MSAL authentication token issues

1
votes

I have integrated MSAL library in iOS to get the token and send to the our backend server for further use. we are using below code to get the token:

let kClientID = "xxxxxx-xxxx-xxxx-xxxx-xxxxxx" 
let kGraphEndpoint = "https://graph.microsoft.com/"
let kAuthority = "https://login.microsoftonline.com/xxxxxx-xxxx-xxxx-xxxx-xxxxxx"
let kScopes: [String] = ["user.read"]

let bundleID = Bundle.main.bundleIdentifier ?? "com.default.test"
let kRedirectUri = "msauth.\(bundleID)://auth"

Aquire Token code:

if let applicationContext = self.applicationContext, let webViewParameters = self.webViewParamaters {
            
    let parameters = MSALInteractiveTokenParameters(scopes: kScopes, webviewParameters: webViewParameters)
    parameters.promptType = .selectAccount
    
    applicationContext.acquireToken(with: parameters) { (result, error) in
        
        if let error = error {
            self.log(text: "Could not acquire token: \(error)")
            return
        }
        
        guard let result = result else {
            self.log(text: "Could not acquire token: No result returned")
            return
        }
        
        self.token = result.accessToken
        
        // calling graph API to get the name and user id ( Success )

        // sending this token to our API backend ( Failure 401 )
        

    }
}

Problem:
When Graph API is called from frontend iOS application after getting token, it is working, and when we are sending same token to backend then it is not working getting 401 error. The same token is not valid for backend application, but this was working Earlier when we were using ADAL Library in iOS application.

Is it because of Redirect URI ?? in ADAL we were using API endpoint as redirect and now we are using "msauth.\(bundleID)://auth" this format.

Please help.

1
azuremsaladal
You need to acquire 2 access tokens, one for MS Graph and one for your back-end. You do this by calling acquire token twice with different scopes. An access token is only valid for one API, they cannot be mixed.juunas

1 Answers

2
votes

Token you may have received is only for MS Graph API, not your API ,As front-end acquires access token for Microsoft Graph API.

In your front-end you need to specify scopes for your backend API as mentioned by @juunas.

When your application needs to request an access token with specific permissions for a resource API, pass the scopes containing the app ID URI of the API in the format like this-> app ID URI/scope

From MSdocs reference, Some example scope values for different resources:

Microsoft Graph API: https://graph.microsoft.com/User.Read

Custom web API:api://11111111-1111-1111-1111-111111111111/api.read

To set scopes in portal , go to the app registration of your API in Azure AD > Expose an API> add a scope. Azure AD should then give you a token that is meant for your API.

SO reference