1
votes

I am setting up a background process which will communicate with an API secured by Azure AD. Without giving delegated access to the API, the client app is able to generate an access token.

Using the client credential flow, is it possible to generate an access token for the web API without giving delegated permission? I am able to generate it, but according to it should not happen. Any app created in my tenant is able to generate the token for the web API without delegated permission.

I have followed the sample below on GitHub: https://github.com/Azure-Samples/active-directory-dotnet-daemon

It should not be able to generate an access token if no delegated access is provided.

1

Whether I give delegated access or not, the content of the token is the same. Only if I give application permission does it come through in the token. How do I validate on the API side whether delegated permission is provided or not? – mohit garg

1 Answer

1
votes

This is normal. If you are using the client credential flow, even if your client app does not have the application permission and delegated permission, it will be able to generate the access token. But you could not use this token to call the API, because the token does not have the permissions in its claims. You could decode the token at https://jwt.io/, then you can see the permissions as below.

[Screenshot: decoded token showing the permission claims]

Update:

If you want to check the delegated permissions, you need to use the ROPC flow. Check the scope in the response; those are the delegated permissions.

[Screenshot: ROPC token response showing the scope field]
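As an added example (not part of the question, the answer, or the linked GitHub sample), here is the API-side check the comment asks about: Azure AD places application permissions granted through client credentials in the `roles` claim and delegated permissions in the `scp` claim, so the API decides by reading those claims rather than by whether a token was issued at all. The payloads and permission names are constructed, and the unsigned JWT exists only so the snippet runs offline; a real API validates signature, issuer, audience and expiry before trusting any claim.

```python
import base64
import json

# Constructed sample payloads (not real tokens). Azure AD puts application
# permissions in "roles" and delegated permissions in a space-separated "scp".
APP_ONLY_PAYLOAD = {"aud": "api://my-api", "appid": "client-1", "roles": ["Data.Read.All"]}
DELEGATED_PAYLOAD = {"aud": "api://my-api", "appid": "client-1", "oid": "user-1", "scp": "Data.Read"}
NO_PERMISSION_PAYLOAD = {"aud": "api://my-api", "appid": "client-1"}  # client credentials, nothing granted


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(payload: dict) -> str:
    """Build a JWT with an empty signature, for local demonstration only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def decode_payload(token: str) -> dict:
    """Decode the payload segment (what jwt.io displays). This does NOT verify
    the signature; production code must validate the token before this step."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(segment))


def authorize(token: str, required_role: str, required_scope: str) -> str:
    """Return 'application', 'delegated' or 'denied' for the caller.

    A token with an "scp" claim was issued on behalf of a signed-in user, so the
    delegated scope must match. A token without "scp" is app-only (client
    credentials) and must carry the application permission in "roles".
    """
    claims = decode_payload(token)
    if "scp" in claims:
        return "delegated" if required_scope in claims["scp"].split() else "denied"
    if required_role in claims.get("roles", []):
        return "application"
    return "denied"
```

The third payload models the situation in the question: the token is issued, but the API rejects it because neither claim is present.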