
Service to Service authentication with Managed Identity in Azure

From my Azure Function I'm trying to access an API endpoint of another custom service that has been registered as an app in Azure. I have Managed Identity enabled for my Azure Function. I use the following code to obtain a token:

var tokenIssuerAddress = @"uriOfServiceThatImTryingToConsume";
var tokenProvider = new AzureServiceTokenProvider("RunAs=App");
var accessToken = await tokenProvider.GetAccessTokenAsync(tokenIssuerAddress);

This seems to be fine since I'm getting a bearer token. But when I then try to call the service itself with the token:

using (var client = new HttpClient())
{
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", $"{accessToken}");
    var response = await client.GetAsync($"{uriOfServiceThatImTryingToConsume}{path}");
}

I get a 200 OK, but the response is an HTML page that starts with the following:

<!-- Copyright (C) Microsoft Corporation. All rights reserved. -->
<!DOCTYPE html>
<html dir="ltr" class="" lang="en">

<head>
    <title>Sign in to your account</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=2.0, user-scalable=yes">
    <meta http-equiv="Pragma" content="no-cache">
    <meta http-equiv="Expires" content="-1">
    <link rel="preconnect" href="https://aadcdn.msftauth.net" crossorigin>
    <meta http-equiv="x-dns-prefetch-control" content="on">
    <link rel="dns-prefetch" href="//aadcdn.msftauth.net">
    <link rel="dns-prefetch" href="//aadcdn.msauth.net">

Why do I get an HTML login page as the response when I'm using the bearer token that I got? Am I missing a step?

You have done the right thing by registering the API as an app in Azure. You also have to add the authentication middleware, like

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

// In Startup.ConfigureServices of the API being called:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        AuthenticationSettings settings = Configuration.GetSection("Authentication").Get<AuthenticationSettings>();
        // Authority: the Azure AD tenant endpoint whose signing keys are used to validate the token
        o.Authority = settings.Authority;
        o.TokenValidationParameters = new TokenValidationParameters
        {
            // Accept only tokens whose "aud" claim is this app's client id or its App ID URI
            ValidAudiences = new[]
            {
                settings.ClientId,
                settings.ApplicationIdUri
            }
        };
    });

Then add "UseAuthentication" in the pipeline. See if this helps.

Assuming that the bearer token you are getting is valid and what you expect (you can always decode it to have a look at its claims), then you need to provide more details about the specific service you are calling. It's possible that the service requires 2FA or has another authentication-strength policy that your bearer token does not meet and is thereby redirecting to continue authentication.
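Both answers above come down to the same check: the token's claims must match what the API's middleware is configured to accept (the `ValidAudiences` and `Authority` in the first answer), and decoding the token is how you find out whether they do (the second answer). The following script, added here as an example and not part of either answer or of any Microsoft library, decodes a JWT's payload without verifying the signature and applies the same audience, tenant and expiry rules the API side would apply. All identifiers in it (client id, App ID URI, tenant id, the sample tokens) are constructed placeholders; the tokens are unsigned (`alg=none`) purely so the script runs offline, which a real API must of course reject.

```python
import base64
import json
import time
from typing import List, Optional

# Constructed sample values (not from the original post). On the API side these
# are what the answer's AuthenticationSettings would carry: the app's ClientId,
# its ApplicationIdUri (the two ValidAudiences) and the tenant behind Authority.
EXPECTED_AUDIENCES = {
    "11111111-2222-3333-4444-555555555555",        # ClientId of the API's app registration
    "api://example-api.contoso.onmicrosoft.com",  # ApplicationIdUri of the API
}
EXPECTED_TENANT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # tenant id in the Authority URL


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT checking its signature.

    This only shows what the token says about itself, which is all the client
    needs to spot a wrong audience or tenant. The API must still verify the
    signature; the JwtBearer middleware does that against the authority's keys.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, now: Optional[float] = None) -> List[str]:
    """Apply the same audience/issuer/expiry rules the API's middleware applies.

    Returns a list of problems; an empty list means the claims match what the
    API expects (the signature is still unverified here).
    """
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems: List[str] = []

    # 'aud' may be a string or a list; the middleware accepts any listed audience.
    aud = claims.get("aud")
    audiences = set(aud) if isinstance(aud, list) else {aud}
    if not audiences & EXPECTED_AUDIENCES:
        problems.append(
            f"aud {sorted(map(str, audiences))} is not one of the API's ValidAudiences: "
            "the token was issued for a different resource"
        )

    # Azure AD issuers embed the tenant id (https://sts.windows.net/<tenant>/ for v1
    # tokens, https://login.microsoftonline.com/<tenant>/v2.0 for v2 tokens).
    if EXPECTED_TENANT not in claims.get("iss", ""):
        problems.append(f"iss {claims.get('iss')!r} is not from the expected tenant")

    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED token (alg=none, empty signature) so the check runs
    offline. Constructed for this example only; a real API must reject it."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed tokens: one requested for the API itself, one requested for a
# different resource (the mismatch that makes an API reject an otherwise valid token).
GOOD_TOKEN = make_sample_token({
    "aud": "api://example-api.contoso.onmicrosoft.com",
    "iss": f"https://sts.windows.net/{EXPECTED_TENANT}/",
    "exp": 4102444800,  # far in the future
    "appid": "99999999-8888-7777-6666-555555555555",  # caller's managed identity (constructed)
})
WRONG_AUDIENCE_TOKEN = make_sample_token({
    "aud": "https://management.azure.com/",
    "iss": f"https://sts.windows.net/{EXPECTED_TENANT}/",
    "exp": 4102444800,
})

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("wrong audience", WRONG_AUDIENCE_TOKEN)):
        print(name, "->", check_token(tok) or "claims match the API's expectations")
```

Run it against the token your function actually receives by replacing `GOOD_TOKEN` with that string: if `aud` is not the API's client id or App ID URI, the token was requested for the wrong resource and the API will never accept it, whichever middleware it uses. The script deliberately stops at inspection; signature verification belongs on the API side, where the `JwtBearer` handler fetches the tenant's signing keys from the configured `Authority`.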
