So I read that if you add .default at the end of a resource URI in a scope it would return us a proper v1 token. When setting the protectedResourceMap for MSAL what exactly should the scope be? 'https://management.azure.com/.default' doesn't seem to work. Nor does 'https://management.azure.com/user_impersonation'.
What is the proper way to set up the scope so that when requesting consent to our app they approve the Azure management APIs?
Use two slashes like this:
https://management.core.windows.net//.default
"This is because the ARM API expects a slash in its audience claim (aud), and then there is a slash to separate the API name from the scope."
Source: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Adal-to-Msal
Here's a complete example:
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Main is async so the token request is actually awaited; calling
// GetCredentials without await would hand Console.WriteLine a Task.
async Task Main()
{
    var tenantId = "<tenantId>";
    var clientId = "<clientId>";
    var clientSecret = "<clientSecret>";
    var credentials = await GetCredentials(tenantId, clientId, clientSecret);
    // Print token metadata only; do not write the raw access token to the console or logs.
    Console.WriteLine($"{credentials.TokenType} token for scopes [{string.Join(", ", credentials.Scopes)}], expires {credentials.ExpiresOn:u}");
}

public static async Task<AuthenticationResult> GetCredentials(string tenantId, string clientId, string clientSecret)
{
    string authority = $"https://login.microsoftonline.com/{tenantId}/";
    IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(clientId)
        .WithClientSecret(clientSecret)
        .WithAuthority(new Uri(authority))
        .Build();
    // Double slash: the ARM audience is "https://management.core.windows.net/" (trailing slash),
    // and a second slash separates the resource from the ".default" scope.
    IEnumerable<string> scopes = new List<string>() { "https://management.core.windows.net//.default" };
    // Client credentials flow (no user): requests the app-only permissions granted to this client.
    var result = await app.AcquireTokenForClient(scopes)
        .ExecuteAsync();
    return result;
}
[Screenshot of the AuthenticationResult object in LINQPad; image not reproduced here]
Sample code from here: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-netcore-daemon
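Since the question is about the MSAL protectedResourceMap (a JavaScript/Angular setting) rather than the .NET daemon above, here is an added example in JavaScript that is not code from the question, the answer, or MSAL itself. It builds the ".default" scope from a resource identifier the way the answer describes (the resource's own trailing slash is kept, so ARM's audience "https://management.core.windows.net/" yields the "//.default" form), builds a protectedResourceMap entry from it, and then checks that the aud claim of a token matches the resource the scope was built for. The helper names, the Map variable, and the sample token are assumptions made for this example; the token is constructed inline and is not a real token. The aud check decodes the JWT payload without validating the signature, so it is only a client-side sanity check of which resource a token was issued for; the API that receives the token must still validate it.

```javascript
// Added example, not from the original Q&A or from MSAL. Helper names and
// the sample token are assumptions for illustration only.

// Build "<resource>/.default". If the resource identifier itself ends in a
// slash (ARM expects aud = "https://management.core.windows.net/"), keeping
// that slash and adding the separator gives "//.default".
function defaultScopeFor(resource) {
  if (typeof resource !== 'string' || resource.length === 0) {
    throw new Error('resource must be a non-empty string');
  }
  return resource + '/.default';
}

// Audience a token acquired for a ".default" scope must carry: the scope
// with the "/.default" suffix removed (the resource's trailing slash stays).
function audienceForScope(scope) {
  const suffix = '/.default';
  if (!scope.endsWith(suffix)) {
    throw new Error('not a .default scope: ' + scope);
  }
  return scope.slice(0, -suffix.length);
}

// MSAL Angular protectedResourceMap shape: endpoint prefix -> scopes to request.
// Endpoint is the ARM REST host; the scope names the ARM audience from the answer.
const protectedResourceMap = new Map([
  ['https://management.azure.com/', [defaultScopeFor('https://management.core.windows.net/')]],
]);

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Read the aud claim from a JWT WITHOUT verifying the signature. This only
// tells you which resource the token was minted for; it proves nothing
// about authenticity. The resource server must validate the signature.
function audienceOf(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  return payload.aud;
}

// True when the token's aud is exactly the resource the scope was built for.
// "https://management.core.windows.net/.default" (single slash) would map to
// an audience without the trailing slash and therefore not match ARM's aud.
function tokenMatchesScope(jwt, scope) {
  return audienceOf(jwt) === audienceForScope(scope);
}

// Constructed sample token (alg none, fake signature) carrying the aud that
// an ARM token has. This is NOT a real token and must never be accepted by
// a resource server; it exists only to exercise the check above.
function makeSampleToken(aud) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify({
    aud,
    iss: 'https://sts.windows.net/<tenantId>/',
    appid: '<clientId>',
  }));
  return `${header}.${payload}.fakesignature`;
}

// Usage: run with node; the checks print true / false respectively.
const sample = makeSampleToken('https://management.core.windows.net/');
console.log(tokenMatchesScope(sample, 'https://management.core.windows.net//.default'));
console.log(tokenMatchesScope(sample, 'https://management.core.windows.net/.default'));
```

The point of the check is that the scope string is parsed by the token service into "resource" + "/" + ".default", and the resource part becomes the aud claim verbatim. For most APIs the resource has no trailing slash and a single "/.default" is correct; ARM is the case where the registered audience ends in a slash, which is why the double slash appears.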