Retrieve token for Core API and scope/audience understanding

Keith Viking 20 Reputation points
2023-05-11T15:42:37+00:00

Hi

I have created an App Registration on Azure; following this I created a Client Secret, an App Role and a Scope, setting permissions under API Authorisation.

The purpose here is to have a Web API (Core) using .Net 6 so I can exchange data securely.

In order to get the token I send a request to

https://login.microsoftonline.com/tenant_id/oauth2/v2.0/token

with

grant_type : client_credentials
client_id : myAppClientId
client_secret : myClientValue
scope : https://domain.onmicrosoft.com/ClientId/.default

This works and I retrieve a JSON token which I can decode at jwt.io.

I now have the below code in my .Net 6 WebCore API:

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.

builder.Services.AddControllers();
// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();

// Validate incoming bearer tokens against the settings in the "AzureAd" section (issuer, audience, signing keys).
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

var app = builder.Build();

// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
    //app.UseSwagger();
    //app.UseSwaggerUI();
}
else
{
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();

app.Run();

appsettings.json

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "ClientId": "myAppClientId",
    "ClientSecret": "ClientValue",
    "Domain": "myTenantId",
    "TenantId": "myTenantId",
    "Audience": "https://domain.onmicrosoft.com/myAppClientId"
  }
}

My controller is decorated with [Authorize] at the top. If I call https://localhost/weatherforecast I need to make a new request passing in the token from above and retrieve the data with Bearer.

  1. What would be the correct process to retrieve a token from my WebAPI? Do I create a new controller with full access and a new method to call the same service in this method (sending a request to https://login.microsoftonline.com/tenant_id/oauth2/v2.0/token) and passing in the values supplied? If so, what values should I be providing end consumers for using this service, as some would be sensitive to our Azure account?
  2. I don't fully understand the difference between scope and audience (you will notice in my code the JSON uses Audience, but when I sent the request to get the token I passed in Scope).
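The request in the question, done from the caller's side with MSAL.NET instead of a hand-built POST. This is an added example, not code from the question or from Microsoft; it assumes the caller has its own app registration in the same tenant (placeholder values `<tenant-id>`, `<caller-client-id>`, `<caller-client-secret>` and `<api-client-id>`), so the only things an API owner hands out are the tenant id, the API's scope string and a per-caller client id and secret. The API's own client secret never leaves the API owner, and the API itself never issues tokens; every caller asks Entra ID directly.

```csharp
// Caller side: client-credentials flow with MSAL.NET (package Microsoft.Identity.Client).
// Added example; the identifiers below are placeholders, not values from the question.
using System.Net.Http.Headers;
using Microsoft.Identity.Client;

const string TenantId = "<tenant-id>";
const string CallerClientId = "<caller-client-id>";          // this caller's own app registration
const string CallerClientSecret = "<caller-client-secret>";  // load from a secret store in real code
// The API's Application ID URI plus "/.default": asks for every app role this caller was granted on the API.
const string ApiScope = "https://domain.onmicrosoft.com/<api-client-id>/.default";

var confidentialClient = ConfidentialClientApplicationBuilder
    .Create(CallerClientId)
    .WithClientSecret(CallerClientSecret)
    .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
    .Build();

// MSAL posts grant_type=client_credentials to /oauth2/v2.0/token for us and caches the
// result, so repeated calls reuse the token until it is close to expiry.
AuthenticationResult result = await confidentialClient
    .AcquireTokenForClient(new[] { ApiScope })
    .ExecuteAsync();

// Present the access token as a bearer token to the protected API from the question.
using var http = new HttpClient { BaseAddress = new Uri("https://localhost/") };
http.DefaultRequestHeaders.Authorization =
    new AuthenticationHeaderValue("Bearer", result.AccessToken);

HttpResponseMessage response = await http.GetAsync("weatherforecast");
Console.WriteLine($"{(int)response.StatusCode} {response.ReasonPhrase}");
Console.WriteLine(await response.Content.ReadAsStringAsync());
```

Rotating or revoking one caller's secret then affects only that caller, which is the practical reason for one registration per consumer rather than sharing the API's credentials.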
Tags: ASP.NET Core, C#, Microsoft Entra ID

1 answer

Bruce (SqlWork.com) 59,131 Reputation points
2023-05-11T17:47:10.28+00:00

The audience is which services the token is valid for. In your case this identifies the token is valid for your WebAPI.

The scope is the app permission granted to the token. For example, the Graph API has scopes like "User.Read" and "Mail.Send". You can define custom scopes for your app. In your case you have the default scope defined for your web app API.

You can define multiple scopes, and define which scopes are available to each user (client id, as you are using secrets rather than users).

As you registered Azure AD as the authentication service, the caller would use any OAuth client SDK and needs the app settings.

You would probably create a unique client id and secret for each caller.
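The API side of the audience/scope distinction from the answer, as an added example (not code from the question or the answer). Microsoft.Identity.Web already rejects tokens whose `aud` does not match the configured Audience or ClientId, so `[Authorize]` proves "a token issued by this tenant for this API". It does not prove the caller was granted anything: a client-credentials token carries no user and no `scp` claim, and the app roles the caller holds arrive in the `roles` claim, which must be checked separately. This example assumes an app role named `Forecast.Read` defined on the API's app registration and assigned to each permitted caller.

```csharp
// Program.cs with the controller in the same file. Added example; "Forecast.Read" is an
// assumed app role name, not one from the question.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Token validation (signature, issuer, audience, expiry) is driven by the "AzureAd" section.
// Instance, TenantId, ClientId and Audience are enough for validation; the API's ClientSecret is
// not used to validate incoming tokens, so it does not have to be present for this to work.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

builder.Services.AddAuthorization(options =>
{
    // Client-credentials tokens express granted permissions as app roles in the "roles" claim.
    // Microsoft.Identity.Web maps that claim to the identity's role claim type, so RequireRole
    // reads it. A token with the right audience but no roles fails this policy.
    options.AddPolicy("ForecastRead", policy =>
        policy.RequireAuthenticatedUser()
              .RequireRole("Forecast.Read"));
});

builder.Services.AddControllers();

var app = builder.Build();

app.UseHttpsRedirection();
app.UseAuthentication();   // populates HttpContext.User from the bearer token
app.UseAuthorization();    // evaluates [Authorize] and named policies
app.MapControllers();

app.Run();

[ApiController]
[Route("[controller]")]
[Authorize(Policy = "ForecastRead")]   // plain [Authorize] would only check audience + validity
public class WeatherForecastController : ControllerBase
{
    [HttpGet]
    public IActionResult Get()
    {
        // In v2.0 tokens the "azp" claim holds the client id of the application that called us;
        // log it so each consumer's activity can be attributed to its own registration.
        string caller = User.FindFirst("azp")?.Value ?? "unknown";
        return Ok(new { caller, forecast = new[] { "sunny", "cloudy" } });
    }
}
```

To map the question's terms onto this: the Audience in appsettings.json is what the `aud` claim must equal, the scope string sent to the token endpoint (`.../.default`) tells Entra ID which API the token is for and which roles to put in it, and the policy above is where the API finally checks those roles.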