
I'm a bit confused. I have the following implementation:

An ASP.NET API protected using Azure AD; only users with the Admin role can call this API. These roles are configured in Azure AD and assigned to users. The API has one defined scope, AccessApi.

| Scopes | Who can consent | Admin consent display name | User consent display name | State |
|---|---|---|---|---|
| api://xx | User | AccessApi | AccessApi | Enable |

The client application, developed in Blazor WebAssembly, is registered and protected in Azure AD without roles; it's configured to use the AccessApi scope from my API.

| API / Permissions name | Type | Description | Admin consent required | Status |
|---|---|---|---|---|
| myApi (1) | | | | |
| AccessApi | Delegated | AccessApi | No | |

My confusion is: do I need to assign an Admin role to the client application to obtain a token which will be used to access the API, or is the API scope AccessApi enough without any roles?

This is given that the users of the client app are the same users as the API, just with different roles.

Since the same users use both the API and the client app, is it possible for the client app to use MS Graph to get a JWT token and use that token to call the API?

ikenahim

1 Answer

If you want to control the user's access to the API based on the role, then you can use appRole. Set the appRole of the application and then assign the appRole to the user; then only users who are assigned the appRole can access the API.

Next, go to the enterprise application and assign appRole to the user.


In addition, never try to use the token of the MS Graph API to call your custom API. These are two completely different API resources, and you need to request different tokens for different API resources!

Carl Zhao
  • By the way, it is your api application that creates the app role. – Carl Zhao Apr 27 '21 at 01:57
  • Thanks for your reply. I already have app roles created and assigned to users; my confusion was whether I need to add the app role to the client application as well or not? – ikenahim Apr 28 '21 at 07:08
  • So basically, the client application only needs access to the scope defined in the API? – ikenahim Apr 28 '21 at 07:10
  • @ikenahim Let me think about it, you should add app role as a permission to the client application. Wait a moment, I will go to Azure ad to take a look. – Carl Zhao Apr 28 '21 at 07:13
  • @ikenahim I just looked at it, the app role of the api application does not need to be added to the client application. You only need to add the `scope name` of the api application as a delegated permission to the client application. – Carl Zhao Apr 28 '21 at 07:18
  • Thanks a lot, I have this implementation in place. I thought I was missing something since my API keeps returning 401 unauthorized access when I call my API from the client application when a user signs in. I thought I missed something in the Azure AD configuration, but it's clear now :) – ikenahim Apr 28 '21 at 07:21
  • @ikenahim Yes, but you need to assign the app role created by the api application to the users who need to access it. As described in my answer. – Carl Zhao Apr 28 '21 at 07:22
  • Yes, that has already been done, and I tested it in Swagger. It works perfectly. – ikenahim Apr 28 '21 at 07:23
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/231685/discussion-between-carl-zhao-and-ikenahim). – Carl Zhao Apr 28 '21 at 07:24
  • @ikenahim Okay, so do you need other help? – Carl Zhao Apr 28 '21 at 07:25
  • @ikenahim If the posted answer resolves your question, please mark it as the answer by clicking the check mark. Doing so helps others find answers to their questions. See: https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work – Carl Zhao Apr 28 '21 at 07:30
  • Thanks. This question was part of another question, if you can look at it: https://stackoverflow.com/questions/67214366/webassembly-razor-client-app-return-401-while-calling-a-protected-api-in-azure-w :) – ikenahim Apr 28 '21 at 07:33
  • @ikenahim Okay, let me take a look. – Carl Zhao Apr 28 '21 at 07:33
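The answer and the comment thread settle three points: the client registration needs only the delegated scope, the app role is defined on the API registration and assigned to users, and a Microsoft Graph token is not accepted by the custom API. The following is an added example, not code from the question or the answer, that models the claim checks an ASP.NET Core API does after its JWT bearer middleware has already validated the token signature, issuer and expiry (that cryptographic validation is assumed here and not re-implemented). The `aud`, `scp` and `roles` claim names are the standard Azure AD token claims; the `api://xx`, `AccessApi` and `Admin` values come from the question, while the GUID-form audience is a labelled placeholder, since Azure AD may emit either the App ID URI or the API's client ID as the audience depending on token version.

```python
from dataclasses import dataclass

# Values from the question; the client-ID form of the audience is a placeholder.
VALID_AUDIENCES = {"api://xx", "<API-CLIENT-ID-GUID-PLACEHOLDER>"}
REQUIRED_SCOPE = "AccessApi"   # delegated scope the client app was granted
REQUIRED_ROLE = "Admin"        # app role defined on the API app, assigned to users


@dataclass
class Decision:
    status: int   # HTTP status the API would return (401 challenge, 403 forbid, 200 ok)
    reason: str


def authorize(claims: dict) -> Decision:
    """Audience -> scope -> role decision over already-validated token claims."""
    # 1. Audience. A token minted for another resource (e.g. Microsoft Graph)
    #    carries a different `aud` and is rejected as unauthenticated (401).
    #    This is why a Graph token cannot be reused against the custom API.
    aud = claims.get("aud")
    if aud not in VALID_AUDIENCES:
        return Decision(401, f"audience {aud!r} is not this API")

    # 2. Scope. `scp` is a space-separated string of delegated permissions;
    #    it proves the client registration was granted AccessApi. No role is
    #    needed on the client registration itself.
    scopes = set(claims.get("scp", "").split())
    if REQUIRED_SCOPE not in scopes:
        return Decision(403, f"token lacks scope {REQUIRED_SCOPE!r}")

    # 3. App role. `roles` is present only when the signed-in user has been
    #    assigned the role in the API's enterprise application. A user with the
    #    scope but no role assignment is authenticated but forbidden (403).
    roles = set(claims.get("roles", []))
    if REQUIRED_ROLE not in roles:
        return Decision(403, f"user lacks app role {REQUIRED_ROLE!r}")

    return Decision(200, "ok")


# Constructed sample claim sets (not real tokens), one per situation in the thread.
GRAPH_TOKEN = {"aud": "https://graph.microsoft.com", "scp": "User.Read", "oid": "user-1"}
SCOPE_ONLY_TOKEN = {"aud": "api://xx", "scp": "AccessApi", "oid": "user-1"}
ADMIN_TOKEN = {"aud": "api://xx", "scp": "AccessApi", "roles": ["Admin"], "oid": "user-2"}
ROLE_NO_SCOPE_TOKEN = {"aud": "api://xx", "roles": ["Admin"], "oid": "user-2"}


def run_samples() -> dict:
    """Return {sample name: HTTP status} so the outcomes can be compared side by side."""
    samples = {
        "graph_token": GRAPH_TOKEN,
        "scope_only": SCOPE_ONLY_TOKEN,
        "admin": ADMIN_TOKEN,
        "role_no_scope": ROLE_NO_SCOPE_TOKEN,
    }
    return {name: authorize(claims).status for name, claims in samples.items()}


if __name__ == "__main__":
    for name, status in run_samples().items():
        print(f"{name:14s} -> {status}")
```

The ordering mirrors what ASP.NET Core does: audience is part of bearer validation, so a wrong audience produces a 401 challenge, whereas a failed `[RequiredScope]` or `[Authorize(Roles = ...)]` policy on an otherwise valid token produces a 403. A persistent 401 from the client app therefore points at token acquisition (wrong resource, missing scope request, or a Graph token) rather than at the role assignment.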