Azure AD authentication token fails web api authorization

Question

I have a web-api on Azure that requires authorization and I am using Azure AD to authenticate accounts and generate access tokens.

I can successfully acquire access tokens from Azure AD with ADAL for the same account in two different ways, but only one of them is authorized by the web-api, the other one fails.

The following is authenticating an account interactively and the token is authorized by the web-api

result = AuthenticationContext.AcquireTokenAsync(resource, clientId, redirectUri, new PlatformParameters(PromptBehavior)).Result;

where resource is web-api application id (guid).

The following is authenticating an account non-interactively with a given user name and password, but the token is not authorized by the web api

UserPasswordCredential cred = new UserPasswordCredential(userName, password);
result = AuthenticationContext.AcquireTokenAsync(resource, clientId, cred).Result; 

where resource = https://{tenant}/{api name}.

The web-api call is as follows:

HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
HttpResponseMessage response = await httpClient.GetAsync(ApplicationCallUri);

Both ways return identical AuthenticationResult objects (apart from tokens and time stamps) and I cannot see why authorization fails for the second one.

The web-api response is "Authorization has been denied for this request."

Since authentication succeeds for both ways, I assume it must be something with at the web-api's side. Help is much appreciated. Thanks.

Answer 1

Thanks to juunas who pointed out the audience parameter I realized that the web api was set to expect tokens for only one the two audience values. I added a second option for bearer authentication and it works for both scenarios.

Thank you juunas!