My goal is to create a web service which can be authenticated via OAuth token. The token must be provided by an Azure Enterprise Application via the OAuth Client Credentials flow.
I'm using the MSAL library for getting the token. I did setup the Enterpise Application and the following code works does work and does return a token:
appConfidential = ConfidentialClientApplicationBuilder
.Create(ClientID)
.WithClientSecret("MySecret")
.WithAuthority(authority)
.WithLegacyCacheCompatibility(false)
.Build();
string[] confidentialScope = new string[] { ".default" };
return appConfidential.AcquireTokenForClient(confidentialScope).ExecuteAsync().Result;
The problem here is that here i'm using the .default scope which creates tokens which only can be used with Microsoft Graph. My own webapi service is unable to verify such a token.
I think i must expose a dedicated api endpoint which can be used in this case. I assume i must create a app role for this, but i don't know how i then can Expose the API which is based on an App Role.
I've found the following documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps but when i follow this documentation, there are no items under My APIs when i try to add Permissions.
Is there documentation for setting up an enterprise application/app registration when wanting to authenticate to my own webservice using the client credentials flow?
