Azure AD 2.0 application - can't access scope from angular client

Question

I'm trying to develop Angular 4 application and ASP.NET Core 2.0 backend. I have angular application (generated using Angular-cli) and .net core web api (generated using vs 2017 template). On angular side I'm using angular-oauth2-oidc. I registered my application using AzureAD app registration portal (app s registered as v2.0) in the app configuration there is two platforms Web and Web API. In Web api platform there is defined scope named "api:///access_as_user" and my application is given access to this scope.

On angular side that's it. On .NET side there is .AddJwtBearer() method that has configured authority, audience (clientId).

services.AddAuthentication(auth =>
        {
            auth.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            auth.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddJwtBearer(cfg =>
        {
            cfg.Authority = "https://login.microsoftonline.com/<tenantId>/v2.0";                
            cfg.Audience = "<clientId>";
            //cfg.Configuration = new Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfiguration();
            cfg.TokenValidationParameters = new TokenValidationParameters()
            {
                ValidateAudience = false,
                ValidIssuer = "https://login.microsoftonline.com/<tenantId>/v2.0"
            };              
        });

The problem occurs when I tried to access my web api from client application. If I don't ask for my scope ("api:///access_as_user") in angular, web api return 401 unauthorized. I I ask for it I get

"AADSTS65005:The application 'Angular-test' asked for scope 'access_as_user' that doesn't exist on the resource. Contact the app vendor.
Trace+ID: c55338dd-35c8-429b-bfe1-5c48ac030d00
Correlation+ID: a0b4bc2d-7f15-4ca4-9cd5-4fe61999e4d9 
Timestamp:+2017-10-24+10:35:56Z""

Anyone has the same/simular issue?

Git repositories:

Client --> branch oidc

Servier

Answer 1

I am able to call the web api by not using the customize scope. Here are the steps for your reference:

1.Acquire the token using the implicit flow like below:

GET: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token&client_id=1e6af2ed-686c-4914-96ed-0cd7b1673cbb&scope=openid&redirect_uri=http%3A%2F%2Flocalhost&nonce=123

2.1 multi-tenant:

Call the .net core web API using the id_token above which protect the Azure AD V2.0 app like code below:

app.UseJwtBearerAuthentication(new JwtBearerOptions
{
        Authority = "https://login.microsoftonline.com/common/v2.0/",
        Audience = Configuration["Authentication:AzureAd:ClientId"],
        Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = AuthenticationFailed
        },
        TokenValidationParameters=new Microsoft.IdentityModel.Tokens.TokenValidationParameters
        {
            ValidateIssuer =false,          
        } 
    });        
});

2.1 limit the tenants as you wanted:

app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    Authority = "https://login.microsoftonline.com/common/v2.0/",
    Audience = Configuration["Authentication:AzureAd:ClientId"],
    Events = new JwtBearerEvents
    {
        OnAuthenticationFailed = AuthenticationFailed
    },
    TokenValidationParameters=new Microsoft.IdentityModel.Tokens.TokenValidationParameters
    {
        ValidateIssuer =true,
        ValidIssuers=new string[] { "list the allowed issues here","https://login.microsoftonline.com/xxxxxxxx-0e9b-42f8-8b22-3c4a2f1d8800/v2.0"}
    } 
});

You can refer the code sample below about protecting the web api using Azure AD V2.0 app. The code sample is for Azure AD B2C, we can modify its authority to make it working for Azure AD V2.0 app. And please feel free to let me know if you still have the problem.

active-directory-b2c-dotnetcore-webapi