0
votes

I am getting a 401 when accessing a custom API (.NET Framework) hosted in Azure and protected with Azure AD from an SPA web app (React). The access_token seems to be fine; I can easily decrypt it in jwt.io. I set up both apps with this tutorial: https://docs.microsoft.com/en-us/azure/app-service/tutorial-auth-aad?pivots=platform-windows#enable-authentication-and-authorization-for-back-end-app

Both of my apps (API and SPA) have implicit grant enabled with both tokens. Is there something I am missing? I can authorize users and get their tokens in the SPA. When I disable authentication/authorization for the web API in Azure, everything works fine.

API permissions in SPA app: [image: spa permissions]

1
You need to post some sample code, what is called a Minimum Reproducible Example. - jbooker
Could you please share a screenshot of the "API permissions" tab of the registered app? - Hury Shen
I've added actual API permissions. - V. Hrisenko
Could you please tell me how you get the token and call the API in your React application? - Jim Xu
Jim Xu: I am using the /.auth/me endpoint of my web application. But I just now realized that the token which Azure returns me from this endpoint is valid, but seems to be expired (expiration time is half a minute back from the actual time). - V. Hrisenko

1 Answer

0
votes

The problem in my case was a bad issuer setting in the resources of the protected API. By default, Azure will set it to sts.microsoft.xyzabcdefgh..., but in my case the right issuer was login.microsoft.com/<tenant_id>/v2.0 (the issuer as it appeared in the decoded access token). So I passed the "iss" value from the access token to Azure Resources -> My API app -> config -> authsettings -> "issuer": ""
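
Added example (not code from the question or the answer): a Node.js diagnostic that decodes an access token's payload without verifying it and compares `iss` and `exp` against the issuer configured on the API, covering both the issuer mismatch described in the answer and the expiry noticed in the comments. The tenant ID, issuer strings, clock value and token are constructed sample values, and the function names are hypothetical.

```javascript
// Diagnostic only: decodes the payload WITHOUT verifying the signature,
// so never use the result for an authorization decision.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated segments");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// expectedIssuer: the "issuer" value configured on the protected API.
// nowSec: current Unix time in seconds; skewSec: tolerated clock skew.
function diagnose401(token, expectedIssuer, nowSec, skewSec = 0) {
  const claims = decodeJwtPayload(token);
  const findings = [];
  // Exact string comparison: host, path, version suffix and trailing slash all count.
  if (claims.iss !== expectedIssuer) {
    findings.push(`issuer mismatch: token="${claims.iss}" configured="${expectedIssuer}"`);
  }
  if (typeof claims.exp !== "number") {
    findings.push("no numeric exp claim");
  } else if (claims.exp + skewSec <= nowSec) {
    findings.push(`expired ${nowSec - claims.exp}s ago`);
  }
  return findings;
}

// Builds a constructed sample token with a dummy signature segment.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.ZHVtbXk`;
}

// Constructed sample values (assumptions, not taken from the page).
const TENANT = "00000000-0000-0000-0000-000000000000";
const V1_ISSUER = `https://sts.windows.net/${TENANT}/`;
const V2_ISSUER = `https://login.microsoftonline.com/${TENANT}/v2.0`;
const NOW = 1700000000; // fixed clock so results are reproducible
const sampleToken = makeSampleToken({ iss: V2_ISSUER, exp: NOW - 30 });

// API configured with the v1 issuer; token carries the v2 issuer and expired 30 s ago.
console.log(diagnose401(sampleToken, V1_ISSUER, NOW));
// API configured with the token's own issuer, 60 s skew tolerated: no findings.
console.log(diagnose401(sampleToken, V2_ISSUER, NOW, 60));
```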