Azure AD多租户WebApi承载授权配置

Question

I'm currently working on an ASP.net MVC and Web API project with AAD single sign on. The current problem I'm facing is that I don't know how to configure the authorization for the WebAPI. This is my current way I've tried but it doesn't work.

 
public void ConfigureAuth(IAppBuilder app)
        {
...
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
                        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                        {
                            Tenant = "common",
                            TokenValidationParameters = new TokenValidationParameters
                            {
                                ValidAudience = audience,
                                ValidateIssuer = false


                        }              });


...} 

And I fetch the access token trough postman token predefined token request and that works.

postman token request

When I call the WebAPI (Header: Authorization -> Bearer )I got the following exception back:

{
    "Message": "Authorization has been denied for this request."
}

Do I have to prepare the token request, the API header, or the configuration?

BG, Tom

Answer 1

Here is a sample about Building a multi-tenant web API secured by Azure AD . You could download it and follow the steps it provided to configure it.

The application uses the Active Directory Authentication Library (ADAL) to obtain a JWT access token through the OAuth 2.0 protocol. The access token is sent to the web API to authenticate the user. The web API project demonstrates how to structure your services for being accessed by users coming from multiple Azure AD tenants.

As you want to login multiple tenants, you need to go to the app registered and click Manifest option set availableToOtherTenants to true .

For more details, you could refer to this article .