
I am migrating from ADAL to MSAL and am getting an Unauthorized error when passing the token into my API (using React and .NET Core 2.1).

  1. The UIClient application is already registered; I then added an SPA platform and a redirect URL.
  2. In the registered API application I added the UIClient ClientId under Expose an API -> Authorized client applications.
  3. MSAL is able to generate the token.
  4. I send the token to the API (.NET Core 2.1).
  5. Authorizing the token fails; I get a 401 Unauthorized error from the API code.

appsettings.json contains the following settings (the GUIDs and STS URLs are placeholders):

```json
{
  "AzureAd": {
    "Authority": "https://login.microsoftonline.com/common",
    "ValidClientIds": [ "Guid1", "Guid2" ],
    "AllowedIssuers": [ "stsurl1", "stsurl2" ]
  }
}
```

Startup.cs code:

```csharp
// JWT bearer is the default scheme; the AzureAd section above is bound to the options
services.AddAuthentication(opt =>
    {
        opt.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddAzureAdBearer(opt2 => configuration.Bind("AzureAd", opt2));
```
  • I'm not 100% sure, as it's been a while since the last time I worked with ADAL and MSAL, but I think the error is because you're not passing the AUDIENCE parameter, which is in GUID format rather than a URL. – Thiago Custodio Jul 29 '22 at 13:33
  • Can you please suggest where I should add the audience? – a_developer Jul 29 '22 at 17:59
  • Take a look here: https://stackoverflow.com/q/69199603/1384539 – Thiago Custodio Jul 29 '22 at 18:18
  • This might be an issue with the scopes you are passing to MSAL. Can you take the access tokens acquired with both ADAL and MSAL, decode them on https://jwt.ms and look for differences? Are the "aud" and "scp" claims the same in both access tokens? – Sérgio Correia Jul 30 '22 at 17:27
  • Thanks @SérgioCorreia for the response. In both tokens the aud is different. With ADAL I get the correct aud, but with MSAL I get 00000003-0000-00...... Where am I wrong? – a_developer Aug 01 '22 at 07:26
  • What are the scopes that you are passing when you try to acquire the access token? That aud means that you are getting an access token for MS Graph, so there is definitely something wrong with the scopes you are using. – Sérgio Correia Aug 02 '22 at 16:57

1 Answer

  • Please check whether the audience matches the clientId of the application when the token is decoded at https://jwt.ms/. The audience should match the client ID, but sometimes it may be the App ID URI of the app, i.e. something like api://<clientId>. So please check for that by changing the accepted audience, or by including both the clientId and the App ID URI, i.e. allowing both audiences.
  • Also, if that's not the issue, try changing the accessTokenAcceptedVersion property in the Web API app manifest in the Azure AD portal to 1 or null if it is 2, or to 2 if it is already 1 or null.
  • Also please make sure that the scope of your web API (api:///) which is exposed after giving API permissions is granted admin consent, either from the portal itself or by checking with the admin.
kavyaS
  • I compared the MSAL and ADAL aud; both are different. ADAL is giving the correct one but MSAL is giving 00000003-000...... What is wrong in what I am passing from MSAL? Is there any ado configuration issue? – a_developer Aug 01 '22 at 07:22
  • The aud value of 00000003-0000-0000-c000-000000000000 is for the Microsoft Graph API, which means you are getting an MS Graph token. To call your backend API, which is not the Graph API, make sure you provide the scope of that particular backend API and grant admin consent. You can check [this](https://dev.to/czmiel24/configuring-scopes-in-azure-active-directory-part-1-3bio) blog for guidance. Also this [SO ref](https://stackoverflow.com/questions/70978170/azure-ad-authentication-with-net-core-web-api#:~:text=In%20the%20Azure%20Portal%20I%20navigated%20to%20Azure,in%20step%202.%20Then%20select%20%22Grant%20Admin%20Consent%22). – kavyaS Aug 01 '22 at 14:08
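The check the answer and the comments describe (decode the access token, compare its aud and scp claims with what the API expects, and spot the Microsoft Graph audience that a wrong MSAL scope request produces) can be done offline from the React side without pasting tokens into jwt.ms. The following is an added example and is not code from the question or the answer. It assumes a constructed sample API client ID, a scope named access_as_user (the name is an assumption; it must match whatever the API registration exposes), and constructed, unsigned sample tokens; the ver claim it reports is the one that accessTokenAcceptedVersion controls.

```javascript
// Added example (not from the question or answer). Node.js, no dependencies.
// Diagnoses why an Azure AD access token is rejected by the API by checking
// its aud / scp / ver claims the way the answer suggests doing on jwt.ms.

const API_CLIENT_ID = "11111111-2222-3333-4444-555555555555"; // constructed sample GUID
const GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000";  // Microsoft Graph, per the thread

// MSAL scope requests (as passed to acquireTokenSilent / acquireTokenPopup).
// Asking for a Graph delegated scope yields a token whose aud is Graph; the
// backend API has to be requested by its own exposed scope ("access_as_user" is assumed).
const wrongRequest = { scopes: ["User.Read"] };
const rightRequest = { scopes: [`api://${API_CLIENT_ID}/access_as_user`] };

function base64UrlDecode(s) {
  const padded = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function base64UrlEncode(s) {
  return Buffer.from(s, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Diagnostic only: the payload is decoded WITHOUT signature verification.
// The API's JwtBearer middleware still validates signature, issuer and audience.
function decodePayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 dot-separated parts)");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Audiences the API should accept: the bare client ID (typical for v2 tokens)
// and the App ID URI api://<clientId> (typical for v1 tokens), as the answer recommends.
function acceptedAudiences(clientId) {
  return [clientId, `api://${clientId}`];
}

function diagnoseToken(token, clientId) {
  const p = decodePayload(token);
  const aud = Array.isArray(p.aud) ? p.aud : [p.aud];
  const accepted = acceptedAudiences(clientId);
  const ok = aud.some((a) => accepted.includes(a));
  let reason = "ok";
  if (!ok) {
    reason = aud.includes(GRAPH_APP_ID)
      ? "token is for Microsoft Graph: MSAL was asked for a Graph scope instead of the API's scope"
      : `aud ${JSON.stringify(aud)} is not one of ${JSON.stringify(accepted)}`;
  }
  return { ok, aud, scp: p.scp, ver: p.ver, reason };
}

// Constructed sample tokens: real header and payload encoding, dummy signature.
function makeSampleToken(payload) {
  const header = { typ: "JWT", alg: "RS256" };
  return [base64UrlEncode(JSON.stringify(header)), base64UrlEncode(JSON.stringify(payload)), "sig"].join(".");
}

// What the asker saw with MSAL (Graph audience) versus what the API needs (v2 and v1 forms).
const graphToken = makeSampleToken({ aud: GRAPH_APP_ID, scp: "User.Read", ver: "1.0" });
const apiV2Token = makeSampleToken({ aud: API_CLIENT_ID, scp: "access_as_user", ver: "2.0" });
const apiV1Token = makeSampleToken({ aud: `api://${API_CLIENT_ID}`, scp: "access_as_user", ver: "1.0" });

if (typeof require !== "undefined" && require.main === module) {
  console.log("wrong MSAL request:", wrongRequest, "right MSAL request:", rightRequest);
  for (const t of [graphToken, apiV2Token, apiV1Token]) console.log(diagnoseToken(t, API_CLIENT_ID));
}
```

Run it with node; the Graph-audience token is reported with the "asked for a Graph scope" reason, while both the bare-GUID and api:// audiences pass, which is why the answer suggests accepting both forms (or aligning accessTokenAcceptedVersion with the form the API validates).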