We have a couple of ASPNET Core Web APIs that are accessed by both AzureAd and AzureB2C accounts. API1 is currently called by an ASPNET Core Site using Azure Ad user token.
API2 is called by that same ASPNET Web Site and by API1. When API1 is called by the WebSite or API2 is called by API1 I get the token by calling GetAccessTokenForUserAsync
and passing a scope like “https://ourdomain.co.uk/appid/access”.
I am now introducing AzureFunc1 that needs to call API1 and that call to API1 will result in API1 calling API2. AzureFunc1 is a daemon app that is triggered by a Timer configuration. In AzureFunc1 I get a token to call API1 using GetAccessTokenForAppAsync
. This is working, I am passing a scope of https://ourdomian.co.uk/appid/.default and I have exposed an AppRole on API1 that has been granted to AzureFunc1.
The code in API1 needs to call API2 and that is trying to get a token by calling GetAccessTokenForUserAsync
. Unsurprisingly this is not working as no User account is onvolved. I get the error:
AADSTS7000114: Application '9dc73511-1987-4ede-9485-ad45923204ac' is not allowed to make application on-behalf-of calls
- If the call to API1 was made with an App Token should all calls made to API2 from API1, within the same context use a token that was also obtained from GetAccessTokenForAppAsync
- The endpoint of API1 that AzureFunc1 is calling is the same as the one that is normally called in the context of a User. Is that bad practice?
- Is there a way of looking at the HttpContext in API1 and knowing that the calls are on behalf of an App rather than a User? The contents of the ClaimsPrincipal.Claims suggests there is.
- Assuming I can tell in API1 that I am being called in the context of an App rather than a User should I switch to use GetAccessTokenForAppAsync and expose some new AppRoles on API2?