This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi.
We have a dotnet Aspnet WebAPI based API using .Net Framework 4.7.2 which we access using a ReactJs client Application.
We want to authenticate users logged in as an Azure AD user against our API.
Our question is as follows:
In the API we are using Auth 2.0 in the following manner (in startup):
private static void ConfigureAuth(IAppBuilder app)
{
var clientId = ConfigurationManager.AppSettings["ida:ClientId"];
var serviceScope = ConfigurationManager.AppSettings["ida:ServiceScope"];
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
{
AccessTokenFormat = new JwtFormat(
new TokenValidationParameters
{
ValidAudiences = new[] { clientId, serviceScope },
// Change below to 'true' if you want this Web API to accept tokens issued to one Azure AD tenant only (single-tenant)
// Note that this is a simplification for the quickstart here. You should validate the issuer. For details,
// see https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore
ValidateIssuer = false,
},
new OpenIdConnectSecurityKeyProvider("https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration")
),
});
}
In appsettings in the API we have the following:
<appSettings file="MyAppSettings.config">
<add key="ida:ClientId" value="<the client app id>" />
<add key="ida:ServiceScope" value="https://....onmicrosoft.com/Login/" />
In our react JS App whe have the following
import * as msal from '@azure/msal-browser';
const msalConfig = {
auth: {
clientId: '<the client app id>',
authority: 'https://login.microsoftonline.com/common',
},
We are able to log on to azure successfully and aquire a token
We then use this token as a bearer token to call an endpoint in our API using the NPM package @azure/msal-browser'
Our endpoint has the [Authenticate] attribute set.
await APIClient.saveAccessTokenInMemory({
access_token: tokenResponse.accessToken,
expires: tokenResponse.expiresOn,
});
var config = await this.getConfig(tokenResponse);
const response = await APIClient.getAD(<our API Endpoint>, config);
We get a 401 in return
Any clues to solve this issue would be greatly appreciated.
At the moment our best guess is that we have not set up the API and the Client correctly in Azure AD.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 65%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Your code seems correct but for some reason the API does not seem to like the bearer token it seems. can you try to check if your API is registered properly in the AAD instance as mentioned here. https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-expose-web-apis ?
I followed this recipy.
In the api app registration in expose an api, I allowed admins and users to consent to the scope(s)
In the client app registration in API permissions, I added these (scopes) as delegated permissions.
The heading: Admin Consent Required read: No
It seems to me that multitenant usage is impossible using reactjs and the msal browser against Active Directory.