How to consume Azure REST API App with Azure Active Directory authorization On

Question

I have deployed an API App to Azure, but I am having problems creating API Client if Authentication (with AAD) is set to ON.

When I try to generate service client (when Authentication is OFF), then client code is generated (it's done with Autorest) and code is working, but when I switch Authentication ON (and Action to take when request is not authenticated is set to Login with Azure Active Directory), then

1) service call returned 401 Unauthorized (without redirecting to AAD login page)

2) Then I tried to generate service client once more (from Project's context menu -> Add -> REST API Client -> then in the dialog box I chose "Select Azure Asset" and pressed OK and got a message "Failed to download metadata file for Microsoft Azure API App: ...app name..." (and "no additional information available")

I was implementing AAD according to this Azure manual (using express settings):

https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/

Was working according to this video, too and everything what is shown in this video was working, except that AAD was not demonstrated... and for me it's not working...

https://azure.microsoft.com/en-us/documentation/videos/connect-2015-what-s-new-in-app-service-api-apps/

Any suggestions?

EDIT

1) If I enter the request url (that REST API client uses) in web browser - then it returns valid results 2) I found out that I am using REST API without credentials (I thought Azure AD login screen should be presented in this case... but it isn't)

EDIT 2

I got some progress - got to the AAD login screen, but after entering credentials I get the bearer token, but when I try to query the service, I get an error message:

AADSTS65005: The client application has requested access to resource 'https....azurewebsites.net'. This request has failed because the client has not specified this resource in its requiredResourceAccess list. Trace ID: 4176e... Correlation ID: 1d612d... Timestamp: 2016-11-13 18:28:34Z

These are the steps I've done to get this far:

0) Added Microsoft.IdentityModel.Clients.ActiveDirectory nuget pack to client project

1) registered my client app in Azure Active Directory

2) when calling REST API from client application, I am adding ServiceClientCredentials

3) when creating ServiceClientCredentials I provide 4 elements -authority = this is from AAD App registrations -> Endpoints => Federation Metadata Document vērtība (without the starting part http://login.windows.net/)

-resource => this is REST API uri (=>Identifier of the target resource that is the recipient of the requested token)

-clientId => this is application id I get after I registered client app in AAD -redirect Uri => since my client app is a Native application, then this is just any valid url

How can I specify this resource in my client app?

client has not specified this resource in its requiredResourceAccess list

Answer 1

I managed to find a solution on how to enable AAD authorization to Azure REST API App. Just in case anyone has the same challenge, I hope this will be helpful.

These are the steps I did:

1) In App services -> Authentication/authorization

• App Service Authentication => On
• Action to take when request is not authenticated => Login with AAD
• Configured AAD with Express settings (there you have to create Azure AD App for you API App - i.e. "App registration" for your service)

2) In Azure Active Directory -> App registrations

• Add registration for your client app
• Edit Manifest of your client app - in the requiredResourceAccess section you must add information about REST API App:
  • resourceAppId -> insert REST API App id here
  • resourceAccess {id} -> OauthPermission id value of REST API (you can get it in REST API's manifest!)

3) In your client application

• generate your REST client using Autorest (from solution explorer: Add\REST API client) or create it manually
• add Microsoft.IdentityModel.Clients.ActiveDirectory nuget pack

• get and use token to access your API with code similar to this:

      //request
      (..)
      var tokenCreds = getToken();
      ServiceClientCredentials credentials = tokenCreds;
  
      using (var client = new YourAPI(credentials)) {
      ...
      }
      (..)
  
      //getting token
  
  private static TokenCredentials getToken()
  {
      //get this from Federation Metadata Document in 
      //Azure Active Directory App registrations -> Endpoints
      var authority = "f1...";
  
      //Identifier of the target resource that is the recipient of the requested token
      var resource = "https://yourapi.azurewebsites.net";
  
      //client application id (see Azure Active Directory App registration
      //for your client app
      var clientId = "a71...";
  
      //return url - not relevant for Native apps (just has to be valid url)
      var redirectUri = "https://just-some-valid-url.net";
  
      AuthenticationContext authContext =
      new AuthenticationContext(string.Format
      ("https://login.windows.net/{0}",
  authority));
  
      AuthenticationResult tokenAuthResult =
      authContext.AcquireTokenAsync(resource,
      clientId,
      new Uri(redirectUri),
      new PlatformParameters(PromptBehavior.Auto)).Result;
  
      return new TokenCredentials(tokenAuthResult.AccessToken);
  }