0 votes

I have a custom Web API in dotnet core, which I have secured using [Authorize(Policy = "Admin")].
I have registered the web api in Azure AD using App Registration. I have created two application roles "Admin" and "Customer".
I have a console app which is registered as client in Azure AD using App Registration in Azure.
Now, when I request the access token with the scope api://{guid}/.default (all permissions) from the OAuth 2.0 token endpoint (v2), https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token,

I get the access token and I am able to call my Web API method. But when I call the Web API with a specific scope, say the "Admin" scope api://{guid}/Admin,

I get this error:

Error: Could not complete OAuth 2.0 token request: "AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope api://{guid}/Admin is not valid"

1
Sorry, maybe I provided an unclear answer before. I have now updated my answer. If my answer is helpful for you, you can accept it as the answer (click on the check mark beside the answer to toggle it from greyed out to filled in. See meta.stackexchange.com/questions/5234/…). This can be beneficial to other community members. Thank you. - Allen Wu

1 Answer

1 vote

api://{guid}/Admin is not an API that is exposed in your Web API Azure AD app.

If you want to add "Admin" as a Delegated permission, you should expose it as an API.

Then you should add the delegated permissions in your web app Azure AD application (not the Web API Azure AD app).

Don't forget to click on "Grant admin consent for {your tenant}" to finish the admin consent.

Now you can specify it as the scope while requesting the token using the authorization code flow.


Update:

Sorry, I have to add more information here.

The screenshot above is for exposing Delegated permission.

If you want to expose Application permission, creating application roles is correct.

After you create the application roles, you should add the permissions in your web app Azure AD application (not the Web API Azure AD app).

Select the Web API Azure AD app. Then you will see the Application permissions. Select the App role you just created in the Web API Azure AD app.

Don't forget to click on "Grant admin consent for {your tenant}" to finish the admin consent.

After that, you can specify it as the scope while requesting the token using the client credentials flow.
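Added example (not code from the original question or answer): both halves of the application-permission route described in the update, which is the asker's console-app case. The client side uses MSAL.NET (Microsoft.Identity.Client) to run the client credentials flow with the .default scope; the Web API side uses the ASP.NET Core JwtBearer handler on .NET 6 minimal hosting and maps the token's "roles" claim so that [Authorize(Policy = "Admin")] is satisfied by the app role. The placeholders {tenantId}, {guid} (the Web API registration's client ID), {clientId}, {clientSecret} and the https://localhost:5001/api/admin URL are assumptions, as is accepting both v1 and v2 token formats; the two sections are the Program.cs files of two separate projects shown in one block.

```csharp
// ===== Console app (client): Program.cs =====
// NuGet: Microsoft.Identity.Client
// {clientId}, {clientSecret}, {tenantId}, {guid} and the URL are placeholders (assumed).
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

class ClientProgram
{
    static async Task Main()
    {
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create("{clientId}")                       // the console app's own registration
            .WithClientSecret("{clientSecret}")
            .WithAuthority("https://login.microsoftonline.com/{tenantId}/v2.0")
            .Build();

        // App roles are granted to the application as a whole, so there is no
        // per-role scope to ask for: "api://{guid}/Admin" is rejected with
        // AADSTS70011. Request ".default" and Azure AD puts every app role the
        // client has been granted (after admin consent) into the "roles" claim.
        AuthenticationResult result = await app
            .AcquireTokenForClient(new[] { "api://{guid}/.default" })
            .ExecuteAsync();

        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", result.AccessToken);
        Console.WriteLine(await http.GetStringAsync("https://localhost:5001/api/admin"));
    }
}

// ===== Web API: Program.cs (.NET 6 minimal hosting) =====
// NuGet: Microsoft.AspNetCore.Authentication.JwtBearer
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://login.microsoftonline.com/{tenantId}/v2.0";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Which token format the API receives depends on
            // accessTokenAcceptedVersion in the Web API's manifest:
            // v2 tokens use the client id as "aud" and the v2.0 issuer,
            // v1 tokens use the App ID URI and the sts.windows.net issuer.
            // Accepting both is an assumption made for this example.
            ValidAudiences = new[] { "{guid}", "api://{guid}" },
            ValidIssuers = new[]
            {
                "https://login.microsoftonline.com/{tenantId}/v2.0",
                "https://sts.windows.net/{tenantId}/",
            },
            // Azure AD carries app roles in the "roles" claim. Without this
            // mapping RequireRole("Admin") inspects a different claim type
            // and every request is rejected with 403 even with a valid token.
            RoleClaimType = "roles",
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Satisfied by a client-credentials token whose "roles" contains "Admin".
    options.AddPolicy("Admin", policy => policy.RequireRole("Admin"));
});
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();   // must run before UseAuthorization
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("api/[controller]")]
public class AdminController : ControllerBase
{
    [HttpGet]
    [Authorize(Policy = "Admin")]
    public IActionResult Get() => Ok("Admin app role present");
}
```

If the API still answers 403, decode the access token (it is a plain JWT) and look for the "roles" claim: when it is missing, the app role has not been added to the client registration's API permissions or admin consent has not been granted, and re-requesting the token will not help until that is fixed. A token that carries "scp" instead of "roles" is a delegated token from a user flow, which the "Admin" policy above does not accept.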