Daemon Apps and Scopes

Question

So, I am trying to do see if I can support a scenario where a C# daemon app can access a custom Web API protected with MSAL.NET and OAuth2 scopes. As of now, I see no way of doing this.

The versions of the libraries and toolsets are:

.NET Core 2.2 Microsoft.Identity.Client 4.1.0

The client is

var app = ConfidentialClientApplicationBuilder.Create("<client app id>")
                .WithClientSecret("<client_secret>")
                .WithAuthority("https://login.microsoftonline.com/<tenant_id_that_hosts_the_web_api>")
                .Build();

and then to acquire token

await app.AcquireTokenForClient(new string[] { "api://<app_id_of_the_web_api>/.default" });

At this point, I do get the token back with which I call my custom Web API end point protected using MSAL and an Azure App with the above mentioned App ID. This doesn't work since I have a policy based authorization on the end point, expecting a specific custom scope defined in the Azure AD app.

The question is, how do I configure the client and Azure AD so I will get the specific scopes passed in as claims for the Web API?

Answer 1

You need to register two applications, one for daemon app(client app), one for web api(backend app).

Click the web api app->Expose an API.

Click the daemon app->API permissions->Add a permission->My APIs->choose web api app->select the permissions.

Then the client

var app = ConfidentialClientApplicationBuilder.Create("<client app id>")
                .WithClientSecret("<client app client_secret>")
                .WithAuthority("https://login.microsoftonline.com/<tenant_id>")
                .Build();

The scope:

await app.AcquireTokenForClient(new string[] { "api://<app_id_of_the_web_api>/read" });

Refer to this sample. You can think of your web api as Microsoft Graph API.