Scope based authorization for Azure AD B2C APIs

Pinkesh Dashrathbhai Patel 26 Reputation points
2022-05-23T09:01:07.217+00:00

Hi Team,

With the IdentityServer4 to Azure AD migration we are facing the issues below:

  • Issue #1

We have 2 APIs (ex. WebAPI A and WebAPI B) and both are secured with scope-based authorization with the IdentityServer4 setup. We are migrating to Azure AD from IdentityServer4.
With IdentityServer4, we were able to generate the token with scopes in both Client Credential as well as Authorization Code grant.

Our APIs are exposed to different consumers (ex. Consumer A and Consumer B). Consumer A consumes the APIs (WebAPI A and WebAPI B) with a token generated via the Auth Code grant type, and Consumer B uses the Client Credential flow. With the existing system, both APIs are configured to authorize based on scopes. With Azure AD, we observed that scp claims are available in the token only if it was generated using the Authorization Code grant type.

  • Issue #2

After successful authorization at API A, we internally consume API B for some data. With the existing system we had the Client Credential flow there to authorize the API call. As mentioned earlier, scp claims are not available in an Azure AD Client Credential grant type token.

How do we authorize the same set of APIs with the Client Credential flow using scp-based authorization?

@AmanpreetSingh-MSFT


Accepted answer
    Shweta Mathur 27,616 Reputation points Microsoft Employee
    2022-05-23T17:21:02.127+00:00

    Hi @Pinkesh Dashrathbhai Patel ,

    Thanks for reaching out.

    I understand that you are trying to authorize your APIs using the client credentials flow, but are not able to get scp claims in the Azure AD access token.

    The client credentials grant flow is not currently directly supported by Azure AD B2C. You can set up the client credentials flow using Azure AD and the Microsoft identity platform endpoint for an application in your Azure AD B2C tenant, because an Azure AD B2C tenant shares some functionality with Azure AD.

    The Azure AD Authorization code flow allows authenticating using the user's delegated identity (Delegated Permissions) and returns the permissions as the scp claim in the token. However, the client credential flow in Azure AD gets tokens using the application's identity (Application Permissions), as there is no user interaction in this flow, and returns the permissions as the roles claim in the access token.

    To add scopes as application permissions, you need to create an appRole on the API, and then grant that role to the client application as an application permission.

    To set the application permission, you need to assign the app role to the application.

    [image: 204680-image1.png]

    There is a chance that you are not able to see App roles in the B2C blade, as client credentials are not supported in B2C.

    To add App roles in your Web API, you can update the value of app roles in the manifest as:

    "appRoles": [
        {
            "allowedMemberTypes": [
                "Application"
            ],
            "description": "Access as application",
            "displayName": "access_as_application",
            "id": "c0999c9d-bf5f-4202-8b1c-f660baf4f78b",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "access_as_application"
        }
    ],

    Also, you need to expose the Web API protected by Azure as:
    Azure portal > App registrations > Expose an API > set the Application ID URI

    [image: 204789-image2.png]

    Next, in the client application > API permissions > Add a permission > My APIs > your API application, and grant admin consent to that permission.

    [image: 204790-image3.png]

    Now get the access token with the client credential flow using the token endpoint to call the Web API.

    [image: 204716-image5.png]

    You can decode the access token using jwt.ms to see the application permissions in the roles claim.

    [image: 204831-image.png]

    Hope this will help. If you have any doubt on this, please let us know.

    Thanks,
    Shweta

    -------------------------------

    Please remember to "Accept Answer" if answer helped you.
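The practical consequence of the answer is that WebAPI B must accept either the delegated scp claim (Authorization Code tokens from Consumer A) or the application roles claim (Client Credentials tokens from Consumer B and from API A's internal call), and deny a token that carries neither. The following is an added example written for this page, not code from the thread or from Microsoft; it checks only the already validated claims, so signature, issuer, audience and expiry validation are assumed to have been done by the JWT middleware beforehand. "access_as_application" is the role value from the manifest in the answer; "access_as_user" and the audience "api://webapi-b" are assumed names.

```python
from typing import Any, Mapping, Set

def scopes_of(claims: Mapping[str, Any]) -> Set[str]:
    """Delegated permissions: scp is one space-separated string."""
    scp = claims.get("scp")
    return set(scp.split()) if isinstance(scp, str) else set()

def app_roles_of(claims: Mapping[str, Any]) -> Set[str]:
    """Application permissions: roles is a JSON array of role values."""
    roles = claims.get("roles")
    if isinstance(roles, str):          # tolerate a single-value claim
        return {roles}
    return set(roles) if isinstance(roles, list) else set()

def is_authorized(claims: Mapping[str, Any], required_scope: str,
                  required_app_role: str) -> bool:
    """
    Allow the call when the token carries required_scope (Authorization Code
    flow) or required_app_role (Client Credentials flow). A token with
    neither, e.g. client credentials issued to an app that was never granted
    the app role, is denied rather than let through on audience alone.
    A role value appearing inside scp is not treated as an app role.
    """
    return (required_scope in scopes_of(claims)
            or required_app_role in app_roles_of(claims))

# Constructed sample claim sets (decoded payloads only, not real tokens).
# "access_as_application" is the role value from the manifest in the answer;
# "access_as_user" and the audience are assumed names for this example.
DELEGATED_CLAIMS = {"aud": "api://webapi-b", "scp": "access_as_user profile"}
APP_CLAIMS = {"aud": "api://webapi-b", "roles": ["access_as_application"]}
UNASSIGNED_APP_CLAIMS = {"aud": "api://webapi-b"}   # app role never granted

def check_samples() -> dict:
    """Evaluate the three sample tokens against WebAPI B's requirement."""
    return {name: is_authorized(c, "access_as_user", "access_as_application")
            for name, c in [("delegated", DELEGATED_CLAIMS),
                            ("application", APP_CLAIMS),
                            ("unassigned", UNASSIGNED_APP_CLAIMS)]}

if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(f"{name:12s} -> {'allow' if ok else 'deny'}")
```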

