C
C#17mo ago
Cutter

❔ Can't access Microsoft Graph. What part am I not understanding clearly?

I will give my steps. The code. and the problem. Step 1. Login using Swagger UI [See Images] Step 2. Run My Get Method to get the User. My Problem I receive this error [See Images] 
Microsoft.Identity.Web.MicrosoftIdentityWebChallengeUserException: 'IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent. '
Microsoft.Identity.Web.MicrosoftIdentityWebChallengeUserException: 'IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent. '
My Code StartUp.cs - Swagger UI 
 scopes.Add($"user.read", "Access application on user behalf");

                c.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
                {
                    Name = "oauth2",
                    Scheme = OpenIdConnectDefaults.AuthenticationScheme,
                    BearerFormat = "JWT",
                    Type = SecuritySchemeType.OAuth2,
                    Flows = new OpenApiOAuthFlows
                    {
                        Implicit = new OpenApiOAuthFlow()
                        {
                            AuthorizationUrl = new Uri("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"),
                            TokenUrl = new Uri("https://login.microsoftonline.com/common/common/v2.0/token"),
                            Scopes = scopes
                        },

                    },
                });

                c.AddSecurityRequirement(new OpenApiSecurityRequirement() {
                {
                        new OpenApiSecurityScheme {
                            Reference = new OpenApiReference {
                                Type = ReferenceType.SecurityScheme,
                                Id = "oauth2"
                            },
                            Name = "oauth2",
                            In = ParameterLocation.Header,
                        },
                        new List <string> ()
                    }
                });
 scopes.Add($"user.read", "Access application on user behalf");

                c.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
                {
                    Name = "oauth2",
                    Scheme = OpenIdConnectDefaults.AuthenticationScheme,
                    BearerFormat = "JWT",
                    Type = SecuritySchemeType.OAuth2,
                    Flows = new OpenApiOAuthFlows
                    {
                        Implicit = new OpenApiOAuthFlow()
                        {
                            AuthorizationUrl = new Uri("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"),
                            TokenUrl = new Uri("https://login.microsoftonline.com/common/common/v2.0/token"),
                            Scopes = scopes
                        },

                    },
                });

                c.AddSecurityRequirement(new OpenApiSecurityRequirement() {
                {
                        new OpenApiSecurityScheme {
                            Reference = new OpenApiReference {
                                Type = ReferenceType.SecurityScheme,
                                Id = "oauth2"
                            },
                            Name = "oauth2",
                            In = ParameterLocation.Header,
                        },
                        new List <string> ()
                    }
                });
Startup.cs - Add Microsoft Web Identity I Have multiple authentication Schemes 
            services.AddMicrosoftIdentityWebApiAuthentication(Configuration, "AzureAd", OpenIdConnectDefaults.AuthenticationScheme)
                .EnableTokenAcquisitionToCallDownstreamApi()
                .AddMicrosoftGraph(Configuration.GetSection("DownstreamAPI"))
                .AddInMemoryTokenCaches();
            services.AddMicrosoftIdentityWebApiAuthentication(Configuration, "AzureAd", OpenIdConnectDefaults.AuthenticationScheme)
                .EnableTokenAcquisitionToCallDownstreamApi()
                .AddMicrosoftGraph(Configuration.GetSection("DownstreamAPI"))
                .AddInMemoryTokenCaches();
My Controller Method Called 
        [HttpGet]
        [Route("microsoftgraphauth")]
        [AuthorizeForScopes(AuthenticationScheme = OpenIdConnectDefaults.AuthenticationScheme, Scopes = new string[] { "microsoftgraphauth" })]
        public async Task<ActionResult> MicrosoftGraphAuth()
        {

            try
            {
                var accessToken = Request.Headers[HeaderNames.Authorization];

                User user = await graphServiceClient.Me.GetAsync(r => r.Options.WithAuthenticationScheme(OpenIdConnectDefaults.AuthenticationScheme));
            }
            catch (Exception ex)
            {
                if (ex.InnerException is MsalUiRequiredException challengeException)
                {
                    tokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeader(new string[] { "User.Read" }, challengeException, authenticationScheme: OpenIdConnectDefaults.AuthenticationScheme, Response);
                }
            }

            return Ok();
        }
        [HttpGet]
        [Route("microsoftgraphauth")]
        [AuthorizeForScopes(AuthenticationScheme = OpenIdConnectDefaults.AuthenticationScheme, Scopes = new string[] { "microsoftgraphauth" })]
        public async Task<ActionResult> MicrosoftGraphAuth()
        {

            try
            {
                var accessToken = Request.Headers[HeaderNames.Authorization];

                User user = await graphServiceClient.Me.GetAsync(r => r.Options.WithAuthenticationScheme(OpenIdConnectDefaults.AuthenticationScheme));
            }
            catch (Exception ex)
            {
                if (ex.InnerException is MsalUiRequiredException challengeException)
                {
                    tokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeader(new string[] { "User.Read" }, challengeException, authenticationScheme: OpenIdConnectDefaults.AuthenticationScheme, Response);
                }
            }

            return Ok();
        }
I do not get it. I have signed the user in and asking for permission for the scope User.Read? What am I missing? I am very fustrated and have been at this for a week straight. Thank you for your time 🙂
5 Replies
Cutter
CutterOP17mo ago
My Json Config 
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "trublue.api.onmicrosoft.com",
    "TenantId": "common",
    "ClientId": "<Id>",
    "ClientSecret": "<Secret>",
    "ClientCapabilities": [ "cp1" ],
    "CallbackPath": "/apitest/oauth2-redirect.html",
    "Scopes": "User.Read"
  },
  "DownstreamAPI": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    "Scopes": "user.read"
  },
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "trublue.api.onmicrosoft.com",
    "TenantId": "common",
    "ClientId": "<Id>",
    "ClientSecret": "<Secret>",
    "ClientCapabilities": [ "cp1" ],
    "CallbackPath": "/apitest/oauth2-redirect.html",
    "Scopes": "User.Read"
  },
  "DownstreamAPI": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    "Scopes": "user.read"
  },
Omnissiah
Omnissiah17mo ago
do you necessarily want to use the implicit flow?
Cutter
CutterOP17mo ago
Well I will be communicating with a front end app with my web api. What do you think is best? I want to be able to sign the user in and get permission to use Microsoft graph scopes
Omnissiah
Omnissiah17mo ago
maybe you can also try asking on the azure discord server btw, or the powpco
Accord
Accord17mo ago
Was this issue resolved? If so, run /close - otherwise I will mark this as stale and this post will be archived until there is new activity.
Want results from more Discord servers?
Add your server