0

Net core application and Single Page application. I have implemented Authorization code flow for authentication. In SPA users login and call the APIs. This is working as expected. so my WebAPI accepts requests coming from SPA and only authenticated requests such as tokens contains roles. Now I have requirement such that I should add one more controller to the same App which can accept requests from another client app. This client app do not have logged in user. So its kind of service to service call like client credential flow. Now I want to implement second flow. So ultimately my Web API can be called from SPA with authenticated users and from another app without authenticated users. I am trying to implement this and not sure this way its possible or not. The reason being is I have below code in web api

var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
        services.AddMvc(options =>
        {
            options.Filters.Add(typeof(ValidateModelStateAttribute));
            options.Filters.Add(new AuthorizeFilter(policy));
        })
        .SetCompatibilityVersion(CompatibilityVersion.Version_3_0)
        .AddNewtonsoftJson(options => {
            options.SerializerSettings.ReferenceLoopHandling = ReferenceLoopHandling.Ignore;
        });

This says allow only authenticated users in the app. I generated token for my another client app as below

https://login.microsoftonline.com/tenantid/oauth2/v2.0/token

and passed client id, client secret grant_type and scope as api://clientid of webapi. I got token and tried to hit web API but this could not success. It throws error

System.UnauthorizedAccessException: IDW10201: Neither scope or roles claim was found in the bearer token.

I need some help regarding this, first is this possible in first then if possible what is the right way or any thing I am missing here. Can someone please help me. Any help would be appreciated. Thanks

Improve this question

1 Answer 1

Reset to default
1

You need to go to your app registration in Azure AD management portal, find "App roles", and create an app role with allowed member types "Applications". This is an application permission.

Then you need to go the app registration for the client application and add that app permission under API permissions. You will need to then do admin consent to give the permission to the client application.

For integrations between systems where users are not involved, you should always define an application permission. You can have as much or as little granularity as you want, you can have a single app permission that allows access to all endpoints, or you can have permissions per entity type that you expose (similar to MS Graph API).

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Thanks Junnas for the answer. when generating token where no user involved, i should use client credential flow right as i mentioned above. So i should pass client id and client secret of webapi and may I know for scope what exactly I should pass?
Hi Junnas, I am refering joonasw.net/view/defining-permissions-and-roles-in-aad. You have explained very well there. We can set type to Application and we can generate token. my only confusion is will my API accepts token from both(when I say both one is logged in user token and one more is client app token with role but without user info). can you pls confirm this
If you use Microsoft.Identity.Web (and I think you are based on the error message), then yes, it will support both scenarios. And that's correct, you use client credentials flow to get a token as an application with no user involved.
In the above process the "aud" audience in the token will be the application id. If user token and Client Credential token, generated from the different application. If you are enabling audience check in the Token validation then you will have to maintain the expected audience id.
This is working for me. My API's are able to access from ui with lgged inuser and from other client application also without user present. Thanks a lot junnas. Both works
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.