Azure Active Directory Oauth 2.0 Client Credentials Flow with API Management Access Token issue

Question

Azure Active Directory Oauth 2.0 Client Credentials Flow with API Management Access Token issue

Karduan 1

Hi,
I have had been struggling to make my Azure Active Directory Oauth 2.0 Client Credentials Flow work with API Management. but I get authenticated via postman too. But in return I do not get any access token just a bunch of HTML. How can I fix this? The settings of the applications are exactly as per the documents including the validation of JWT Policy.

Please see this image.

Basically I want my client apps to connect with my azure API's using Oauth 2.o without any consent using provided client id/secret. I'm trying to set this up for now with ECHO API provided out of the box with API Management console.

thanks

Karduan 1 Reputation point

2021-08-19T15:28:28.153+00:00

I figured that the problem is the with the scope. As soon as I replace the my app's scope with https://graph.microsoft.com/.default . Everything seems to be working fine. Why Can't I use the scopes I'm defining to get authenticated. with my Custom Scope I get errors

Error: AADSTS500011: The resource principal named api://<id>/app_permissions_allow was not found in the tenant named <ad-id>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong.

This only happens when I use my scopes.

2 answers

Your answer

Karduan 1 Reputation point

2021-08-19T15:28:28.153+00:00

I figured that the problem is the with the scope. As soon as I replace the my app's scope with https://graph.microsoft.com/.default . Everything seems to be working fine. Why Can't I use the scopes I'm defining to get authenticated. with my Custom Scope I get errors

Error: AADSTS500011: The resource principal named api://<id>/app_permissions_allow was not found in the tenant named <ad-id>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong.

This only happens when I use my scopes.

Answer 1

Dear @sikumars-msft,
Thanks for your kind reply. I had kept struggling and found the way out to make it work. To my surprise, the API management API's with Azure Ad Oauth 2.0 Client Credentials flow worked only with version 1 of the AD not too. Below are the two URL's I used with all older values and scopes and it started working.

OAuth 2.0 token endpoint (v1)
https://login.microsoftonline.com/<my-tenant-id>/oauth2/token

OAuth 2.0 authorization endpoint (v1)
https://login.microsoftonline.com/<my-tenant-id>/oauth2/authorize

I saw videos where version two with the same was working for all but not for me. Can this be due to my Free Azure Account with Developer Access?

But for now, I have another issue poped Up here. I'm now unable to use the validate-jwt policy. This does not work and is always returning

401, Unauthorized. Access token is missing or invalid.

Here are both of my policies version one and two

Version 1

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
    <openid-config url="https://login.microsoftonline.com/<TenantID>/.well-known/openid-configuration" />
    <audiences>
        <audience>{Backend-App-ID}</audience>
    </audiences>
    <required-claims>
        <claim name="id" match="all">
            <value>insert claim here</value>
        </claim>
    </required-claims>
</validate-jwt>

Version 2

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <openid-config url="https://login.microsoftonline.com/<TenantID>/v2.0/.well-known/openid-configuration" />
            <required-claims>
                <claim name="aud">
                    <value>{Backend-App-ID}</value>
                </claim>
            </required-claims>
        </validate-jwt>

Kindly guide me on this. How can I add policies or fix make version 2 useable? I read on Stackoverflow that Azure AD V2 is not compatible with API Management. But the answer was of 2019.

Thanks,

Answer 2

Thanks for reaching out.

To use application permissions with your own API (as opposed to Microsoft Graph), you must first expose the API by defining scopes in the API's app registration in the Azure portal. Then, configure access to the API by selecting those permissions in your client application's app registration. If you haven't exposed any scopes in your API's app registration, you won't be able to specify application permissions to that API in your client application's app registration in the Azure portal.

For an example, if I sent scope parameter with custom name like https://testwebapp.in/.default without configuring same as application ID URI in Azure AD then is an expected behavior and you get error AADSTS500011.

scope parameter in the request should be the resource identifier (application ID URI) of the resource you want, affixed with the .default suffix. For the Microsoft Graph example, the value is https://graph.microsoft.com/.default. This value tells the Microsoft identity platform that of all the direct application permissions you have configured for your app, the endpoint should issue a token for the ones associated with the resource you want to use.

Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#application-permissions

Hope this helps

------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Share via

Azure Active Directory Oauth 2.0 Client Credentials Flow with API Management Access Token issue

2 answers

Your answer