Hiren Desai Hiren Desai - 1 year ago 91
ASP.NET (C#) Question

Azure AD authentication between applications

I have an application let's name it 'Apple' which is registered with Azure AD having delegated rights on Azure Management API application. When requested to this application it creates azure resource ex. storage account automatically and this works fine.

I have another application which is MVC application and it's also registered with same AD tenant. The second application uses following code for retrieving access token:

var clientCredentials = new ClientCredential(ConfigurationManager.AppSettings["AD_ClientID"], ConfigurationManager.AppSettings["AD_Client_AccessKey"]);
var authContext = new AuthenticationContext(string.Format(ConfigurationManager.AppSettings["AD_Tenant_Login_Url"], ConfigurationManager.AppSettings["AD_Tenant_Id"]));
var result = authContext.AcquireTokenAsync(ConfigurationManager.AppSettings["AD_Resource"], clientCredentials);
if (result == null)
throw new InvalidOperationException("Could not get the token");
return result.Result;

The result is an access token having different properties. Now second application, retrives access token with access to resource apple, which it then passes to Apple application in authorization header.

Authorization:bearer TokenString

The Apple application is having Authorize attribute added to controller.
The application is configured with Owin with oauth application with following code

public void ConfigureAuth(IAppBuilder app)
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
TokenValidationParameters = new TokenValidationParameters

ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]

Please note that the access token is retrieved from second application using its own AppId and Secret key; whereas the other(Apple) application uses its own AppId and secret key for validating the token.

So my problem is, the APPLE application always returns 401 not authorize code

Answer Source

To above, question, the answer was, Resource ID (during token request) and Audience Id (during validation of token in second application) were not matching. Keeping those same solved the problem.

Then I ran into another issue, which I have described here

It seems, If I work with newer Azure Portal (which is still in preview version), the AD token does not include "Roles" field in JWT token. If I follow same procedure in Older Portal for configuring apps, then AD includes "Roles" field in JWT token and scenario executes as expected.

I should avoid using Azure new portal for preview features at least!

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download