I am calling an external REST API which uses AAD-based authentication. I am using the access token generated for a service principal (app registration) in my tenant, and I have granted the appropriate permission/admin consent to my app on the permission defined by the external API.
I generate the access token using the endpoint "https://login.microsoftonline.com/{aadtenantId}/oauth2/token" with a grant_type of client_credentials and the appropriate audience.
The external API is using WindowsAzureActiveDirectoryBearerAuthenticationOptions (doc) to validate the incoming token.
When I call the API with the above token it returns 401 with the message "Invalid authorization bearer is passed (invalid_grant)".
How can I know which option in WindowsAzureActiveDirectoryBearerAuthenticationOptions controls the grant_type to be validated for the token? I am trying to understand what grant_type the external API has been configured to allow. I have access to the source code of the external API, and I don't see anything in the code that controls/validates grant_type.
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application and Exposed the API:
I generated the Access Token with below parameters:
To validate the token, make sure to configure the UseWindowsAzureActiveDirectoryBearerAuthentication class like below:

The error "401 Invalid authorization bearer is passed (invalid_grant)" usually occurs if you are passing a wrong/invalid resource or scope. Try generating the token with a valid resource and try again.
If the issue still persists, try using the v2.0 endpoint to generate the token like below:
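As an added example (not code from the question or the answer), the helper below builds the v1 request with `resource` and the v2.0 request with `scope` that the answer contrasts, and decodes a token's payload to check that its `aud` and `iss` match what the API expects, which is the first thing to inspect when the middleware returns 401 for a client_credentials token. The tenant id, client id and `api://` URI are constructed placeholders, and the payload is decoded without signature verification, for diagnosis only.

```python
import base64
import json

# Constructed values for this example only (not from the question or answer).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
API_APP_ID_URI = "api://example-external-api"


def token_request(tenant_id, client_id, client_secret, resource, use_v2=False):
    """Build URL and form body for a client_credentials token request (nothing is sent).
    v1 takes 'resource' (the API's App ID URI); v2.0 takes scope '<resource>/.default'."""
    body = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    if use_v2:
        url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
        body["scope"] = f"{resource}/.default"
    else:
        url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
        body["resource"] = resource
    return url, body

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def decode_claims(jwt: str) -> dict:
    """Decode the payload only; the signature is NOT verified (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_unb64url(parts[1]))

def check_token(jwt: str, expected_aud: set, tenant_id: str) -> list:
    """Return the mismatches a bearer middleware would reject the token for."""
    claims = decode_claims(jwt)
    problems = []
    if claims.get("aud") not in expected_aud:
        problems.append(f"aud={claims.get('aud')!r} not in {sorted(expected_aud)}")
    if tenant_id not in claims.get("iss", ""):
        problems.append(f"iss={claims.get('iss')!r} is not issued for tenant {tenant_id}")
    return problems

def sample_token(claims: dict) -> str:
    """Constructed, unsigned token for offline testing; the signature is a placeholder."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder"
```

If `check_token` on a real token reports an `aud` that is not the API's App ID URI (or client id), the token was requested for the wrong resource/scope, which matches the cause the answer describes.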