I am developing a Web API which will be consumed by a client application. The AD Authentication mechanism i used is "Call a web API with the application's permissions".
The client app calls the web api using application permission and in Web API i am trying to consume Azure Rest API to manage Azure Resources. Azure Rest API's are being consumed on behalf of the user by generating a token using user assertion.
We are running into
"AADSTS50058: A silent sign-in request was sent but no user is signed in issue for on-behalf of user token generation "
when trying to generate an access token.
Does onbehalf of user scenario works when Client app to Web API follows Application Identity with OAuth 2.0 Client Credentials Grant approach and Web API trying to consume Azure REST/ Managment API's on behalf of the client AD App?
ClientCredential clientCredential = new ClientCredential(ConfigurationManager.AppSettings["ida:ClientId"], ConfigurationManager.AppSettings["ida:SecretKey"]);
AuthenticationContext authContext = new AuthenticationContext(authority);
var bootstrapContext = ClaimsPrincipal.Current.Identities.First().BootstrapContext;
string userName = ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn) != null ? ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn).Value : ClaimsPrincipal.Current.FindFirst(ClaimTypes.Email).Value;
UserAssertion userAssertion = new UserAssertion(bootstrapContext.ToString(), "urn:ietf:params:oauth:grant-type:jwt-bearer", userName);
AuthenticationResult result = await authContext.AcquireTokenAsync(ConfigurationManager.AppSettings["AzureResourceManagerIdentifier"], clientCredential, userAssertion);
// Get subscriptions to which the user has some kind of access
//string requestUrl =https://management.azure.com/subscriptions?api-version=2014-04-01"
string requestUrl = string.Format("{0}/subscriptions?api-version={1}", ConfigurationManager.AppSettings["AzureResourceManagerUrl"], AzureResourceManagerAPIVersion);
// Make the GET request
HttpClient client = new HttpClient();
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, requestUrl);
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
HttpResponseMessage response = client.SendAsync(request).Result;
if (response.IsSuccessStatusCode)
On Behalf Of gets a token to call another API as the user calling this app.
If your API was called by an app using Client Credentials, then there is no user.
So you cannot use On Behalf Of in this case.