Microsoft Graph Login not showing the Permission Requested
Good morning guys,
I'm implementing a Microsoft Authentication, that part goes good, the problem is when I get the user access_token, that token does not contain the requested permissions I chose in the Azure App. In the image below you can see the Permission I'm requesting in the Azure App.
In the next image you can see the permissions I'm obtaining with the login.
This is the code to request the access_token in my Startup.cs file.
public void ConfigureServices(IServiceCollection services)
{
services.AddControllersWithViews();
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(options =>
{
Configuration.Bind("AzureAd", options);
options.Events.OnTokenValidated = async context =>
{
var accessToken = context.SecurityToken as JwtSecurityToken;
if (accessToken != null)
{
var claimsIdentity = context.Principal.Identity as ClaimsIdentity;
if (claimsIdentity != null)
{
claimsIdentity.AddClaim(new Claim("access_token", accessToken.RawData));
}
}
};
})
.EnableTokenAcquisitionToCallDownstreamApi()
.AddInMemoryTokenCaches();
services.AddMvc(option =>
{
var policy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
option.Filters.Add(new AuthorizeFilter(policy));
}).AddMicrosoftIdentityUI();
}
and this in the code in my appsettings.json
"AzureAD": {
"Instance": "https://login.microsoftonline.com",
"TenantID": "common",
"ClientID": "916xxxxxx-xx-3f7",
"ClientSecret": "xxxx",
"CallbackUrl": "./signin-oidc",
"SigoutcallbackUrl": "./signout-oidc"
}
I also decoded my token and the permissions I'm requesting in the Azure App (image 1) are not in the token I get.
What I'm missing?
The token you get from OnTokenValidated is the ID token but not the access token, that's why you can't get the permissions you requested. In the mean time, when we need to generate an access token which containing required scopes(the permissions you added in AAD), we need to define the scopes when obtaining the token. You can take a look at the common flows in Azure AD, all of them require "scope" parameter.
When we need to obtain access token in asp.net core mvc app, we could integrate related libraries. We could have codes below.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(options =>
{
builder.Configuration.Bind("AzureAd", options);
}).EnableTokenAcquisitionToCallDownstreamApi(new string[] { "user.read", "Calendars.ReadWrite" })
.AddInMemoryTokenCaches();
Then in the controller which having Authorize attribute, we could inject ITokenAcquisition and use it to generate access token.
private readonly ITokenAcquisition _tokenAcquisition;
public HomeController(ITokenAcquisition tokenAcquisition)
{
_tokenAcquisition = tokenAcquisition;
}
public async Task<IActionResult> IndexAsync()
{
var accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(new string[] { "User.Read" });
return View();
}
Without sign in ahead would get error below, if we sign in successfully, this service would generate access token for us.
- MVC Core - What is the difference between UseIIS and UseIISIntegration
- ASP.NET Core MVC
- Access Web.config settings in Asp.Net Core App?
- Always add existing route parameter in Url.Action
- How could I use DbContext in repository for implementing dependency inversion principle in ASP.NET Core 8.0 MVC
- ASP.NET Core 8 OpenID Connect - SUB claim missing on User.Identity
- Server-Side Paging MVC 6.0
- User.Identity.IsAuthenticated always false in .net core custom authentication
- Routing with Areas and Controller Name (asp.net core)
- Asp Core, How to create Paging?
- asp.net vnext Tag helpers select option not working
- ASP.NET Core 8 MVC - view model validations
- Difference between BadRequestResult and BadRequestObjectResult
- ASP.NET Core - error 404.15 after adding authorization services
- EF .NET 6 Data Annotations with database-first: cannot make annotations work
- Add ScriptBundle in Cassette won't work with ReactJS.NET
- can I send a list of objects including images using FormData object from view to the controller by ajax call?
- User not Signed in after SignInManager.PasswordSignInAsync method Call
- .NET Core MVC Page Not Refreshing After Changes
- How to refresh jquery datatable without database call
- Multipart body length limit exceeded exception
- how do i return the json object of my ajax GET request to an API in Asp.net MVC
- Cookie LoginPath not redirecting to path
- Passing credentials in ASPNET & OTP Authentication
- Adding collection of items in Many to Many Relationship in ASP.NET Core MVC Problem (Code first)
- How to trigger error message when client-side validation on modal create in ASP.NET Core MVC
- Row transferring is not working between jQuery datatables that uses ajax call
- How do I access the variable of one method from another method within the same class in ASP.NET Core?
- Redirect Microsoft Identity Platform Access Denied in ASP.NET Core
- Issue in inserting data in database using string query