3
votes

Good Day,

Currently I have a single tenant with a React UI and .NET Core APIs secured by Azure Active Directory without any problems.

We have recently moved to a new Azure Tenant, new Active Directory etc. I have created two new App Registrations, one single App Service for UI and one for API. I have linked the App Service to AAD (UI = UI App Registration, API = API App Registration).

The problem is the API is getting a 401 error, and I can see that in the original tenant the Bearer token is in a JWT format but in the new instance it's not; I believe it may be a Graph API access key.

New Tenant: Authorization: Bearer PAQABAAAAAAD--DLA3VO7QrddgJg7WevrQvEQVbZEMD8su-tIp9k2bTFUTort7SZgeDI52P6KRYefHgtmj4YrecgUKZJ2wylGuhvIzIz642n7Sg0VMU1RwKtrzWlaMqK62CaSoJcstxiEf6 *****

Original Tenant: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyIsImtpZCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyJ9.eyJhdWQiOiI3OThkN2ZkOC0zODk2LTQxOGMtOTQ0Ny0wNGFlNTQ2OGFkNDIiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC83ZDE3NTU3Ni03Y2Y3LTQyMDctOTA5My0wNmNiNmQyZDIwNjAvIiwiaWF0IjoxNjE2NDUyNzExLCJuYmYiOjE2MTY0NTI3MTEsImV4cCI6MTYxNjQ1NjYxMSwiYWNyIjoiMSIsImFpbyI6IkFTUUEyLzhUQUFBQU9mejhPZHp *****

Would someone be kind enough to provide some guidance / input on where I am going wrong?

Regards, Paul.

3
Have you tried sending the authentication call via Fiddler and reading the raw response? I wonder if there are any interesting details in there except a bare 401... - Duck Ling
Not really, only getting the following: "You do not have permission to view this directory or page." If I turn off Auth for API, everything works as expected. - Paul
I see. I suggest that you share your request URL/body/query string or code if using a client library, so we know what endpoint you are calling. - Duck Ling
In your original (pre-migration) domain setup, did you have two AD applications, one for the app and one for the API? Or did you have one AD app for both? - Sql Surfer
I created the post-migration setup the same as the original (but this was done by someone else), so there are two app registrations, one for UI and one for API. - Paul

3 Answers

2
votes

When using Azure AD to obtain an access token, an additional resource parameter is required. Otherwise, the access token is not a JWT.

Scopes

For example, if your web API's application ID URI is https://contoso.com/api and the scope name is Employees.Read.All, then with oidc-client the client configuration should be:

scope: 'openid profile email Employees.Read.All',
extraQueryParams: {
  resource: 'https://contoso.com/api'
}

In App Service auth configuration, you can use additionalLoginParams:

"additionalLoginParams": ["response_type=code", "resource=https://contoso.com/api"]

If you did not use a custom application ID URI, it may look like api://868662dd-3e28-4c7f-b7d5-7ec02ac9c601.

Quickstart: Configure an application to expose a web API
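As an added example (not part of this answer, and not oidc-client or App Service code), a small Node.js check that separates an opaque token from a JWT and confirms the JWT's aud claim is the API's application ID URI, which is the first thing to inspect when the API answers 401; the tenant id and signature in the sample tokens are constructed placeholders.

```javascript
function base64UrlDecode(segment) {
  // base64url -> base64, then pad to a multiple of 4 before decoding
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Classify a bearer token and check its audience. No signature verification here:
// that is the API's job, against the tenant's published signing keys.
function inspectBearerToken(token, expectedAudience) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    // Opaque (non-JWT) token: typical when no `resource` was requested from Azure AD.
    return { kind: 'opaque', ok: false, reason: 'not a three-part JWT; was resource sent?' };
  }
  let payload;
  try {
    payload = JSON.parse(base64UrlDecode(parts[1]));
  } catch (err) {
    return { kind: 'malformed', ok: false, reason: 'payload is not base64url-encoded JSON' };
  }
  const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!audiences.includes(expectedAudience)) {
    return { kind: 'jwt', ok: false, aud: audiences, reason: 'aud is not the API resource' };
  }
  return { kind: 'jwt', ok: true, aud: audiences, iss: payload.iss, reason: 'audience matches' };
}

// Constructed samples: hypothetical tenant id, placeholder signature (never use as real tokens).
function makeUnsignedJwt(payload) {
  const header = base64UrlEncode(JSON.stringify({ typ: 'JWT', alg: 'RS256' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.placeholder-signature`;
}
const API_RESOURCE = 'https://contoso.com/api';
const ISSUER = 'https://sts.windows.net/<tenant-id-placeholder>/';
const SAMPLE_GOOD = makeUnsignedJwt({ aud: API_RESOURCE, iss: ISSUER, exp: 1616456611 });
const SAMPLE_GRAPH = makeUnsignedJwt({ aud: 'https://graph.microsoft.com', iss: ISSUER });
const SAMPLE_OPAQUE = 'PAQABAAAAAAD--DLA3VO7QrddgJg7Wevr';  // shape of the new tenant's token

for (const t of [SAMPLE_GOOD, SAMPLE_GRAPH, SAMPLE_OPAQUE]) {
  console.log(inspectBearerToken(t, API_RESOURCE));
}
```

A token whose aud is Microsoft Graph (or that is not a JWT at all) will be rejected by an API validating against its own application ID URI, which is exactly the 401 seen in the question.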

0
votes

Firstly, the scope is incorrect.

You should Expose an API in your API App Registration and then add it as a permission in your UI App Registration. You can refer to this document.

And when you try to call the https://login.windows.net/{tenant}/oauth2/authorize endpoint, you need to specify the scope to include api://{app id of the API App Registration}. For example: api://{app id of the API App Registration} openid profile email. Then the access token would be for calling your API.

Lastly, for the CORS issue, please configure CORS as * in your web app to see if it helps.