using System.Collections.Generic;
using System.Web.Http;

// Every action on this controller requires an authenticated caller;
// the bearer token is validated by the OWIN middleware configured in Startup.Auth.cs.
[Authorize]
public class ValuesController : ApiController
{
    // GET api/values
    public IEnumerable<string> Get()
    {
        return new string[] { "Simple", "Test" };
    }
}

This is a simple "Web API 2" app.

using System.Configuration;
using System.IdentityModel.Tokens;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public void ConfigureAuth(IAppBuilder app)
{
    app.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
            TokenValidationParameters = new TokenValidationParameters
            {
                SaveSigninToken = true,
                // Only tokens whose "aud" claim equals this single value are accepted.
                ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
            },
        });
}

As shown, the application is using Windows Azure Active Directory for authentication and authorization.

Note that it works normally when published to an Azure API App, but always denies the request when running on localhost.

I am not sure what happened, it used to work before.

Regards

1 Answer

Normally this is due to a mismatch between the audience you expect in the web API (the value you set via ValidAudience) and the audience in the incoming token. The value in the token reflects the resource identifier you used when requesting the token from the client. Do you change the client code to request a different audience when calling the localhost instance vs. the Azure API one? Also, how do you publish the API to Azure? If you use VS, and in the Publish wizard settings you have the checkbox "use organizational auth" checked, the deployed web API will have a different audience value in its web.config.


3 Comments

Yes, I found out this is the case. But I am not sure I fully understand this, because on Azure it works as is, but on localhost it doesn't. It only works if I change the Audience to the same value as the App ID URI from the Azure portal. Now I am stuck, since login from the SPA fails because it needs the audience to be the same as the ClientId and not the App ID URI. Any ideas here?
Instead of ValidAudience, please use TokenValidationParameters.ValidAudiences (plural) and add there both the ClientID and the App ID URI.
I didn't notice that this is actually you; thanks and great work in AAD; amazing Build session
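The fix suggested in the comments, written out as an added example (this is not code from the question or the answer). It assumes the App ID URI is stored under ida:Audience and the application's client ID under an additional ida:ClientId app setting; both setting names are assumptions. The failing single-audience setting is kept as a comment next to the corrected one so the two can be compared.

```csharp
using System.Configuration;
using System.IdentityModel.Tokens;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Assumed app settings (not part of the original post):
        //   ida:Tenant   - the AAD tenant, e.g. contoso.onmicrosoft.com
        //   ida:Audience - the App ID URI of the API registration
        //   ida:ClientId - the application (client) ID GUID of the API registration
        string tenant   = ConfigurationManager.AppSettings["ida:Tenant"];
        string appIdUri = ConfigurationManager.AppSettings["ida:Audience"];
        string clientId = ConfigurationManager.AppSettings["ida:ClientId"];

        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = tenant,
                TokenValidationParameters = new TokenValidationParameters
                {
                    SaveSigninToken = true,

                    // Before: a single accepted audience. A token requested by the SPA
                    // for the client ID carries aud = clientId and is rejected here.
                    // ValidAudience = appIdUri,

                    // After: accept a token whose "aud" claim matches either identifier.
                    // Keep the list to the two values this API is registered under;
                    // do not disable ValidateAudience to "make it work".
                    ValidAudiences = new[] { appIdUri, clientId },
                    ValidateAudience = true
                }
            });
    }
}
```

When the request is still rejected, compare the "aud" claim of the incoming token against the two configured values before changing anything else; the middleware returns 401 without a body when the audience does not match, so the token itself is the only place the mismatch is visible.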
