Authorization for ApiController in Blazor Server

Question

Starting points:

• one azure tenant + azure AD/Entra;
• one blazor server app deployed on App Service (+ App registration and managed identity)
  • with an ApiController behind Authorization to be accessed by
• one azure function (+ App registration and managed identity)
  • through HttpClient + Bearer token
  • triggered through Queue storage
• all is based on .net6 (migration to .net8 not planned for now)

In Azure when trying to access the api I'm getting a 401 HTTP response code; in development I'm getting a 302 response which is ultimately leading to a 'soft failure' (= not calling the api).

(Note: the Blazor Server primary role is an SPA with auth for organizational accounts; the ApiController is there for notifications from the Azure Function)

I've created an app role for application in the Blazor App Registration and given permissions to the Azure function; I've even exposed the API in the Blazor App registration and given permissions to the Azure function too (although this was listed as delegated permission which, I guess, should not help at all).

I'm aware of a possible solution where I get rid of the ApiController and bind both apps to a SignalR hub (as it is basically what I'm trying to achieve at the moment) but that doesn't solve how to access such ApiControllers.

I guess I need to configure the Blazor Server app to accept bearer tokens but as I'm relatively new to this whole ecosystem I'm not sure how exactly should that section look like.

Any help is welcomed, thanks.

Update: I added following to the Program.cs code:

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

Now the ApiCall succeeds, but it has overridden the previously added section

builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .[ommited]

Seems the next step is to combine these two and use OpenId for web interaction and JWT for api calls... - Done.

Continuation (Edit Nr.2)

The answer I posted works for localhost, but I'm still getting 401 when all is deployed in the azure ecosystem. Seems I'm missing some azure configuration point...

Edit (hopefully final)

I was missing the AzureAd section in the deployed config... yep... obvious... should have noticed way sooner.

Anyway, the answer I posted works now. Also the only needed permission was to create the App role in App Registration, and exposing the API to get the scope for token request.

Answer 1

The solution was unsurprisingly simple.

In Program.cs I replaced

builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme);
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
    .[ommited];

with:

var auth = builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme);
auth.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
    .[ommited];
auth.AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

and adjusted the [Authorize] attribute to use the "Bearer" Schema:

[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]