So I believe my APIservice should be fine since I can return results through Swagger? I am calling from a WPF project. I launch the program and it asks me to login, then it continues and will tell me I don't have permission.

I'm super green to WebAPI2 and think I may just be constructing my call incorrectly. It does seem that I get a token back correctly from my site; the only issue is when I try to actually call on the API for data.

Here is my code:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static string clientId = "{#Calling App Id}";
public static string commonAuthority = "https://login.windows.net/{#my Azure AD tenant}";
public static Uri returnUri = new Uri("http://MyDirectorySearcherApp");
const string ResourceUri = "https://{#Api App Service}.azurewebsites.net";

    public static async Task<List<User>> LoadBands(IPlatformParameters parent)
    {
        AuthenticationResult authResult = null;
        List<User> results = new List<User>();

        try {
            // get a token from the cache (silently, via refresh token) or prompt the user
            AuthenticationContext authContext = new AuthenticationContext(commonAuthority);
            if (authContext.TokenCache.ReadItems().Count() > 0)
                authContext = new AuthenticationContext(authContext.TokenCache.ReadItems().First().Authority);
            authResult = await authContext.AcquireTokenAsync(ResourceUri, clientId, returnUri, parent);

        } catch (Exception ee) {
            // rethrow as-is (the original "throw ex;" did not compile: the variable is "ee")
            throw;
        }

        using (var httpClient = new HttpClient()) {
            using (HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, $"{ResourceUri}/api/Band/")) {
                request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
                using (var response = await httpClient.SendAsync(request)) {
                    string responseData = await response.Content.ReadAsStringAsync();
                    //responseData always equals "You do not have permission to view this directory or page"
                    // that text comes with a 401 from App Service before the controller runs, so surface the status code
                    if (!response.IsSuccessStatusCode)
                        throw new HttpRequestException($"{(int)response.StatusCode}: {responseData}");
                    return results;
                }
            }
        }
    }

Edit: Maybe helpful to note I'm using a Data API that is called by a REST API; the REST API is secured by Azure AD.

Edit: I'm calling from a Portable Class Library.

Edit: Well, I'm getting authenticated but it does not appear to make any difference. If I completely remove the Auth header I get the same result.

markokstate

1 Answer

It seems that the token is incorrect for the web API which is protected by Azure AD. Please check the aud claim in the token, which should match the Audience you configured in the web API project. You can check the aud claim by parsing the token on this site.

And if you still have the problem please share the code how you protect the web API.

Update

If you were using the Express mode like below, you need to acquire the access_token using the app which you associate with the web API.

If you were using the Advanced mode, you should also use that app to acquire the token, and the ResourceUri should match the value you configured in ALLOWED TOKEN AUDIENCES like below:

Fei Xue
  • I don't believe I have an audience in my web api project but it is the correct resource ID. I've set my data tier up to only accept calls from the rest tier using service principal as described here: https://learn.microsoft.com/en-us/azure/app-service-api/app-service-api-dotnet-service-principal-auth – markokstate May 25 '17 at 06:23
  • @markokstate You were protecting the web API using the **Authentication/Authorization** feature provided by Azure App Service. Which mode did you configure for the web API project, **Express** or **Advanced**? If you were using the **Express** mode, please ensure that you were acquiring the access_token using the app which you associate with the web API. And if you were using the **Advanced** mode, you should also use that app to acquire the token, and the `ResourceUri` should match the value you configured in **ALLOWED TOKEN AUDIENCES**. – Fei Xue May 25 '17 at 09:48
  • And please also ensure that you didn't write any code to protect the web API, since you are using the Authentication/Authorization feature. – Fei Xue May 25 '17 at 09:49
  • So I tried to simplify the problem to maybe make it more readily understandable. I removed the service principal layer code and removed the calling web API to the data layer. I was able to get results without authentication, so that was a small victory. Adding the layers back in, as soon as I force the data layer to be authenticated I'm getting the same error as I was before, so I'm thinking maybe the issue resides here. I've created my native client app and the data layer app and given permissions to each from each. Still getting the same error. I don't see allowed token in auth setup. – markokstate May 26 '17 at 00:31
  • @markokstate It seems that there is some misunderstanding. To make the explanation clearer, I updated the post to contain two figures. Please feel free to let me know if you still have the problem. – Fei Xue May 26 '17 at 06:03
  • This has solved my issue for the direct data tier authentication! Thank you so much for your help and concise explanation. I may come back to this thread when I finally expand back to the service auth if I end up in the same boat. Thanks again! All the upvotes! ++++ – markokstate May 26 '17 at 14:38
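The answer's diagnostic step (decode the access token and compare its aud claim with the audience the API is configured to accept) can be done offline instead of pasting a bearer token into a website. The following is an added example, not code from the question, the answer, or any Microsoft library: it splits a compact JWT, base64url-decodes the payload without checking the signature (signature validation is the API's job, and this script must not be used as an authorization decision), and reports whether aud matches an allowed audience exactly or only up to a trailing slash. The token, tenant id and app id it builds are constructed sample values; the helper names are the example's own.

```python
import base64
import json

# Added illustration only. The sample token is constructed below with alg "none"
# and an empty signature; a real Azure AD access token is signed, and the API
# (not this script) verifies it. This tool is for inspecting claims, nothing more.


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWT segments drop, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build an unsigned JWT for demonstration (constructed sample, not a real token)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_audience(token: str, allowed_audiences: list) -> dict:
    """Compare the token's aud claim with the audiences the API is configured for.

    Azure AD v1 tokens carry aud as a single string; a list is also accepted
    because other issuers use one. The trailing-slash comparison is reported
    separately: "https://x.azurewebsites.net" and "https://x.azurewebsites.net/"
    are different audiences as far as the API is concerned, and that mismatch
    is easy to miss when reading the token by eye.
    """
    aud = decode_payload(token).get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])

    def strip(value: str) -> str:
        return value.rstrip("/")

    return {
        "aud": aud,
        "exact_match": any(a in allowed_audiences for a in auds),
        "match_ignoring_trailing_slash": any(
            strip(a) == strip(b) for a in auds for b in allowed_audiences
        ),
    }


if __name__ == "__main__":
    # Constructed sample: the client requested a resource with a trailing slash,
    # while the API's allowed audience is configured without one.
    token = make_sample_token({
        "aud": "https://myapi.azurewebsites.net/",
        "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
        "appid": "11111111-1111-1111-1111-111111111111",
    })
    print(diagnose_audience(token, ["https://myapi.azurewebsites.net"]))
```

Run it against a real token by replacing the sample with the value of `authResult.AccessToken` and the allowed list with the API's configured audience; an `exact_match` of False with `match_ignoring_trailing_slash` of True points at a ResourceUri written with the wrong trailing slash, while False for both means the token was issued for a different app, which is the situation the answer describes.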