Configure AzureAD for Auth Code grant to generate token from SwaggerUI

Pinkesh Dashrathbhai Patel 26 Reputation points
2022-06-21T13:59:59.167+00:00

I am trying to add Authorization Code support on SwaggerUI to generate token from AzureAD for my client app.

I have below setup on Azure,

  • API App
  • Swagger Client App

API App has scopes exposed (delegated permissions) and same is added/granted to Swagger Client App.

Swagger client app has configured with Swagger Redirect Uri in Web.

213474-image.png

While trying to generate the token from SwaggerUI, getting below error.

Note-1: I am able to generate the token from Postman for the same client. In case of postman, added Redirect URI under Web. For swagger, tried both Web and SPA but getting different error in both cases.

Note-2: If I use Swagger redirect URI under SPA and if I don't pass secret then able to authenticate but I want users to pass secret while accessing endpoint from swagger.

Is it limitation with Azure Ad?

Trace ID: 34db8191-6a86-4d23-a3a5-172e2d149200 Correlation ID: 516346a1-52d4-4c54-8332-f9634937730d Timestamp: 2022-06-21 13:57:06Z

213453-image.png

Below is my code snippet from .Net Core App for auth code grant flow.

Program.cs

builder.Services
.AddTransient<IConfigureOptions<SwaggerGenOptions>, ConfigureSwaggerGenOptions>()
.AddSwaggerGen();

var app = builder.Build();

app.UseSwagger();  
app.UseSwaggerUI(setup =>  
{  
    setup.SwaggerEndpoint($"/swagger/v1/swagger.json", "Version 1.0");  
    setup.OAuthClientId("<<Client Id>>");  
    setup.OAuthClientSecret("<<Client Secret>>");  
    setup.OAuthAppName("MyAPI");  
    setup.OAuthScopeSeparator(" ");  
});  

ConfigureSwaggerGenOptions.cs

public class ConfigureSwaggerGenOptions : IConfigureOptions<SwaggerGenOptions>
{

public void Configure(SwaggerGenOptions options)  
{  

    options.AddSecurityDefinition("OAuth2", new OpenApiSecurityScheme  
    {  

        Type = SecuritySchemeType.OAuth2,  

        Flows = new OpenApiOAuthFlows  
        {  
            AuthorizationCode = new OpenApiOAuthFlow  
            {  
                AuthorizationUrl = new Uri("https://login.microsoftonline.com/<<TenantId>>/oauth2/v2.0/authorize"),  
                TokenUrl = new Uri("https://login.microsoftonline.com/<<TenantId>>/oauth2/v2.0/token"),  
                Scopes = new Dictionary<string, string>  
                {  
                    { "api://<<HostAPI_Id>>/.default" , "All Scopes" }  
                },  
            }  
        }  
    });  

    options.AddSecurityRequirement(new OpenApiSecurityRequirement()  
    {  
        {  
            new OpenApiSecurityScheme {  
                Reference = new OpenApiReference {  
                        Type = ReferenceType.SecurityScheme,  
                            Id = "oauth2"  
                    },  
                    Scheme = "oauth2",  
                    Name = "oauth2",  
                    In = ParameterLocation.Header  
            },  
            new List < string > ()  
        }  
    });  
}  

}

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,633 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,382 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. 2022-06-21T22:16:54.363+00:00

    Hello @Pinkesh Dashrathbhai Patel , the AADSTS501481 error is cause the /token post_verifier param value not matching the /authorize code_challenge param value.

    This is not an Azure AD limitation but an error coming from the calling client. Immediate recommendation is to do a fiddler trace to see what the values are being generated and ensuring none of them is not being cached.

    Azure AD App Registration Redirect URL must follow the actual application type: SPA or Web App.

    In case it is a Web App and as a temporary workaround you might enable Authorization Grant without PKCE. Configuration should be similar to this:

       components:  
         schemas: {}  
         securitySchemes:  
           accessCode:  
             type: oauth2  
             flows:  
               authorizationCode:  
                 authorizationUrl: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize'  
                 tokenUrl: 'https://login.microsoftonline.com/common/oauth2/v2.0/token'  
                 scopes:  
                   'api://<READ SCOPE RESOURCE ID>/read': allows reading resources  
    

    Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.