I have an SPA that authenticates a user, by using msal.js, against an app registered at the Application Registration Portal. It successfully retrieves a token and everything is fine so far.
Then I have an ASP.NET Web API setup that should use the token from the SPA to make requests to Microsoft Graph on behalf of the user, and this is where I run into trouble.
So far I've set up an OWIN middleware on the API that should validate the token before making a request to the graph, but no matter what I try it's always invalid. I've tried UseOpenIdConnectAuthentication, UseOAuthBearerAuthentication and UseJwtBearerAuthentication but still no success. The SPA and the API use the same Client ID and the issuer is set to https://login.microsoftonline.com/common/v2.0.
I've read a lot of SO questions and samples from MS but nothing seems to address this specific setup. According to this I at least think it is possible?
Here are the NuGet packages I'm using:
<package id="Owin" version="1.0" targetFramework="net452" />
<package id="Microsoft.Owin" version="3.1.0" targetFramework="net452" />
<package id="Microsoft.Owin.Security" version="3.1.0" targetFramework="net452" />
<package id="Microsoft.Owin.Security.Jwt" version="3.1.0" targetFramework="net452" />
<package id="Microsoft.Owin.Security.OAuth" version="3.1.0" targetFramework="net452" />
<package id="Microsoft.Owin.Security.OpenIdConnect" version="3.1.0" targetFramework="net452" />
Am I using the correct packages, and is it even possible to set it up this way? Would love some pointers on what I'm doing wrong.
Thanks in advance!