I have a .NET CORE 6 Api for the back end and a Angular 13 for the front end. Currently I am trying to authenticate via Angular using msal
and then call the protected .net core API. I think I am missing something. The Api is the weatherforcast
Api template. It successfully authenticates via AAD, which allows me to get user information. However when I try to request data via api by invoking the http.get
method its not Authorizing. How does the protected API get authorization from the front end? Both Apps are registered in Azure Active directory. From my understanding the HTTP_INTERCEPTORS
should intercept the access token and authorization for the api should be granted. The ProfileComponent
has MsalGuard
.
app.module.ts
import { HTTP_INTERCEPTORS, HttpClientModule } from '@angular/common/http';
import { NgModule } from '@angular/core';
import { BrowserModule } from '@angular/platform-browser';
import { Configuration } from 'msal';
import { AppComponent } from './app.component';
import { AppRoutingModule } from './app-routing.module';
import { BrowserCacheLocation, InteractionType, IPublicClientApplication, LogLevel, PublicClientApplication } from '@azure/msal-browser';
import { MsalGuard, MsalInterceptor, MsalBroadcastService, MsalInterceptorConfiguration, MsalModule, MsalService, MSAL_GUARD_CONFIG, MSAL_INSTANCE, MSAL_INTERCEPTOR_CONFIG, MsalGuardConfiguration, MsalRedirectComponent } from '@azure/msal-angular';
import { ProfileComponent } from './profile/profile.component';
import { environment } from '../environments/environment';
import { BrowserAnimationsModule } from '@angular/platform-browser/animations';
import { MatFormFieldModule } from '@angular/material/form-field'
import { MatCheckboxModule } from '@angular/material/checkbox'
import { MatInputModule } from '@angular/material/input'
import { MatButtonModule } from '@angular/material/button'
import { MatDividerModule } from '@angular/material/divider'
const isIE = window.navigator.userAgent.indexOf("MSIE ") > -1 || window.navigator.userAgent.indexOf("Trident/") > -1;
export function loggerCallback(logLevel: LogLevel, message: string) {
console.log(message);
}
export function MSALInstanceFactory(): IPublicClientApplication {
return new PublicClientApplication({
auth: {
clientId: environment.clientId,
authority: environment.authority,
redirectUri: environment.redirectUrl,
postLogoutRedirectUri: environment.redirectUrl,
navigateToLoginRequestUrl: true
},
cache: {
cacheLocation: BrowserCacheLocation.LocalStorage,
storeAuthStateInCookie: isIE, // set to true for IE 11
},
system: {
loggerOptions: {
loggerCallback,
logLevel: LogLevel.Info,
piiLoggingEnabled: false
}
}
});
}
export function MSALInterceptorConfigFactory(): MsalInterceptorConfiguration {
const protectedResourceMap = new Map<string, Array<string>>();
protectedResourceMap.set('api://{uri id}', ['name.read']);
return {
interactionType: InteractionType.Redirect,
protectedResourceMap
};
}
export function MSALGuardConfigFactory(): MsalGuardConfiguration {
return { interactionType: InteractionType.Redirect };
}
@NgModule({
declarations: [
AppComponent,
ProfileComponent
],
imports: [
BrowserModule,
HttpClientModule,
AppRoutingModule,
MsalModule,
BrowserAnimationsModule,
MatCheckboxModule,
MatInputModule,
MatButtonModule,
MatFormFieldModule,
MatDividerModule
],
providers: [
{
provide: HTTP_INTERCEPTORS,
useClass: MsalInterceptor,
multi: true
},
{
provide: MSAL_INSTANCE,
useFactory: MSALInstanceFactory
},
{
provide: MSAL_GUARD_CONFIG,
useFactory: MSALGuardConfigFactory
},
{
provide: MSAL_INTERCEPTOR_CONFIG,
useFactory: MSALInterceptorConfigFactory
},
MsalService,
MsalGuard,
MsalBroadcastService
],
bootstrap: [AppComponent, MsalRedirectComponent]
})
export class AppModule { }
profile.component.ts
import { Component, OnInit } from '@angular/core';
import { MsalService } from '@azure/msal-angular';
import { ApiService } from '../services/api.service';
@Component({
selector: 'app-profile',
templateUrl: './profile.component.html',
styleUrls: ['./profile.component.css']
})
export class ProfileComponent implements OnInit {
forecasts: any;
name: any;
username: any;
constructor(private _apiService: ApiService, private _msalService: MsalService) { }
ngOnInit(): void {
const account = this._msalService.instance.getAllAccounts()[0];
this.name = account?.name;
this.username = account?.username;
this._apiService.getForcast().subscribe(result => {
this.forecasts = result;
}, error => console.error(error));
}
}
appsettings.json
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "example.com",
"TenantId": "{TenantId}",
"ClientId": "{ClientId}",
"Scopes": "name.write name.read",
"CallbackPath": "/signin-oidc",
"Audience": "api://{uri id}"
},
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft.AspNetCore": "Warning"
}
},
"AllowedHosts": "*"
You might want to check your protected resource map. You currently have "api://{uri id}". Try placing the actual API url here just to test it out. Something similar to... "http://localhost:1448/api/weatherforecasts", or whatever the endpoint would be. When you make the call, look to see if the authorization header is in the request.