Unauthorized access to API despite getting Access Token and Scope

Umais Nisar 0 Reputation points
2024-09-20T07:35:32.8866667+00:00

Hi,

Token Response:

{
    "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrNHh5b2pORnVtMWtsMll0djhkbE5QNC1jNTdkTzZRR1RWQndhTmsiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiI4MzcyMTQwYy02MTI4LTRiZjctOGQ2OC00YmIyOWI0OGE5N2EiLCJpc3MiOiJodHRwczovL3NjaG9vbGNvbm5lY3RiMmMuYjJjbG9naW4uY29tLzlhOWY3MjgyLWM4MWUtNGY0ZC1hZDU4LTFmMjlmZjI2YWZhNy92Mi4wLyIsImV4cCI6MTcyNjgyMTAwNCwibmJmIjoxNzI2ODE3NDA0LCJzdWIiOiI3ODQwNDhmOS03NDNlLTRjN2UtYWFiYS1mY2Y4NzQ4NTc2NDEiLCJuYW1lIjoiVW1haXMgTmlzYXIiLCJ0ZnAiOiJCMkNfMV9TaWduX0luX1VwIiwibm9uY2UiOiIwN2MwYWY2Ny04ZWQyLTQwOGYtYjYxMC1kYmZhNzg3Njg1YTEiLCJzY3AiOiJBUEkuUmVhZFdyaXRlIiwiYXpwIjoiODM3MjE0MGMtNjEyOC00YmY3LThkNjgtNGJiMjliNDhhOTdhIiwidmVyIjoiMS4wIiwiaWF0IjoxNzI2ODE3NDA0fQ.CuKkMAEAf-uxDcITB0ujvoFeUuYtQ8qYeHmBvLeWMb2FD3hEvw1zXdzAPtuIkTOcmD5MhtLtAf9jtnPIbSB_r7Ya2JbcGt_Q45stmi3f-3iNeTRk9zVsIsO-jrGJMWBDV2bfT2mO7FNrBtgy0e-vOZkP4Hs0LyLfeWiCaylK11oJNAUa1bgrF5Wm9Sm0ESa7VeiTiofZ5B92nGVal-8H8EH-WFnipE-Dqi1feFm-o6GNVcbXWD8VkoTnkx9H7CzU_DG1D5uTuP0NZ0qQm1BuaAFM_RNPhgA-Q1NkI2I9VwLXM-JKw1ty9QsTWSY-VUPwyhRD4mFsjkygl9_UyvAgGg",
    "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrNHh5b2pORnVtMWtsMll0djhkbE5QNC1jNTdkTzZRR1RWQndhTmsiLCJ0eXAiOiJKV1QifQ.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.szGUSuInW3cLJjub1Ya8KSyPZNrRT09xd6Tli472SKkrZW5D2B-x8Cbp_KlgaRIFbD8pWkRO2b_Sq0GCFBvBbo5kAWaeQXrvLE07Gw6vFemEVRBOFtp_yXWsjR0q6yxIIMv1Bi3Vr0Z8jwLTzZbde1NmYRQmNLAWXXkFvnQ8FIqRx52FqJHpv6An6fqySvKBPalvUIMYskA_0ZeCTc9qACCQzPY9x0sdPhTX4aP1HJn58shKS8t7r5_EBPaxPHsPfaruOgm8VUC12tzc6jRfi1NWTNA0tJ4znEyhHSiWqAbj61emjZXKpB25MpaSVg6ZW9NOvOa1k8hGMU1eGKDfyA",
    "token_type": "Bearer",
    "not_before": 1726817404,
    "expires_in": 3600,
    "expires_on": 1726821004,
    "resource": "8372140c-6128-4bf7-8d68-4bb29b48a97a",
    "client_info": "eyJ1aWQiOiI3ODQwNDhmOS03NDNlLTRjN2UtYWFiYS1mY2Y4NzQ4NTc2NDEtYjJjXzFfc2lnbl9pbl91cCIsInV0aWQiOiI5YTlmNzI4Mi1jODFlLTRmNGQtYWQ1OC0xZjI5ZmYyNmFmYTcifQ",
    "scope": "https://schoolconnectb2c.onmicrosoft.com/8372140c-6128-4bf7-8d68-4bb29b48a97a/API.ReadWrite",
    "refresh_token": "eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMCIsInppcCI6IkRlZmxhdGUiLCJzZXIiOiIxLjAifQ..lRPIdIPYV-fzAWPg.UKjBOKSaNLTzLeR5SFVmPRo_VFwEGjS0SF7D2oxG5YURFAsCd-kWh9_2BQQTOAfFoY4xYt2oVRKB78xF8bb9el35qBWtaspSJuf9DNu4D2qOjsdoqu8pWgcTghig6VmbGBuLBrNnUwvRYrxxa2XKZhCbWDoMiuzcC4GCNhXSIsbDuVejszFFcf0xtcNtMLdWx4o3rYpzdqgIOBKtA-zg7NwXxfAskWpzNQwpriBYl763REZmFuclzW_pv8y8cvF-j10KCb04mNwNSgnYeXh_Ih2o2A3_8jIA6ztHmpMNwiYFkoaFwKueAjmWbamMQNiKy8NNyf_R2TQLjXiC0kG0pmNqFmgx44wTrrkoS9AU_yUZ6t48jNSUFt-UJ2bBM_EUwghc3stSVAwFCgYvuCgoJmhCZUEUbHN9GIDBkmwgdsjsVPM7lsYZ_Fhh51yOC7fQiBwJyEKf3BF4EIDlygwi6BRiBKuW0Q7SQDQnUAwsqoQwg2-eJU3Y6IkYBNOTzXq25ruemjLvLMAYYEhXcfIEzD92-sXeqPdbRoXutC0bhRLDKKLG21h_8ULHVi1FriPhj0hU3ke-Wb3_rdJKcNoJu7lUxnG9scQ4XF_vRHtKsi5JH24bWieNAQbTNuMGCgWHvfaokxM94IJWfmHKsNYqfzpB-g-Ut03Vo2iSiGyVGWQ.z8P3G47q7NlbbXJ9qkhtvw",
    "refresh_token_expires_in": 86400
}

After this, it does not go inside this IF statement, which checks whether the user is authenticated:

public class CustomIdentityMiddleware(RequestDelegate next)
{
    private readonly RequestDelegate _next = next;
    public async Task InvokeAsync(HttpContext http, UserService userService)
    {
        //if (http.User.Identity?.IsAuthenticated == true)
        if (http.User.Identity.IsAuthenticated)
        {
            var objectId = http.User?.Claims?.SingleOrDefault(o => o.Type == ClaimTypes.NameIdentifier)?.Value;
            if (objectId != null)
            {

And it is also not able to make any API request:

Request URL:
https://localhost:5161/api/user/get-all-users
Request Method:
GET
Status Code:
401 Unauthorized
Remote Address:
[::1]:5161
Referrer Policy:
strict-origin-when-cross-origin

Blazor WASM frontend, .NET backend. Any help would be highly appreciated because I am out of ideas.


1 answer

Umais Nisar 0 Reputation points
2024-09-20T19:36:46.3733333+00:00

I found the solution after 2 days of working on this, even tirelessly at night. Even the so-called "AI GPT" couldn't help with this and kept going in circles... giving me the wrong solution at times. In your face, NVIDIA CEO and other CEOs who think we are replaceable lmao.

I will give the moral first, and the moral of the story is: follow the documentation to the T, don't be a dummy like me.

What I was doing wrong was creating one single app and creating the application URI inside of it. I set it to public too in authentication. Somehow that was messing things up.

Solution:

1. Create the Server app first and make the scope inside of it.
2. Create the Client app separately afterwards, go to app permissions and add the Server API scope from there. Grant it consent as well.
3. Put the Client ID of the Server app inside the Server project's appsettings.json, and vice versa for the Client project... put the client ID of the Client app there.

Just follow the documentation to the T; the link I provided has everything, even this stuff.

Thanks for your help Tiny.

P.S.: GPT is just a data scraper that uses NLP, not even remotely intelligent enough to produce new stuff.

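Added example, not part of the question or the answer above: a small Python diagnostic for the 401 in the question and the two-registration fix in the answer. It rebuilds the claims of the access token the question posted (aud, iss, scp, azp, exp, nbf as decoded from the token's payload; the signature is not reproduced) and runs the claim checks a resource server applies: audience equals the API's own client ID, issuer matches the B2C tenant, the required scope is present, and the validity window holds. The server and client app IDs for the fixed setup are placeholders, and the second token is constructed to show what a token issued to a separate client for the server's scope looks like (aud = server app, azp = client app). Signature verification is deliberately skipped here and must be done against the issuer's JWKS in the real API.

```python
import base64
import json

# Claims decoded from the access token in the question's "Token Response".
ISSUER = "https://schoolconnectb2c.b2clogin.com/9a9f7282-c81e-4f4d-ad58-1f29ff26afa7/v2.0/"
SINGLE_APP_ID = "8372140c-6128-4bf7-8d68-4bb29b48a97a"   # the one combined registration
POSTED_CLAIMS = {
    "aud": SINGLE_APP_ID,
    "iss": ISSUER,
    "exp": 1726821004,
    "nbf": 1726817404,
    "sub": "784048f9-743e-4c7e-aaba-fcf874857641",
    "tfp": "B2C_1_Sign_In_Up",
    "scp": "API.ReadWrite",
    "azp": SINGLE_APP_ID,
    "ver": "1.0",
    "iat": 1726817404,
}

# Placeholders (not from the page) for the separate registrations the answer describes.
SERVER_APP_ID = "00000000-0000-0000-0000-00000000000a"
CLIENT_APP_ID = "00000000-0000-0000-0000-00000000000b"
# Constructed: what the client receives after the fix, when it requests the server's scope.
FIXED_CLAIMS = {**POSTED_CLAIMS, "aud": SERVER_APP_ID, "azp": CLIENT_APP_ID}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build header.payload. with an empty signature, for this diagnostic only."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Read the payload WITHOUT verifying the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def check_token(token: str, expected_audience: str, expected_issuer: str,
                required_scope: str, now: int) -> dict:
    """Apply the claim checks a resource server performs before accepting a bearer token.

    Returns {"rejections": [...], "warnings": [...]}; any rejection means a 401.
    """
    c = decode_claims(token)
    rejections, warnings = [], []
    if c.get("aud") != expected_audience:
        rejections.append(f"aud {c.get('aud')!r} is not this API's client id {expected_audience!r}")
    if c.get("iss") != expected_issuer:
        rejections.append(f"iss {c.get('iss')!r} does not match {expected_issuer!r}")
    granted = set(c.get("scp", "").split())        # scp is a space-separated list
    if required_scope not in granted:
        rejections.append(f"scp {sorted(granted)} lacks {required_scope!r}")
    if now >= c.get("exp", 0):
        rejections.append("token expired")
    if now < c.get("nbf", 0):
        rejections.append("token not yet valid (nbf)")
    if c.get("aud") == c.get("azp"):
        # The posted token has this shape: the client asked for a scope on itself.
        warnings.append("aud equals azp: token was issued to the client app for itself "
                        "(single combined registration); with separate apps aud is the "
                        "server app and azp the client app")
    return {"rejections": rejections, "warnings": warnings}


if __name__ == "__main__":
    now = 1726817500  # inside the posted token's nbf..exp window
    posted = make_unsigned_jwt(POSTED_CLAIMS)
    fixed = make_unsigned_jwt(FIXED_CLAIMS)
    print("posted token, API expecting the server app id:",
          check_token(posted, SERVER_APP_ID, ISSUER, "API.ReadWrite", now))
    print("fixed token, API expecting the server app id:",
          check_token(fixed, SERVER_APP_ID, ISSUER, "API.ReadWrite", now))
```

Run it as-is to see both scenarios: the posted token carries aud = azp = the single app ID, so any API configured to expect a different (server) app ID rejects it outright, while the constructed post-fix token passes every claim check with no warnings. The same function is a useful place to start when a 401 appears after the expected audience or scope name in the API's configuration has been changed.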
