I am trying to do an app registration authorization for an ASP.NET Core 6 Web API. I get a token using the app registration credentials and authenticate to the API. The token validation seems to be working, but I get a 401 Unauthorized error with no information. In Postman it shows up as an invalid token.
Here is my client setup to get the token:
// Client-credentials token request to the Azure AD v2.0 token endpoint.
// The tenant is selected by the URL, not by a form field, so it is not sent in the body.
var keyValues = new List<KeyValuePair<string, string>>
{
    new KeyValuePair<string, string>("client_id", client_id),
    new KeyValuePair<string, string>("client_secret", client_secret),
    new KeyValuePair<string, string>("scope", scope),
    new KeyValuePair<string, string>("grant_type", "client_credentials")
};
var c = new FormUrlEncodedContent(keyValues);
var tokenUrl = "https://login.microsoftonline.com/" + tenant_id + "/oauth2/v2.0";
using var client = new HttpClient();
var call = await client.PostAsync(tokenUrl + "/token", c);
The Web API appsettings.json setup matches the token parameters:
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com",
    "Domain": "<domain>",
    "TenantId": "<tenant>",
    "ClientId": "<clientId>",
    "ClientSecret": "<clientSecret>",
    "Roles": "api://<role>"
  }
}
The API is using the new call to get the parameters from the appsettings.json.
using Microsoft.Identity.Web;
var builder = WebApplication.CreateBuilder(args);
// Binds the "AzureAd" section of appsettings.json (the default section name) and registers JWT bearer validation.
builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration);
The API is getting hit and validating the token:
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10239: Lifetime of the token is valid.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10234: Audience Validated. Audience: '<audience>'
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10245: Creating claims identity from the validated token: '<claims>'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10241: Security token validated. token: '<token>'
My client is getting back a 401 Unauthorized with no other information.
Endpoints are getting hit with no authorization.
The controller never hits the Get in the route with authorization on. The app registration has the API Permission set and has the admin consent.
I have been working with Microsoft on this and what seems like a straightforward authentication has us both stumped.
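A complete wiring of the pieces the question describes, as an added example that is not the poster's code and not a Microsoft sample: the Microsoft.Identity.Web registration, the authentication and authorization middleware in the order the pipeline needs, a controller action gated on an app role, and a hook on the JWT bearer challenge so a 401 logs its reason instead of returning an empty body. The app role value "Api.Access", the controller name ProbeController and the route paths are assumptions for illustration; the role value must match the one defined on your API's app registration. The file assumes the .NET 6 web SDK with implicit usings enabled.

```csharp
// Program.cs for the protected ASP.NET Core 6 Web API (added example, not the question's code).
// Assumed for illustration: an app role with value "Api.Access" on the API's app registration,
// and an "AzureAd" section in appsettings.json carrying TenantId and ClientId.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Binds the "AzureAd" section and registers JWT bearer validation (signature, issuer, audience,
// lifetime). This is what emits the IDX10239 / IDX10234 / IDX10241 lines seen in the log.
builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration, "AzureAd");
builder.Services.AddAuthorization();
builder.Services.AddControllers();

// Make the bare 401 explain itself. Register this AFTER AddMicrosoftIdentityWebApiAuthentication
// and chain the existing handlers so Microsoft.Identity.Web's own event wiring keeps running.
builder.Services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
{
    options.Events ??= new JwtBearerEvents();

    var previousOnChallenge = options.Events.OnChallenge;
    options.Events.OnChallenge = async context =>
    {
        await previousOnChallenge(context);
        // AuthenticateFailure is null when the token was not rejected: either no bearer token
        // reached this scheme, or it validated but HttpContext.User was never populated.
        var logger = context.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>();
        logger.LogWarning("401 challenge on {Path}: error={Error} description={Description} failure={Failure}",
            context.Request.Path, context.Error, context.ErrorDescription,
            context.AuthenticateFailure?.Message ?? "(token not rejected)");
    };

    var previousOnForbidden = options.Events.OnForbidden;
    options.Events.OnForbidden = async context =>
    {
        await previousOnForbidden(context);
        // A 403 (not 401) means the token was accepted but lacks the role the endpoint requires.
        var logger = context.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>();
        var roles = string.Join(",", context.HttpContext.User.FindAll(RoleClaims.IsRole).Select(c => c.Value));
        logger.LogWarning("403 on {Path}: caller roles=[{Roles}]", context.Request.Path, roles);
    };
});

var app = builder.Build();

// Order matters. UseAuthentication sets HttpContext.User from the validated token; UseAuthorization
// evaluates [Authorize] against it. Without UseAuthentication the user is anonymous, the authorization
// middleware issues a challenge, and the JWT bearer handler validates the token while building that
// challenge: the log shows "Security token validated" and the client still receives an empty 401.
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

static class RoleClaims
{
    // App-only tokens carry app roles in the "roles" claim. Depending on inbound claim-type mapping
    // it surfaces either under its raw name or as ClaimTypes.Role, so accept both.
    public static bool IsRole(Claim c) => c.Type == "roles" || c.Type == ClaimTypes.Role;
}

[ApiController]
[Route("api/[controller]")]
public class ProbeController : ControllerBase
{
    // A client_credentials token has no "scp" claim; its permissions are the app roles granted
    // (with admin consent) to the calling app registration. Roles = is matched against the role
    // *value* defined on the API's app registration, not against the api:// identifier URI.
    [HttpGet]
    [Authorize(Roles = "Api.Access")]
    public IActionResult Get() => Ok(new
    {
        callerAppId = User.FindFirst("azp")?.Value ?? User.FindFirst("appid")?.Value,
        audience = User.FindFirst("aud")?.Value,
        roles = User.FindAll(RoleClaims.IsRole).Select(c => c.Value).ToArray(),
    });

    // Anonymous endpoint for comparison: answers with or without a token.
    [HttpGet("ping")]
    [AllowAnonymous]
    public IActionResult Ping() => Ok("pong");
}
```

On the client side of this exchange, a client_credentials request to the v2.0 endpoint must ask for scope=api://<clientId>/.default (the application ID URI of the API plus /.default); the tenant belongs in the URL, not the form body. A bearer challenge deliberately returns an empty body; whatever detail exists is in the WWW-Authenticate response header, and the OnChallenge hook above writes the same information to the API log, which is where a silent 401 can be traced.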