I am using ASP.NET Core Web API 3, authorization code flow against AzureAD v2 + PKCE.
When I get the access_token within my controller and then try to get a user photo via DelegateAuthenticationProvider, I receive NoPermissionsInAccessToken. Message: "The token contains no permissions, or permissions can not be understood."
Does anyone know how it can be fixed?
When I decode the access_token, the scopes are there.
Here is my code:
    // Read the access token that the OpenID Connect handler stored (requires SaveTokens = true).
    var token = await HttpContext.GetTokenAsync("access_token");

    // Attach that token as a bearer credential to every outgoing Graph request.
    var delegateAuthProvider = new DelegateAuthenticationProvider(
        (requestMessage) =>
        {
            requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", token);
            return Task.FromResult(0);
        });

    // graphAPIEndpoint is defined elsewhere in the poster's code (the Graph base URL).
    var graphClient = new GraphServiceClient(graphAPIEndpoint, delegateAuthProvider);
    var content = await graphClient.Me.Photo.Content.Request().GetAsync();
Edit - Auth code:
    services.Configure<CookiePolicyOptions>(options =>
    {
        options.CheckConsentNeeded = context => true;
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });

    // Cookie + OpenID Connect sign-in against Azure AD, settings bound from the "AzureAd" config section.
    services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
        .AddAzureAD(options => configuration.Bind("AzureAd", options));

    services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
    {
        // Switch the authority to the v2.0 endpoint.
        options.Authority = options.Authority + "/v2.0/";

        // Authorization code flow with PKCE; the secret is a placeholder here.
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.ClientSecret = "secret";
        options.UsePkce = true;
        options.AuthenticationMethod = OpenIdConnectRedirectBehavior.FormPost;

        // Scopes requested at sign-in.
        options.Scope.Add("offline_access");
        options.Scope.Add("openid");
        options.Scope.Add("email");
        options.Scope.Add("profile");
        options.Scope.Add("user.read");
        var graphAPIScopeAll = "https://graph.microsoft.com/User.Read";
        options.Scope.Add(graphAPIScopeAll);

        // Persist access/refresh tokens in the auth cookie so HttpContext.GetTokenAsync can return them.
        options.SaveTokens = true;
    });
Thank you in advance for your help.
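An added diagnostic helper (not part of the question's code) that decodes the stored access token before it is sent to Graph and reports the claims Graph inspects for permissions: `aud`, `scp`, `roles` and expiry. It assumes the `System.IdentityModel.Tokens.Jwt` package; the Graph audience values and the class name `GraphTokenInspector` are my own choices.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;   // NuGet: System.IdentityModel.Tokens.Jwt
using System.Linq;

public static class GraphTokenInspector
{
    // Well-known audience values for Microsoft Graph; a delegated Graph token carries one of these in "aud".
    private static readonly HashSet<string> GraphAudiences =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://graph.microsoft.com",
            "00000003-0000-0000-c000-000000000000"
        };

    // Returns human-readable findings; an empty list means the token looks usable for a delegated call needing requiredScope.
    public static IList<string> Inspect(string accessToken, string requiredScope = "User.Read")
    {
        var findings = new List<string>();
        var handler = new JwtSecurityTokenHandler();

        if (string.IsNullOrEmpty(accessToken) || !handler.CanReadToken(accessToken))
        {
            // Graph access tokens are JWTs; anything else (missing token, opaque token) cannot be inspected here.
            findings.Add("Token is missing or not a readable JWT.");
            return findings;
        }

        // ReadJwtToken only decodes; it does not validate the signature. Diagnostic use only, never an authz decision.
        JwtSecurityToken jwt = handler.ReadJwtToken(accessToken);

        if (!jwt.Audiences.Any(a => GraphAudiences.Contains(a.TrimEnd('/'))))
            findings.Add("aud is not Microsoft Graph: " + string.Join(",", jwt.Audiences));

        // Delegated permissions are space-separated in "scp"; application permissions appear as "roles".
        string scp = jwt.Claims.FirstOrDefault(c => c.Type == "scp")?.Value ?? "";
        string[] scopes = scp.Split(' ', StringSplitOptions.RemoveEmptyEntries);
        var roles = jwt.Claims.Where(c => c.Type == "roles").Select(c => c.Value).ToList();

        if (scopes.Length == 0 && roles.Count == 0)
            findings.Add("Token carries neither scp nor roles claims.");
        else if (!scopes.Contains(requiredScope, StringComparer.OrdinalIgnoreCase))
            findings.Add($"scp does not include {requiredScope}: \"{scp}\"");

        if (jwt.ValidTo < DateTime.UtcNow)
            findings.Add("Token expired at " + jwt.ValidTo.ToString("u"));

        return findings;
    }
}
```

In the controller, call `GraphTokenInspector.Inspect(token)` right after `GetTokenAsync` and log any findings; a token whose `aud` is not Graph or whose `scp` lacks the needed permission is not the one to send with the photo request.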