I'm tasked with developing a backend service for a web application. I'm using .NET Core 6 and following the Microsoft documentation.

Based on this article (https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-flows-app-scenarios) I figured that my scenario is the "Protected web API" as my API is a REST service. There is a frontend application developed independently which should eventually receive the data from my service. So I created the default WeatherForecast application and started following this tutorial: https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-overview

It now returns the code 401 when I try to test it in Swagger which is expected but how do I acquire a Bearer token for testing it in Postman?

I've never worked with the Microsoft identity platform before and I don't really have much experience with .NET Core either.

Thanks for any help

cs.kali
  • You can configure swagger to be able to login from swagger ui itself and test your apis: https://dev.to/425show/secure-open-api-swagger-calls-with-azure-active-directory-jj7 – Dimitris Maragkos Aug 15 '22 at 11:29
  • Check this article for how to configure postman to obtain access token from azure: https://dev.to/425show/calling-an-azure-ad-secured-api-with-postman-22co – Dimitris Maragkos Aug 15 '22 at 23:30
  • Thanks for the suggestions. I can see both of the articles require me to set a redirect URI which the tutorial stated that I don't need. Does this mean that it's required anyway for the testing? Once it's working can I remove it? – cs.kali Aug 16 '22 at 05:29
  • Your backend service doesn't require the redirect URI. But it's required for the client side (Swagger, Postman, the frontend that will be developed to call your API) – Dimitris Maragkos Aug 16 '22 at 06:38
  • I've tried configuring Postman. I'm using a v1.0 token and I can get it. After sending the request to the API I get IDX10214: Audience validation failed. Audiences: '00000002-0000-0000-c000-000000000000'. Did not match: validationParameters.ValidAudience: 'api://clientId' or validationParameters.ValidAudiences : 'null'. The article doesn't mention how to set the Audience and I see that there are Advanced options in Postman when configuring the token with Resource and Audience fields. I've tried setting both to possible audiences but nothing helped. How can I solve that? – cs.kali Aug 17 '22 at 08:26
  • Try this: inspect the access token (you can use https://jwt.io/) and see what is the "aud" claim value. Then inside AddJwtBearer set JwtBearerOptions -> TokenValidationParameters -> ValidAudience = {value from aud claim} – Dimitris Maragkos Aug 17 '22 at 10:15
  • The aud value is the audience from above which is the Graph API. Here is where I try to add the validation from Program.cs `builder.Services .AddAuthentication(JwtBearerDefaults.AuthenticationScheme) .AddJwtBearer(options => { options.TokenValidationParameters.ValidAudience = "00000002-0000-0000-c000-000000000000"; }) .AddMicrosoftIdentityWebApi(builder.Configuration);` This results in the following exception when I try to send the request from Postman: System.InvalidOperationException: Scheme already exists: Bearer What am I doing wrong? – cs.kali Aug 17 '22 at 11:44
  • `AddMicrosoftIdentityWebApi` accepts a parameter of type `Action` so set the `TokenValidationParameters` there and remove `AddJwtBearer`. You can't use both `AddMicrosoftIdentityWebApi` and `AddJwtBearer`. `AddMicrosoftIdentityWebApi` actually calls `AddJwtBearer` internally. I didn't know `AddMicrosoftIdentityWebApi` already existed in your code that's why I suggested `AddJwtBearer`. – Dimitris Maragkos Aug 17 '22 at 13:05
  • Sorry for not providing code sooner. Now I don't get any errors in the API but I receive 403 Forbidden response. I was thinking that something is wrong with my scopes so I checked the token again and I see the "scp" claim value to be "Mail.Read offline_access openid User.Read". I don't know if this has anything to do with my issue but it doesn't contain my exposed scope which is api://clientId/access_as_user. But in Postman I've set that scope before requesting the token. Am I missing something here again? – cs.kali Aug 18 '22 at 08:47
  • I don't know, maybe you need to consent to something during login? – Dimitris Maragkos Aug 18 '22 at 10:22

1 Answer

Turned out my approach was wrong. Besides Dimitris' response about setting the ValidAudience property, this post's answer helped me solve my issue: Scope is not being added to Access Token returned from Azure Ad

Thanks

cs.kali
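The configuration the comment thread converges on, written out as an added example (not code from the question or the linked answer): a single `AddMicrosoftIdentityWebApi` registration with the audience set in its `JwtBearerOptions` callback, and a `[RequiredScope]` check for the API's own exposed scope. It assumes an `AzureAd` section in appsettings.json (Instance, TenantId, ClientId) and an app registration exposing `api://{ClientId}/access_as_user`; the WeatherForecast controller is a minimal stand-in.

```csharp
// Program.cs for the protected WeatherForecast API (Microsoft.Identity.Web).
// Assumption: appsettings.json has "AzureAd" with Instance, TenantId, ClientId.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;

var builder = WebApplication.CreateBuilder(args);
var azureAd = builder.Configuration.GetSection("AzureAd");
var clientId = azureAd["ClientId"];

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    // Register the "Bearer" scheme once. AddMicrosoftIdentityWebApi calls
    // AddJwtBearer internally, so a second AddJwtBearer call throws
    // "Scheme already exists: Bearer" (the error seen in the comments).
    .AddMicrosoftIdentityWebApi(jwtOptions =>
    {
        // Accept only tokens issued for THIS API: v1.0 tokens carry
        // aud = "api://{clientId}", v2.0 tokens carry aud = "{clientId}".
        // Do not add the Graph app id (00000002-0000-0000-c000-000000000000):
        // a token with that aud was issued for Graph, and widening the
        // audience list to accept it defeats audience validation.
        jwtOptions.TokenValidationParameters.ValidAudiences =
            new[] { $"api://{clientId}", clientId };
    },
    identityOptions => azureAd.Bind(identityOptions));

builder.Services.AddAuthorization();
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("[controller]")]
[Authorize]
public class WeatherForecastController : ControllerBase
{
    // The "scp" claim must contain this API's scope. A token whose scp is only
    // Graph scopes ("Mail.Read User.Read ...") is rejected here with 403; the
    // client has to request "api://{clientId}/access_as_user" when acquiring it.
    [HttpGet]
    [RequiredScope("access_as_user")]
    public IActionResult Get() =>
        Ok(new[] { new { Date = DateTime.Today, TemperatureC = 20 } });
}
```

Microsoft.Identity.Web already defaults `ValidAudiences` to these two forms when no audience is configured; setting them explicitly here only shows where the asker's `ValidAudience` belongs once `AddJwtBearer` is removed.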