Search code examples
asp.net-coremicrosoft-graph-apiasp.net-identitymicrosoft-graph-sdksmicrosoft-identity-platform

Unable to set scopes with EnableTokenAcquisitionToCallDownstreamApi with AddMicrosoftIdentityWebApiAuthentication

This compiles in startup.cs:

string[] initialScopes = Configuration.GetValue<string>("GraphApi:Scopes")?.Split(' ');

services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
                .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
                .AddMicrosoftGraph();

However, since I'm working on an API controller only, and not a web app, I want to do this instead:

string[] initialScopes = Configuration.GetValue<string>("GraphApi:Scopes")?.Split(' ');

services.AddMicrosoftIdentityWebApiAuthentication(Configuration)
                .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
                .AddMicrosoftGraph();

However, this does not compile. At least not with Microsoft.Identity.Web v1.0. Intellisense tells me that string[] is not assignable to parameter type ConfidentialClientApplicationOptions.

The difference is that AddMicrosoftIdentityWebApiAuthentication returns a MicrosoftIdentityWebApiAuthenticationBuilder whereas the former returns a `MicrosoftIdentityAppCallsWebApiAuthenticationBuilder.

Is there a work-around here?

What I'm trying to accomplish, is to ensure that the scope is set correctly when the Graph access token is requested. Currently, this does not seem to be the case, as I get an error like this when trying call Graph - e.g. await graphServiceClient.Applications.Request().GetAsync();.

---> Microsoft.Identity.Web.MicrosoftIdentityWebChallengeUserException: IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent. 
 ---> MSAL.NetCore.4.18.0.0.MsalUiRequiredException: 
    ErrorCode: user_null
Microsoft.Identity.Client.MsalUiRequiredException: No account or login hint was

In other words, what I need is an application access token which looks like this:

[...more json]
{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/{tenant id}/",
  "iat": 1602055659,
  "nbf": 1602055659,
  "exp": 1602059559,
  "aio": "[...]",
  "app_displayname": "My app",
  "appid": "{App id guid}",
  "appidacr": "1",
  "idp": "https://sts.windows.net/{tenant id}/",
  "idtyp": "app",
  "oid": "{guid}",
  "rh": "[...]",
  "roles": [
    "Application.ReadWrite.All",
    "Directory.ReadWrite.All",
    "Directory.Read.All",
    "Application.Read.All"
  ],
  "sub": "{guid}",
  "tenant_region_scope": "EU",
  "tid": "{tenant id}",
  "uti": "[...]",
  "ver": "1.0",
  "xms_tcdt": 1597308440
}.[Signature]

I can generate the above manually with Postman and if I use it, it works. Confirming that the configuration of the Application is correct in Azure AD.

Solution

  • Apparently, using an application access token is current not yet supported.

    IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user #667