I secured some of my ASP.NET Web API using Azure AD as you can see in the code screenshot below:
The strange thing is that sometimes when calling the API in parallel (bulk calls) the client gets an error:
Authorization has been denied for this request
I am unable to detect why it happens only sometimes even if the client re-tries the call with another access token. Is there a way to find/debug the exact reason why? It is maybe because I need to resize the Web/DB(DTU) servers?
CodePudding user response:
Please try to enable PII logging in the Startup.cs file, in the ConfigureServices method, to check for the proper error.
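public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseHsts();
    }

    // Enable PII logging so the full token validation error is written out.
    // Log entries can then contain token and claim values, so switch it off
    // again once the cause has been found.
    Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;

    app.UseHttpsRedirection();
    app.UseAuthentication();
    app.UseMvc();
    // ...
}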
This error, "Authorization has been denied for this request", usually occurs when there is an audience mismatch, or when the audience doesn't match the one the Web API is expecting, which is set in ValidAudience. The audience can be the appId or the appIdUri, according to the application.
So in place of ValidAudience, please use TokenValidationParameters.ValidAudiences (or ValidAudiences) to add both the clientID and the AppIdURI (api://<appIdUri>) in place of AUDIENCE1 and AUDIENCE2:
ValidateIssuer = true,
ValidAudiences = new List<string>
{
    "AUDIENCE1",
    "AUDIENCE2"
}
With such a configuration, the API call can be validated for both cases.
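To test the audience explanation above against a token that was actually rejected, the `aud` claim can be read directly from the token and compared with the list the API accepts. This is an added example, not part of the original answer: the audience values and sample tokens are constructed placeholders, and the function names are hypothetical.

```python
import base64
import json

# Placeholder audiences (assumptions): the client ID and App ID URI forms.
VALID_AUDIENCES = {
    "11111111-2222-3333-4444-555555555555",
    "api://11111111-2222-3333-4444-555555555555",
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_audiences(token: str) -> list:
    """Return the aud claim as a list. Diagnostic only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = json.loads(b64url_decode(parts[1]))
    aud = payload.get("aud", [])
    # A JWT may carry aud as a single string or as an array of strings.
    return [aud] if isinstance(aud, str) else list(aud)


def audience_report(token: str, valid=VALID_AUDIENCES) -> dict:
    """Report whether any aud value is in the list the API accepts."""
    auds = token_audiences(token)
    matched = [a for a in auds if a in valid]
    return {"aud": auds, "matched": matched, "accepted": bool(matched)}


def make_sample(aud) -> str:
    """Build an unsigned sample token (constructed test data, not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'aud': aud})}."


if __name__ == "__main__":
    for aud in ("api://11111111-2222-3333-4444-555555555555",
                "api://another-app"):  # constructed mismatch
        print(audience_report(make_sample(aud)))
```

Run it on a token captured from a failed call on a machine you control, since an unexpired access token is still a usable credential.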