I have a legacy/on-prem API that I need to be protected by OAuth to Azure Active Directory.
The API is consumed by trusted applications that can obtain a JWT using client credentials as follows:
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL
var context = new AuthenticationContext("https://login.microsoftonline.com/<tenant-id>");
var credentials = new ClientCredential(clientId, clientSecret);
var result = await context.AcquireTokenAsync(resourceIdentifier, credentials); // result.AccessToken is the JWT sent to the API
Using the AcquireTokenAsync(String, ClientCredential) overload, which requires a resource identifier and client credentials.
What is the resource identifier that I should use?
Assume my legacy/on-prem API that I want protected is hosted at https://test.qwerty.com.au/api/v2/resource
The hosting address does not matter. It expects one of two things:
The first one you can get from the Overview of the app registration for the API, the second from the Expose an API tab.
So it wants an identifier for the API.
As an additional note, make sure you register at least 1 application permission to the API as well, and grant it to your client apps. This will prevent an attack on your API. https://joonasw.net/view/always-check-token-permissions-in-aad-protected-api
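As an added example (not code from the question or the answer), this is how the protected API can accept a token issued for either identifier and also enforce the application-permission check the answer links to. It uses the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Protocols.OpenIdConnect packages; the tenant id, Application ID, App ID URI and role name are placeholders you replace with the values from your own app registration.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class ApiTokenValidator
{
    // Placeholders: copy these from the API's app registration.
    const string TenantId = "<tenant-id>";
    const string ApiApplicationId = "<api-application-id>";          // Overview blade
    const string ApiAppIdUri = "api://<api-application-id>";         // Expose an API blade (assumed form)

    // Downloads and caches the tenant's issuer and signing keys from the OpenID metadata document.
    static readonly ConfigurationManager<OpenIdConnectConfiguration> Metadata =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            $"https://login.microsoftonline.com/{TenantId}/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

    // Validates signature, issuer, lifetime and audience, then requires an application permission.
    public static async Task<ClaimsPrincipal> ValidateAsync(string jwt, string requiredRole)
    {
        OpenIdConnectConfiguration config = await Metadata.GetConfigurationAsync(CancellationToken.None);

        var parameters = new TokenValidationParameters
        {
            ValidIssuer = config.Issuer,
            IssuerSigningKeys = config.SigningKeys,
            // The "aud" claim holds whichever identifier the client passed to AcquireTokenAsync,
            // so accept both forms that the answer describes.
            ValidAudiences = new[] { ApiApplicationId, ApiAppIdUri },
            ValidateLifetime = true,
        };

        ClaimsPrincipal principal = new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);

        // Any app in the tenant can request a token with this audience. Only clients that were
        // granted (and admin-consented) an application permission carry it in the "roles" claim,
        // so a valid signature and audience alone are not enough. "roles" may be mapped to
        // ClaimTypes.Role by the handler, hence both claim types are checked.
        bool hasRole = principal.Claims.Any(c =>
            (c.Type == "roles" || c.Type == ClaimTypes.Role) && c.Value == requiredRole);
        if (!hasRole)
            throw new SecurityTokenException($"Token does not carry required role '{requiredRole}'.");

        return principal;
    }
}
```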