Azure-Samples / active-directory-aspnetcore-webapp-openidconnect-v2

An ASP.NET Core Web App which lets users sign in (in your org, many orgs, orgs + personal accounts, sovereign clouds) and call Web APIs (including Microsoft Graph)
MIT License
1.38k stars 994 forks

“Authorization failed. AuthenticationScheme: AzureADJwtBearer was challenged” in ASP.NET Core Web API - 401 Unauthorized #327

Closed jokerlovescaptainmarvel closed 4 years ago

jokerlovescaptainmarvel commented 4 years ago

I'm trying to authenticate my web api using Azure AD.

I'm following this tutorial and I successfully authenticated using my Angular App.

The problem is, when I put the Authorize attribute in my controller, it gives me a 401 Unauthorized error in my Angular console and even in Postman.

As I view my web api log, it shows like this:

[screenshot of the web API log, taken 2020-03-19, not reproduced here]

Here's my Startup.cs

// usings needed by the two methods below (Startup.cs fragment)
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public void ConfigureServices(IServiceCollection services)
{
    // removed because this doesn't work either
    // services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
    //         .AddAzureADBearer(options => Configuration.Bind("AzureActiveDirectory", options));

    // Registers the JwtBearer scheme and binds Instance/TenantId/ClientId from the
    // "AzureActiveDirectory" section; the bound ClientId becomes the expected token audience.
    services.AddAuthentication(AzureADDefaults.JwtBearerAuthenticationScheme)
            .AddAzureADBearer(options => Configuration.Bind("AzureActiveDirectory", options));

    services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
    {
        // This is a Microsoft identity platform web API.
        options.Authority += "/v2.0";
    });
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseRouting();

    // Authentication must run before authorization in the pipeline.
    app.UseAuthentication();
    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });   // was missing the closing ");"
}

In my appsettings.json:

"AzureActiveDirectory": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "myorg.onmicrosoft.com",
    "TenantId": "241234-12ad-1234-1234-123412341234", // sample only
    "ClientId": "241234-12ad-1234-1234-123412341234" // sample only
},

Other info: I already saw this thread but it doesn't help fix my issue.

I look forward to someone's help.
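When the JwtBearer handler logs "was challenged" and answers 401, the token usually fails one of the handler's validation checks rather than the signature check: its audience is not the configured ClientId, it is a v1.0 token (issuer https://sts.windows.net/{tenant}/) while the Authority was given "/v2.0" appended, it has expired, or it is an ID token rather than an access token for this API. The script below is an added diagnostic, not code from this repository or from the issue's author. It decodes the payload of a captured bearer token without verifying the signature (the ASP.NET Core handler does that) and compares the claims with the same settings that appear in appsettings.json above. The tenant and client GUIDs, the tokens and the "AuthorityIsV2"/"ValidAudiences" keys are all constructed for the example; the issuer formats for v1.0 and v2.0 tokens are the real ones.

```python
"""Triage an Azure AD bearer token against an ASP.NET Core JwtBearer configuration.

Added example (not from the sample repo). Decodes the JWT payload WITHOUT
checking the signature and reports the claim mismatches that make the
JwtBearer handler reject the token with 401 "was challenged".
"""
import base64
import json
import time
from typing import List, Optional


def b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)          # restore stripped padding
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS. No signature check: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def expected_issuer(instance: str, tenant_id: str, v2: bool) -> str:
    """Issuer the handler expects after reading the OIDC metadata for its Authority."""
    if v2:   # Authority = Instance + TenantId + "/v2.0"
        return f"{instance.rstrip('/')}/{tenant_id}/v2.0"
    return f"https://sts.windows.net/{tenant_id}/"   # v1.0 endpoint issuer


def triage(token: str, config: dict, now: Optional[int] = None) -> List[str]:
    """Return a list of findings (empty means the claims match the configuration)."""
    now = int(time.time()) if now is None else now
    claims = jwt_claims(token)
    findings: List[str] = []

    authority_v2 = config.get("AuthorityIsV2", True)   # assumption: mirrors options.Authority += "/v2.0"
    want_iss = expected_issuer(config["Instance"], config["TenantId"], authority_v2)
    iss = claims.get("iss")
    if iss != want_iss:
        other = expected_issuer(config["Instance"], config["TenantId"], not authority_v2)
        if iss == other:
            findings.append(f"issuer: token is a v{'1.0' if authority_v2 else '2.0'} token ({iss}) "
                            f"but the handler's Authority expects {want_iss}; request the token from "
                            f"the matching endpoint or change accessTokenAcceptedVersion on the API app")
        else:
            findings.append(f"issuer: {iss!r} does not match expected {want_iss!r}")

    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    valid = config.get("ValidAudiences") or [config["ClientId"]]   # AddAzureADBearer sets Audience = ClientId
    if not any(a in valid for a in auds):
        findings.append(f"audience: token aud {auds} not in accepted audiences {valid}; "
                        f"add api://<ClientId> to TokenValidationParameters.ValidAudiences "
                        f"or request a scope on the bare ClientId")

    tid = claims.get("tid")
    if tid is not None and tid != config["TenantId"]:
        findings.append(f"tenant: token tid {tid} != configured TenantId {config['TenantId']}")

    exp = claims.get("exp")
    if exp is None or exp <= now:
        findings.append(f"expiry: exp={exp} is missing or in the past (now={now})")

    if "scp" not in claims and "roles" not in claims:
        findings.append("no scp/roles claim: this looks like an ID token or a token issued for "
                        "another resource, not an access token for this API")
    return findings


def make_token(claims: dict) -> str:
    """Build a constructed, unsigned-looking compact JWS for the demo (signature is a placeholder)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.c2lnbmF0dXJl"


# Constructed sample values (not real tenants, apps or tokens).
TENANT = "11111111-2222-3333-4444-555555555555"
CLIENT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
NOW = 1_700_000_000
CONFIG = {"Instance": "https://login.microsoftonline.com/", "TenantId": TENANT,
          "ClientId": CLIENT, "AuthorityIsV2": True}
GOOD_V2_TOKEN = make_token({"iss": f"https://login.microsoftonline.com/{TENANT}/v2.0", "aud": CLIENT,
                            "tid": TENANT, "ver": "2.0", "scp": "access_as_user", "exp": NOW + 3600})
V1_TOKEN = make_token({"iss": f"https://sts.windows.net/{TENANT}/", "aud": f"api://{CLIENT}",
                       "tid": TENANT, "ver": "1.0", "scp": "access_as_user", "exp": NOW + 3600})
ID_TOKEN_LIKE = make_token({"iss": f"https://login.microsoftonline.com/{TENANT}/v2.0", "aud": CLIENT,
                            "tid": TENANT, "ver": "2.0", "exp": NOW + 3600})

if __name__ == "__main__":
    for name, tok in [("v2 access token", GOOD_V2_TOKEN), ("v1 access token", V1_TOKEN),
                      ("id-token-like", ID_TOKEN_LIKE)]:
        print(name, "->", triage(tok, CONFIG, now=NOW) or ["OK"])
```

Paste the value of the Authorization header (minus "Bearer ") as `token` against a config dict copied from your appsettings section; an empty result means the claims line up and the remaining suspects are the signature/metadata fetch and the scheme registration itself.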

dancundy commented 4 years ago

I could be wrong, but this looks more like something for Stack Overflow and not an actual issue with the software itself.

jokerlovescaptainmarvel commented 4 years ago

Just asking for help. Because the samples here are difficult to implement especially if the developer is just getting started :/

odin88 commented 4 years ago

@jokerlovescaptainmarvel have you solved it? I was stuck for weeks until I managed to resolve it using services.AddAuthentication(options => { options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme; })

amalea commented 3 years ago

Hi @jokerlovescaptainmarvel,

Can you please tell me how you solved your issue?

jmprieur commented 3 years ago

@amalea, for ASP.NET Core web APIs, we recommend you use Microsoft.Identity.Web

dotnet new webapi --auth SingleOrg

See also:

amalea commented 3 years ago

Thank you for your reply! I will try as you have mentioned.

amalea commented 3 years ago

Hello @jmprieur,

I have added services.AddMicrosoftIdentityWebApiAuthentication(Configuration, "AzureAd"); in the ConfigureServices method, but it seems that it does not read my appsettings.json file, because it throws: Microsoft.Extensions.Options.OptionsValidationException: IDW10106: The 'ClientId' option must be provided.

Do I miss something here?

Previously I had this line: services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme).AddAzureADBearer(options => Configuration.Bind("AzureAd", options));

I am trying to upgrade from 2.2 to 3.1. I have already replaced UseMvc with endpoint routing, UseAuthorization(), UseAuthentication(), etc.

jmprieur commented 3 years ago

@amalea: see point 3.) of https://github.com/AzureAD/microsoft-identity-web/wiki/web-apis#protected-web-apis---startupcs. Just use:

   services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
           .AddMicrosoftIdentityWebApi(Configuration);

When migrating from .NET Core 2.2 to .NET Core 3.1, you probably want to compare two new applications. To create a new web app for .NET Core 3.1, use: dotnet new webapi2 --auth SingleOrg