Why does a WebApi protected with Azure Active Directory return “Unauthorized”?

Damir Dobric Posts


Assuming you have implemented a WebApi and protected it with AAD (Azure Active Directory), you might get the following error in the client:

“Unauthorized”

This is not a very descriptive error message, and it can be caused by many things. Such an example can be found here.
This error is re-thrown on the client, but it originates on the server, or more precisely in the AAD OWIN authentication stack. To find the cause, enable “Break when exception is thrown” for the WebApi project and hope that you get a more specific error message.


In my case the problem was very trivial, but it cost a lot of time to find it.

 

The client requires a resourceId (audience).

<add key="TodoListResourceId" value="https://mytenant.onmicrosoft.com/BusinessMonitorService" />


This value originates from the Portal (AAD/Applications/YourWebApi-app) as

APP ID Uri: https://mytenant.onmicrosoft.com/BusinessMonitorService


But, the same value must also be configured in the service web.config:

<add key="ida:Audience" value="https://mytenant.onmicrosoft.com/BusinessMonitorService/" />

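All three values (the client's resourceId, the APP ID Uri in the Portal and the service's ‘ida:Audience’) must be the same. Notice that in my case I have a slash ‘/’ at the end of the ‘ida:Audience’ value.
Note that the service does not check this value on start-up.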
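
The comparison described above, as an added troubleshooting example that is not part of the original post: it reads the `aud` claim of a token without verifying the signature and compares it with the configured `ida:Audience`. The class and method names are hypothetical, the token is a constructed sample, and exact (ordinal) matching is an assumption consistent with the trailing-slash failure described here.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

// Added troubleshooting example; AudienceCheck and its methods are hypothetical names.
static class AudienceCheck
{
    static string FromBase64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }

    static string ToBase64Url(string json)
    {
        string b64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(json));
        return b64.TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Reads "aud" from the payload WITHOUT verifying the signature: diagnostics only,
    // never an authorization decision. Handles the single-string form of the claim.
    public static string ReadAudience(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a compact JWT.");
        Match m = Regex.Match(FromBase64Url(parts[1]), "\"aud\"\\s*:\\s*\"([^\"]*)\"");
        if (!m.Success) throw new FormatException("No string \"aud\" claim.");
        return m.Groups[1].Value.Replace("\\/", "/");
    }

    // Assumption: the service compares the audience as an exact (ordinal) string.
    public static string Explain(string tokenAud, string configured)
    {
        if (string.Equals(tokenAud, configured, StringComparison.Ordinal))
            return "OK: token audience equals ida:Audience.";
        if (tokenAud.TrimEnd('/') == configured.TrimEnd('/'))
            return "MISMATCH: values differ only by a trailing '/'.";
        return "MISMATCH: '" + tokenAud + "' vs '" + configured + "'.";
    }

    static void Main()
    {
        // Constructed, unsigned sample token carrying the client's resourceId as "aud".
        string jwt = ToBase64Url("{\"typ\":\"JWT\"}") + "." + ToBase64Url(
            "{\"aud\":\"https://mytenant.onmicrosoft.com/BusinessMonitorService\"}") + ".sig";
        // In the service this value would come from the ida:Audience appSetting.
        string configured = "https://mytenant.onmicrosoft.com/BusinessMonitorService/";
        Console.WriteLine(Explain(ReadAudience(jwt), configured));
    }
}
```

With the two values from this post, the program reports that they differ only by a trailing '/'.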


Posted Jul 24 2014, 11:57 AM by Damir Dobric
developers.de is a .Net Community Blog powered by daenet GmbH.