I've got a website hosted on HostGator, let's say its domain is https://example.com.
I also have an application hosted on Azure, with Active Direc
Remove the trailing slash from Allowed Token Audiences, e.g.:
https://example.com
http://example.com
..or was it the other way around.. hmm..
A 401 Unauthorized when everything looks right is usually a trailing slash in the audience. Sometimes you need one, sometimes you don't. It should match whatever you or your middleware define as valid audience in the app code. You can also use the app GUID (Application ID) as audience.
Also, you seem to have graph.windows.net as resource, is that intentional?
You should really open that token and check the contents. The audience must match your API's URL.
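An added diagnostic for the "open the token and check the audience" step above (example code, not from this thread): it decodes the JWT payload without verifying the signature and reports whether the aud claim matches the allowed audiences exactly or differs only by a trailing slash. The sample token is constructed inline and the tenant/app id values are placeholders.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying the signature.
    Inspection only: the API middleware must still validate the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def check_audience(token: str, allowed: list) -> dict:
    claims = decode_claims(token)
    aud = claims.get("aud", [])
    # RFC 7519 allows 'aud' to be a single string or an array of strings
    auds = [aud] if isinstance(aud, str) else list(aud)
    if any(a in allowed for a in auds):
        return {"ok": True, "aud": auds, "reason": "audience matches"}
    # Exact match failed: see whether only a trailing slash separates them
    norm_allowed = {a.rstrip("/") for a in allowed}
    if any(a.rstrip("/") in norm_allowed for a in auds):
        return {"ok": False, "aud": auds, "reason": "trailing-slash mismatch"}
    return {"ok": False, "aud": auds, "reason": "audience not in allowed list"}


def make_unsigned_token(claims: dict) -> str:
    # Constructed sample token for the demo; the signature segment is a placeholder
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder"


# Constructed: an AAD-style token whose audience carries a trailing slash
SAMPLE = make_unsigned_token({
    "aud": "https://example.com/",
    "iss": "https://sts.windows.net/<tenant-id>/",
    "appid": "<caller-app-id>",
})

if __name__ == "__main__":
    print(check_audience(SAMPLE, ["https://example.com"]))
```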
This to me doesn't feel like the right way to authenticate machine2machine calls. You should probably just use TLS mutual authentication or simply send a hard coded secret over HTTPS in a header (yes, just like a Bearer token, but without the trust chain). On the API side, store it in App Settings and pick it up in your code from the associated environment variable. Use the same App Settings mechanism in the calling app code.
You could rotate this secret using a Function App that changes the App Setting every X days (PowerShell Function Apps have the Resource Management cmdlets available so you could use an SPN to login (Add-AzureRmAccount) and then call Set-AzureRmWebApp -AppSettings [...]).
Alternatively, you can store the secret in Azure Key Vault, and while a great service it borders on overengineering for your use case.