Configure AzureAD for Auth Code grant to generate token from SwaggerUI

asked 2022-06-21T13:59:59.167+00:00
Pinkesh Dashrathbhai Patel 26 Reputation points

I am trying to add Authorization Code support to SwaggerUI to generate a token from AzureAD for my client app.

I have the below setup on Azure:

  • API App
  • Swagger Client App

The API App has scopes exposed (delegated permissions), and the same are added/granted to the Swagger Client App.

The Swagger Client App is configured with the Swagger redirect URI under Web.


While trying to generate the token from SwaggerUI, I get the below error.

Note-1: I am able to generate the token from Postman for the same client. In the case of Postman, I added the redirect URI under Web. For Swagger, I tried both Web and SPA but get a different error in each case.

Note-2: If I put the Swagger redirect URI under SPA and don't pass the secret, I am able to authenticate, but I want users to pass the secret while accessing endpoints from Swagger.

Is this a limitation of Azure AD?

Trace ID: 34db8191-6a86-4d23-a3a5-172e2d149200 Correlation ID: 516346a1-52d4-4c54-8332-f9634937730d Timestamp: 2022-06-21 13:57:06Z


Below is my code snippet from the .NET Core app for the auth code grant flow.

Program.cs

using Microsoft.Extensions.Options;
using Swashbuckle.AspNetCore.SwaggerGen;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddTransient<IConfigureOptions<SwaggerGenOptions>, ConfigureSwaggerGenOptions>()
    .AddSwaggerGen();

var app = builder.Build();

app.UseSwagger();
app.UseSwaggerUI(setup =>
{
    setup.SwaggerEndpoint("/swagger/v1/swagger.json", "Version 1.0");
    setup.OAuthClientId("<<Client Id>>");
    // Anything set here is embedded in the Swagger UI page and served to every browser that loads it.
    setup.OAuthClientSecret("<<Client Secret>>");
    setup.OAuthAppName("MyAPI");
    setup.OAuthScopeSeparator(" ");
});

app.Run();

ConfigureSwaggerGenOptions.cs

using Microsoft.Extensions.Options;
using Microsoft.OpenApi.Models;
using Swashbuckle.AspNetCore.SwaggerGen;

public class ConfigureSwaggerGenOptions : IConfigureOptions<SwaggerGenOptions>
{
    // The security definition and the security requirement must use the same
    // (case-sensitive) scheme id, otherwise Swagger UI cannot link the two.
    private const string SchemeId = "oauth2";

    public void Configure(SwaggerGenOptions options)
    {
        options.AddSecurityDefinition(SchemeId, new OpenApiSecurityScheme
        {
            Type = SecuritySchemeType.OAuth2,
            Flows = new OpenApiOAuthFlows
            {
                AuthorizationCode = new OpenApiOAuthFlow
                {
                    AuthorizationUrl = new Uri("https://login.microsoftonline.com/<<TenantId>>/oauth2/v2.0/authorize"),
                    TokenUrl = new Uri("https://login.microsoftonline.com/<<TenantId>>/oauth2/v2.0/token"),
                    Scopes = new Dictionary<string, string>
                    {
                        { "api://<<HostAPI_Id>>/.default", "All Scopes" }
                    },
                }
            }
        });

        options.AddSecurityRequirement(new OpenApiSecurityRequirement
        {
            {
                new OpenApiSecurityScheme
                {
                    Reference = new OpenApiReference
                    {
                        Type = ReferenceType.SecurityScheme,
                        Id = SchemeId
                    },
                    Scheme = SchemeId,
                    Name = SchemeId,
                    In = ParameterLocation.Header
                },
                new List<string>()
            }
        });
    }
}

Azure Active Directory
Azure Active Directory External Identities

1 answer

  1. answered 2022-06-21T22:16:54.363+00:00
    Alfredo Revilla (MSFT) 15,561 Reputation points Microsoft Employee

    Hello @Pinkesh Dashrathbhai Patel , the AADSTS501481 error is caused by the /token code_verifier param value not matching the /authorize code_challenge param value.

    This is not an Azure AD limitation but an error coming from the calling client. The immediate recommendation is to do a Fiddler trace to see what values are being generated and to ensure none of them is being cached.

    Azure AD App Registration Redirect URL must follow the actual application type: SPA or Web App.

    If it is a Web App, as a temporary workaround you might enable the Authorization Code grant without PKCE. The configuration should be similar to this:

       components:  
         schemas: {}  
         securitySchemes:  
           accessCode:  
             type: oauth2  
             flows:  
               authorizationCode:  
                 authorizationUrl: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize'  
                 tokenUrl: 'https://login.microsoftonline.com/common/oauth2/v2.0/token'  
                 scopes:  
                   'api://<READ SCOPE RESOURCE ID>/read': allows reading resources  
    

    Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.
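The answer above attributes AADSTS501481 to the PKCE verifier sent to /token not hashing to the challenge sent to /authorize. The following is an added example (not code from the question, the answer, or Swashbuckle) that walks through both halves of that exchange: the client generates the verifier/challenge pair and builds the two requests, and a local model of the /token endpoint performs the S256 comparison Azure AD does, returning the error string when a stale or regenerated verifier is presented. The tenant, client id, API id and redirect URI are placeholders, and the "server" never contacts login.microsoftonline.com.

```python
"""Added example (not code from the original post): the PKCE exchange a Swagger UI
client performs against Azure AD v2.0, plus a local model of the check /token runs
that yields AADSTS501481 when the verifier does not hash to the challenge.
Tenant, client id, API id and redirect URI are placeholders."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlencode

TENANT = "00000000-0000-0000-0000-000000000000"     # placeholder tenant id
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder Swagger client app id
API_ID = "22222222-2222-2222-2222-222222222222"     # placeholder API app id
REDIRECT_URI = "https://localhost:5001/swagger/oauth2-redirect.html"  # Swashbuckle's redirect page
SCOPE = f"api://{API_ID}/.default"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0"


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes encode to 43 unreserved characters (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize_url(challenge: str, state: str) -> str:
    """The /authorize URL the browser is sent to; it carries the challenge, never the verifier."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def token_request(code: str, verifier: str) -> dict:
    """Form body POSTed to /token. A browser-hosted Swagger UI is a public client,
    so the request carries the verifier and no client_secret."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }


class TokenEndpointModel:
    """Local stand-in for the PKCE part of Azure AD's /token; it never touches the network."""

    def __init__(self) -> None:
        self._codes = {}  # authorization code -> code_challenge stored at /authorize time

    def issue_code(self, challenge: str) -> str:
        """What /authorize does after sign-in: bind a one-time code to the challenge."""
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = challenge
        return code

    def redeem(self, body: dict) -> str:
        stored = self._codes.pop(body.get("code"), None)
        if stored is None:
            return "invalid_grant"  # unknown or already-redeemed code
        presented = make_code_challenge(body.get("code_verifier", ""))
        if not hmac.compare_digest(presented, stored):
            return "AADSTS501481"  # verifier does not match the challenge sent to /authorize
        return "ok"


def run_flow(verifier_sent_to_token: Optional[str] = None) -> str:
    """One authorization-code exchange, client and server halves. By default the client
    redeems with the verifier behind the challenge it authorized with; pass a different
    verifier (e.g. one cached from an earlier attempt) to reproduce the error."""
    server = TokenEndpointModel()
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    url = authorize_url(challenge, state=b64url(secrets.token_bytes(16)))
    code = server.issue_code(challenge)  # user signs in at `url`; AAD redirects back with ?code=
    body = token_request(code, verifier_sent_to_token or verifier)
    return server.redeem(body)


if __name__ == "__main__":
    print("fresh verifier:", run_flow())
    print("stale verifier:", run_flow(verifier_sent_to_token=make_code_verifier()))
```

When tracing a real Swagger UI session as the answer suggests, the value to compare is the `code_challenge` query parameter on the /authorize redirect against SHA-256 of the `code_verifier` form field in the /token POST; any difference between the two requests (a verifier left over from a previous attempt, a page reload between them) produces exactly the mismatch modelled here. Swashbuckle's `UseSwaggerUI` options include `OAuthUsePkce()` to turn the challenge on for the authorization-code flow, and a browser-hosted client that uses PKCE has no need for `OAuthClientSecret`.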