GonzaloARRIBASGORGOLAS-0592 asked

Problem when I call a GET request with an Azure token: InvalidAuthenticationTokenAudience

I have a .NET desktop application where I log in with my Microsoft account (username and email). When I do that, I obtain an access token. Then I want to display in the console the list of subscriptions I have activated in that account. I am using a GET request, which is the only thing I have found in the documentation of the Azure SDK for .NET developers.


 using System;
 using System.Linq;
 using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Threading.Tasks;
 using Microsoft.Identity.Client;

 class Program
 {
     public static string clientId = "XXXXXXXXXXXXXXXXXXXXXX";
     public static string tenantId = "XXXXXXXXXXXXXXXXXXXXXX";

     public static IPublicClientApplication PublicClientApp;

     static void Main(string[] args)
     {
         GetATokenForGraph().GetAwaiter().GetResult();
     }

     static async Task GetATokenForGraph()
     {
         // Build the MSAL public client for the registered app and tenant.
         var options = new PublicClientApplicationOptions();
         options.ClientId = clientId;
         options.AzureCloudInstance = AzureCloudInstance.AzurePublic;
         options.TenantId = tenantId;

         PublicClientApp = PublicClientApplicationBuilder.CreateWithApplicationOptions(options)
                 .WithRedirectUri("https://login.microsoftonline.com/common/oauth2/nativeclient")
                 .Build();

         // Scope requested for the access token (the app's own exposed API scope).
         var _scopes = new string[] { $"api://{clientId}/access_as_user" };
         var authResult = await PublicClientApp.AcquireTokenInteractive(_scopes)
                                     .ExecuteAsync();

         Console.WriteLine("Username: " + authResult.Account.Username);
         Console.WriteLine("Environment: " + authResult.Account.Environment);
         Console.WriteLine("Scope: " + authResult.Scopes.FirstOrDefault());

         // Attach the bearer token and call Azure Resource Manager.
         var httpClient = new HttpClient();
         httpClient.DefaultRequestHeaders.Authorization = AuthenticationHeaderValue.Parse(authResult.CreateAuthorizationHeader());

         const string environmentsUri = "https://management.azure.com/subscriptions?api-version=2020-01-01";

         var response = await httpClient.GetAsync(environmentsUri);
         var content = await response.Content.ReadAsStringAsync();
         Console.WriteLine("\nContent HTTP request:\n");
         Console.WriteLine(content);
     }
 }

XXXXXXXXXXXXXXXXXX is my clientId.
However, when I execute the code and print the content, I get this error:

         {"error":{"code":"InvalidAuthenticationTokenAudience","message":"The access token has been obtained for wrong audience or resource 'XXXXXXXXXXXXXXXXXXXXXXXXXXX'. It should exactly match with one of the allowed audiences 'https://management.core.windows.net/','https://management.core.windows.net','https://management.azure.com/','https://management.azure.com'."}}

I did all the steps to register my application as in https://docs.microsoft.com/es-es/azure/active-directory/develop/scenario-protected-web-api-app-registration


amanpreetsingh-msft answered

Hi @GonzaloARRIBASGORGOLAS-0592, thank you for reaching out.

Looking at your code, you are making the call below, for the resource https://management.azure.com:

 GET https://management.azure.com/subscriptions?api-version=2020-01-01

However, the token that you acquired is for the scope api://{clientId}/access_as_user, which is why you are getting the InvalidAuthenticationTokenAudience error.

To resolve the issue, you need to perform the steps below:

  1. Navigate to Azure Active Directory > App Registrations > click on your app > API Permissions > +Add a permission > click on Azure Service Management > Delegated permissions > select checkbox for user_impersonation permission > Grant Admin consent.

  2. In your code, instead of using "api://{clientId}/access_as_user", use https://management.azure.com/user_impersonation scope.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


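As an added example (not the poster's code and not Microsoft sample code), here is the same program with the scope from step 2, plus a troubleshooting check that reads the token's aud claim and compares it with the audiences listed in the error message before the request is sent, so a wrong-audience token is caught on the client. The client and tenant IDs are placeholders.

```csharp
// Added example; ClientId/TenantId are placeholders for your app registration values.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

class Program
{
    const string ClientId = "<your-client-id>";
    const string TenantId = "<your-tenant-id>";
    const string SubscriptionsUri = "https://management.azure.com/subscriptions?api-version=2020-01-01";
    // ARM delegated scope from the answer, instead of api://{clientId}/access_as_user.
    static readonly string[] Scopes = { "https://management.azure.com/user_impersonation" };
    // Audiences ARM accepts, taken from the error message in the question.
    static readonly HashSet<string> ArmAudiences = new HashSet<string>(StringComparer.OrdinalIgnoreCase) {
        "https://management.core.windows.net/", "https://management.core.windows.net",
        "https://management.azure.com/", "https://management.azure.com"
    };

    static async Task Main()
    {
        var app = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .WithRedirectUri("https://login.microsoftonline.com/common/oauth2/nativeclient")
            .Build();
        var result = await app.AcquireTokenInteractive(Scopes).ExecuteAsync();

        // Troubleshooting only: access tokens are opaque to the client by contract and ARM
        // validates them server-side; reading aud just explains a 401 before it happens.
        string aud = ReadAudience(result.AccessToken);
        if (!ArmAudiences.Contains(aud))
            throw new InvalidOperationException($"Token audience '{aud}' is not ARM; the call would be rejected.");

        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        using var response = await http.GetAsync(SubscriptionsUri);
        Console.WriteLine($"HTTP {(int)response.StatusCode}\n{await response.Content.ReadAsStringAsync()}");
    }

    // Base64url-decodes the JWT payload (second dot-separated segment) and returns its "aud" claim.
    static string ReadAudience(string jwt)
    {
        string b64 = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
        var aud = doc.RootElement.GetProperty("aud");
        return aud.ValueKind == JsonValueKind.Array ? aud[0].GetString() ?? "" : aud.GetString() ?? "";
    }
}
```

If the app registration has not yet been granted the Azure Service Management user_impersonation permission from step 1, the interactive sign-in will prompt for consent or fail, which is the expected place for that error to surface.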

GonzaloARRIBASGORGOLAS-0592 answered

Finally, it worked!
Thank you so much! :D
