So I'm using postman with the OAuth 2.0 process to try to authenticate against my WebApi over Azure Active Directory. I am still on the default project with the basic ValuesController, just trying to get authentication and authorization to work.
I've followed this video to setup postman, and as far as I can tell, I've configured the new applications in active directory as described.
The token exchange is working. And the Authorization Bearer {token} is being sent correctly. Here is an example token:
{Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlliUkFRUlljRV9tb3RXVkpLSHJ3TEJiZF85cyIsImtpZCI6IlliUkFRUlljRV9tb3RXVkpLSHJ3TEJiZF85cyJ9.eyJhdWQiOiJodHRwczovL2J1Y2tldHMub25taWNyb3NvZnQuY29tL2J1Y2tldHMtcmVzdC1hcGkyMDE2MDkwMzEwNDAzMSIsImlzcyI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzIwYmI2ZmEwLTU0OTItNDk0My05MjkwLWRiMWJkMTU3YjFkMS8iLCJpYXQiOjE0NzM5MTg3MDAsIm5iZiI6MTQ3MzkxODcwMCwiZXhwIjoxNDczOTIyNjAwLCJhY3IiOiIxIiwiYW1yIjpbInB3ZCJdLCJhcHBpZCI6IjlkZWVmMWFlLWU0MmYtNDg4ZC04MmY3LWUwMWRjYzNkMzE5NyIsImFwcGlkYWNyIjoiMSIsImZhbWlseV9uYW1lIjoiSWppZGFraW5ybyIsImdpdmVuX25hbWUiOiJBeW8iLCJpcGFkZHIiOiI3MC4xNzMuNDAuMjIiLCJuYW1lIjoiQWRtaW4iLCJvaWQiOiJmMTljY2Q5ZC1iMDZhLTQ0MGUtYmE3Ni05NWRjNGE4NDY3ZjEiLCJzY3AiOiJ1c2VyX2ltcGVyc29uYXRpb24iLCJzdWIiOiJMMHkzeUVwRGdRMHV2MG0wZWNKcFFIeVpZNHkzYTk3UUpnNGl6WlpzZmNVIiwidGlkIjoiMjBiYjZmYTAtNTQ5Mi00OTQzLTkyOTAtZGIxYmQxNTdiMWQxIiwidW5pcXVlX25hbWUiOiJhZG1pbkBidWNrZXRzLm9ubWljcm9zb2Z0LmNvbSIsInVwbiI6ImFkbWluQGJ1Y2tldHMub25taWNyb3NvZnQuY29tIiwidmVyIjoiMS4wIn0.NXpvslBXOpRNkmWQqj7XqVzloS3KoeSqPIlo-yUPGYkZ4bHPrAH6yD4sxMYz-19VIPFRDUMP-5h5hmaMKmuykjNUltz6wejQT9f4IeV6i7VtP3BlkfASZeAdKAiSjKh6ydV8PuJjV2HHh2WvxIKC3QQXzROwWAdeXLcgMTiKSBMULzFV8BsecgtI86_L2OISgbQZ2LgF137EPJoG7C4L1IO-10T1QIVl-Emy6AS0VKVxdzjCgiT-DFtccxME6n1CruoDy6mTKztcAkiFR1IlgY6Fvj-Y_goMQyxA5sCRebWnOQ5jeUKv4KNyNWOLJU_RiZYe0kj4IT3KDc9jjtHykg}
However, even though I get the token successfully and when I step through the debugger in VS, I see the token coming in, Authorization is failing. I get the following response:
{"Message":"Authorization has been denied for this request."}
The issue seems to be on the server side. When I override IsAuthorized to return true, it works.
In Azure, both applications are in the same directory with delegate permissions on.
Are there any logs I can check to see the exact denial reason? From there I can probably figure out what is going on.
I've turned on tracing, with:
// Web API configuration and services
var traceWriter = config.EnableSystemDiagnosticsTracing();
traceWriter.IsVerbose = true;
traceWriter.MinimumLevel = TraceLevel.Debug;
But it's not really telling me why I get the denial.
The authenticated client isn't authorized to use this authorization grant type. This usually occurs when the client application isn't registered in Azure AD or isn't added to the user's Azure AD tenant. The application can prompt the user with instruction for installing the application and adding it to Azure AD.
Change the grant type in the request. This type of error should occur only during development and be detected during initial testing. The target resource is invalid because it does not exist, Azure AD can't find it, or it's not correctly configured. This indicates the resource, if it exists, has not been configured in the tenant.
This error also might occur if the users are synced, but there is a mismatch in the ImmutableID (sourceAnchor) attribute between Active Directory and Azure AD. The account must be added as an external user in the tenant first.
PassThroughUserMfaError - The external account that the user signs in with doesn't exist on the tenant that they signed into; so the user can't satisfy the MFA requirements for the tenant. This error also might occur if the users are synced, but there is a mismatch in the ImmutableID (sourceAnchor) attribute between Active Directory and Azure AD.
So it looks like the Azure AD Directory was somehow corrupted. I think maybe something went wrong with an original concept app that I created. For whatever reason, I cannot delete that app in the Azure portal, and thus can't delete the directory itself.
However, creating a brand new directory, unfortunately, seemed to fix it. I followed all of the same directions.
The only difference, is I added the following to the Web.config: <add key="owin:AppStartup" value="buckets_api.Startup"/>
. Whereas, last time I added: <add key="owin:AutomaticAppStartup" value="false"/>
to address an api startup issue I encountered with the new template. However, I don't believe that is what resolved the issue.
On a side note, I also noted that Chrome was unable to complete the token exchange in the popup browser without me re-launching the app as admin. I'm not sure if that was also related, as I was getting tokens before, so I don't think so. But I want to document what worked for me in its entirety, in case someone else encounters this in the future.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With