I am trying to call the weather forecast endpoint after authenticating via MSAL. (Enabling user authentication in Swagger using Microsoft Identity)

As per this article.

https://www.josephguadagno.net/2022/06/03/enabling-user-authentication-in-swagger-using-microsoft-identity

I have created a default Identity-linked API with VS2022. I have configured my client on Azure. The difference in my code is the following:

s.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
{
    Type = SecuritySchemeType.OAuth2,
    Flows = new OpenApiOAuthFlows
    {
        // Implicit flow: Swagger UI obtains the access token directly from the authorize endpoint
        Implicit = new OpenApiOAuthFlow()
        {
            AuthorizationUrl = new Uri("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"),
            // Microsoft identity platform v2.0 token endpoint
            TokenUrl = new Uri("https://login.microsoftonline.com/common/oauth2/v2.0/token"),
            // Scopes offered in the Swagger "Authorize" dialog
            Scopes = new Dictionary<string, string>()
            {
                { "user.read", "Access App Graph" },
                { "api://29867508-2243-4ae2-9e04-c740dfe793a2/access_as_user", "Access my Api stuff on my Client" }
            }
        }
    }
});

I manage to authorise via the Microsoft API, and Swagger says I am authorised. But when I try to call the weather forecast API, I am still getting a 401.

Any assistance would be amazing. I am at a loss on what to try next.

Edit. I tried to remove the scope for MS Graph (user.read) and just call the API for my client, I get a 403 error.

But the API is definitely there.

I am expecting to see the data and a 200 returned when calling the weather forecast endpoint.

  • Hi, welcome to StackOverflow. Please avoid posting screenshots of code. It is better to post a code sample. It may get you more help if you read the following then edit your question for clarity. https://stackoverflow.com/help/how-to-ask. Thanks! – tom redfern Mar 17 '23 at 12:00
  • Thank you - I have updated. – Pippa Mar 17 '23 at 12:51
  • Also nowhere in your question do you say *what you are trying to do*. You should generally start with this - it is very difficult to help without this information. – tom redfern Mar 17 '23 at 12:58
  • Right at the end I state what I want to do: "I am expecting to see the data and a 200 returned when calling the weather forecast endpoint." I filled in the question as guided by the "Ask a Question" template. – Pippa Mar 17 '23 at 12:59
  • That is stating what the outcome you want is. What you are trying to do is call a service running on your local machine. – tom redfern Mar 17 '23 at 12:59
  • Start with 1. what are you trying to do? 2. what you expect to happen 3. what actually happens. Sorry, I don't mean to cause problems, I'm just saying it's difficult to understand in its current form and you may not get the help you need. – tom redfern Mar 17 '23 at 13:01
  • No, that is fine - I appreciate it. – Pippa Mar 17 '23 at 13:02
  • @Pippa, can you decode the bearer token that you got and provide it here, masking confidential information? – kavyaS Mar 17 '23 at 13:03
  • @kavyaS Sorry, I am still new to this. What do you mean by decode? – Pippa Mar 17 '23 at 13:09
  • The bearer token that you got: can you paste it here https://jwt.ms to decode it and see the claims? – kavyaS Mar 17 '23 at 13:09

2 Answers

I trust the decoded token can explain the error message: the token had "scp": "User.Read profile openid email", while the correct scope for your API should be "scp": "api://29867508-2243-4ae2-9e04-c740dfe793a2/access_as_user".

The reason for it is that you set both the Graph API permission (User.Read) and your custom API permission at the same time. They have different audiences, so the token can only be generated for one of the API permissions. I'm not sure whether writing it like below will work (just adjust the order, because when there are 2 kinds of API permissions, it will generate a token for the first kind of API permission).

Scopes = new Dictionary<string, string>()
{
    // Custom API scope listed first so the token is issued for the API's audience
    { "api://29867508-2243-4ae2-9e04-c740dfe793a2/access_as_user", "Access my Api stuff on my Client" },
    { "user.read", "Access App Graph" }
},

By the way, I had a test a long time ago which had the same requirement.

  • Thank you. I recreated the whole project and it worked. I used the link on your link (https://www.c-sharpcorner.com/article/enable-oauth-2-authorization-using-azure-ad-and-swagger-in-net-5-0/). I see I don't have admin permissions to Graph on my server, so that was why I was also getting a 403. Very much appreciated! – Pippa Mar 18 '23 at 03:33
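The comments suggest pasting the bearer token into jwt.ms to read its claims. The following is an added Python example (not code from the question, the answer, or the linked articles) that does the same check offline: it decodes the JWT payload without verifying the signature and reports whether the API's JwtBearer middleware would reject the token for a wrong audience (401) or a missing scope (403). The sample tokens and the Graph application ID used in them are constructed for the demo; the API audience is the App ID URI from the question.

```python
import base64
import json

# Audience the questioner's API expects (App ID URI from the question).
API_AUDIENCE = "api://29867508-2243-4ae2-9e04-c740dfe793a2"
REQUIRED_SCOPE = "access_as_user"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    This mirrors what jwt.ms shows and is for diagnosis only; the API's
    JwtBearer middleware is what actually validates the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str) -> str:
    """Explain why the API would answer 401/403 for this token, or return 'ok'."""
    claims = decode_claims(token)
    aud = claims.get("aud", "")
    scopes = claims.get("scp", "").split()
    # A v2.0 token carries the audience as the App ID URI or the bare client ID.
    if aud not in (API_AUDIENCE, API_AUDIENCE.removeprefix("api://")):
        return f"401: token audience is {aud!r}, not the API ({API_AUDIENCE})"
    if REQUIRED_SCOPE not in scopes:
        return f"403: token scopes {scopes} lack {REQUIRED_SCOPE!r}"
    return "ok"


def _make_unsigned_token(claims: dict) -> str:
    """Build a constructed test token with a dummy signature (demo only)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"


# Constructed samples: a token issued for Microsoft Graph, and one for the API.
GRAPH_TOKEN = _make_unsigned_token({"aud": "00000003-0000-0000-c000-000000000000",
                                    "scp": "User.Read profile openid email"})
API_TOKEN = _make_unsigned_token({"aud": API_AUDIENCE, "scp": "access_as_user"})

if __name__ == "__main__":
    print(diagnose(GRAPH_TOKEN))  # 401: audience is Graph, not the API
    print(diagnose(API_TOKEN))    # ok
```

To check a real token, pass the value from the Swagger request's Authorization header (without the "Bearer " prefix) to diagnose().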
I used the link on Tiny Wang's link

I recreated the project.

I see I don't have admin permissions to Graph on my server, so that was why I was also getting issues. Very much appreciated!

I had to grant access to my own API in the permissions as well.

Thanks for everyone's help.
