How do you debug an API calling another API using your Visual Studio account?

Alexandre 346 Reputation points

I have an API in ASP.NET Core "ExposingAPI" with a corresponding App Registration in Azure AD that exposes an API with an app role named "AppAndDev" that can be assigned to apps and users.

I have another API in ASP.NET Core "ConsumingAPI" whose managed identity has been assigned the "AppAndDev" app role of the "ExposingAPI". "ConsumingAPI" retrieves tokens from Azure AD and sends HTTP requests to "ExposingAPI". It works fine on Azure where "ConsumingAPI" and "ExposingAPI" are deployed in App Services.

What I want is to be able to debug "ConsumingAPI" locally, that is to say, to be able to query "ExposingAPI" from the "ConsumingAPI" code running in Visual Studio on my machine:

  • as I am on my machine, it can't work with the Managed Identity of "ConsumingAPI".
  • I want the code to be exactly the same when running on Azure in the "ConsumingAPI" App Service.
  • I could create an app registration, assign it the "AppAndDev" app role and use its client credentials locally, but I do not want to use secrets.
  • what I would need is to query "ExposingAPI" using the identity of my Azure AD account logged in to Visual Studio, to which I would have assigned the "AppAndDev" app role.

To do that I used the following code:

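    // Needs: using Azure.Core; using Azure.Identity; using System.Net.Http; using System.Net.Http.Headers;
    // Ask the DefaultAzureCredential chain for a token scoped to the "ExposingAPI" app registration.
    var credentials = new DefaultAzureCredential(new DefaultAzureCredentialOptions());
    var token = await credentials.GetTokenAsync(new TokenRequestContext(new string[] { "xxxxxxxx-xxxx-xxxx-xxxx/.default" }, tenantId: "xxxx-xxxx-xxxx-xxx"));
    // Send the access token as a Bearer token to "ExposingAPI".
    var httpClient = new HttpClient();
    httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);
    var route = $"{_configuration.GetValue<string>("ApiUrl")}/weatherforecast/";
    var response = await httpClient.GetAsync(route);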

This code uses DefaultAzureCredential from Azure.Identity, which is also used in the Azure SDKs so that the same code can interact with Azure resources both when it is running in Azure (with a managed identity, for instance) and locally (with Visual Studio, for instance). In that case it works fine in Azure, but locally I get the following error:

DefaultAzureCredential failed to retrieve a token from the included credentials.

  • EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
  • ManagedIdentityCredential authentication unavailable. No Managed Identity endpoint found.
  • Process "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\Common7\IDE\Extensions\rahssdlq.j5o\TokenService\Microsoft.Asal.TokenService.exe" has failed with unexpected error: TS003: Error, TS004: Unable to get access token. 'AADSTS65001: The user or administrator has not consented to use the application with ID '872cd9fa-d31f-45e0-9eab-6e460a02d1f1' named 'Visual Studio'. Send an interactive authorization request for this user and resource.
    Trace ID: 05acf58c-9819-4595-a057-dbfb4f9bae00
    Correlation ID: 14271132-fa1e-4e03-9996-1e3fd933798d
    Timestamp: 2021-08-24 08:21:51Z'.
  • VisualStudioCodeCredential authentication unavailable. Token acquisition failed. Ensure that you have authenticated in VSCode Azure Account.
  • Please run 'az login' to set up account

The problem seems to come from this: "The user or administrator has not consented to use the application with ID '872cd9fa-d31f-45e0-9eab-6e460a02d1f1' named 'Visual Studio'." But I do not understand what it means and what I have to do to make it work.

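Added example, not part of the original post: to see which source in the DefaultAzureCredential chain fails and why, each credential type named in the error output can be asked for the same token individually. It assumes the Azure.Identity package and reuses the question's placeholder scope and tenant ID; the class and method names are hypothetical.

```csharp
// Added diagnostic example; scope and tenant ID are the question's placeholders.
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class CredentialProbe
{
    // The credential types named in the error output, tried one at a time.
    private static readonly (string Name, Func<TokenCredential> Create)[] Sources =
    {
        ("EnvironmentCredential",      () => new EnvironmentCredential()),
        ("ManagedIdentityCredential",  () => new ManagedIdentityCredential()),
        ("VisualStudioCredential",     () => new VisualStudioCredential()),
        ("VisualStudioCodeCredential", () => new VisualStudioCodeCredential()),
        ("AzureCliCredential",         () => new AzureCliCredential()),
    };

    // Returns the name of the first source that yields a token, or null if none does.
    public static async Task<string?> FindWorkingSourceAsync(string scope, string tenantId)
    {
        var request = new TokenRequestContext(new[] { scope }, tenantId: tenantId);
        foreach (var (name, create) in Sources)
        {
            try
            {
                AccessToken token = await create().GetTokenAsync(request, default);
                // Never log the token itself; its expiry is enough for diagnosis.
                Console.WriteLine($"{name}: OK, expires {token.ExpiresOn:u}");
                return name;
            }
            catch (CredentialUnavailableException ex)
            {
                // This source is not usable in the current environment.
                Console.WriteLine($"{name}: unavailable - {ex.Message}");
            }
            catch (AuthenticationFailedException ex)
            {
                // This source was attempted but token acquisition failed.
                Console.WriteLine($"{name}: failed - {ex.Message}");
            }
        }
        return null;
    }

    public static async Task Main()
    {
        var working = await FindWorkingSourceAsync(
            "xxxxxxxx-xxxx-xxxx-xxxx/.default", "xxxx-xxxx-xxxx-xxx");
        Console.WriteLine(working ?? "No credential source produced a token.");
    }
}
```

Running it once locally and once in the App Service shows which source each environment actually uses, with the per-source message kept separate instead of merged into one aggregate error.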