So, we have a web API that is working great with Azure AD and bearer token authentication.
In my ConfigureServices I have this:
    // Make JWT bearer the default scheme so [Authorize] challenges with it
    services.AddAuthentication(sharedOptions =>
    {
        sharedOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(options =>
    {
        // Tokens must carry the Web API's client ID in their "aud" claim
        options.Audience = Configuration["Azure:AD:ClientId"];
        // Issuer metadata and signing keys are discovered from the tenant authority
        options.Authority = $"{Configuration["Azure:AD:Instance"]}{Configuration["Azure:AD:TenantId"]}";
    });
We have the Client ID set up to be a Web API app in Azure AD.
Now we are making a native application and we need to also have a native app client ID in Azure AD. My API is looking for the Web API client... how do I also allow a bearer token that was created with the native app?
Ok! So... we got this working.
For posterity here is what we ended up doing.
We found this fine link: https://github.com/Azure-Samples/active-directory-dotnet-webapi-manual-jwt-validation
In step 2 of this, it tells you to change the Web API URI - We ended up not needing to do this...
What was critical, though, was to add the permission from the Native app to the Web API (the second set of steps in #2). Basically, as I understand this, it allows the native app and web api app to work together and share a client id when it comes to an authentication perspective.
We also found that editing the manifest on the Native app and making "oauth2AllowImplicitFlow" = true was also important.
Hope this helps someone.
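The API-side configuration that goes with the steps above, as an added example (not code from the question or the answer): once the native app has been granted permission to the Web API, the tokens it obtains carry the Web API's identifier in the "aud" claim, so the API keeps validating against its own registration rather than adding the native app's client ID as an audience. Azure AD can express that identifier either as the Web API's client ID or as its App ID URI depending on how the token was requested, so the example lists both as valid audiences and keeps issuer, lifetime and signature validation on. The configuration key Azure:AD:AppIdUri and the extension method name are assumptions for this example; the other keys are the ones from the question.

```csharp
// Added example, not from the original post. Assumes the
// Microsoft.AspNetCore.Authentication.JwtBearer package and the configuration
// keys Azure:AD:Instance, Azure:AD:TenantId and Azure:AD:ClientId from the
// question, plus an assumed Azure:AD:AppIdUri key (e.g. api://<web-api-client-id>).
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class AzureAdBearerSetup
{
    // Hypothetical helper name; call it from ConfigureServices.
    public static IServiceCollection AddAzureAdBearer(
        this IServiceCollection services, IConfiguration configuration)
    {
        string instance = configuration["Azure:AD:Instance"];  // e.g. https://login.microsoftonline.com/
        string tenantId = configuration["Azure:AD:TenantId"];
        string clientId = configuration["Azure:AD:ClientId"];  // the Web API registration, not the native app
        string appIdUri = configuration["Azure:AD:AppIdUri"];  // assumed key: the Web API's App ID URI

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Issuer value and signing keys come from the tenant's OpenID Connect metadata
                options.Authority = $"{instance}{tenantId}";

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Accept only the two forms in which Azure AD names this Web API;
                    // a token minted for another resource (including the native app
                    // itself) has a different "aud" and is rejected.
                    ValidateAudience = true,
                    ValidAudiences = new[] { clientId, appIdUri },

                    // Issuer is checked against the metadata discovered via Authority,
                    // so tokens from another tenant do not validate.
                    ValidateIssuer = true,

                    // Reject expired tokens and anything that is not signed with a
                    // key published by the authority.
                    ValidateLifetime = true,
                    RequireSignedTokens = true,
                    ValidateIssuerSigningKey = true,
                };
            });

        return services;
    }
}
```

Setting TokenValidationParameters.ValidAudiences replaces the single options.Audience from the question; the handler adds options.Audience to the valid list only when you set it, so do not set both unless you want three accepted values. If a native-app token is still rejected after the permission grant, decode its "aud" claim (it is a base64url JSON payload, no secrets needed) and compare it to the two values above before changing anything else.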