0
votes

I am trying to set up an API to be protected using OAuth 2.0 in Azure AD. I followed the steps here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow.

The API has one scope (one application permission) defined. I am able to add the API permission to the client app successfully, and have selected the right scope, as shown in the screenshot.


However, when I test the web app, after authentication the below error is thrown:

    The application OAuthClientApp asked for scope approle that doesn't exist on the resource 2700000003-0000-0000-c000-000000000000. Contact the app vendor.


1 Answer

1
vote

App permissions only apply when a client app uses client credentials for authentication, i.e. when there is no user involved. A client can acquire an access token using its client id + secret/certificate with the scope your-api-client-id/.default or your-api-id-uri/.default. Documentation for the client credentials grant: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.

.default basically means "the permissions required statically by my app in the registration". Since app permissions must be required statically, it makes sense to use it.

The authorization code grant, implicit grant and a few others involve a user in the authentication, and then only delegated permissions apply.

Remember to also grant admin consent for the app permission. In the screenshot it says consent has not been granted.
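The points in the answer above, as an added example that is not part of the original question or answer: a client credentials request to the v2.0 token endpoint must ask for `<resource>/.default` rather than the name of an individual app permission, and an access token issued that way carries app permissions in the `roles` claim, whereas a user-involved flow puts delegated permissions in `scp`. The tenant, client id, secret and API id values below are placeholders, the JWT is constructed locally for illustration (unsigned, `alg: none`), and `permissions_in_token` only decodes claims; it performs no signature or audience validation and must not be used as a token validator.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Azure AD v2.0 token endpoint (tenant is a GUID or verified domain).
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def default_scope(api_identifier: str) -> str:
    """Build the '.default' scope for an API from its client id or App ID URI.

    Client credentials flows cannot ask for a single permission name
    ('approle'); they ask for every app permission granted statically
    in the registration via '<resource>/.default'.
    """
    return api_identifier.rstrip("/") + "/.default"


def build_client_credentials_request(tenant: str, client_id: str,
                                     client_secret: str, scope: str):
    """Return (url, urlencoded body) for a client credentials token request.

    Rejects scopes that are not '<resource>/.default', since that is the
    mistake behind 'asked for scope ... that doesn't exist on the resource'.
    """
    if not scope.endswith("/.default"):
        raise ValueError(
            f"client credentials must request <resource>/.default, not {scope!r}")
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # or a client_assertion for a certificate
        "scope": scope,
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), urlencode(body)


def fetch_token(url: str, body: str) -> dict:
    """POST the request built above and return the JSON response (network call)."""
    req = Request(url, data=body.encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=15) as resp:
        return json.load(resp)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def permissions_in_token(access_token: str):
    """Classify the permissions an access token carries, without validating it.

    App permissions (client credentials, no user) show up as a 'roles' list;
    delegated permissions (user-involved flows) show up as a space-separated
    'scp' string. Returns (kind, names).
    """
    _header, payload, _signature = access_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    if "roles" in claims:
        return "application", list(claims["roles"])
    if "scp" in claims:
        return "delegated", claims["scp"].split()
    return "none", []


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token for the demo only: header.payload with an empty signature."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    # Placeholder identifiers; replace with the real registration values.
    api_scope = default_scope("api://00000000-0000-0000-0000-000000000001")
    url, body = build_client_credentials_request(
        "contoso.onmicrosoft.com", "client-app-id", "client-secret", api_scope)
    print("POST", url)
    print(body)
    # The request the original poster effectively made, which Azure AD rejects:
    try:
        build_client_credentials_request("contoso.onmicrosoft.com",
                                         "client-app-id", "client-secret",
                                         "api://00000000-0000-0000-0000-000000000001/approle")
    except ValueError as err:
        print("rejected locally:", err)
    # A constructed app-only token vs a constructed delegated token.
    print(permissions_in_token(make_unsigned_jwt({"aud": api_scope, "roles": ["approle"]})))
    print(permissions_in_token(make_unsigned_jwt({"aud": api_scope, "scp": "read write"})))
```

In a real deployment the resource API still has to check the `roles` claim (and `aud`, issuer, expiry and signature) on every request; admin consent in the portal only determines whether Azure AD will put `approle` into the token in the first place.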