
MauiAppWithBroker sample does not work with scope from downstream API #14

Open
kellygibsoncof opened this issue Dec 21, 2023 · 3 comments

Comments

@kellygibsoncof

This issue is for a: (mark with an x)

- [x] bug report 
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Use Case

I am a novice Maui developer starting a Maui app for Windows, and I want to:

  1. Authenticate to my company's Azure AD
  2. Receive an access token
  3. Use that access token to gain access to my secured Web API.

Minimal steps to reproduce

By following Microsoft example here: https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/1.%20Desktop%20app%20calls%20Web%20API, I have created the sample TodoListService and TodoListClient app registrations in Azure Portal.

I have deployed a simple Web API secured by the TodoListService app registration.

Using Maui app sample for MauiAppBasic here https://github.com/Azure-Samples/ms-identity-dotnetcore-maui/tree/main/MauiAppBasic, I am able to have the sample MauiAppBasic app call the TodoListClient registration and return an access token that is valid for calling the Web API secured by TodoListService. For this to work, the MauiAppBasic app must have config like this:

"Scopes": "api://<clientid>/access_as_user User.Read"
where <clientid> is the client id GUID from the TodoListService app registration.

This works great with the MauiAppBasic sample -- it returns an access token to the Maui app that is valid for the Web API that is secured by TodoListService.

However, the issue is it does not work with the MauiAppWithBroker sample. When I change the TodoListClient app registration based on config instructions here for MauiAppWithBroker: https://github.com/Azure-Samples/ms-identity-dotnetcore-maui/tree/main/MauiAppWithBroker#step-3-register-the-sample-applications-in-your-tenant, then attempt to run MauiAppWithBroker sample on Windows, I get the exception below.

I have checked and double-checked all config repeatedly.

Any log messages given by the failure

With the MauiAppWithBroker sample and a scope config of
"Scopes": "api://<clientid>/access_as_user User.Read"
the function SignInUserAndAcquireAccessToken(string[] scopes) throws an MsalException that looks like:

WAM Error  
 Error Code: 0 
 Error Message: ApiContractViolation 
 WAM Error Message: Token response failed because declined scopes are present:'(pii)' 
 Internal Error Code: 593794722 
 Possible causes: 
 Invalid redirect uri - ensure you have configured the following url in the application registration in Azure Portal: ms-appx-web://microsoft.aad.brokerplugin/0ba8f63e-1ab9-4e27-9e2b-7a7b7eea7c12 

The portal app registration for TodoListClient definitely has ms-appx-web://microsoft.aad.brokerplugin/0ba8f63e-1ab9-4e27-9e2b-7a7b7eea7c12 configured.

If I change the MauiAppWithBroker appSettings so that scope config looks like
"Scopes": "User.Read"
then the MauiAppWithBroker sample is able to return an access token from TodoListClient, however that access token is not valid for calling Web API secured by TodoListService.

Expected/desired behavior

The desired behavior is that, like the MauiAppBasic sample, the MauiAppWithBroker sample would return an access token from TodoListClient that is valid for calling Web API secured by TodoListService.

OS and Version?

Windows 11

Versions

.NET 8.0
Microsoft.Graph 5.35.0
Microsoft.Identity.Client 4.58.1
Microsoft.Identity.Client.Extensions.Msal 4.58.1

Can anyone tell me what this error means or what I am doing wrong? Thanks in advance for any insight you can give.

@mbellas-dumac

Same issue, did you ever get a resolution?

@kellygibsoncof
Author

I did not, but I am still interested in one.

@mbellas-dumac

Took all day but got it working. In my case the problem was the user.read scope was the one that was coming back as declined (no idea why), which I figured out by turning on experimental features and logging:

using System.Diagnostics;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker; // BrokerOptions / WithBroker live in the Microsoft.Identity.Client.Broker package

var pca = PublicClientApplicationBuilder.Create(ClientId)
    .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows))
    .WithDefaultRedirectUri()
    .WithExperimentalFeatures()
    // LogCallback is (LogLevel level, string message, bool containsPii);
    // enablePiiLogging: true replaces the '(pii)' placeholder in the WAM error with the actual declined scope
    .WithLogging((l, m, b) =>
    {
        Debug.WriteLine(m);
    }, enablePiiLogging: true)
    .Build();

Taking out user.read and setting my scopes array to this made it finally work.

string[] scopes = {
    $"api://{ClientId}/scope",  // scope defined on the AD app
    // "user.read",             // makes the whole process fail, do not use
    "email",
    "openid",
    "profile",
    "offline_access"
};

Those other ones are just the scopes from Microsoft Graph, which I added to my app registration, but I don't know if that is required.
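The following is an added example, not code from the ms-identity-dotnetcore-maui sample or from either commenter. It puts the two working observations from this thread together: the broker-enabled `PublicClientApplicationBuilder` with PII logging (so a declined scope is named instead of shown as `(pii)`), and a scope list that carries only the downstream API scope. It goes one step further than the comment above by requesting the Graph `User.Read` token in a second, separate `AcquireToken*` call rather than dropping it, on the assumption that each MSAL token request should target a single resource (an access token has one audience). `ClientId`, `TenantId`, `ApiClientId`, `apiUrl` and the `parentWindow` handle are placeholders; the Microsoft.Identity.Client and Microsoft.Identity.Client.Broker NuGet packages are assumed.

```csharp
// Added example (not from the sample repo or the issue author).
// Assumes: Microsoft.Identity.Client + Microsoft.Identity.Client.Broker packages.
// ClientId / TenantId / ApiClientId are hypothetical placeholders.
using System;
using System.Diagnostics;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker;

public static class BrokeredTokens
{
    const string ClientId    = "<TodoListClient app (client) id>";  // placeholder
    const string TenantId    = "<tenant id>";                       // placeholder
    const string ApiClientId = "<TodoListService app (client) id>"; // placeholder

    // One resource per request. The custom API scope goes on its own;
    // openid/profile/offline_access are not resource scopes and MSAL adds them itself.
    static readonly string[] ApiScopes   = { $"api://{ApiClientId}/access_as_user" };
    // Graph is a different resource (different token audience), so it gets its own request.
    static readonly string[] GraphScopes = { "User.Read" };

    static readonly IPublicClientApplication Pca = PublicClientApplicationBuilder
        .Create(ClientId)
        .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
        .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows))
        // With the broker enabled this resolves to ms-appx-web://microsoft.aad.brokerplugin/{ClientId},
        // which must also be registered on the TodoListClient app registration.
        .WithDefaultRedirectUri()
        // Verbose + PII logging is what shows WHICH scope WAM declined; turn it off outside debugging.
        .WithLogging((level, message, containsPii) => Debug.WriteLine(message),
                     LogLevel.Verbose, enablePiiLogging: true)
        .Build();

    // Silent first (broker cache / signed-in Windows account), interactive fallback.
    public static async Task<AuthenticationResult> AcquireAsync(string[] scopes, IntPtr parentWindow)
    {
        var accounts = await Pca.GetAccountsAsync();
        var account  = accounts.FirstOrDefault() ?? PublicClientApplication.OperatingSystemAccount;
        try
        {
            return await Pca.AcquireTokenSilent(scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            return await Pca.AcquireTokenInteractive(scopes)
                .WithParentActivityOrWindow(parentWindow) // WAM needs an owner window handle on Windows
                .ExecuteAsync();
        }
    }

    // Token for the TodoListService-protected Web API only.
    public static async Task<string> CallTodoListServiceAsync(IntPtr parentWindow, string apiUrl)
    {
        AuthenticationResult result = await AcquireAsync(ApiScopes, parentWindow);
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", result.AccessToken);
        return await http.GetStringAsync(apiUrl);
    }

    // Separate request, separate token, for Microsoft Graph.
    public static Task<AuthenticationResult> AcquireGraphAsync(IntPtr parentWindow)
        => AcquireAsync(GraphScopes, parentWindow);
}
```

If the interactive call still reports declined scopes, the verbose log line that names the scope is the thing to check against the "Expose an API" and "API permissions" blades of the two app registrations; the "Invalid redirect uri" hint in the WAM error text is generic and, as this thread shows, not necessarily the cause.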
