We have the following registered Azure Active Directory applications
and three applications
What works: the user can authenticate inside the Xamarin App and can call the Web API. Everything works here. The user is also able to log in to the Web App (uses OpenID Middleware with the Azure Active Directory endpoint and redirect), but the call from the Web App to the Web API fails: unauthorized.
What or how do we pass the credentials or tokens from the authenticated user in the ASP.NET Web App? We cannot find any working sample.
Do we have to configure any trusts between the AAD registered applications? At this point in time, the Xamarin App and the Web App have a trust to the Web API. Not vice versa.
We think just one person at Microsoft really documented (or tried to document) Azure Mobile Apps, but he is no longer a Microsoft employee.
Do we have to configure any trusts between the AAD registered applications?
We need to grant the web API app to the web app as in the figure below. Normally, when we call the web API with the token, it will verify the claims and signature in the token. So for the unauthorized issue, please check the claims by decoding it from this site. You should ensure the aud claim matches the audience configured in the web API project etc.
If it doesn't match you should acquire the web API token using the App Id URI as the resource.
If you still have the problem, please show the code for how you acquire the token and protect the web API.
In addition, here are two links about calling a protected web API with Azure AD:
active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore
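The answer's diagnostic step (decode the token the Web App sends and compare its aud claim with the audience the Web API is configured for) can be scripted. The following is an added example, not code from the question, the answer or the linked Microsoft samples. It decodes the JWT payload without verifying the signature (that remains the Web API middleware's job), reports an aud mismatch, an expired or not-yet-valid token, and includes a small constructor for unsigned test tokens. The App ID URI and the client ID in it are constructed placeholders, not values from the original post.

```python
import base64
import json
import time
from typing import Dict, List, Optional

# Assumed audience of the Web API: the App ID URI configured in the Web API project
# (placeholder, not a value from the original question).
WEB_API_APP_ID_URI = "https://contoso.example/webapi"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWT.

    Diagnostic only: the signature is NOT checked here; the Web API's
    OWIN/ASP.NET middleware performs signature and issuer validation.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def check_audience(token: str, expected_audience: str,
                   now: Optional[float] = None) -> List[str]:
    """Return the reasons the Web API would reject this token (empty list if none found)."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    if aud != expected_audience:
        # Typical cause on this page: the token was acquired for the Web App's own
        # client ID (or is the id_token) instead of for the Web API's App ID URI.
        problems.append(f"aud mismatch: token has {aud!r}, API expects {expected_audience!r}")
    if "exp" in claims and claims["exp"] < now:
        problems.append("token expired")
    if "nbf" in claims and claims["nbf"] > now:
        problems.append("token not yet valid")
    return problems


def make_unsigned_token(claims: Dict) -> str:
    """Build a constructed JWT with a dummy signature, for offline testing only."""
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{enc(header)}.{enc(claims)}.signature-not-checked"


if __name__ == "__main__":
    # Constructed samples: one token issued for the Web API, one issued for the
    # Web App's own client ID (placeholder GUID), which the Web API will reject.
    good = make_unsigned_token({"aud": WEB_API_APP_ID_URI, "exp": 2_000_000_000})
    wrong = make_unsigned_token({"aud": "11111111-2222-3333-4444-555555555555",
                                 "exp": 2_000_000_000})
    for name, tok in (("good", good), ("wrong", wrong)):
        print(name, check_audience(tok, WEB_API_APP_ID_URI) or "ok")
```

Paste the bearer token from the failing Web App request into `check_audience` and compare against the audience string in the Web API's authentication configuration; if the first line of output is an aud mismatch, the fix is the one the answer describes: acquire the token with the Web API's App ID URI as the resource.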