I have an application, name it "Apple", which is registered with Azure AD, delegating the rights to the Azure Management API application. When requesting this application, it creates an azure resource ex. the storage account automatically, and this works fine.
I have another application which is an MVC application and it is also registered with the same AD tenant. The second application uses the following code to obtain an access token:
var clientCredentials = new ClientCredential(ConfigurationManager.AppSettings["AD_ClientID"], ConfigurationManager.AppSettings["AD_Client_AccessKey"]); var authContext = new AuthenticationContext(string.Format(ConfigurationManager.AppSettings["AD_Tenant_Login_Url"], ConfigurationManager.AppSettings["AD_Tenant_Id"])); var result = authContext.AcquireTokenAsync(ConfigurationManager.AppSettings["AD_Resource"], clientCredentials); if (result == null) { throw new InvalidOperationException("Could not get the token"); } return result.Result;
The result is an access token having different properties. Now the second application retrieves the access token with access to the resource core, which then goes to the Apple application in the authorization header.
Authorization:bearer TokenString
The Apple application has an Authorize attribute added to the controller. The application is configured on Owin with an oauth application with the following code
public void ConfigureAuth(IAppBuilder app) { app.UseWindowsAzureActiveDirectoryBearerAuthentication( new WindowsAzureActiveDirectoryBearerAuthenticationOptions { Tenant = ConfigurationManager.AppSettings["ida:Tenant"], TokenValidationParameters = new TokenValidationParameters { ValidAudience = ConfigurationManager.AppSettings["ida:Audience"] }, }); }
Note that the access token is retrieved from the second application using its own AppId and Secret key; while another (Apple) application uses its own AppId and secret key to verify the token.
So my problem is: APPLE application always returns 401 do not allow code