Home > Net >  Having problem Authorizing Authenticated user account in Web API
Having problem Authorizing Authenticated user account in Web API

Time:06-22

I'm using ASP.Net Core 6 to build a secured Web API.

HOW I BUILT IT
dotnet new webapi --auth SingleOrg --aad-instance https://login.microsoftonline.com/ --client-id <CLIENT ID> --domain company.onmicrosoft.com --tenant-id <TENANT ID> --calls-graph true -o GraphTestService

APP REGISTRATION OF WEB API
I added a Scope in the Export API "EmployeeRecord.Read"

APP REGISTRATION FOR CLIENT (Public Client)
Added permission for Graph API (User.Read)
Added permission "EmployeeRecord.Read"

HOW I GET TOKEN USING THE CLIENT
I'm using "InteractiveBrowserCredential".

Everything works fine up until the Web service tries to call Graph API. It throws MsalUIRequiredException.

Understandable, since I did not include any graph API permissions when I requested a token.

FINALLY, THE PROBLEM When I inspect the Bearer token that's returned, it has the "EmployeeRecord.Read" scope. Ok, that's fine. The Web API authorizes it; but the token doesn't have any permissions for Graph API.

When I add a graph API permission to the scopes, I get AADSTS28000: Provided value for the input parameter scope is not valid because it contains more than one resource. Scope api://<APP URI ID>/EmployeeRecord.Read https://graph.microsoft.com/User.Read offline_access openid profile is not valid.

If I only include the graph API permission, the Web API returns an Unauthorized error.

WHAT I'VE TRIED In addition to playing with the scopes, I tried adding my client application to the Web API app registration under the "Expose an API / Add A client Application". This made no difference. No difference in token or errors.

CodePudding user response:

You are trying to add scopes for 2 different resource ,the scope parameter cannot be used to specify permissions for multiple resources similar issue .

we recommend you to use MSAL libarry , MSAL will store tokens for you and refresh whenever token is expired. Just call acquireTokenSilent to get an access token silently, and if you get an error, call acquireToken (see details on error handling here: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-handling-exceptions#msal-for-ios-and-macos-errors)

for more info please check similar issue

Thanks

Page link:https//www.codepudding.com/net/450224.html

Prev:Why calling a private constructor in Kotlin results in error as "Cannot access <init>&quo
Next:problem with translation in Hibernate when select max(column_name)
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding