Develop Reference

Two identical Azure apps with different access_token format - one JWT, the other non-JWT

When accessing /.auth/me, one app has the access_token in the correct JWT format, but in the other app it's not in JWT format.
This is the valid JWT one: eyJ0eXAiOiJKV1QiLCJu...eyJhdWQiOiJodHRwczov...B84ciSKwF2oOre5n
This is the non-JWT one: PAQABAAAAAAD--DLA3VO7QrddgJg7WevrTLy
The configuration for both apps appear to be identical.
Any idea how to fix the second app to also show JWT access token?

Usually when the authentication flow configuration has not included resource
as one of the parameter, the access token does not have form of a (
JSON Web Token)JWT token token format.
Please try to include resource with your application Id Uri or
resource that your application requires . To find the App ID URI, in
the Azure portal, click Azure Active Directory, click App
registrations, click the service application, and then click Settings
and Properties.
Also set the clientId and client secret in the request.
In other cases just to access the app service you could use id_token or Bearer as response_type in authorization header as Authorization:Bearer "{your-id-token}".
Reference:Oauth 2.0 grant credentials ,Access token request | Microsoft Docs
You can make use of azure resource explorer to edit the properties of the app service auth to include the resource if not already included. See resource provider and types
To get an access token, please try to set the resource using the Azure Resource Explorer.
Navigate to the Resource Explorer from the App Service.
Go to config > authsettings and click on Edit.
Update the additionalLoginParams with ["resource=<Name/ID of the resource>"] and click on PUT.
For example:
“additionalLoginParams”: [
“resource=https://graph.microsoft.com ”
]
Then by saving changes and refreshing the App Service, try again and check that the value for the access token is in the form of a JWT token or not.

Issue in generating token with scope in Microsoft AAD using react. (401 Unauthorized)

I am using react-aad-msal and msal packages for implementing authentication using azure active directory. I am able to get the access token but every time the token is validated as "Invalid token" by back-end(.net core). Server is throwing error below error.
System.UnauthorizedAccessException: Neither scope or roles claim was found in the bearer token.
I am able to access all web services by authenticating with response_type "code" in postman.
I have tried to decode the token in jwt.io. It is clearly the issue with scope. I am attaching the image of config file in react.
config
In the image, the blurred part in blue color is clientId from AAD app.
In above config, I have provided the scope, but after decoding the token I am not getting the scope field.

You cannot directly request /common, because it will not be able to respond to your scope or role because you can't find the tenant you want to request the token. You should add your tenant URI (domain.onmicrosoft.com) or tenant id when requesting .
https://login.microsoftonline.com/{your-tenant-uri-or-your-tenant-id}/oauth2/v2.0/token

Azure active directory using loginwithazureactivedirectory and expressmode

we want to use azure active directory for function app authetication after enabling azureactive directory express mode.we have selected loginwithazureactivedirectory option.
when we are hitting function through postman it is giving html of log in screen of micro soft.
with out that sceen cant we access the fucntion app uRL.
Please find the below screen for your reference
Any help is appreciated on this

After you successfully configure Azure AD for your web app, you need to use the access token to access your application.
I get an access token from AAD using clientID and clientSecret using the following code:
METHOD: POST
Url : https://login.microsoftonline.com/your directory ID/oauth2/token
HEADERS: Content-Type : application/x-www-form-urlencoded
BODY: grant_type+=client_credentials&resource+=”your Function url”&client_id+++++=”the application that your register id”&client_secret+=”the key you create”
Please note that according to the Azure Resources
portal(https://resources.azure.com/), the default allowedAudiences is
"https://{functionAppName}.azurewebsites.net/.auth/login/aad/callback"
So I add the https://{functionAppName}.azurewebsites.net/ as allowed
aduiences
enter image description here
Then I can use the access token directly. I test it with postman.
enter image description here
Please note that if your azure function authentication level is not
anonymous, you need to add the function key

Swaggerbuckle with AAD --Error AADSTS500013: Resource identifier is not provided

I'm trying to use AzureAD to get a token in swagger and test my .netCore2.1 API with it.(using Swashbuckle.AspNetCore 4.0.1)
To do this I completed the following steps
1. Created a Web API project(asp.net Core2.1)
2. Register an Azure AD (AAD) app for the Web API
3. Updated the Web API project to use Azure AD authentication
4. Register an AAD app for the Swagger web site https://localhost:5001/swagger
5. Granted permissions for the Swagger AAD app to access the Web API AAD app
6. Generated a Client Secret for the Swagger AAD app
7. Enabled OAuth2 implicit flow on the Swagger AAD app
8. Added Swagger to the Web API project
When I authenticate, I am getting the following error.
Error AADSTS500013: Resource identifier is not provided .
When I click authorize
I am getting error AADSTS500013: Resource identifier is not provided.
My WebAPI project's startup.cs file goes here
Please help me understand which resource Identifier I am missing here or how to resolve this error.
Or any pointers on how to use Swaggerbuckle with ASP.NET Core webAPI, especially with AAD authenticated WebAPI ?
UPDATES
I copied my webAPI's APPID URI from azure portal. ie Dashboard>>Microsoft - App registrations>>MY_API_APP>>Settings>>Properties>>App ID URI
But I am still getting the same error when I try to authenticate
Error AADSTS500013: Resource identifier is not provided

Usually resource identifier which uniquely identifies your application. You can easily found your resource Identifier Like below:
When logged into the Azure portal, Azure Active Directory > App Registrations > [App Name] > Settings> Properties, then it's the App ID URI
See the screen shot:
In the orignal OAuth 2.0 specification, there is no resource parameter in the authorization request. It use scope parameter. The authorization and token endpoints allow the client to specify the scope of the access request using the "scope" request parameter.
As document explains, when Azure AD implement the OAuth 2.0(1.0 endpoint), the resource is used to specify the access_token you request for which resource. And the Azure AD will issue the token which the scp based on the permission you config on the portal for the resource.
And in the v2.0 endpoint, the Azure AD also use the scope to support the dynamic permission request. More detail you can have a look here.
Usual Reason for Error
Make sure you have configured below steps accordingly.
Like below:
Application Manifest
Reply URI
Request Endpoint
For V1.0 refer this URI https://login.microsoft.com//oauth2/authorize
For V2.0 refer this URI https://login.microsoft.com//oauth2/v2.0/authorize
Application Consent
Need to confirm your application required resource access permission you could refer here
I believe this step can lead you to sort out your problem.

With Azure AD V1.0 app you need set resource to identify which api you want to access during the authentication&access token requests :
Code flow :
https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
Implicit flow :
https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-implicit-grant-flow
In Swashbuckle.AspNetCore 4.0.1 , you need to config the resource as parameter if you want to get access token for accessing your web api :
app.UseSwaggerUI(options =>
{
options.SwaggerEndpoint("/swagger/v1/swagger.json", "MySite API V1");
options.OAuthClientId("19c73866-562f-482a-bafb-89d9fe9b0aaa");
options.OAuthAppName("Swagger Api Calls");
// add resource
options.OAuthAdditionalQueryStringParams(new Dictionary<string, string>() { { "resource", "f479db30-9b62-431b-98c2-bcaae52203cf" } });
});

For us Nan Yu's response got us one step closer.
We added the resource in the AdditionalQuerystringParams like so:
options.OAuthAdditionalQueryStringParams(new Dictionary<string, string>() { { "resource", "{ResourceIDHere}" } });
We are now able to get passed the Auth step in Swagger, but trying routes out doesn't seem to pass the token to the api called and so we get a 401 Error.

change { "scope", API_AppID_URI} to { "resource", API_AppID_URI}

GetAppServiceIdentityAsync AAD returns null

I have a working Azure Mobile .NET backend which has a requirement to expose data securely through a TableController.
The table controller has the the [Authorize] attribute on the controller class definition and I have Token Store Enabled in the Azure Portal's Authentication / Authorization blade.
I'm using the following code to get the user's credentials passed by the mobile client app:
var creds = await this.User.GetAppServiceIdentityAsync(this.Request);
However, when deployed to the Azure portal this always returns a NULL exception; digging deeper I can see "Exception=System.ArgumentOutOfRangeException: The 'principal' parameter must be of type 'ClaimsPrincipal'."
Using JWT.IO, I've inspected the token being passed from the client app and the token looks 100% correct.
With the backend deployed to the Azure Portal and a breakpoint set I see that this.User is null!
How do I get access to the user's credentials, has anyone got this working?
Cheers,
Iain