Intility / fastapi-azure-auth

Easy and secure implementation of Azure Entra ID (previously AD) for your FastAPI APIs 🔒 B2C, single- and multi-tenant support.
https://intility.github.io/fastapi-azure-auth
MIT License

[Question] Following https://intility.github.io/fastapi-azure-auth/usage-and-faq/calling_your_apis_from_python/#single--and-multi-tenant but getting Invalid audience #198

Open elisabetao opened 3 days ago

elisabetao commented 3 days ago

Describe the question I was able to set up the API interactive flow with PkceWithAuthorizationCodeGrant as listed here: https://intility.github.io/fastapi-azure-auth/single-tenant/fastapi_configuration/ for Single Tenant with SingleTenantAzureAuthorizationCodeBearer. However, when trying to use the code here https://intility.github.io/fastapi-azure-auth/usage-and-faq/calling_your_apis_from_python/#single--and-multi-tenant , while configuring another Azure Service Principal/App (similar to the OpenAPI one) to connect to the backend API I get: "INFO:fastapi_azure_auth:Token contains invalid claims. Invalid audience 2024-07-02T21:48:14.227784883Z INFO: 172.16.11.149:46006 - "GET /test HTTP/1.1" 401 Unauthorized"

In the Calling Your APIs from Python article, mentioned above, it is mentioned that a new Azure application/Service principal identical or similar to the OPENAPI one should work for the client_credentials flow; however, checking the docs https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#application-permissions and https://thecibrax.com/oauth-client-credentials-in-azure-ad-explained-for-web-api-developers , my understanding is that one needs to use application permissions and not delegated permissions when authenticating as an application: "When authenticating as an application (as opposed to with a user), you can't use delegated permissions because there is no user for your app to act on behalf of. You must use application permissions, also known as app roles, that are granted by an admin or by the API's owner."

I have created the app role and granted the app permissions to the new client/openapi application/service principal; however, there's an error with the audience I can't seem to be able to track, as on my side the scope is set to "api://BACKEND_APP_CLIENT_ID/.default", the same one that the other OPENAPI app uses successfully for the Swagger. Below is a sample of the token that encounters audience issues.

[screenshot of the decoded token was attached here]

I have already checked and reviewed a few times: https://github.com/Intility/fastapi-azure-auth/issues/156 and https://github.com/Intility/fastapi-azure-auth/issues/47 and these cases do not appear to apply.

Would you have other suggestions to track this token audience issue? Thanks a lot

To Reproduce

Stack trace "INFO:fastapi_azure_auth:Token contains invalid claims. Invalid audience 2024-07-02T21:48:14.227784883Z INFO: 172.16.11.149:46006 - "GET /test HTTP/1.1" 401 Unauthorized"

Your configuration

JonasKs commented 2 days ago

I'm on vacation, so won't be able to reproduce for a while.

Can you check that your aud matches the client ID of your backend (not swagger)?

Your apps should indeed use the api://<backend client ID>/.default scope, and receive a token with aud set to the <backend client ID>.

elisabetao commented 2 days ago

Hi Jonas,

Enjoy your vacation. Indeed aud/audience matches the backend and client id.

Thanks

JonasKs commented 2 days ago

Then I suspect your settings might be wrong in the backend app?

Can you double check that the client ID in this section is your backend app (same as audience)?

from fastapi_azure_auth.auth import MultiTenantAzureAuthorizationCodeBearer

# settings is your application's settings object; APP_CLIENT_ID must be the
# backend app registration's client ID, which is also the expected token aud.
azure_scheme = MultiTenantAzureAuthorizationCodeBearer(
    app_client_id=settings.APP_CLIENT_ID,  # <-------- this is the audience
    scopes={
        f'api://{settings.APP_CLIENT_ID}/user_impersonation': 'user_impersonation',
    },
    validate_iss=False,
)
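A small diagnostic for the check Jonas asks for, added here as an example that is not part of this thread or of fastapi-azure-auth: it decodes the token payload without verifying the signature (so it is for troubleshooting only, never for authorization), compares aud with the backend app_client_id the library expects, flags the api://<client id> form that v1 tokens carry instead of the bare ID, and reports whether the token holds app roles (client_credentials) or delegated scopes (PKCE user flow). The client IDs and the token are constructed placeholders.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims_unverified(token: str) -> dict:
    # Diagnostic only: reads the payload WITHOUT checking the signature.
    # Never authorize on this; fastapi-azure-auth does the real validation.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))

def check_audience(token: str, app_client_id: str) -> dict:
    # Compare the token's aud with the backend's app_client_id (the value the
    # library expects) and report which kind of token it is.
    claims = decode_claims_unverified(token)
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    return {
        "aud": aud,
        "aud_matches_backend": app_client_id in aud_list,
        # v1 tokens carry the Application ID URI instead of the bare client ID
        "aud_is_app_id_uri": f"api://{app_client_id}" in aud_list,
        "token_version": claims.get("ver"),
        "app_roles": claims.get("roles", []),    # set on client_credentials tokens
        "delegated_scopes": claims.get("scp"),   # set on user (PKCE) tokens
    }

def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample token for demonstration (dummy signature)
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.dummysig"

BACKEND_CLIENT_ID = "00000000-0000-0000-0000-000000000001"  # placeholder
SWAGGER_CLIENT_ID = "00000000-0000-0000-0000-000000000002"  # placeholder

if __name__ == "__main__":
    good = make_sample_token({"aud": BACKEND_CLIENT_ID, "ver": "2.0", "roles": ["Api.Read"]})
    bad = make_sample_token({"aud": SWAGGER_CLIENT_ID, "ver": "2.0", "scp": "user_impersonation"})
    print(check_audience(good, BACKEND_CLIENT_ID)["aud_matches_backend"])  # True
    print(check_audience(bad, BACKEND_CLIENT_ID)["aud_matches_backend"])   # False
```

Paste a real token into check_audience with your backend client ID; an aud equal to the Swagger/OpenAPI client ID, or an api:// prefixed aud, is the mismatch the "Invalid audience" log line reports.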
elisabetao commented 2 days ago

Yes, the backend API APP client id matches the APP_CLIENT_ID, the api:///.default and the audience I set when trying to connect like so https://intility.github.io/fastapi-azure-auth/usage-and-faq/calling_your_apis_from_python/#single--and-multi-tenant with this code

Thank you

JonasKs commented 2 days ago

Not sure to be honest. I'd start over with a mini project and make sure the tutorial is followed to the exact point, no alterations.

elisabetao commented 9 hours ago

Hi Jonas,

Have retested with similar results: https://intility.github.io/fastapi-azure-auth/usage-and-faq/calling_your_apis_from_python/#single--and-multi-tenant Not sure how the flow described and further referenced here: https://intility.github.io/fastapi-azure-auth/usage-and-faq/calling_your_apis_from_python/#single--and-multi-tenant which bases itself on delegated permissions would work with the client_credentials flow. Normally client credentials require app permissions. My understanding is that we cannot use the same token for client_credentials and pkce (for users with delegated permissions) but I do not see any constraint against using the same backend app.