
I've created a multi-tenant Web API that works just fine. Now I want to build a native client for testing. The Web API app is defined in one tenant (webapitenant). The test app is defined in another tenant (clienttenant) that has given admin consent to the Web API.

I've added the testClientId as a knownClientApplication in the Web API's app manifest, with oauth2AllowImplicitFlow enabled. The test client has been granted permissions to the Web API app.

GetAccessToken:

using Microsoft.IdentityModel.Clients.ActiveDirectory;

private static string GetAccessToken(string testClientId)
{
    // ADAL username/password flow against the common endpoint
    var userCredential = new UserCredential("admin@clienttenant.onmicrosoft.com", "password");
    var context = new AuthenticationContext("https://login.windows.net/common");

    // The resource is the Web API's App ID URI in webapitenant
    return context.AcquireToken("https://webapitenant.onmicrosoft.com/webApiResourceUri", testClientId, userCredential).AccessToken;
}

Exception thrown: 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' in Microsoft.IdentityModel.Clients.ActiveDirectory.dll

Additional information:
AADSTS65001: The user or administrator has not consented to use the application with ID 'nativeclientid'. Send an interactive authorization request for this user and resource.

Update: I created a dummy console app to force a consent form that I could accept. ADAL now returns tokens, but my Web API rejects them (status 401).

using System;
using System.Net.Http;
using System.Net.Http.Headers;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Force the consent prompt so the native app can be accepted interactively
var parameters = new PlatformParameters(PromptBehavior.Always);
var context = new AuthenticationContext("https://login.windows.net/common");
var token = context.AcquireTokenAsync(
    "https://webapi.onmicrosoft.com/appuri",
    "testappid",
    new Uri("https://webapi.azurewebsites.net"),
    parameters).Result.AccessToken;

Console.WriteLine(token); // Output: oauth token

var client = new HttpClient
{
    BaseAddress = new Uri("https://webapi.azurewebsites.net/api/")
};

client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);

var response = client.GetAsync("tenants").Result;
Console.WriteLine(response.Content.ReadAsStringAsync().Result);
// Output: {"$type":"System.Web.Http.HttpError, System.Web.Http","Message":"Authorization has been denied for this request."}

1 Answer


Please ensure that the web app ignores the issuer validation and that the audience is the same as the resource ("https://webapi.onmicrosoft.com/appuri", "testappid") you acquire the access token for; this value should be the App ID URI, which you can find on the old Azure portal as in the figure below:

[Screenshot: App ID URI on the old Azure portal]

Here is the relevant code for configuring authentication for a multi-tenant web API:

app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Audience = ConfigurationManager.AppSettings["ida:Audience"],
        Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
        TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
        {
            ValidateIssuer = false
        }
    });
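An added diagnostic, not code from the question or the answer: it decodes the claims of a bearer token (a constructed, unsigned sample; no signature verification, so inspection only) and applies the audience check that decides the 401 above, plus an optional tenant allow list, since ValidateIssuer=false accepts tokens issued by any Azure AD tenant. The tenant id is a placeholder; the App ID URI and client id follow the question.

```python
import base64
import json
import re

# Constructed sample claims shaped like an Azure AD (v1) access token; the
# tenant id is a placeholder, the App ID URI and client id follow the question.
SAMPLE_CLAIMS = {
    "aud": "https://webapi.onmicrosoft.com/appuri",
    "iss": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "tid": "11111111-2222-3333-4444-555555555555",
    "appid": "testappid",
    "upn": "admin@clienttenant.onmicrosoft.com",
}

# Azure AD v1 issuers have the form https://sts.windows.net/<tenant guid>/
AAD_ISSUER = re.compile(r"^https://sts\.windows\.net/([0-9a-f-]{36})/$")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned token so the checks can run offline."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."


def jwt_claims(token: str) -> dict:
    """Read the payload claims without verifying the signature (diagnostics only)."""
    return json.loads(b64url_decode(token.split(".")[1]))


def check_claims(token: str, audience: str, allowed_tenants=None):
    """Return (True, 'ok') or (False, reason). aud must equal the App ID URI set as
    ida:Audience; ValidateIssuer=false skips iss, allowed_tenants pins it instead."""
    claims = jwt_claims(token)
    if claims.get("aud") != audience:
        return False, f"aud {claims.get('aud')!r} != expected {audience!r}"
    match = AAD_ISSUER.match(claims.get("iss", ""))
    if not match:
        return False, f"issuer {claims.get('iss')!r} is not an Azure AD issuer"
    if allowed_tenants is not None and match.group(1) not in allowed_tenants:
        return False, f"tenant {match.group(1)} is not allowed"
    return True, "ok"
```

Run check_claims against a real token only to see which claim the middleware would reject; the middleware's own signature validation still applies.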
  • My app is configured like that. I could only get my code working by creating a console application and using PromptBehavior.Always. After accepting the app, my integration tests started working from the test explorer since it was using the same native app as the console app. Is there a way to avoid this? Obviously the Visual Studio test runner cannot show the consent form. – Gabriel Smoljar Dec 13 '16 at 19:29
  • Did you mean that the token already works for the web API? If I understood correctly that you have the issue about using the test runner to test the web API which is protected by Azure AD, I suggest that you open a new thread so that other communities could recognize this issue easily and you would get helpful answers. – Fei Xue Dec 14 '16 at 09:17
  • I created a new question based on my current findings and your comments. Thank you for your help. http://stackoverflow.com/questions/41146893/how-do-i-test-a-azure-ad-protected-web-api-in-with-visual-studio-test-adapter – Gabriel Smoljar Dec 14 '16 at 15:57