The client FE app (Blazor WASM) signs in the user and then passes the access token along to the server BE app (ASP.NET Core Web API). Now, I'd like to somehow add the Graph client to the DI container in the server app and make calls to Graph API from services and controllers there. How do I do that?
Client app configuration
Client - Program.cs
builder.Services.AddMsalAuthentication(options =>{ builder.Configuration.Bind("AzureAd", options.ProviderOptions);});builder.Services .AddHttpClient(HttpClients.SERVER_API, client => { client.BaseAddress = new Uri(appSettings.ServerApi.Url); }) // This configues the client to add the JWT to the 'Authorization' header // for every request made to the authorized URLs. .AddHttpMessageHandler(sp => sp.GetRequiredService<AuthorizationMessageHandler>() .ConfigureHandler( authorizedUrls: [ appSettings.ServerApi.Url ], scopes: [ appSettings.ServerApi.AccessScope ] ));Client - appsettings.json
"AzureAd": {"Authentication": {"Authority": "https://login.microsoftonline.com/my-authority-here","ClientId": "client-id-here" },"DefaultAccessTokenScopes": ["api://server-app-id-here/API.Access","https://graph.microsoft.com/User.Read" ]}Server app configuration
Server - Program.cs
var builder = WebApplication.CreateBuilder(args);builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration) .EnableTokenAcquisitionToCallDownstreamApi() .AddMicrosoftGraph(builder.Configuration.GetSection("DownstreamApis:MicrosoftGraph")) .AddInMemoryTokenCaches();Server - appsettings.json
"AzureAd": {"Instance": "https://login.microsoftonline.com/","Domain": "myusername.onmicrosoft.com","TenantId": "my-tenant-id","ClientId": "server-app-client-id","ClientSecret": "server-app-secret","Scopes": "API.Access","CallbackPath": "/signin-oidc"},"DownstreamApis": {"MicrosoftGraph": {"BaseUrl": "https://graph.microsoft.com/v1.0","Scopes": "User.Read" }},Server - Calling Graph
using Microsoft.AspNetCore.Mvc;using Microsoft.Graph;using Microsoft.Identity.Web;namespace ChatPortal.Server.Controllers;[Route("api/[controller]")][ApiController]public class TestController : ControllerBase{ private readonly GraphServiceClient _graphClient; public TestController(GraphServiceClient graphClient) { _graphClient = graphClient; } [HttpGet("graph")] public async Task<IActionResult> GraphTest() { var user = await _graphClient.Me.GetAsync(); return Ok(); }}Azure setup
Client app registration
API Permissions:
- MyServerApp: API.Access, Type: Delegated, Status: Granted
- Microsoft Graph: User.Read, Type: Delegated, Status: Granted
Server app registration
Expose an API:
- Scopes: api://my-server-app-id-here/API.Access
- Authorized client applications: my-client-app-id-here
The problem
If I remove the "https://graph.microsoft.com/User.Read" scope to DefaultAccessTokenScopes in the client's appsettings.json file I get this error when trying to call Graph:
[12:47:58 ERR] An unhandled exception has occurred while executing the request.Microsoft.Identity.Web.MicrosoftIdentityWebChallengeUserException: IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent. ---> MSAL.NetCore.4.66.1.0.MsalUiRequiredException: ErrorCode: invalid_grantMicrosoft.Identity.Client.MsalUiRequiredException: AADSTS65001: The user or administrator has not consented to use the application with ID 'my-id-here' named 'ChatPortal.Server'. Send an interactive authorization request for this user and resource.I tried following the link the error provides for "managing incremental consent" and getting the token in the TestController through ITokenAcquisition but that seemingly tries to get the token from Azure. That doesn't seem correct for this scenario (and it doesn't work) -- I already have the access token in the Request.Headers.Authorization property. The question is how I use it with the GraphServiceClient...
If I keep the User.Read scope in the DefaultAccessTokenScopes this is the error I get:
Request URL: https://login.microsoftonline.com/my-tentant-id-here/oauth2/v2.0/tokenInvalid request: AADSTS28000: Provided value for the input parameter scope is not valid because it contains more than one resource. Scope api://server-app-id-here/API.Access https://graph.microsoft.com/User.Read openid profile offline_access is not valid.