3

Good day,

I'm trying to fetch data from my ASP.NET Core Web API using Angular MSAL, but I'm having an error in my angular app that says 401 Unauthorized Error.

I tried to get the access_token in the application tab of the browser and use it on Postman, and technically it works. I just got no idea why it throws the Unauthorized 401 error in my angular app.

Here's my app.module.js

export const protectedResourceMap: [string, string[]][] = [
  ['https://graph.microsoft.com/v1.0/me', ['user.read']]
];

const isIE = window.navigator.userAgent.indexOf("MSIE ") > -1 || window.navigator.userAgent.indexOf("Trident/") > -1;

imports: [
// msal angular
     MsalModule.forRoot({
        auth: {
            clientId: 'MYCLIENTID-FROMAD',
            authority: "https://login.microsoftonline.com/common/",
            validateAuthority: true,
            redirectUri: "http://localhost:4200/",
            postLogoutRedirectUri: "http://localhost:4200/",
            navigateToLoginRequestUrl: true,
        },
        cache: {
            cacheLocation : "localStorage",
            storeAuthStateInCookie: true, // set to true for IE 11
        },
        framework: {
            unprotectedResources: ["https://www.microsoft.com/en-us/"],
            protectedResourceMap: new Map(protectedResourceMap)
        },
      }, {
        popUp: !isIE,
        extraQueryParameters: {}
    })
],
providers: [
    {
        provide: HTTP_INTERCEPTORS,
        useClass: MsalInterceptor,
        multi: true
      }
   ],

Here's my ASP.NET Core Web API host: http://localhost:5000

Where it implements [Authorize] in some of its Controllers. I think there's a problem in my backend since everything is working using my access_token from my local storage when I tested it using Postman with authorization header of Bearer access_token.

Browser Application Tab after successfully login

Thank you in advance.

Reza Ahmadi
  • 862
  • 2
  • 11
  • 23
Joker Bench
  • 228
  • 1
  • 6
  • 14

1 Answers1

3

The main thing you are missing in my opinion is the protected resource map configuration. Currently it only defines MS Graph API. You should add your own API there as well:

export const protectedResourceMap: [string, string[]][] = [
  ['https://graph.microsoft.com/v1.0/me', ['user.read']],
  ['http://localhost:5000', ['your-api-client-id/user_impersonation']]
];

Replace your-api-client-id with the client id/application id for your API. You can also use the application ID URI for the API. The last part is the scope, change user_impersonation to a scope you have defined on the API (can be done through Expose an API in Azure Portal).

Now when it sees an HTTP request to http://localhost:5000, it'll know to get a token for it and attach it to the request.

juunas
  • 54,244
  • 13
  • 113
  • 149
  • I did your suggestion and configured my "Expose API" but I get this error: ServerError: AADSTS65005: The application '_CLIENT_ID_HERE' asked for scope 'user_impersonation' that doesn't exist. Trace ID: bf1c22ba-6ee1-4090-ae3a-a77292d58300 Correlation ID: e6ad93a5-51d3-4076-a0fc-487072f2c97c Timestamp: 2020-03-24 08:26:28Z – Joker Bench Mar 24 '20 at 08:30
  • Did you define a scope with that name in your app registration? – juunas Mar 24 '20 at 08:33
  • https://imgur.com/g4q1816 - My Azure Portal Expose API and my browser Application has changed to this https://imgur.com/NU8X1XS – Joker Bench Mar 24 '20 at 08:38
  • Please see images sir – Joker Bench Mar 24 '20 at 08:48
  • You can try replacing `'your-api-client-id/user_impersonation'` with the scope id from Expose an API (the first column value). – juunas Mar 24 '20 at 08:59
  • I already did replace it. https://imgur.com/r84ZKDu Now I receive an error that says, InteractionRequiredAuthError: AADSTS50058: A silent sign-in request was sent but no user is signed in. The cookies used to represent the user's session were not sent in the request to Azure AD. This can happen if the user is using Internet Explorer or Edge, and the web app sending the silent sign-in request is in different IE security zone than the Azure AD endpoint (login.microsoftonline.com). Trace ID: f548caa7-906a-4fd6-9601-7895eac95700 – Joker Bench Mar 24 '20 at 09:01
  • Okay, it could be your user SSO session has been invalidated (you are logged out from AAD). In that case, you'll need to trigger interactive authentication. I can't recall how that was done with the Angular module though; there should be an example somewhere though. – juunas Mar 24 '20 at 09:06
  • 1
    Thank you for the tip and help. I tried to open it using different browser, I'm able to login :)) Thanks a lot! @juunas. God bless + and be safe (you and your family) during this virus pandemic. – Joker Bench Mar 24 '20 at 09:11