On-Behalf-Of token needs to contain UPN, when using Asp.Net MVC as front end

Question

I'm lost here. After the user signs into my UI, I have to call a third-party API whose owner is telling me that the UPN must be in the token (so I guess that rules out using a client-ID-plus-client secret to call his API).

With an SPA such as Angular, if we need to call such an API, MSAL.js would just acquire a second token containing the needed scope/audience, and call that API from the javascript code.

But this is an Asp.Net MVC application. The user signs in and, as far as I know, MVC middleware generates a cookie. So I really have a cookie, it seems to me, not a token. Is there a standard way to get the actual token? But even if I got it, the audience is already set to the ClientID used for sign-in. How then would I generate a token where the audience is the third-party API AND this token must contain the user's UPN?

Answer 1

Hi @JAL ,

Thanks for reaching out and updating us on your queries.

I understand that you are trying to call API from your SPA client application.

Could you please confirm why you are using On behalf of flow in this scenario. On behalf of flow is required when an API receives the access token from the client application, and which needs to get an access token for a downstream WebAPI.

In this scenario you can use authorization code flow to get the access token for your API.

Also, your understanding is correct here as your users are in different organizations, you need to register your application as multi-tenant application.

For the user from another tenant to access your application, your application's service principal needs to be present in that tenant.

Suppose your application is registered in tenant A and users from tenant B want to access the application. Then

Now make sure to login with the user of tenant B using common endpoint as:

 https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={client-id of Tenant A }&response_type=code&redirect_uri={redirect URI registered in Tenant A API}&response_mode=fragment&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2F.default&state=12345 which will ask for user's consent. 

Once consent has been provided, the service principal gets registered in Tenant B to access the application registered in Tenant A.

If you are calling middle tire web API to call downstream web API, then the user must grant the middle tier permission to do so in the form of consent. Because the middle tier has no interactive UI of its own, you need to explicitly bind the client app registration in Azure AD with the registration for the web API.

You can do so by adding the "Client ID" of the client app, to the manifest of the web API in the knownClientApplications property.

Reference : https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#multiple-tiers-in-a-single-tenant

Hope this will help.

Thanks,

Shweta

---

Please remember to "Accept Answer" if answer helped you.

Answer 2

@Shweta

"I understand that you are trying to call API from your SPA client application."

No, it's an MVC app.

"In this scenario you can use authorization code flow to get the access token for your API."

I take it you mean PKCE flow? Even if I could use the flow here, I think it just gets the user signed in to my UI application (audience will be my clientID), right? I'm confused how PKCE explains - without recourse to On Behalf Of flow - how to get a second token whose audience is the downstream API. That API, to be clear, is also insisting the 2nd token contain the user's UPN, and my clientID.

"Once consent has been provided, the service principal gets registered in Tenant B to access the application registered in Tenant A."

Thanks for the info. I always assume an admin has to consent but seems I'm wrong.

Thanks for the link to the article. Very informative.

Anyway I eventually managed to acquire the token using the On-behalf-Of code in the Stack Overflow article. The downstream API also had to add my ClientID as an Authorized Client on his Expose An API blade.

Your answer didn't solve all my problems but was helpful enough. Thanks.