So I'm using postman with the OAuth 2.0 process to try to authenticate against my WebApi over Azure Active Directory. I am still on the default project with the basic ValuesController, just trying to get authentication and authorization to work.
I've followed this video to setup postman, and as far as I can tell, I've configured the new applications in active directory as described.
The token exchange is working. And the Authorization Bearer {token} is being sent correctly. Here is an example token:
{Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlliUkFRUlljRV9tb3RXVkpLSHJ3TEJiZF85cyIsImtpZCI6IlliUkFRUlljRV9tb3RXVkpLSHJ3TEJiZF85cyJ9.eyJhdWQiOiJodHRwczovL2J1Y2tldHMub25taWNyb3NvZnQuY29tL2J1Y2tldHMtcmVzdC1hcGkyMDE2MDkwMzEwNDAzMSIsImlzcyI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzIwYmI2ZmEwLTU0OTItNDk0My05MjkwLWRiMWJkMTU3YjFkMS8iLCJpYXQiOjE0NzM5MTg3MDAsIm5iZiI6MTQ3MzkxODcwMCwiZXhwIjoxNDczOTIyNjAwLCJhY3IiOiIxIiwiYW1yIjpbInB3ZCJdLCJhcHBpZCI6IjlkZWVmMWFlLWU0MmYtNDg4ZC04MmY3LWUwMWRjYzNkMzE5NyIsImFwcGlkYWNyIjoiMSIsImZhbWlseV9uYW1lIjoiSWppZGFraW5ybyIsImdpdmVuX25hbWUiOiJBeW8iLCJpcGFkZHIiOiI3MC4xNzMuNDAuMjIiLCJuYW1lIjoiQWRtaW4iLCJvaWQiOiJmMTljY2Q5ZC1iMDZhLTQ0MGUtYmE3Ni05NWRjNGE4NDY3ZjEiLCJzY3AiOiJ1c2VyX2ltcGVyc29uYXRpb24iLCJzdWIiOiJMMHkzeUVwRGdRMHV2MG0wZWNKcFFIeVpZNHkzYTk3UUpnNGl6WlpzZmNVIiwidGlkIjoiMjBiYjZmYTAtNTQ5Mi00OTQzLTkyOTAtZGIxYmQxNTdiMWQxIiwidW5pcXVlX25hbWUiOiJhZG1pbkBidWNrZXRzLm9ubWljcm9zb2Z0LmNvbSIsInVwbiI6ImFkbWluQGJ1Y2tldHMub25taWNyb3NvZnQuY29tIiwidmVyIjoiMS4wIn0.NXpvslBXOpRNkmWQqj7XqVzloS3KoeSqPIlo-yUPGYkZ4bHPrAH6yD4sxMYz-19VIPFRDUMP-5h5hmaMKmuykjNUltz6wejQT9f4IeV6i7VtP3BlkfASZeAdKAiSjKh6ydV8PuJjV2HHh2WvxIKC3QQXzROwWAdeXLcgMTiKSBMULzFV8BsecgtI86_L2OISgbQZ2LgF137EPJoG7C4L1IO-10T1QIVl-Emy6AS0VKVxdzjCgiT-DFtccxME6n1CruoDy6mTKztcAkiFR1IlgY6Fvj-Y_goMQyxA5sCRebWnOQ5jeUKv4KNyNWOLJU_RiZYe0kj4IT3KDc9jjtHykg}
However, even though I get the token successfully, and when I step through the debugger in VS I see the token coming in, authorization is failing. I get the following response:
{"Message":"Authorization has been denied for this request."}
The issue seems to be on the server side. When I override IsAuthorized to return true, it works.
In Azure, both applications are in the same directory with delegate permissions on.
Are there any logs I can check to see the exact denial reason? From there I can probably figure out what is going on.
I've turned on tracing, with:
// Web API configuration and services
var traceWriter = config.EnableSystemDiagnosticsTracing();
traceWriter.IsVerbose = true;
traceWriter.MinimumLevel = TraceLevel.Debug;
But it's not really telling me why I get the denial.
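Before going further into server-side tracing, a quick way to see why a bearer middleware would reject a token is to decode its claims (the header and payload of a compact JWT are just base64url-encoded JSON) and compare aud, iss/tid, nbf and exp against what the API is configured to expect; an audience mismatch between the resource Postman requests and the Audience the API validates is a frequent cause of exactly this "Authorization has been denied" response. The following Python script is an added example, not code from the question or the answer. The token it inspects is constructed inside the script with placeholder tenant and audience values, and the signature is deliberately not verified (that remains the middleware's job); this is a diagnostic view of the claims, not an authentication decision.

```python
import base64
import json
import time

# Constructed sample values (placeholders, not the question's real tenant or app).
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000001"
SAMPLE_AUDIENCE = "https://example.onmicrosoft.com/example-rest-api"
SAMPLE_NBF = 1_700_000_000          # not-before, seconds since the epoch
SAMPLE_EXP = SAMPLE_NBF + 3600      # one-hour lifetime, like the question's token


def _b64url_encode(raw: bytes) -> str:
    """base64url without the '=' padding, as used in compact JWS."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64url_decode(segment: str) -> bytes:
    """Restore the padding that compact JWS strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a compact JWT for offline testing only. The third segment is a
    dummy, so this token would (correctly) fail real signature validation;
    it exists purely as input for claim inspection."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


def decode_jwt_unverified(token: str) -> tuple:
    """Split a compact JWT (optionally prefixed with 'Bearer ') into
    (header, payload) dicts. The signature is NOT checked here."""
    if token[:7].lower() == "bearer ":
        token = token[7:]
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_bearer_claims(token: str, expected_audience: str, expected_tenant: str,
                        now: float = None) -> list:
    """Return the reasons a resource configured with expected_audience /
    expected_tenant would reject this token's claims (empty list = the claims
    look consistent). Mirrors the aud, iss, nbf and exp checks a bearer
    middleware performs, which a bare 'denied' response never spells out."""
    now = time.time() if now is None else now
    _, claims = decode_jwt_unverified(token)
    problems = []

    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        problems.append(f"aud {audiences!r} does not match configured audience {expected_audience!r}")

    # Azure AD v1 tokens (like the one in the question) carry this issuer form.
    expected_issuer = f"https://sts.windows.net/{expected_tenant}/"
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss {claims.get('iss')!r} is not {expected_issuer!r}")
    if claims.get("tid") != expected_tenant:
        problems.append(f"tid {claims.get('tid')!r} is not the configured tenant")

    nbf = claims.get("nbf")
    if nbf is not None and now < nbf:
        problems.append(f"token not yet valid (nbf={nbf}, now={int(now)})")
    exp = claims.get("exp")
    if exp is None or now >= exp:
        problems.append(f"token expired or has no exp (exp={exp}, now={int(now)})")
    return problems


# Constructed token with consistent claims; swap in a real one to diagnose it.
SAMPLE_TOKEN = make_sample_token({
    "aud": SAMPLE_AUDIENCE,
    "iss": f"https://sts.windows.net/{SAMPLE_TENANT}/",
    "tid": SAMPLE_TENANT,
    "nbf": SAMPLE_NBF,
    "iat": SAMPLE_NBF,
    "exp": SAMPLE_EXP,
    "scp": "user_impersonation",
    "upn": "user@example.onmicrosoft.com",
})

if __name__ == "__main__":
    header, payload = decode_jwt_unverified("Bearer " + SAMPLE_TOKEN)
    print("header:", header)
    print("aud:", payload["aud"], "iss:", payload["iss"])
    for problem in check_bearer_claims(SAMPLE_TOKEN, SAMPLE_AUDIENCE, SAMPLE_TENANT,
                                       now=SAMPLE_NBF + 60):
        print("would be rejected:", problem)
```

To use it against a real token, paste the Authorization header value in place of SAMPLE_TOKEN and pass the Audience and Tenant values from the API's Startup configuration; each returned line names one claim that the middleware would refuse, which is the detail the generic denial message omits.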
So it looks like the Azure AD Directory was somehow corrupted. I think maybe something went wrong with an original concept app that I created. For whatever reason, I cannot delete that app in the Azure portal, and thus can't delete the directory itself.
However, creating a brand new directory, unfortunately, seemed to fix it. I followed all of the same directions.
The only difference is that I added the following to the Web.config:
<add key="owin:AppStartup" value="buckets_api.Startup"/>
whereas last time I added:
<add key="owin:AutomaticAppStartup" value="false"/>
to address an API startup issue I encountered with the new template. However, I don't believe that is what resolved the issue.
On a side note, I also noted that Chrome was unable to complete the token exchange in the popup browser without me re-launching the app as admin. I'm not sure if that was also related, as I was getting tokens before, so I don't think so. But I want to document what worked for me in its entirety, in case someone else encounters this in the future.
