Failed to get a bearer token from Azure AD for use with an API app

I have an MVC application that needs to access a private API in Azure that is protected by Azure AD authentication. So I need to get the Azure AD token, exchange it at the gateway for a Zumo-Auth token, and use that to access the API application.

I am going through this tutorial and everything works fine until I need to request a token from authContext. Here is the code snippet:

var authContext = new AuthenticationContext(
    "https://login.microsoftonline.com/MyADDomain.onmicrosoft.com");

ClientCredential credential = new ClientCredential(
    "04472E33-2638-FAKE-GUID-F826AF4928DB", 
    "OMYAPIKEY1x3BLAHEMMEHEHEHEHEeYSOMETHINGRc=");

// Get the AAD token.
var appIdUri = 
    "https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/login/aad";

//var appIdUri = "https://MyADDomain.onmicrosoft.com/MyAppName";
//var appIdUri = "https://MyADDomain.onmicrosoft.com/";
//var appIdUri = "https://graph.windows.net";

AuthenticationResult result = 
    authContext.AcquireToken(appIdUri, credential); // <-- can't get the token from AD

// downhill from here
var aadToken = new JObject();
aadToken["access_token"] = result.AccessToken;
var appServiceClient = new AppServiceClient(
    "https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/");

// Send the AAD token to the gateway and get a Zumo token
var appServiceUser = await appServiceClient.LoginAsync("aad", aadToken);

The line authContext.AcquireToken(appIdUri, credential) is the cause of the problem.

If as appIdUri I pass https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/login/aad, I get an exception:

400: AdalServiceException: AADSTS50001: The application named 'https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/login/aad' was not found in the tenant.

That URL is the Reply URL of the Azure AD application.

If I use https://MyADDomain.onmicrosoft.com/MyAppName or https://MyADDomain.onmicrosoft.com/ as appIdUri, I get:

400: AdalServiceException: AADSTS50105: Application '04472E33-2638-FAKE-GUID-F826AF4928DB' is not assigned to a role for the application 'https://MyADDomain.onmicrosoft.com/MyAppName'.

400: AdalServiceException: AADSTS50105: Application '04472E33-2638-FAKE-GUID-F826AF4928DB' is not assigned to a role for the application 'https://MyADDomain.onmicrosoft.com/'.

The App ID URI of the AD application is 'https://MyADDomain.onmicrosoft.com/MyAppName' (I also tried 'https://MyADDomain.onmicrosoft.com/'), and the Reply URL is the one given above.

With https://graph.windows.net as appIdUri, the token request (step 1) succeeds, but the API then returns 401 Unauthenticated.

What am I doing wrong?


As I understand it, you have:

  • an Azure API app,
  • hosted in Azure App Service,
  • protected by Azure Active Directory.

I reproduced this in a small console app; it references Microsoft.IdentityModel.Clients.ActiveDirectory (ADAL) and uses the Async method.

Getting the AAD token

using System;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

class Program
{
    static void Main(string[] args)
    {
        // Authority = https://login.microsoftonline.com/ + your tenant.
        var authContext = new AuthenticationContext(Constants.AUTHORITY);

        // Client credentials of the application registered in Azure AD.
        var credential =
            new ClientCredential(Constants.CLIENT_ID, Constants.CLIENT_SECRET);

        // Resource = the App ID URL of the API app's gateway (.../login/aad).
        // Blocking on .Result is acceptable in a console demo; await it in real code.
        AuthenticationResult result = authContext
            .AcquireTokenAsync(Constants.API_ID_URL, credential)
            .Result;

        var token = result.AccessToken;
        Console.WriteLine(token);
        Console.ReadLine();
    }
}

AUTHORITY. https://login.microsoftonline.com followed by your tenant. You can find the tenant in portal.azure.com on the Gateway blade, under its Azure Active Directory identity settings. Mine is bigfontoutlook.onmicrosoft.com.

CLIENT_ID. The client ID of the application you registered in Azure Active Directory: manage.windowsazure.com > Active Directory > Your Directory, then the application you registered. In other words, it is the Azure Active Directory application's client ID.

CLIENT_SECRET. A key (secret) generated for that same application.

API_ID_URL. On the Gateway blade of the API app, open the Azure Active Directory identity settings; the App ID URL shown there is the one to use.

Here are my constants:

class Constants
{
    // Tenant-specific authority: login.microsoftonline.com + tenant name.
    public const string AUTHORITY =
     "https://login.microsoftonline.com/bigfontoutlook.onmicrosoft.com/";

    // Client ID of the application registered in Azure AD.
    public const string CLIENT_ID = 
      "0d7dce06-c3e3-441f-89a7-f828e210ff6d";

    // Key generated for that application. Shown here as in the original post;
    // a real secret belongs in configuration, not in source control.
    public const string CLIENT_SECRET =
      "AtRMr+Rijrgod4b9Q34i/UILldyJ2VO6n2jswkcVNDs=";

    // App ID URL of the API app's gateway; it becomes the token's "aud" claim.
    public const string API_ID_URL = 
      "https://mvp201514929cfaaf694.azurewebsites.net/login/aad";
}

The JWT

Decoded, the token looks like this:

{
 typ: "JWT",
 alg: "RS256",
 x5t: "MnC_VZcATfM5pOYiJHMba9goEKY",
 kid: "MnC_VZcATfM5pOYiJHMba9goEKY"
}
{
 aud: "https://mvp201514929cfc350148cfa5c9b24a7daaf694.azurewebsites.net/login/aad",
 iss: "https://sts.windows.net/0252f597-5d7e-4722-bafa-0b26f37dc14f/",
 iat: 1442346927,
 nbf: 1442346927,
 exp: 1442350827,
 ver: "1.0",
 tid: "0252f597-5d7e-4722-bafa-0b26f37dc14f",
 oid: "5a6f33eb-b622-4996-8a6a-600dce355389",
 sub: "5a6f33eb-b622-4996-8a6a-600dce355389",
 idp: "https://sts.windows.net/0252f597-5d7e-4722-bafa-0b26f37dc14f/",
 appid: "0d7dce06-c3e3-441f-89a7-f828e210ff6d",
 appidacr: "1"
}

Hope this helps :)

See also: Connecting the Dots with Azure AD

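Added example, not part of the original question or answer: a small Python script that decodes a token like the one shown in the answer and checks the claims the gateway depends on. The audience (aud) has to be the API app's App ID URL, iss and tid have to name the tenant, appid has to be the registered client ID, appidacr "1" shows the token was obtained with a client secret, and nbf/exp bound the validity window. The two tokens are constructed here from the header and claims in the answer, with a placeholder in the signature slot; the script never verifies signatures, so treat it as a diagnostic aid, not an authorization check. The second token carries aud https://graph.windows.net, which is what the question's third attempt would produce.

```python
import base64
import json
import time
from typing import Dict, List, Optional

# Values taken from the answer above: tenant, client id and the API app's
# App ID URL, which the gateway expects to find in the token's "aud" claim.
TENANT_ID = "0252f597-5d7e-4722-bafa-0b26f37dc14f"
CLIENT_ID = "0d7dce06-c3e3-441f-89a7-f828e210ff6d"
API_ID_URL = "https://mvp201514929cfc350148cfa5c9b24a7daaf694.azurewebsites.net/login/aad"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str):
    """Split a compact JWT into (header, payload, signature).

    The signature is returned as-is and NOT verified: this is a diagnostic
    view of the claims, not an authorization decision. Only the resource
    server (here the App Service gateway) should trust the token, after
    checking the RS256 signature against the tenant's published keys.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload, parts[2]


def check_claims(payload: Dict, expected_aud: str, expected_appid: str,
                 tenant_id: str, now: Optional[float] = None) -> List[str]:
    """Return the reasons the gateway would reject this token (empty list = accepted)."""
    now = time.time() if now is None else now
    issuer = f"https://sts.windows.net/{tenant_id}/"
    problems = []
    if payload.get("aud") != expected_aud:
        # A token requested for graph.windows.net fails here: it is a valid AAD
        # token, but minted for a different resource, so the API answers 401.
        problems.append(f"aud: got {payload.get('aud')!r}, gateway expects {expected_aud!r}")
    if payload.get("iss") != issuer or payload.get("tid") != tenant_id:
        problems.append(f"iss/tid: token is not from tenant {tenant_id}")
    if payload.get("appid") != expected_appid:
        problems.append(f"appid: got {payload.get('appid')!r}, expected {expected_appid!r}")
    if payload.get("appidacr") != "1":
        problems.append("appidacr: token was not obtained with a client secret")
    if not isinstance(payload.get("nbf"), int) or payload["nbf"] > now:
        problems.append("nbf: token not yet valid")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        problems.append("exp: token expired (or exp missing)")
    return problems


def make_test_jwt(header: Dict, payload: Dict) -> str:
    # Constructed test token: a real AAD token ends in an RS256 signature;
    # a placeholder is substituted because this script never verifies it.
    segments = [_b64url_encode(json.dumps(d, separators=(",", ":")).encode())
                for d in (header, payload)]
    return ".".join(segments + [_b64url_encode(b"placeholder-signature")])


# Header and claims copied from the decoded JWT in the answer.
HEADER = {"typ": "JWT", "alg": "RS256",
          "x5t": "MnC_VZcATfM5pOYiJHMba9goEKY", "kid": "MnC_VZcATfM5pOYiJHMba9goEKY"}
CLAIMS = {
    "aud": API_ID_URL,
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "iat": 1442346927, "nbf": 1442346927, "exp": 1442350827,
    "ver": "1.0", "tid": TENANT_ID,
    "oid": "5a6f33eb-b622-4996-8a6a-600dce355389",
    "sub": "5a6f33eb-b622-4996-8a6a-600dce355389",
    "idp": f"https://sts.windows.net/{TENANT_ID}/",
    "appid": CLIENT_ID, "appidacr": "1",
}
GOOD_TOKEN = make_test_jwt(HEADER, CLAIMS)
# Same claims, but requested with resource https://graph.windows.net, as in the question.
GRAPH_TOKEN = make_test_jwt(HEADER, dict(CLAIMS, aud="https://graph.windows.net"))
# A moment inside the token's validity window, so the demo is not dominated by "expired".
SEPT_2015 = 1442347000

if __name__ == "__main__":
    for name, tok in (("API_ID_URL token", GOOD_TOKEN), ("graph.windows.net token", GRAPH_TOKEN)):
        _, claims, _ = decode_jwt(tok)
        print(name, "->", check_claims(claims, API_ID_URL, CLIENT_ID, TENANT_ID, now=SEPT_2015) or "OK")
```

Run as a script it reports OK for the first token and a single aud mismatch for the second. That mismatch is the shape of the question's third attempt: the token request succeeded because graph.windows.net is a real resource in every tenant, but the gateway rejected the result with 401 because aud did not name its own /login/aad URL. Pass the token's exp as `now` and the exp check fires instead, which is the other common reason a freshly pasted token stops working.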

Source: https://habr.com/ru/post/1607489/
