Tags: azure, webapi, scopes, azure-authentication

I did the "Expose an API" in Azure but cannot get the token for that scope to a client program


I'm trying to build a WebAPI and want to use a scope to limit permissions for other client applications. I created a scope "BuildingAccess" on the Expose an API blade, and added the other client application to the authorized list with that scope. However, when I use a client program to try to get the token with that scope, I get the "AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid." error

    using System;
    using System.Collections.Generic;
    using System.Threading.Tasks;
    using Microsoft.Identity.Client;

    // Client-credentials flow: the application authenticates as itself (no signed-in user).
    // Runs inside an async method; ClientSecret is read from configuration.
    IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create("removed")
        .WithTenantId("removed")
        .WithClientSecret(ClientSecret)
        .Build();

    // Scopes as requested here; this combination is what produces AADSTS70011.
    List<string> scopes = new List<string>();
    scopes.Add(".default");
    scopes.Add("https://localhost:44371/BuildingAccess");

    AuthenticationResult result = null;
    try
    {
        result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
        Console.ForegroundColor = ConsoleColor.Green;
        Console.WriteLine("Token acquired \n");
        Console.ResetColor();
    }
    catch (MsalServiceException ex)
    when (ex.Message.Contains("AADSTS70011"))
    {
        // Invalid scope. The scope has to be of the form "https://resourceurl/.default"
        // Mitigation: change the scope to be as expected
        Console.ForegroundColor = ConsoleColor.Red;
        Console.WriteLine("Scope provided is not supported");
        Console.ResetColor();
    }

The only format that seems to work is when the scope is set to https://localhost:44371/.default. All the other combinations below where I add the BuildingAccess scope fail with the error below for the different formats I've tried.

  • The scope api://333333-2222-1111-0000-aaaaaaaaaaaaa/BuildingAccess https://localhost:44371/.default is not valid.
  • The scope api://333333-2222-1111-0000-aaaaaaaaaaaaa/.default api://333333-2222-1111-0000-aaaaaaaaaaaaa/BuildingAccess is not valid.
  • The scope .default BuildingAccess is not valid.
  • The scope BuildingAccess is not valid.
  • The scope api://333333-2222-1111-0000-aaaaaaaaaaaaa/BuildingAccess
  • The scope https://localhost:44371/BuildingAccess is not valid.

If I use the one that works, https://localhost:44371/.default, then my server side has an error because it fails with

Exception thrown: 'Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException' in Microsoft.IdentityModel.Tokens.dll

and I get an Unauthorized response on the client.
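A small server-side diagnostic for the SecurityTokenInvalidAudienceException above, added here as an example and not code from the question: it decodes a token's payload, compares the aud claim with the audiences the API is configured to accept, and reports whether the token carries app permissions (roles claim, as issued by the client-credentials flow) or delegated scopes (scp claim). A v1 access token requested with https://localhost:44371/.default has aud set to that App ID URI, so an API configured to accept only api://<client id> rejects it. The claims and token are constructed placeholders; no signature is checked, so this is for inspecting a token you already hold while debugging, not for authorizing requests.

```python
import base64
import json

# Constructed sample claims shaped like an Azure AD v1 access token; the
# question's client id and tenant were removed, so placeholders are used.
CONSTRUCTED_CLAIMS = {
    "aud": "https://localhost:44371",            # v1 token: aud is the App ID URI
    "iss": "https://sts.windows.net/<tenant-id-placeholder>/",
    "appid": "<client-id-placeholder>",
    "roles": ["BuildingAccess"],                 # app permission -> roles claim
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_token(claims: dict) -> str:
    """Assemble a JWT-shaped string with an empty signature (offline demo only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def diagnose_token(token: str, accepted_audiences: list) -> dict:
    """Decode the payload (signature deliberately not verified here; the API's
    JWT middleware does that) and explain the audience check outcome."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    aud = claims.get("aud")
    if "roles" in claims:
        flow, granted = "client credentials (app permissions)", claims["roles"]
    elif "scp" in claims:
        flow, granted = "delegated (scp)", claims["scp"].split()
    else:
        flow, granted = "no permission claims", []
    return {"aud": aud, "audience_ok": aud in accepted_audiences,
            "flow": flow, "granted": granted}


if __name__ == "__main__":
    tok = build_unsigned_token(CONSTRUCTED_CLAIMS)
    # API configured only with the api://<client id> form rejects the token.
    print(diagnose_token(tok, ["api://<client-id-placeholder>"]))
    # Accepting both identifiers makes the same token pass audience validation.
    print(diagnose_token(tok, ["api://<client-id-placeholder>", "https://localhost:44371"]))
```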


Solution

  • The issue is that I need to have admin consent for app-to-app permissions to work. This is a restricted action on the Azure tenant I'm on, so I couldn't do that.