25,081 questions
where can I verify ValidAudiencies ? in the manifest?
Calling a azure web api with bearer token, received 401 unauthorized
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 15%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
Ernesto
61
Reputation points
Hi, when I try to call a web api with a scope policy enforced; I receive a 401 unauthorized.
How should I configure web api and the get request?
Microsoft Security Microsoft Entra Microsoft Entra ID
{count} votes
-
Ernesto 61 Reputation points
2024-05-08T11:46:13.8833333+00:00 var azureScopePolicy = "AuthZPolicy";
builder.Services.AddAuthorization(config =>
{
config.AddPolicy(azureScopePolicy, policyBuilder => policyBuilder.Requirements.Add(new ScopeAuthorizationRequirement() { RequiredScopesConfigurationKey = $"AzureAd:Scopes" }));});
------------------------appsettings.json-------------------------------------------------
"AzureAd": {
"Instance": "https://login.microsoftonline.com/", "TenantId": "d1ee1acd-xxxxxxxxxxxxxxxxxxxxxxxxxxx", "ClientId": "47d9e4b5-xxxxxxxxxxxxxxxxxxxxxxxxxx", "Scopes": "Forecast.WriteScope"},
------------------------Controller-------------------------------------------------
[Authorize(Policy = "AuthZPolicy")]
public class Az1TestController : ControllerBase
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator2024-05-08T21:48:33.9266667+00:00 Hi @Ernesto, we are looking into this and will get back to you.
-
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
2024-05-08T22:46:47.9866667+00:00 Can you try to decode the token on https://jwt.ms and see if the audience is matching with the uri where the application has requested to post the token?
-
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
2024-05-08T23:01:13.2833333+00:00 It's possible also that you had a permission expire, or that API is requiring authentication that is no longer being provided.
-
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
2024-05-08T23:57:42.96+00:00 Can you also please clarify which API you are calling and what kind of policy you are trying to create? Is it a mapping policy? How are you trying to get the access tokens and what API permissions are you using?
I can see the scope is Forecast.WriteScope and it seems like a lack of permissions and scoping, but we need to understand more about what you are trying to do and the type of permissions you are trying to add.
-
Ernesto 61 Reputation points
2024-05-09T17:43:34.29+00:00 Hi, audience is "aud": "https://management.core.windows.net", I'm calling url https://xxxxxxxxxx.azurewebsites.net/api/WeatherForecast
I use postman to get a token using https://login.microsoftonline.com/d1ee1acd-bc7a-XXXX-XXXX-XXXXXXXXX/oauth2/token with a client secret
I have copied in the message applied policy, it is about scope verification
var azureScopePolicy = "AuthZPolicy";
builder.Services.AddAuthorization(config =>
{
config.AddPolicy(azureScopePolicy, policyBuilder => policyBuilder.Requirements.Add(new ScopeAuthorizationRequirement() { RequiredScopesConfigurationKey = $"AzureAd:Scopes" }));});
-
Ernesto 61 Reputation points
2024-05-09T17:45:12.1166667+00:00 how should I configure app in azure? I have followed learn.microsoft.com recommendation but it didn't work
Sign in to comment
3 answers
Sort by: Most helpful
-
Deleted
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more
-
-
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
2024-05-09T00:35:25.92+00:00 Hi @Ernesto ,
To add to the previous comments, it seems Forecast.WriteScope is the current scope or one of the permissions in the token based on what you shared. But based on the error, it sounds like the Forecast.WriteScope permission will not be enough to call the API and you might need more permissions.
To further isolate, we need to understand what you are trying to achieve (which API you are calling, what kind of policy you are trying to create, whether it is a mapping policy, how are you trying to get the access tokens, and what API permissions are you using), and the configuration of how you are calling the API.