Closed soda92 closed 1 month ago
Hi @soda92 - let's keep this open as a question. The MSAL team is more likely to help on GH issues than on SO questions.
So, if I understand correctly you want to call an Azure Resource Manager API. This API needs to be called by a service principal (denoted by the app + secret) not by a user. OBO is indeed used for user flows (for client calls web api which calls another downstream api).
For service principal authentication, you correctly use the acquire_token_for_client API. The scope in this case is always resource/.default, so https://management.azure.com/.default is correct.
So I think you have an AuthZ problem, because AAD does issue an app token back to you for ARM. However, after authenticating the service principal (denoted by the app + secret), ARM does not seem to populate the response as you expect. Most likely because you need to configure RBAC.
I see that you are getting some help in SO with RBAC and AuthZ. Please post back if a solution is found. Thanks!
It was solved in SO. I will post the answer here later
I granted the Reader role for the application in the subscription, then it works.
Note that the app was not shown by default; we need to enter the application name in the search bar.
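The flow the maintainer describes above (app-only token via acquire_token_for_client with the ARM /.default scope) and the Reader role fix in the reply, as an added example that is not part of this issue or of MSAL's own code. It uses the real msal.ConfidentialClientApplication API and the ARM subscriptions endpoint for the live path, and an offline diagnose() helper that separates a failed token request (AuthN) from a valid token that simply has no role assignment (AuthZ); the sample responses are constructed, not captured.

```python
import json
import urllib.error
import urllib.request

ARM_RESOURCE = "https://management.azure.com"
ARM_SCOPE = ARM_RESOURCE + "/.default"  # the only scope shape valid for client credentials

# Constructed sample responses for offline use (not captured from a real tenant).
SAMPLE_TOKEN = {"access_token": "eyJ.constructed.token", "token_type": "Bearer"}
SAMPLE_NO_ROLE = (200, {"value": []})  # what the reporter saw before assigning Reader

def check_client_credential_scopes(scopes: list[str]) -> list[str]:
    """App-only tokens take '<resource>/.default' only; delegated scopes such as
    'user_impersonation' belong to user flows (auth code / OBO) and are rejected."""
    for s in scopes:
        if not s.endswith("/.default"):
            raise ValueError(f"not a valid client-credential scope: {s!r}")
    return scopes

def get_arm_token(tenant_id: str, client_id: str, client_secret: str) -> dict:
    """Acquire an app-only ARM token with MSAL (network call, not exercised offline)."""
    import msal  # imported lazily so the offline helpers work without the package
    app = msal.ConfidentialClientApplication(
        client_id,
        authority=f"https://login.microsoftonline.com/{tenant_id}",
        client_credential=client_secret,
    )
    return app.acquire_token_for_client(scopes=check_client_credential_scopes([ARM_SCOPE]))

def list_subscriptions(access_token: str) -> tuple[int, dict]:
    """GET /subscriptions; ARM lists only subscriptions the principal holds a role on."""
    req = urllib.request.Request(
        ARM_RESOURCE + "/subscriptions?api-version=2020-01-01",
        headers={"Authorization": "Bearer " + access_token},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")

def diagnose(token_result: dict, status: int, body: dict) -> str:
    """Tell an authentication (AuthN) failure apart from the RBAC (AuthZ) gap in the issue."""
    if "access_token" not in token_result:
        return "AUTHN_FAILED: " + str(token_result.get("error_description") or token_result.get("error"))
    if status == 401:
        return "AUTHN_FAILED: ARM rejected the token"
    if status == 200 and not body.get("value"):
        return "AUTHZ_NO_ROLE: token is valid but the app has no role assignment; grant e.g. Reader"
    return f"OK: {len(body.get('value', []))} subscription(s) visible"
```

Run `get_arm_token` then `list_subscriptions` on a real tenant and pass both results to `diagnose`; an empty "value" list with a good token is the RBAC case, not an MSAL problem.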
I use the following code:
However, I cannot get desired result:
I can get subscriptions using a token captured from the browser:
The permissions are already granted.
I tried to add "https://management.azure.com//user_impersonation" to the scope, but it fails with this error:
I read about the "OBO" flow, but my app isn't supposed to need user interaction.
Ask: Am I missing something in the auth flow or permissions?