
I had to change my code in order to get a valid token that would allow me to access detailed profile info on an AAD user, using Graph API

However, to my dismay, I eventually realised this token doesn't then allow access to my API, which is also hosted on Azure behind AAD?

Is there a method which allows both?

NOTE: The problem is with the Resource I pass in the header: it's either for my API or for Graph, but I surely can't ask the user to log in twice?

What's the solution, other than embedding the client secret once the Graph token is used to log in?

Code sample uses Microsoft.IdentityModel.Clients.ActiveDirectory

Example 1 - this returns a token that I can use for my API but not Graph

using Microsoft.IdentityModel.Clients.ActiveDirectory;

// authority, hwnd, todoListResourceId, clientId and redirectURI are configured elsewhere
var authContext = new AuthenticationContext(authority);

// PromptBehavior.Auto shows the login UI only when ADAL cannot satisfy the request from its cache
var p = new PlatformParameters(PromptBehavior.Auto, hwnd);

// The token returned is scoped to the single resource passed here
AuthenticationResult result = await authContext.AcquireTokenAsync(todoListResourceId, clientId, redirectURI, p);

Resource = https://[mywebsite].azurewebsites.net/api/Timekeeper

Example 2 - this gives me a token I can use for GraphAPI, but NOT my AAD API

Resource = https://graph.windows.net/

1 Answer


You should be able to get an access token for the other API silently.

The user does not need to log in twice :)

AAD returns your app a refresh token, which is actually capable of getting you an access token for any API your app has rights to.

ADAL does this automatically for you.

You need to specify to ADAL that you do not want a prompt for the second one:

var graphTokenResult = await authContext.AcquireTokenAsync("https://graph.windows.net", clientId, redirectURI, new PlatformParameters(PromptBehavior.Never));

PromptBehavior.Never tells ADAL: "Do not prompt the user, use tokens from your cache."

You can also use PromptBehavior.Auto if you want ADAL to show a login screen if it can't use its cache to get the token.
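The full two-resource flow the answer describes, as an added example (not code from the question or the answer): one interactive sign-in for the API, then a silent acquisition for Graph from the same AuthenticationContext, with an explicit fallback because PromptBehavior.Never fails rather than prompting (as the comments note). The authority, client id and redirect URI are placeholders, and the error-code check assumes ADAL reports AdalError.UserInteractionRequired when Never cannot be satisfied from its cache.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class TwoResourceTokens
{
    // Placeholders: substitute the values from your own AAD app registration.
    const string Authority = "https://login.microsoftonline.com/[tenant]";
    const string ClientId = "[client-id]";
    const string ApiResource = "https://[mywebsite].azurewebsites.net/api/Timekeeper";
    const string GraphResource = "https://graph.windows.net/";
    static readonly Uri RedirectUri = new Uri("https://[redirect-uri]");

    // A single AuthenticationContext so both calls share ADAL's in-memory token cache.
    static readonly AuthenticationContext Ctx = new AuthenticationContext(Authority);

    public static async Task<(string apiToken, string graphToken)> AcquireBothAsync(object hwnd)
    {
        // 1. Interactive sign-in for the first resource. ADAL caches the access token
        //    and the refresh token that comes back with it.
        AuthenticationResult api = await Ctx.AcquireTokenAsync(
            ApiResource, ClientId, RedirectUri, new PlatformParameters(PromptBehavior.Auto, hwnd));

        // 2. Same user, second resource: redeem the cached refresh token, no UI.
        AuthenticationResult graph = await AcquireSilentOrPromptAsync(GraphResource, hwnd);

        // Each access token is bound to one resource (its audience), which is why the
        // Graph token is rejected by the API and vice versa; send each to its own resource.
        return (api.AccessToken, graph.AccessToken);
    }

    static async Task<AuthenticationResult> AcquireSilentOrPromptAsync(string resource, object hwnd)
    {
        try
        {
            return await Ctx.AcquireTokenAsync(
                resource, ClientId, RedirectUri, new PlatformParameters(PromptBehavior.Never, hwnd));
        }
        catch (AdalException ex) when (ex.ErrorCode == AdalError.UserInteractionRequired)
        {
            // Never does not fall back to prompting: if the refresh token has expired or
            // the user still has to consent to this resource, prompt explicitly instead.
            return await Ctx.AcquireTokenAsync(
                resource, ClientId, RedirectUri, new PlatformParameters(PromptBehavior.Auto, hwnd));
        }
    }
}
```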


11 Comments

Forgive me, kind of new to this, so I get the initial token, which I keep in the cache, but what should the call look like using that token to get me another token for my API .. ?
You should be able to do the first call to get the token for your API as before. Adding this after that should be enough. When I say cache, I mean ADAL's own cache :) Internally it caches all tokens in-memory. So if you later request a token and it finds one in its cache, it doesn't make any calls.
OK, let me clarify - I've manually retrieved that token and put it into Postman and called my API, and received a page that is unauthorised. That only happens when I set Graph as Resource. So what I didn't understand about above is I already have a token in cache, like you say, and I would normally just add it to the header, but I can't since it results in that error. So how should I use the token above to get me a token I can use for API ...?
I'm sorry, I understand now - again, thank you very much!
Nitpicking, for PromptBehavior.Never, if prompting is necessary then the AcquireToken request will fail and never fall back to prompting. Since most people treat the Never like a real-life Never.. which is a soft Never.. Could prompt you one day for credentials.. So you're telling me there's a chance type of deal..
