I have deployed an API App to Azure, but I am having problems creating API Client if Authentication (with AAD) is set to ON.
When I try to generate service client (when Authentication is OFF), then client code is generated (it's done with Autorest) and code is working, but when I switch Authentication ON (and Action to take when request is not authenticated is set to Login with Azure Active Directory), then
1) service call returned 401 Unauthorized (without redirecting to AAD login page)
2) Then I tried to generate service client once more (from Project's context menu -> Add -> REST API Client -> then in the dialog box I chose "Select Azure Asset" and pressed OK) and got a message "Failed to download metadata file for Microsoft Azure API App: ...app name..." (and "no additional information available")
I was implementing AAD according to this Azure manual (using express settings):
I was working according to this video, too, and everything that is shown in this video was working, except that AAD was not demonstrated... and for me it's not working...
Any suggestions?
EDIT
1) If I enter the request url (that REST API client uses) in web browser - then it returns valid results
2) I found out that I am using REST API without credentials (I thought Azure AD login screen should be presented in this case... but it isn't)
EDIT 2
I got some progress - got to the AAD login screen, but after entering credentials I get the bearer token, but when I try to query the service, I get an error message:
AADSTS65005: The client application has requested access to resource 'https....azurewebsites.net'. This request has failed because the client has not specified this resource in its requiredResourceAccess list.
Trace ID: 4176e...
Correlation ID: 1d612d...
Timestamp: 2016-11-13 18:28:34Z
These are the steps I've done to get this far:
0) Added Microsoft.IdentityModel.Clients.ActiveDirectory nuget pack to client project
1) registered my client app in Azure Active Directory
2) when calling REST API from client application, I am adding ServiceClientCredentials
3) when creating ServiceClientCredentials I provide 4 elements
-authority = this is from AAD App registrations -> Endpoints => Federation Metadata Document value (without the starting part http://login.windows.net/)
-resource => this is REST API uri (=>Identifier of the target resource that is the recipient of the requested token)
-clientId => this is application id I get after I registered client app in AAD
-redirect Uri => since my client app is a Native application, then this is just any valid url
How can I specify this resource in my client app?
client has not specified this resource in its requiredResourceAccess list
I managed to find a solution on how to enable AAD authorization to Azure REST API App. Just in case anyone has the same challenge, I hope this will be helpful.
These are the steps I did:
1) In App services -> Authentication/authorization
2) In Azure Active Directory -> App registrations
- requiredResourceAccess section you must add information about REST API App:
  - resourceAppId -> insert REST API App id here
  - resourceAccess {id} -> OauthPermission id value of REST API (you can get it in REST API's manifest!)
3) In your client application
- Autorest (from solution explorer: Add\REST API client) or create it manually
- Microsoft.IdentityModel.Clients.ActiveDirectory nuget pack
- get and use token to access your API with code similar to this:
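
Added example, not part of the original answer and not its token-acquisition code: a Python check for step 2 that compares a client app manifest with the REST API app manifest and reports whether the resource and one of its OAuth permission ids are declared in `requiredResourceAccess`. The manifests and GUIDs are constructed placeholders, `check_client_manifest` is a hypothetical name, and the `oauth2Permissions` and `"type": "Scope"` fields assume the Azure AD application manifest layout of that period.

```python
import json

# Constructed manifests; every GUID is a made-up placeholder.
API = json.loads("""{
  "appId": "11111111-1111-1111-1111-111111111111",
  "oauth2Permissions": [{"id": "22222222-2222-2222-2222-222222222222",
                         "value": "user_impersonation", "isEnabled": true}]
}""")
CLIENT_BEFORE = {"appId": "33333333-3333-3333-3333-333333333333",
                 "requiredResourceAccess": []}
CLIENT_AFTER = {"appId": "33333333-3333-3333-3333-333333333333",
                "requiredResourceAccess": [{
                    "resourceAppId": "11111111-1111-1111-1111-111111111111",
                    "resourceAccess": [{"id": "22222222-2222-2222-2222-222222222222",
                                        "type": "Scope"}]}]}


def check_client_manifest(client, api):
    """Return a list of problems; an empty list means the client declares the API."""
    api_id = api["appId"].lower()
    # Delegated permissions the API exposes, keyed by permission id.
    scopes = {p["id"].lower(): p["value"]
              for p in api.get("oauth2Permissions", []) if p.get("isEnabled", True)}
    entries = [e for e in client.get("requiredResourceAccess", [])
               if e.get("resourceAppId", "").lower() == api_id]
    if not entries:
        # The situation the AADSTS65005 message on this page describes.
        return ["resource %s is not in requiredResourceAccess" % api_id]
    problems = []
    declared = [a for e in entries for a in e.get("resourceAccess", [])]
    if not declared:
        problems.append("resource is listed but resourceAccess is empty")
    for access in declared:
        perm_id = access.get("id", "").lower()
        if perm_id not in scopes:
            problems.append("id %s is not an enabled oauth2Permission of the API" % perm_id)
        elif access.get("type") != "Scope":
            problems.append("id %s should have type Scope (delegated permission)" % perm_id)
    return problems


if __name__ == "__main__":
    for name, manifest in (("before", CLIENT_BEFORE), ("after", CLIENT_AFTER)):
        print(name, check_client_manifest(manifest, API) or "OK")
```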