Authentication fails when API method is protected by RequiredScope("...")

Sam Wheat 406 Reputation points
2024-06-16T19:49:51.7366667+00:00

When I call a method protected with RequiredScope on my api I get Response = 403, Forbidden. Removing RequiredScope results in 200. The app calling the api does have the correct permission granted.

Protected API method:

[Authorize(AuthenticationSchemes = "AzureAdB2C")]
[HttpGet]
[Route("SecureIdentity")]
[RequiredScope("access_as_user")]
public ActionResult
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,645 questions
Microsoft Entra
{count} votes

Accepted answer
  1. Raja Pothuraju 7,990 Reputation points Microsoft Vendor
    2024-06-18T17:06:45.4233333+00:00

    Hello @Sam Wheat,

    Thank you for posting your query on Microsoft Q&A.

    From my understanding, you are receiving a 403 Forbidden error when calling a method protected with RequiredScope on your API, despite confirming that the app calling the API has the correct permissions granted. To help resolve this issue, please verify the following steps:

    1. Ensure that the access token you are using to call the API contains the required scope. You can check this by decoding the access token and looking for the "scp" claim. The value of this claim should include the required scope.
    2. If the access token does not contain the required scope, check the Entra AD app registration for your app and ensure that the required scope is included in the app's API permissions.
    3. If the access token does contain the required scope, check your API code to ensure that the RequiredScope attribute is correctly configured. Confirm that the scope name matches the name of the scope in the access token.
    4. Verify that the RequiredScope attribute is correctly configured and that the Entra AD app registration for your API includes the required scope in the app's exposed scopes.
    5. If the above steps do not resolve the issue, please provide more details about your API and app registration configurations, as well as any error messages or logs you are seeing in the Entra Sign-in log report.

    Reference Document: Verify scopes and app roles protected web API - Microsoft identity platform

    Access token claims reference - Microsoft identity platform

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    Thanks,

    Raja Pothuraju.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Sam Wheat 406 Reputation points
    2024-07-01T14:53:07.7033333+00:00

    I updated the nuget packages.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.