Azure Developer Portal Delegation Signin Implementation Issue

Koshal Garg 0 Reputation points
2023-08-29T17:28:52.48+00:00

Hi,

I am using the developer portal and I want to delegate the sign-in process from other applications. I have this code for sign-in, but it is giving an unauthorized error. I have taken this from the sample and am now trying to log in to the developer portal with it.

I have checked the Azure API documentation and it's the same API, but "users/" + User.Identity.GetName() + "/token?" still returns unauthorized.

I have tried multiple tokens. I have a delegation token. Now what should I change for authorization of that API?

    //create user in APIM as well
    using (var client = new HttpClient())
    {
        client.BaseAddress = new Uri(ApimRestHost);
        client.DefaultRequestHeaders.Add("Authorization", ApimRestAuthHeader());

        var ApimUser = new
        {
            keyType = "primary",
            expiry = ApimRestExpiry
        };

        var ApimUserJson = JsonSerializer.Serialize(ApimUser);

        HttpResponseMessage response = await client.PostAsync("users/" + User.Identity.GetName() + "/token?api-version=2023-03-01-preview", this.GetContent(ApimUserJson));
        if (response.IsSuccessStatusCode)
        {
            //We got an SSO token - redirect
            HttpContent receiveStream = response.Content;
            var SsoUrlJson = await receiveStream.ReadAsStringAsync();
            var su = JsonSerializer.Deserialize<SsoUrl>(SsoUrlJson);

            //We need to encode the primary key before passing it to the sso url.
            string url = string.Format("{0}/signin-sso?token={1}", developerPortalUrl, HttpUtility.UrlEncode(su.value));
            return Redirect(url);
        }
        else
        {
            @ViewBag.Message = "APIM REST Connection Error: " + response.StatusCode;
            return View();
        }
    }

    // token for headers
    public string ApimRestAuthHeader()
    {
        using (var encoder = new HMACSHA512(Encoding.UTF8.GetBytes(ApimRestPK)))
        {
            var dataToSign = ApimRestId + "\n" + ApimRestExpiry.ToString("O", CultureInfo.InvariantCulture);
            var hash = encoder.ComputeHash(Encoding.UTF8.GetBytes(dataToSign));
            var signature = Convert.ToBase64String(hash);
            var encodedToken = string.Format("SharedAccessSignature uid={0}&ex={1:o}&sn={2}", ApimRestId, ApimRestExpiry, signature);
            return encodedToken;
        }
    }


1 answer

  1. JananiRamesh-MSFT 29,246 Reputation points
    2023-08-30T17:27:28.46+00:00

    Hi Koshal Garg, thanks for reaching out. From the description I understand that you were trying to call the below REST API to get the shared access key for a user and it fails with a 401 Unauthorized error: https://learn.microsoft.com/en-us/rest/api/apimanagement/current-ga/user/get-shared-access-token?tabs=HTTP. Please correct me here if I am wrong.

    I see you have created a shared access signature token and are passing that token as an authorization header for the REST API call. A SAS token can only be used for direct management API calls and you cannot use it for API calls to ARM (Azure Resource Manager); you must use a bearer token for authorization.

    Reference: https://learn.microsoft.com/en-us/rest/api/apimanagement/apimanagementrest/azure-api-management-rest-api-authentication
    Let me know in case of further queries; I would be happy to assist you.

    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.
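
The bearer-token call the answer describes, as an added example that is not part of the original thread or of Microsoft's sample. It assumes the Azure.Identity package, an identity that has been granted access to the API Management resource, and placeholder subscription, resource group and service names; the class and method names are hypothetical, and the `properties` wrapper in the request body follows the ARM reference linked in the answer.

```csharp
// Added example: class/method names and the <...> path segments are placeholders.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using Azure.Core;
using Azure.Identity;

public static class ApimSsoTokenClient
{
    // ARM resource path of the API Management instance (placeholder values).
    private const string ServicePath =
        "/subscriptions/<subscription-id>/resourceGroups/<resource-group>" +
        "/providers/Microsoft.ApiManagement/service/<service-name>";

    private static readonly HttpClient Http =
        new HttpClient { BaseAddress = new Uri("https://management.azure.com") };

    public static async Task<string> GetSigninSsoUrlAsync(string userId, DateTime expiryUtc, string developerPortalUrl)
    {
        // ARM expects an Azure AD bearer token, not "SharedAccessSignature uid=...&ex=...&sn=...".
        var credential = new DefaultAzureCredential();
        AccessToken arm = await credential.GetTokenAsync(
            new TokenRequestContext(new[] { "https://management.azure.com/.default" }), CancellationToken.None);

        // The ARM operation wraps keyType and expiry in a "properties" object.
        var body = JsonSerializer.Serialize(new
        {
            properties = new { keyType = "primary", expiry = expiryUtc.ToUniversalTime().ToString("O") }
        });
        using var request = new HttpRequestMessage(HttpMethod.Post,
            $"{ServicePath}/users/{Uri.EscapeDataString(userId)}/token?api-version=2023-03-01-preview")
        {
            Content = new StringContent(body, Encoding.UTF8, "application/json")
        };
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", arm.Token);

        using HttpResponseMessage response = await Http.SendAsync(request);
        response.EnsureSuccessStatusCode(); // throws on 401/403 and any other non-success status

        using JsonDocument doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        string userToken = doc.RootElement.GetProperty("value").GetString();
        return $"{developerPortalUrl}/signin-sso?token={HttpUtility.UrlEncode(userToken)}";
    }
}
```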

