I have gone ahead and followed the tutorial to which you referred: Call an Azure API app from a web app client authenticated by Azure Active Directory
- Create an Azure API Api that returns contact data
- Deploy the API App to Azure App Service.
- Secure the API App using Azure Active Directory.
Then I was able to retrieve the token, and as you can see from the following demo, my code is no different than your code, except that it using a later version of the using Microsoft.IdentityModel.Clients.ActiveDirectory
libraries that use Async
.
Get access token from AAD
class Program
{
static void Main(string[] args)
{
var authContext = new AuthenticationContext(Constants.AUTHORITY);
var credential =
new ClientCredential(Constants.CLIENT_ID, Constants.CLIENT_SECRET);
var result = (AuthenticationResult)authContext
.AcquireTokenAsync(Constants.API_ID_URL, credential)
.Result;
var token = result.AccessToken;
Console.WriteLine(token.ToString());
Console.ReadLine();
}
}
Constants
AUTHORITY
. The first segment of this is https://login.microsoftonline.com. The final segment is an allowed tenant. We set the allowed tenant at portal.azure.com, going to the Gateway for our application, and choosing Settings > Identity > Azure Active Directory > Allowed Tenants. My tenant is bigfontoutlook.onmicrosoft.com.
CLIENT_ID
. We retrieve this client id from the application that we added to Azure Active Directory. Find this at manage.windowsazure.com > Active Directory > Your Directory > APPLICATIONS > Your Application > CONFIGURE. Once we have retrieved it, we must add it to our Gateway's Azure Active Directory settings in the Client ID field.
CLIENT_SECRET
. We create/retrieve this in the same location that we retrieve our client id.
API_ID_URL
. We retrieve this within the Gateway blade for our Web API App by choosing Settings > Identity > Azure Active Directory > App URL.
Here are the ones that work for me.
class Constants
{
public const string AUTHORITY =
"https://login.microsoftonline.com/bigfontoutlook.onmicrosoft.com/";
public const string CLIENT_ID =
"0d7dce06-c3e3-441f-89a7-f828e210ff6d";
public const string CLIENT_SECRET =
"AtRMr+Rijrgod4b9Q34i/UILldyJ2VO6n2jswkcVNDs=";
public const string API_ID_URL =
"https://mvp201514929cfaaf694.azurewebsites.net/login/aad";
}
Final decoded JWT
This is what the decoded JWT access token contains.
{
typ: "JWT",
alg: "RS256",
x5t: "MnC_VZcATfM5pOYiJHMba9goEKY",
kid: "MnC_VZcATfM5pOYiJHMba9goEKY"
}.
{
aud: "https://mvp201514929cfc350148cfa5c9b24a7daaf694.azurewebsites.net/login/aad",
iss: "https://sts.windows.net/0252f597-5d7e-4722-bafa-0b26f37dc14f/",
iat: 1442346927,
nbf: 1442346927,
exp: 1442350827,
ver: "1.0",
tid: "0252f597-5d7e-4722-bafa-0b26f37dc14f",
oid: "5a6f33eb-b622-4996-8a6a-600dce355389",
sub: "5a6f33eb-b622-4996-8a6a-600dce355389",
idp: "https://sts.windows.net/0252f597-5d7e-4722-bafa-0b26f37dc14f/",
appid: "0d7dce06-c3e3-441f-89a7-f828e210ff6d",
appidacr: "1"
}.
Note: It's a throwaway app in a throwaway active directory account with a throwaway resource group, so showing my security credentials is a non-issue.
Diagram just to be sure :)