I have a web-api on Azure that requires authorization and I am using Azure AD to authenticate accounts and generate access tokens.
I can successfully acquire access tokens from Azure AD with ADAL for the same account in two different ways, but only one of them is authorized by the web-api, the other one fails.
The following is authenticating an account interactively and the token is authorized by the web-api
var authContext = new AuthenticationContext(authority);   // authority = https://login.microsoftonline.com/{tenant}
result = authContext.AcquireTokenAsync(resource, clientId, redirectUri, new PlatformParameters(PromptBehavior.Auto)).Result;
where resource is web-api application id (guid).
The following is authenticating an account non-interactively with a given user name and password, but the token is not authorized by the web api
UserPasswordCredential cred = new UserPasswordCredential(userName, password);
result = authContext.AcquireTokenAsync(resource, clientId, cred).Result;   // same AuthenticationContext as above
where resource = https://{tenant}/{api name}.
The web-api call is as follows:
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
HttpResponseMessage response = await httpClient.GetAsync(ApplicationCallUri);
Both ways return identical AuthenticationResult objects (apart from tokens and time stamps) and I cannot see why authorization fails for the second one.
The web-api response is "Authorization has been denied for this request."
Since authentication succeeds both ways, I assume it must be something on the web-api's side. Help is much appreciated. Thanks.
Thanks to juunas, who pointed out the audience parameter, I realized that the web api was set to expect tokens for only one of the two audience values. I added a second option for bearer authentication and it works for both scenarios.
Thank you juunas!
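The root cause is the aud claim: with the Azure AD v1 endpoint the token's audience is whatever string the client passed as resource, so the interactive call (resource = the application id GUID) and the username/password call (resource = the App ID URI https://{tenant}/{api name}) produce tokens with two different aud values for the same API. A bearer middleware configured with a single Audience rejects whichever one it was not told about. The following OWIN startup is an added example, not the poster's code, showing the usual way to accept both audiences in one middleware registration via TokenValidationParameters.ValidAudiences rather than registering the bearer middleware twice; the tenant name, GUID and App ID URI are placeholders.

```csharp
using System.IdentityModel.Tokens;                 // TokenValidationParameters (System.IdentityModel.Tokens.Jwt 4.x)
using Microsoft.Owin;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

[assembly: OwinStartup(typeof(WebApi.Startup))]

namespace WebApi
{
    public partial class Startup
    {
        // Placeholder values for the example; replace with the real tenant and app registration values.
        private const string Tenant = "contoso.onmicrosoft.com";
        private const string ApiApplicationId = "00000000-0000-0000-0000-000000000000";  // application id (GUID)
        private const string ApiAppIdUri = "https://contoso.onmicrosoft.com/my-api";     // App ID URI

        public void ConfigureAuth(IAppBuilder app)
        {
            // Weak configuration (the situation described above): only one audience is valid,
            // so tokens whose aud claim is the other identifier are rejected with 401.
            //
            // app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            //     new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            //     {
            //         Tenant = Tenant,
            //         Audience = ApiApplicationId
            //     });

            // Corrected configuration: both identifiers of this API are valid audiences.
            // Issuer and signing keys are still fetched from the tenant's federation metadata.
            app.UseWindowsAzureActiveDirectoryBearerAuthentication(
                new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                {
                    Tenant = Tenant,
                    TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidAudiences = new[] { ApiApplicationId, ApiAppIdUri },
                        ValidateIssuer = true,
                        ValidateLifetime = true
                    }
                });
        }
    }
}
```

Keep the list to identifiers that genuinely belong to this API; every entry in ValidAudiences is a token audience the API will honour, so adding other apps' identifiers there would let tokens issued for those apps be replayed against yours.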