I have a Web App (Angular 7) that uses MSAL Angular to authenticate users with Azure AD and to get access tokens for accessing my Web API (.NET 4.6). Both apps were registered in the Azure Portal with the following permissions as described here:
- Web App: user_impersonation for Web API (delegated)
- Web API: User.Read; Mail.Send for MS Graph (delegated)
Now I'd like to call Microsoft Graph from Web API using ADAL for .NET to get some data on behalf of a user.
Following these instructions I should configure consentScopes and protectedResourceMap, but since I use AAD v1 I cannot use scopes with incremental consent.
How should I configure my Web App to get an access token for Web API and for MS Graph?
I found that it is possible to get tokens for AAD v1.0 using MSAL.js (and I'm able to communicate with my Web API), but I don't know how to configure it for on behalf of flow for communicating Web API with MS Graph.
UPDATE
Here is the code for making an access token request from Web API:
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    string accessToken = null;
    // The assertion is the access token the Web App presented to the Web API.
    var userAssertion = new UserAssertion(
        <userAccessToken>,
        "urn:ietf:params:oauth:grant-type:jwt-bearer",
        userName);
    var authority = "https://login.microsoftonline.com/" + <tenant> + "/";
    // The Web API acts as the client in the on-behalf-of exchange, so it uses its own credentials.
    var clientCredential = new ClientCredential(<clientId>, <clientSecret>);
    var authContext = new AuthenticationContext(authority, null); // null: no token cache
    try
    {
        var authResult = await authContext.AcquireTokenAsync(
            "https://graph.microsoft.com", // v1 resource identifier for MS Graph
            clientCredential,
            userAssertion);
        accessToken = authResult.AccessToken;
    }
    catch (AdalServiceException) { throw; }
Web App is added as knownClientApplications in Web API manifest:
    "knownClientApplications": [
        "<WebAppAppId>"
    ],
These are the scopes set in Web App (MsalModule):
    consentScopes: [
        'https://webapi.example.com/user_impersonation'
    ],
In this case Web App requires the following permissions on the consent screen:
- Access WebAPIName
- Access your data anytime
- View your basic profile
If I try to get an access token for MS Graph I get an error:

    AADSTS65001: The user or administrator has not consented to use the application with ID 'WebApiClientId' named 'WebApiAppName'. Send an interactive authorization request for this user and resource.
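As an added example (not the question's code and not a Microsoft sample), here is a Web API 2 action that performs the same on-behalf-of exchange and then calls Graph with the result; it assumes the OWIN bearer middleware has already validated the inbound token, and the appSettings keys ida:Tenant, ida:ClientId and ida:ClientSecret are hypothetical names. It also shows how the AADSTS65001 consent failure can be reported back to the Web App instead of being rethrown.

```csharp
// Added example, not the question's code: Web API 2 action that does the ADAL
// on-behalf-of exchange and calls Graph /me. Assumes OWIN bearer middleware
// validated the inbound token; appSettings keys ida:* are hypothetical names.
using System.Configuration;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
public class MeController : ApiController
{
    const string Graph = "https://graph.microsoft.com";
    const string ScopeClaim = "http://schemas.microsoft.com/identity/claims/scope";
    [Authorize]
    public async Task<IHttpActionResult> Get()
    {
        var user = (ClaimsPrincipal)User;
        // Exchange only tokens that carry the delegated user_impersonation scope.
        var scopes = (user.FindFirst(ScopeClaim)?.Value ?? "").Split(' ');
        if (!scopes.Contains("user_impersonation")) return StatusCode(HttpStatusCode.Forbidden);
        // The OBO assertion is the exact bearer token this API received.
        var inbound = Request.Headers.Authorization;
        if (inbound == null || inbound.Scheme != "Bearer") return Unauthorized();
        var cfg = ConfigurationManager.AppSettings;
        var ctx = new AuthenticationContext(
            "https://login.microsoftonline.com/" + cfg["ida:Tenant"] + "/", null); // null: no cache
        var credential = new ClientCredential(cfg["ida:ClientId"], cfg["ida:ClientSecret"]);
        var assertion = new UserAssertion(inbound.Parameter,
            "urn:ietf:params:oauth:grant-type:jwt-bearer", user.FindFirst(ClaimTypes.Upn)?.Value);
        AuthenticationResult result;
        try
        {
            result = await ctx.AcquireTokenAsync(Graph, credential, assertion);
        }
        catch (AdalServiceException ex) when (ex.Message.Contains("AADSTS65001"))
        {
            // Consent for the API's Graph permissions is missing; the API cannot prompt, so tell the SPA.
            return Content(HttpStatusCode.Forbidden, new { error = "consent_required", code = ex.ErrorCode });
        }
        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
            return ResponseMessage(await http.GetAsync(Graph + "/v1.0/me"));
        }
    }
}
```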
User.Read; Mail.Send. Both are delegated, so the user should consent. – FIL