Issue with jwt-bearer on-behalf-of grant in Azure AD
So I have an Angular app that uses the adal-angular library to authenticate with an ASP.NET Core 2.0 Web API. The API then uses on-behalf-of flow to authenticate with another API using the users token like this MS article https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-on-behalf-of.
The issue I have is this is working fine in the DEV environment but I have now deployed a TST environment with separate App Registrations and I am receiving the following exception when I try and request the token using on-behalf-of
AADSTS240002: Input id_token cannot be used as 'urn:ietf:params:oauth:grant-type:jwt-bearer' grant.
The code I am using to request the token
public async Task<string> AcquireTokenAsync(string resource)
{
try
{
string accessToken = await _httpContextAccessor.HttpContext.GetTokenAsync(AuthenticationConstants.AccessToken);
var credentials = new ClientCredential(_azureOptions.ClientId, _azureOptions.ClientSecret);
var authContext = new AuthenticationContext($"{_azureOptions.Instance}{_azureOptions.TenantId}")
{
ExtendedLifeTimeEnabled = true
};
// On-behalf-of auth token request call
var authResult = await authContext.AcquireTokenAsync(
resource,
credentials,
new UserAssertion(accessToken));
return authResult.AccessToken;
}
catch (AdalServiceException asex)
{
_logger.LogError(asex, $"Instance: {_azureOptions.Instance} Tenant: {_azureOptions.TenantId} ClientId: {_azureOptions.ClientId}");
throw;
}
catch (System.Exception ex)
{
_logger.LogError(ex, ex.Message);
throw;
}
}
And I have used Fiddler 
and it looks like all the correct parameters are being passed.
Any help would be very much appreciated. I have set knownClientApplications on the second API and I have granted permissions on the Angular backend API to the second API.
According to your question and the error, it should be caused by that you angular app is not a Native(public) app.
For using this OBO flow with this Grant type, your client must be a public client not credential client.
If you want to register your client as a WebApp/API, you can refer to this Implementation:
Hope this helps!
Update
According to OP's comment, he/she got it working by changing oauth2AllowImplicitFlow from false to true.
- ASP.NET OleDbConnection Problem
- ListView with DataPager not working
- Server side paging with ajax & jQuery
- How to implement paging for asp:DataList in .NET 2.0?
- How to use RouteValues using MvcPaging2.0 in MVC3?
- Dynamically Added LinkButtons Don't Fire OnClick Event
- GraphServiceClient filter issue
- Using DropDown_SelectedIndexChanged to bind gridview, but paging is not working
- Paging results in asp.net
- Retrieve 10 records from MySQL?
- Pageddatasource fails paging With "does not implement ICollection."
- how change the RadDataPager Page# From CodeBehind (server-side)
- Jquery code doesn't work after paging?
- jqGrid Group summary not showing total sum with paging
- Showing image in datalist asp.net
- ASP.NET paging in div
- GridView from CodeBehind in C# Paging not working
- ObjectDataSource paging and extra parameters
- Google Like Paging in asp.net c#
- asp.net subsonic 2.2 paging linked table collection
- Datagrid paging align right
- ASP.net inserted row in Datatable disappearing on page change
- How to remember the selected checkboxes between each paging-press
- How to force Visual Studio to re-create the SSL certificate for a .NET Core Web Application running Kestrel?
- Efficient paging with Repeater, SQL Server and custom Pager
- listview item indexing
- Simple Paging in datalist as in GridView - NOT CUSTOM PAGING
- On page load, navigate to a specific page where a listviewitem belongs using listview and datapager?
- Fill datagrid with paging enabled in asp.net
- How to remove paging text in excel sheet while exporting data from GridView to Excelsheet?