Authorization obtaining was denied for this request in Fiddler with Azure AD
I created an ASP.Net Web API (.Net Framework) application with "Work or School Accounts" as the authentication type. This automatically registers this API app with my Azure subscription and I can see it under "App Registrations" . I can see that the homepage url points to localhost address . I can see the API is running locally to the localhost address. Then I run Fiddler to get an access token from Azure AD. My POST request for an endpoint https://login.microsoftonline.com/<mytenant>.onmicrosoft.com/oauth2/token
. has the following 4 parameters
grant_type=client_credentials
&client_id=<appid from Azure AD Portal>
&client_secret=<secret from Azure AD Portal>
&resource=<appid from Azure AD Portal>
I am returning a token. When I decode this token, I see aud
and appid
as expected (the corresponding appid in Azure AD). I am using this token as a bearer token to invoke an API call by adding a header Authorization: Bearer <mytoken>
in the GET request to https://localhost:44374/api/values
. However, this GET call to my API returns me an error {"Message":"Authorization has been denied for this request."}
.
What am I missing?
source to share
You have to use App ID URI
as value resource
when purchasing a token, you can find App ID URI
in the Properties
application api on the azure portal, for example https://xxxxx.onmicrosoft.com/WebApplicationName . The web api will check if the request aud
in the access token matches the one you set in web.config:
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
TokenValidationParameters = new TokenValidationParameters {
ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
},
});
ida:Audience
The value in web.config is a valid audience.
source to share