Understanding Microsoft Azure AD On-Behalf-Of (OBO) flow

FE ->(token_a) Middleman ->(token_b) DownstreamServiceA

My understanding is that, for the Middleman to make API calls to DownstreamServiceA, it needs to exchange token_a for token_b. I tried to simulate this behaviour in Postman, but I am unable to exchange token_a for token_b. I get the following error:

AADSTS65001: The user or administrator has not consented to use the application with ID '{my-middleman-clientid}'

On the Azure Portal, I have configured the FE API permissions to have access to the exposed API scopes of DownstreamServiceA & Middleman, and granted admin consent on behalf of my organisation's users for those too.

Getting token_a

POST to https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type: password
client_secret: foobar
client_id: my-fe-clientid
username: awesome
password: bar
scope: api://{MiddlemanId}/Middleman.All

Exchange for token_b

POST to https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
client_id: my-middleman-clientid
client_secret: foobar
scope: api://{DownstreamServiceAId}/ServiceA.all
assertion: {token_a}
requested_token_use: on_behalf_of

May I know what I am doing wrong? My understanding is that my FE needs to request and be granted permission for the DownstreamServiceA scope upfront, which I did with an admin grant on the Azure Portal.

Gavin asked Oct 18 '25 06:10


1 Answer

It seems you have granted FE access to Middleman, and you've granted FE access to DownstreamServiceA, but you may not have granted Middleman access to DownstreamServiceA.

There are a few ways you can do this, as described in Granting consent for the middle-tier application:

  • In Middleman, declare FE as a "known client application" (knownClientApplications in the manifest/Application object) and trigger "combined" consent by requesting scope=openid api://{MiddlemanId}/.default at FE. The consent prompt will include all the permissions both FE and Middleman require, and the grants recorded will be correctly set for FE to Middleman and Middleman to DownstreamServiceA, as needed.
  • In DownstreamServiceA, declare Middleman as a "preauthorized" application (App registrations > Expose an API > Authorized client applications). The consent prompt for FE will not include any of the Middleman to DownstreamServiceA permissions, which will be considered already granted.
  • At Middleman, manually grant consent for the required permissions. This is sometimes the simplest approach, if you are an admin of the tenant. (E.g. App registrations > API permissions > Grant admin consent)
Philippe Signoret answered Oct 21 '25 23:10
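The two pieces the thread leaves implicit are what the middle tier should check on token_a before it even attempts the exchange, and how to turn the AADSTS65001 response into the consent fix described in the answer. The following is an added example (not code from the question, the answer, or Microsoft) that builds the OBO form body from the question's second POST, runs pre-flight checks on the inbound token's aud and scp claims, and maps the error to the three remedies listed above. It runs offline: token_a is a constructed, unsigned stand-in, the tenant id, client ids and scope strings are the placeholders from the question, and nothing is sent to login.microsoftonline.com.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Constructed, UNSIGNED stand-in for token_a so the example runs offline.
    The third segment is a dummy; real Azure AD access tokens are RS256-signed."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     "dummy-signature"])


def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT. The signature is NOT verified here;
    a real middle tier validates it against the tenant's JWKS before trusting
    any claim, and only then decides whether to perform the OBO exchange."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_inbound_token(token_a: str, middleman_client_id: str, required_scope: str) -> list:
    """Pre-flight checks before attempting OBO: token_a must have been issued
    *for* Middleman (aud) and must carry the delegated scope (scp) the FE was
    supposed to request. Returns a list of problems; empty means OK."""
    claims = jwt_claims(token_a)
    problems = []
    aud = claims.get("aud")
    # Azure AD emits either the bare client id or the api:// URI as aud
    if aud not in (middleman_client_id, f"api://{middleman_client_id}"):
        problems.append(f"aud={aud!r}: token was not issued for Middleman")
    scopes = claims.get("scp", "").split()
    if required_scope not in scopes:
        problems.append(f"scp={scopes}: missing delegated scope {required_scope!r}")
    return problems


def build_obo_request(tenant_id: str, middleman_client_id: str, middleman_secret: str,
                      token_a: str, downstream_scope: str):
    """URL, headers and form body for the OBO exchange (the second POST in the
    question). token_a travels as the JWT-bearer assertion."""
    form = {
        "grant_type": JWT_BEARER,
        "client_id": middleman_client_id,
        "client_secret": middleman_secret,
        "assertion": token_a,
        "scope": downstream_scope,
        "requested_token_use": "on_behalf_of",
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT.format(tenant_id=tenant_id), headers, urlencode(form)


def explain_token_error(error_body: dict) -> str:
    """Map the token endpoint's error JSON to the remedy from the answer above."""
    desc = error_body.get("error_description", "")
    if "AADSTS65001" in desc:
        return ("consent missing for the Middleman -> DownstreamServiceA hop: "
                "declare FE in Middleman's knownClientApplications and use combined consent, "
                "preauthorize Middleman on DownstreamServiceA, "
                "or grant admin consent on Middleman's API permissions")
    return f"unhandled token error: {error_body.get('error', '?')}"


if __name__ == "__main__":
    # Constructed sample: what a correct token_a for Middleman looks like
    token_a = make_sample_token({"aud": "my-middleman-clientid", "scp": "Middleman.All"})
    print("pre-flight problems:", check_inbound_token(token_a, "my-middleman-clientid", "Middleman.All"))
    url, headers, body = build_obo_request("{tenant_id}", "my-middleman-clientid", "foobar",
                                           token_a, "api://{DownstreamServiceAId}/ServiceA.all")
    print("POST", url, headers, body[:60] + "...")
    print(explain_token_error({"error": "invalid_grant",
                               "error_description": "AADSTS65001: The user or administrator has not consented ..."}))
```

A token whose aud is the FE's own client id (for example one the FE obtained for itself rather than for api://{MiddlemanId}) fails the first check, which is a different problem from the consent error in the question and is worth telling apart before touching the portal.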