Some confusion about API permissions in Azure AD

  • Question

  • Hello. I'm trying to restrict access to an API using Azure AD. I've been following this guide to get it set up...
    https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-expose-web-apis

    I have set up my scopes and granted permissions to another app which I did using the following link...https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis

    Finally, I have tried to access my web api as I would in the following guide...

    https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow

    So what I've done so far is...

    Created an application to represent the API and added scopes

    Created an application to represent a client calling the API and granted permissions to the scopes

    Made a request to get an access token to my API

    My request params are as follows...

    POST https://login.microsoftonline.com/XXXXXXXXXXXXXXXX/oauth2/token

    client_id: <App ID in the directory for the client app>
    client_secret: <A secret I generated for this app>
    grant_type: client_credentials
    resource: https://xxxxxxxx.onmicrosoft.com/db9e27d7-02c1-4597-86b5-1fae160cda8f

    When I send this request I get a token back. The problem is that when I try to send a request for any of the scopes I defined when I exposed my API, I get an error back...

    AADSTS50001: The application named https://xxxxxxxx.onmicrosoft.com/db9e27d7-02c1-4597-86b5-1fae160cda8f/.default was not found in the tenant named xxxxxxxx. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
    Trace ID: 798a4ac1-2ef8-475c-84c9-c4f20d213800
    Correlation ID: cd448c8e-8a62-417a-9859-af6def67c7f2
    Timestamp: 2018-11-21 00:22:45Z

    This happens for any of the scopes and not just ./default. This seems to indicate to me that when I make the request, it is not using the permissions I had set. Furthermore, if I create a new client application and send a request with a valid client ID and secret, I still get a token back even though I haven't set any permissions.

    Any idea what might be going on?
    Thanks

    --Drew


    Wednesday, November 21, 2018 12:30 AM

All replies

  • Hi Drew,

    I see that you are requesting a V1 token and it does not understand "./default". If you want to get the scopes as defined in ./default then try sending the request to V2 endpoint as described here 

    https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow 

    Wednesday, November 21, 2018 9:40 AM
  • Hello again, Manoj, and thanks for the reply. After your last post and from reviewing the docs comparing V1 and V2, I decided that V1 seemed like the better approach. I'm guessing I was just on the wrong track when I tried to use the /.default suffix.

    The main issue I'm having is that I haven't been able to use the permissions I configured for my API. I set these permissions according to the guideline provided here:

    https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis
    I am also able to register a new client application which can gain an access token using the client ID and secret associated with it even though I haven't set any configurations that should allow it to do that.

    So in summary, I want to be able to configure an API such that only apps that are authorized can gain an access token. My expectation is that when a client request is sent to Azure AD from an app that is authorized, I will get an access token back but when I send a token from an app that is not authorized, I will get some sort of error message.

    Again, thanks for the reply.

    --Drew

    Wednesday, November 21, 2018 4:25 PM
  • Hey Drew,

    When you use a client ID and client secret associated with an app that you have not configured for anything yet, you do get an access token; however, the audience of the access token is not any specific app/API, but rather just Azure Active Directory. There would be no roles configured in the access token either, due to which this access token would not be of much use.


    In this case, it looks like you are trying to get a token with an application permission and not a delegated permission. Delegated permissions are for when your application needs to access the API as a signed-in user, not as an application that is running like a background service/daemon without a signed-in user.

    Hence, you would first need to publish your API as an application permission for your "client app" to be able to access it using app permissions and not delegated permissions. Follow the section titled "Modify your application Manifest to add your own permissions" from here.

    Setting this up will expose your API to be shown under Application permissions rather than Delegated permissions when adding permission to your API on the client app in Azure AD, which then will allow you to specify the scope field to get an access token with the scope in the role field of the access token.

    References:

    https://blogs.msdn.microsoft.com/aaddevsup/2018/04/12/implementing-service-to-service-authorization-and-getting-the-access-token-with-postman-utilizing-client-credential-grant-type/

    https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow

    https://docs.microsoft.com/en-us/azure/active-directory/develop/developer-glossary#permissions


    Let us know if this helps
    Thursday, November 22, 2018 3:57 AM
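    An added illustration, not code from this thread or from Microsoft: it builds the v1 client-credentials request body from the question and shows the check the API itself has to make on a token once the application permission exists in its manifest, which is what makes the difference between "any app with a secret gets a token" and "only authorized apps get through". The App ID URI, the role value, and the two sample tokens are constructed for the example.

```python
import base64
import json
from typing import Iterable

# Assumed values for this example (not from the thread): the API's App ID URI and
# the app-role "value" defined under appRoles in its manifest.
API_APP_ID_URI = "https://contoso.onmicrosoft.com/db9e27d7-02c1-4597-86b5-1fae160cda8f"
REQUIRED_ROLE = "Api.Invoke"


def client_credentials_body(client_id: str, client_secret: str, resource: str) -> dict:
    """Form fields for the v1 endpoint POST /{tenant}/oauth2/token, as in the question.
    On v1 the target API is named with `resource` (its App ID URI), not `scope`."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT. The signature is NOT checked here; a real
    API must first verify it against the tenant's published signing keys."""
    _header, payload, _signature = token.split(".")
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def is_authorized(claims: dict, required_role: str = REQUIRED_ROLE) -> bool:
    """Decision the API should make on every call: the token was issued for this API
    (aud == its App ID URI) AND the caller holds the application permission (roles)."""
    if claims.get("aud") != API_APP_ID_URI:
        return False
    roles: Iterable[str] = claims.get("roles", [])
    return required_role in roles


def _unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned test token of the form header.payload.signature."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed sample tokens: one issued for the API with the app role granted, one for
# an app that was never granted anything (audience is Azure AD itself, no roles claim).
GOOD_TOKEN = _unsigned_jwt({"aud": API_APP_ID_URI, "appid": "client-app-guid", "roles": [REQUIRED_ROLE]})
BAD_TOKEN = _unsigned_jwt({"aud": "<azure-ad-placeholder-audience>", "appid": "other-app-guid"})

if __name__ == "__main__":
    print("configured client authorized:", is_authorized(decode_payload(GOOD_TOKEN)))  # True
    print("unconfigured client authorized:", is_authorized(decode_payload(BAD_TOKEN)))  # False
```

    The second token is exactly the "not of much use" token the reply describes: Azure AD issues it, but the API rejects it because neither the audience nor a roles claim names this API.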
  • Thanks, Manoj. This was exactly what I needed.
    Tuesday, November 27, 2018 11:51 PM