0

I am attempting to access a secure .net core 3.1 Web API via an Angular 9 front-end. I used the Angular 9 code sample from the MSAL Angular repo.

I can successfully sign in using my own Azure AD App Registrations, but when calling my endpoint (decorated with [Authorize]), I get a 401 in my frontend, as well as in postman (expected).

My Angular Interceptor doesn't even add the bearer token in the request to the API because the getScopesForEndpoint() returns null for the request: 

let scopes = this.auth.getScopesForEndpoint(req.url);
console.log(scopes); 
// scopes is null here.

If I hard-code the scopes into the interceptor like this: 

scopes = [
    "user.read",
    "openid",
    "profile",
    "api://[My API ID]/weatherforecast"
];

I receive this error:

InteractionRequiredAuthError: AADSTS65001: The user or administrator has not consented to use the 
application with ID '[MY APP CLIENT ID]' named '[MY APP]'. Send an interactive 
authorization request for this user and resource.

I followed this tutorial here: Tutorial and I configured my Azure AD to be very similar to this. The only major change was that I allowed MutiTenant instead of SingleTenant:

Azure1

My Angular app doesn't seem to be registered with the API, according to the error, but I thought that is what this was in Azure AD:

azure2

Am I missing a step in allowing my app to call my API's authorized endpoint? Here is a post, Very similar to the setup that I followed Related SO Post. The only difference is that my Web API is on https://localhost:44381/weatherforecast instead of being deployed to Azure. The accepted answer doesn't seem to help with my scenario. Also another very similar post here: Related SO Post 2 but the answer talks about a Cors issue, which is not relevant.

Improve this question

1 Answer 1

Reset to default
1

In your front-end AD app, you need to add the Delegated permission instead of Application permission.

If you have not define a Delegated permission for your Web API App, navigate to it in the portal -> Expose an API -> Add a scope, follow this link to expose an API Delegated permission.

enter image description here

Then in your front-end AD app, add the delegated permission.

enter image description here

After add the permission, click the Grant admin consent for xxx button, it means the admin consent for the permission for the user just in your AAD tenant.

Note: if your app is a multi-tenant app, and the user who login to the app is in another AAD tenant, it needs the admin of that tenant consent the app, just let the global admin of that tenant to login the app, consent the permission. After the consent, other users in that tenant will also be able to login.

In your code, the authority need to be https://login.microsoftonline.com/common, then in the scopes of the request, it need to include the delegated permission scopes: ["<Application ID URI>/<Scope name>"], in my sample, it is scopes: ["api://xxxxxxx/Test.test"].

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.