.

  1. Provide admin consent from the Azure portal. If this is intended to only be used in your tenant, an admin of the tenant can simply navigate to the app registration for Web API, and grant admin consent to the required permissions. (See option 1 of this answer for screenshots and more details.)

  2. Provide admin consent by constructing the appropriate URL. An alternative to using the portal to grant admin consent is to construct the consent URL. In this case, you would construct the consent URL for Web API. (See option 2 of this answer for screenshots and more details.)

  3. At runtime, during consent to Web App, leveraging knownClientApplications. If you add the AppId of Web App to the knownClientApplications list in Web API's app registration manifest, when a user is asked to consent to Web App, they will also be prompted to consent to any permissions Web API also needs. If you're using the v2 endpoint for sign-in to Web App (it sounds like you are), this approach only works if the client requests the default scope (i.e. the pre-registered permissions, e.g. https://my.api.example.com/.default).
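Option 2 above says to construct the consent URL for the Web API but does not show it. The following is an added example (not part of the answer) that builds the admin-consent URL for both the v1.0 endpoint (prompt=admin_consent on /oauth2/authorize) and the v2.0 endpoint (/adminconsent), and checks the redirect that comes back. The tenant, client id and redirect URI values in the test are constructed placeholders; the client_id must be the Web API's app id (the app that needs the Graph permissions), and the redirect_uri must be one of its registered reply URLs.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"


def admin_consent_url_v1(tenant, api_client_id, redirect_uri, state=None):
    """v1.0 endpoint: a normal authorize request with prompt=admin_consent.
    Consent is granted to api_client_id, i.e. the Web API, not the Web App."""
    state = state or secrets.token_urlsafe(16)  # bind the redirect to this request
    params = {
        "client_id": api_client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "prompt": "admin_consent",
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?{urlencode(params)}"


def admin_consent_url_v2(tenant, api_client_id, redirect_uri, state=None):
    """v2.0 endpoint: dedicated /adminconsent endpoint, same client_id rule."""
    state = state or secrets.token_urlsafe(16)
    params = {"client_id": api_client_id, "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORITY}/{tenant}/adminconsent?{urlencode(params)}"


def check_consent_redirect(redirect_url, expected_state):
    """Validate the redirect Azure AD sends back after the admin decides.
    Returns (ok, detail): ok is False on a state mismatch or an error response."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
    if query.get("state") != expected_state:
        return False, "state mismatch: possible forged or replayed redirect"
    if "error" in query:  # e.g. admin declined, or the app/redirect_uri is wrong
        return False, query.get("error_description", query["error"])
    return True, query.get("tenant", "")
```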