Access Token Conflict while Integrating with Microsoft Graph #1672 | Support Center | ABP Commercial

mervintan created 2 years ago

ABP Framework version: v4.2.2
UI type: MVC
DB provider: EF Core
Tiered (MVC) or Identity Server Separated (Angular): Yes
Exception message and stack trace:
Steps to reproduce the issue:"

We are currently developing a solution to integrate with Microsoft Graph API. We have challenges on retrieving the Azure AD Token.

We have configured the Azure AD OpenIdConnect as mentioned in the ABP documentation - https://docs.abp.io/en/abp/2.8/How-To/Azure-Active-Directory-Authentication-MVC#2-alternative-approach-addopenidconnect. We are able to login using Azure AD OpenId but we are stuck on the part to retrieve the Azure AD access token.

We are able to retrieve the token through the controller method with Authorize Attribute by defining the AuthenticationSchemes. However the token retrieve through this method will replace the bearer token for application and results in the current user to be logged off.

Please advise.

4 Answer(s)

0

alper created 2 years ago
Support Team Director

see https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app?tabs=dotnet#get-an-access-token-from-azure-ad
0

riz1992 created 2 years ago

We had tried implementing the provided solution, but we are getting activator chain error when trying to call the controller.

Additionally, is there any way for us to retrieve the token at the Pages or AppServices? Given that the ABP MVC solution is design for the request to be access through Pages instead of Controller.
0

riz1992 created 2 years ago

Hi,

Is there a solution for this issue?

gterdem created 2 years ago

Support Team Senior .NET Developer

Getting access-token from azure-ad is related with Microsoft and completely out of our scope.

However i will try to help you;

I willl use client credential flow using ConfidentialClientApplicationBuilder of Microsoft.Identity.Client package.

Create a Page something like: <br>

public class AzurePage : PageModel
{
    IConfidentialClientApplication app;
    private const string clientId = "my-client-id-in-appsettings";
    private const string tenantId = "my-tenant-id-in-appsettings";
    private const string clientSecret = "my-client-secret-in-appsettings";

    public string azureAccessToken = string.Empty;

    public AzurePage()
    {
        string authority = $"https://login.microsoftonline.com/{tenantId}/v2.0/";

        app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(new Uri(authority))
            .Build();
    }

    public async Task<IActionResult> OnGet()
    {
        string[] scopes = new string[] {  "https://graph.microsoft.com/.default" };

        AuthenticationResult result = null;
        try
        {
            result = await app.AcquireTokenForClient(scopes)
                .ExecuteAsync();
            azureAccessToken = result.AccessToken;
        }
        catch(MsalServiceException ex)
        {
            // AADSTS70011
            // Invalid scope. The scope has to be of the form "https://resourceurl/.default"
            // Mitigation: this is a dev issue. Change the scope to be as expected
        }

        return Page();
    }

Result:

and Jwt.io:

Use IConfidentialClientApplication wherever you need.

Have an answer to this question? Log in and write your answer.