
I have an Azure AD secured web API which I am authenticating to using a bearer token. The app registration on Azure AD has been done. I am able to access the secured API using the bearer token and I am getting the expected response.

The problem I am facing is that I have no clue how to get user info that includes the name of the organisation the user belongs to. I came to know that there is the Microsoft Graph API where I can get these details, but to access it I need to create another bearer token, and only then can I get the details from the MS Graph API. I want to access the Graph API using the same bearer token because I don't want my server to re-authenticate and ask for user credentials. Is this possible?

The code I am using to get the access token is:

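```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

AuthenticationContext authContext = new AuthenticationContext(
    "https://login.microsoftonline.com/<My Tenant Id>");

// Interactive sign-in; the token is issued for the secured web API resource.
AuthenticationResult token = authContext.AcquireTokenAsync(
    "<secured web api resource id>", "<clientId Id>", new Uri(redirectUri),
    new PlatformParameters(PromptBehavior.Always)).Result;

// Send the token as the Authorization header on calls to the secured API.
HttpClient client = new HttpClient();
client.DefaultRequestHeaders.Authorization =
    new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken);

HttpResponseMessage httpResponse = client.GetAsync("Secured Web API call").Result;
```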

This works well.

A few lines of code later, when trying to access the Microsoft Graph API, it gives a No Authorised error code.

Graph API URL: https://graph.microsoft.com/v1.0/organization

Any help would be highly appreciated.

1 Answer


> I want to access the graph api using same bearer token because I don't want my server to re-authenticate and ask for user credentials. Is this possible?

No. A token only works for one API. You do not need to re-authenticate however. You can get a token for MS Graph API using a refresh token, the on-behalf-of grant flow (exchange access token for another in an API), or you can get it via implicit grant flow (if in a front-end JS app).

juunas
  • Can you please share some link with code reference. I have edited my question with the code I am executing to call my secured web api and graph api. – Deepanshu Sharma Jan 21 '19 at 08:54
  • What kind of app is that? You should be able to call AcquireTokenAsync again with `https://graph.microsoft.com` as the resource identifier, but with PromptBehavior set to something like Never (I can't remember the exact value). – juunas Jan 21 '19 at 09:08
  • It's a native app registration on Azure AD. When calling AcquireTokenAsync again with https://graph.microsoft.com I am able to get the details, but it is asking for credentials again. What I want is: once the access token for my secured API gets generated, I pass the same token while accessing the Graph API. There should be some lineage built on AD so that the Graph API will use the passed access token and return the response. – Deepanshu Sharma Jan 21 '19 at 09:43
  • @DeepanshuSharma See this answer https://stackoverflow.com/questions/52896114/use-azure-ad-token-to-authenticate-with-azure-devops/52900915#52900915 for an example of how the secured server (your API) can get a new access token for the signed-in user, for Microsoft Graph. – Philippe Signoret Jan 21 '19 at 11:48
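
The two routes named in the answer and comments, sketched with ADAL as an added example (not code from the question or from any poster in this thread): a silent, refresh-token-based request in the native client, and the on-behalf-of exchange inside the secured API. The class and method names are hypothetical, and it assumes the app registrations already have delegated Microsoft Graph permissions and that the API has a client secret.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL, as in the question

static class GraphTokenExample // hypothetical helper, not part of ADAL
{
    const string Authority = "https://login.microsoftonline.com/<My Tenant Id>";
    const string GraphResource = "https://graph.microsoft.com";

    // Native client: redeem the refresh token ADAL cached at the first sign-in
    // for a second token whose audience is Graph; prompt only if that fails.
    public static async Task<AuthenticationResult> GetGraphTokenInClientAsync(
        string clientId, Uri redirectUri)
    {
        var ctx = new AuthenticationContext(Authority);
        try { return await ctx.AcquireTokenSilentAsync(GraphResource, clientId); }
        catch (AdalSilentTokenAcquisitionException)
        {
            return await ctx.AcquireTokenAsync(GraphResource, clientId, redirectUri,
                new PlatformParameters(PromptBehavior.Auto));
        }
    }

    // Secured API: on-behalf-of. The bearer token the caller presented is the
    // assertion; Azure AD returns a Graph token for the same signed-in user.
    public static async Task<AuthenticationResult> GetGraphTokenInApiAsync(
        string incomingAccessToken, string apiClientId, string apiClientSecret)
    {
        var ctx = new AuthenticationContext(Authority);
        var assertion = new UserAssertion(incomingAccessToken,
            "urn:ietf:params:oauth:grant-type:jwt-bearer");
        return await ctx.AcquireTokenAsync(GraphResource,
            new ClientCredential(apiClientId, apiClientSecret), assertion);
    }

    // Call the Graph endpoint from the question with the Graph-audience token.
    public static async Task<string> GetOrganizationAsync(AuthenticationResult graphToken)
    {
        using (var client = new HttpClient())
        {
            client.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", graphToken.AccessToken);
            var resp = await client.GetAsync("https://graph.microsoft.com/v1.0/organization");
            resp.EnsureSuccessStatusCode();
            return await resp.Content.ReadAsStringAsync();
        }
    }
}
```

The silent call only succeeds when it runs in the same process (or against the same persisted token cache) as the original interactive sign-in.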