Getting token but not scope inside that token using MSAL code

Question

I’m replacing AAD code to MSAL.

Login page first hit Startup.cs

Here I'm generating token using user info if generated token I checked with jwt encoder it shows scope.

Startup.cs

var graphApiResource ="https://graph.microsoft.com/";
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(this.Configuration["Authentication:AzureAd:ClientId"])
.WithRedirectUri(x.Properties.Items[OpenIdConnectDefaults.RedirectUriForCodePropertiesKey])
.WithClientSecret(this.Configuration["Authentication:AzureAd:ClientSecret"])
.WithAuthority(this.Configuration["Authentication:AzureAd:AADInstance"] + this.Configuration["Authentication:AzureAd:TenantId"])
.Build();

var scopes = new string[] { $"{graphApiResource}/.default" };

AuthenticationResult authenticationResult;
authenticationResult = await app.AcquireTokenByAuthorizationCode(scopes, x.ProtocolMessage.Code).ExecuteAsync();
var token = authenticationResult.AccessToken;

This works perfectly fine. After this startup.cs code ran from userinfo.cs which is generating token but as I'm not passing any user details while generating token token generated do not have scope inside it and unable to use it successfully.

UserInfo.cs

var graphApiResource ="https://graph.microsoft.com/";
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(this.configuration["Authentication:AzureAd:ClientId"])
            .WithRedirectUri($"{this.httpContextAccessor?.HttpContext.Request.Scheme}://{this.httpContextAccessor?.HttpContext.Request.Host}{this.configuration["Authentication:AzureAd:CallbackPath"]}")
            .WithClientSecret(this.configuration["Authentication:AzureAd:ClientSecret"])
            .WithAuthority(this.configuration["Authentication:AzureAd:AADInstance"] + this.configuration["Authentication:AzureAd:TenantId"])
            .Build();

var scopes = new string[] { $"{graphApiResource}/.default" };

AuthenticationResult authenticationResult;
authenticationResult = await app.AcquireTokenForClient(scopes).ExecuteAsync();
var token = authenticationResult.AccessToken;

What should be done?

Permission details:

My issue is previously I'm using old nuget i.e Microsoft. IdentityModel.Clients.ActiveDirectory

Code was this -

private async Task<string> GetAuthorizationHeaderCore(string resource)
{
    var objectId = (this.httpContextAccessor.HttpContext.User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
    var userTenantId = (this.httpContextAccessor.HttpContext.User.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid"))?.Value;

    var distributedTokenCache = new DistributedTokenCache(
        this.scopedCacheFactory,
        this.dataProtectionProvider,
        this.telemetryClient,
        userTenantId + ":" + objectId
    );

    var clientCredential = new ClientCredential(this.authOptions.ClientId, this.authOptions.ClientSecret);
    var authenticationContext = new AuthenticationContext(this.authOptions.AADInstance + this.authOptions.TenantId, distributedTokenCache);

    AuthenticationResult authenticationResult;

    var accessToken = await GetTokenWithFallBackAsync(this.httpContextAccessor.HttpContext, "access_token");
    if (accessToken != null)
    {
        if (this.httpContextAccessor?.HttpContext?.Items?["isAuthenticatedService"] as bool? == true)
        {
            authenticationResult = await authenticationContext.AcquireTokenAsync(resource, this.backgroundServiceClientCredential).ConfigureAwait(false);
        }
        else
        {
            var userPrincipalName = this.httpContextAccessor.HttpContext.User.Identity.Name;
            var userAssertion = new UserAssertion(accessToken, "urn:ietf:params:oauth:grant-type:jwt-bearer", userPrincipalName);
            authenticationResult = await authenticationContext.AcquireTokenAsync(resource, clientCredential, userAssertion).ConfigureAwait(false);
        }
    }
    else
    {
        // Just hope we already have a token (openid case)
        var userIdentifier = new UserIdentifier(objectId, UserIdentifierType.UniqueId);
        authenticationResult = await authenticationContext.AcquireTokenSilentAsync(resource, clientCredential, userIdentifier);
    }

    return authenticationResult.CreateAuthorizationHeader();
}

Now I want to use msal nuget i.e Microsoft.Identity.Client so want to convert above code which can work for new nuget.

Answer 1

Note that, you need to grant permissions of Application type while using client credentials flow that are visible in roles claim of decoded token.

I registered one Azure AD application and granted API permissions of Application type as below:

Now, I generated access token using client credentials flow with your code as below:

using Microsoft.Identity.Client;

var graphApiResource = "https://graph.microsoft.com/";
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create("appID")
            .WithClientSecret("secret")
            .WithAuthority("https://login.microsoftonline.com/tenantId/oauth2/v2.0/authorize")
            .Build();

var scopes = new string[] { $"{graphApiResource}/.default" };

AuthenticationResult authenticationResult;
authenticationResult = await app.AcquireTokenForClient(scopes).ExecuteAsync();
var token = authenticationResult.AccessToken;
Console.WriteLine($"Access Token: {token}\n");

Response:

To confirm that, I decoded this token in jwt.ms website where it has roles claim with Application permissions as below:

You can now use this token to fetch user info of any user in that tenant like this:

using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

class Program
{
    static async Task Main(string[] args)
    {
        string accessToken = await GetAccessToken();

        if (!string.IsNullOrEmpty(accessToken))
        {
            await GetUserDetails(accessToken, "user_id_here"); // Replace "user_id_here" with the actual user ID
        }
    }

    static async Task<string> GetAccessToken()
    {
        string clientId = "appId";
        string clientSecret = "secret";
        string tenantId = "tenantId";

        var app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"))
            .Build();

        var scopes = new string[] { "https://graph.microsoft.com/.default" };

        var result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
        return result.AccessToken;
    }

    static async Task GetUserDetails(string accessToken, string userId)
    {
        var graphApiEndpoint = $"https://graph.microsoft.com/v1.0/users/{userId}";

        using (var client = new HttpClient())
        {
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

            var jsonResponse = await client.GetStringAsync(graphApiEndpoint);

            Console.WriteLine("User Details:");
            Console.WriteLine(jsonResponse);
        }
    }
}

Response:

If your use case is to fetch signed-in user details, you must use delegated flows like authorization code flow, interactive flow, etc... for generating access token that involves user interaction, by granting Delegated permissions.