Tags: azure, asp.net-core, oauth-2.0

Local daemon app failing to call a protected ASP.Net Core API (403 error)


I have developed a locally working version of the daemon app to protected API code example. The controllers in the API are protected by the app role MyAppReadAll.

If I enable user sign-in in the service principal of the API, I can call the locally running .NET 8.0 API from the locally running daemon ASP.Net Core console app, and get the expected result. I must have done something right in the setup, since the token that the API receives has the correct claims, including the app role.

After local testing I published the API to an App Service, including to an API in our API Manager (APIM). When trying to reach the API I get two different responses:

  1. Calling from the APIM developer portal test console I get a 401.71 error "Unauthorized. Access token is missing or invalid."
  2. Calling from the local daemon app I get a 403.76 error.

In the Availability and Performance tab of the App Service, I can see that both those errors are returned by the FrontEnd load balancer in the App Service. I assume this means that the request never reaches the web worker.

I have set up an OAuth server in APIM, which sends a token with the wrong aud claim, so the 401 is expected. Regarding the 403 using the local daemon app, I do not have any clues. Can anyone offer some insight into this problem?

The network of the API App Service is public, with no access restriction.


Solution

  • The reason for getting the 403 error when calling the API from a local console app was that the App Service had Authentication enabled (EasyAuth). We had enabled EasyAuth by routine, without understanding the implications when combined with the introduction of the Identity platform. I got the clue from this GitHub issue comment.

    Disabling EasyAuth solved the problem.

    NB! For fixing the last 401 hurdle in APIM, I had to remove the api:// part of the audience definition in the JWT-validate policy for the token to be authorized. Using the 2.0 endpoint.
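As an added illustration of the audience fix in the answer above (not the poster's own policy), here is an APIM inbound validate-jwt policy in the failing form beside the corrected one. It assumes a v2.0 OpenID configuration URL and uses placeholder values for the tenant ID and the API app registration's client ID; the required-claims check on the MyAppReadAll role is assumed to match the app role the question describes.

```xml
<inbound>
    <!-- FAILING: with the v2.0 endpoint the aud claim is the bare client ID (GUID),
         so an audience of api://{client-id} never matches and every call gets the
         401 "Unauthorized. Access token is missing or invalid." -->
    <!--
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
        <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
        <audiences>
            <audience>api://{api-client-id}</audience>
        </audiences>
    </validate-jwt>
    -->

    <!-- CORRECTED: audience is the client ID alone (v2.0 tokens). The roles check
         enforces the same app role the API itself requires, so a valid token for the
         wrong client is rejected at the gateway instead of reaching the backend. -->
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
        <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
        <audiences>
            <audience>{api-client-id}</audience>
        </audiences>
        <required-claims>
            <claim name="roles" match="any">
                <value>MyAppReadAll</value>
            </claim>
        </required-claims>
    </validate-jwt>
</inbound>
```

Tokens issued by the v1.0 endpoint carry aud = api://{client-id} instead, so if the daemon app's scope or authority is changed later, the audience value here must change with it.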