I have an API app secured with Azure AD (AAD). I also have an AAD application for a consuming application, and in the consuming application I have set up permissions to acc
I figured out the issue after figuring out how to turn on detailed logging and poring through them.
Documentation on MSDN says to pass "resource" as the App ID Uri. But you actually need to pass the Client ID as the value for "resource." Once I changed that, everything worked perfectly.
I found this in a txt file in LogFiles\Application.
2016-07-12T15:48:39 PID[8584] Warning JWT validation failed: IDX10214: Audience validation failed. Audiences: 'https://<removed>.azurewebsites.net'. Did not match: validationParameters.ValidAudience: '0b61abb8-59...7-6046c22f9c92' or validationParameters.ValidAudiences: 'null'.
Incorrect documentation I was looking at:
https://msdn.microsoft.com/en-us/library/partnercenter/dn974935.aspx
https://msdn.microsoft.com/en-us/library/azure/dn645543.aspx (this was the biggest offender as it does exactly what I want to do with incorrect information)
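As an added example (not code from the question or either answer), one way to stop the IDX10214 mismatch on the API side is to let the OWIN bearer middleware accept a token whose aud claim is either the App ID URI or the Client ID; the ida:AppIdUri and ida:ClientId setting names are assumed, and the middleware's TokenValidationParameters property is used in place of Audience:

```csharp
using System.Configuration;
using System.IdentityModel.Tokens;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Both identifiers of the API's AAD app registration. The setting names are
        // assumed; fill them from web.config with the values shown in your AAD portal.
        var appIdUri = ConfigurationManager.AppSettings["ida:AppIdUri"]; // e.g. https://<yourapi>.azurewebsites.net
        var clientId = ConfigurationManager.AppSettings["ida:ClientId"]; // the GUID the log line expected

        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Audience validation stays on; a token is accepted only if its
                    // 'aud' claim equals one of these two values. A caller that asked
                    // for resource=<App ID URI> and one that asked for resource=<Client ID>
                    // both pass, and any other audience is still rejected with IDX10214.
                    ValidateAudience = true,
                    ValidAudiences = new[] { appIdUri, clientId },
                },
            });
    }
}
```

Keep both values exact (scheme, host and trailing slash included), since the comparison is a string match against the aud claim.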
Are you using "UseWindowsAzureActiveDirectoryBearerAuthentication"? In the Web API you should use it; add it in the Startup config, as follows:

    // Bearer-token middleware for the API; Audience and Tenant come from web.config
    app.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            Audience = ConfigurationManager.AppSettings["ida:Audience"],
            Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
        });

Hope this works for you. Regards!