❔ Calling an Azure AD protected Web API endpoint from an Azure AD protected Web App [.NET 7]
I am having trouble getting the correct flow/configuration to call my Web API Endpoint that is protected with Azure AD.
This is how the Authentication is configured on the web API currently:
The Configuration just has the details like clientId, TenantId, Domain, Audience and secret, etc.
This is how I am setting up authentication on the web app: (the only scope is an expose API from the API App registration named "WeatherForecast")
My question is, how do I get the access token to add to the authorization header to call my web api endpoint? The endpoints are role-based based on the user's roles, so is On-Behalf-Of flow the correct flow to use here? If so, I have looked at Microsoft's examples, and I am still very confused on how to achieve what I want to do. TIA!
5 Replies
you don't need to do it manually. when you call with IDownstreamAPI, it'll resolve the scope with the associated named api
> The endpoints are role-based based on the user's roles, so is On-Behalf-Of flow the correct flow to use here?
Oh missed this bit. I'm mainly familiar with client credentials flow
I'm not familiar with IDownstreamAPI, could you link the docs by chance?
I was just trying to get the access_token manually via the HttpContext, but when I use GetTokenAsync("access_token") it always returns null, and I've injected the HttpContext into my controller.
These might be good resources https://github.com/AzureAD/microsoft-identity-web/wiki/v2.0 and https://github.com/AzureAD/microsoft-identity-web/wiki/adding-call-api-to-web-app
ironically, i've already read these haha. I wasn't going the IDownstreamApi route, and was just going to call the API using an injected httpclient.
I am also kind of wondering if my azure registrations are incorrect, i'm not an azure guru sadly, and just trying to learn as I go
Was this issue resolved? If so, run /close - otherwise I will mark this as stale and this post will be archived until there is new activity.
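For the setup asked about in this thread, an added example (not code from any poster or from the linked wiki) of a web app that signs the user in and lets Microsoft.Identity.Web acquire the token for the signed-in user and attach it through IDownstreamApi, so the API receives a user token it can evaluate against its role checks. Assumed names: the "WeatherApi" configuration section, the /weather route, the WeatherForecast record, and the scope value, which is a placeholder.

```csharp
// Program.cs of the web app (added example; names marked "assumed" are not from the thread)
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Abstractions;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);
builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    // "AzureAd" section: Instance, TenantId, ClientId and the web app's client secret.
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
    // Request the API scope at sign-in so a user token for the API can be cached.
    .EnableTokenAcquisitionToCallDownstreamApi(new[] { Api.Scope })
    // Assumed section "WeatherApi": { "BaseUrl": "<api base url>", "Scopes": [ "<scope>" ] }
    .AddDownstreamApi("WeatherApi", builder.Configuration.GetSection("WeatherApi"))
    .AddInMemoryTokenCaches();
builder.Services.AddAuthorization();
builder.Services.AddControllersWithViews();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

static class Api
{
    // Placeholder: substitute the Application ID URI of the API app registration.
    public const string Scope = "api://<api-client-id>/WeatherForecast";
}

[Authorize]
// Re-challenges the user when no cached token covers the scope (consent or expiry).
[AuthorizeForScopes(Scopes = new[] { Api.Scope })]
public class WeatherController : Controller
{
    private readonly IDownstreamApi _api;
    public WeatherController(IDownstreamApi api) => _api = api;

    [HttpGet("/weather")] // assumed route
    public async Task<IActionResult> Index()
    {
        // Token is acquired for the signed-in user and sent as the Bearer header.
        var forecast = await _api.GetForUserAsync<WeatherForecast[]>(
            "WeatherApi", options => options.RelativePath = "weatherforecast");
        return Json(forecast);
    }
}

public record WeatherForecast(DateOnly Date, int TemperatureC, string? Summary);
```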