Thursday, December 5, 2019

One reason for Graph API call failure when it is done under delegated permissions

As you probably know, you may call Graph API with app-only permissions or with user delegated permissions. Here is an example of an authentication provider which can be used for calling Graph API under delegated permissions (using a username and password, i.e. ADAL's UserPasswordCredential):

using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public class AzureAuthenticationProviderDelegatedPermissions : IAuthenticationProvider
{
    // Called by GraphServiceClient before every request: attach a bearer token
    // acquired under delegated (user) permissions.
    public async Task AuthenticateRequestAsync(HttpRequestMessage request)
    {
        var delegatedAccessToken = await GetGraphAccessTokenForDelegatedPermissionsAsync();
        request.Headers.Add("Authorization", "Bearer " + delegatedAccessToken);
    }

    // Acquires a Graph access token with ADAL's username/password grant.
    public async Task<string> GetGraphAccessTokenForDelegatedPermissionsAsync()
    {
        string clientId = "...";  // application (client) id of the app registration
        string userName = "...";  // user whose delegated permissions are used
        string password = "...";
        string tenant = "...";    // tenant id or verified domain name

        var creds = new UserPasswordCredential(userName, password);
        var authContext = new AuthenticationContext(string.Format("https://login.microsoftonline.com/{0}", tenant));
        var authResult = await authContext.AcquireTokenAsync("https://graph.microsoft.com", clientId, creds);
        return authResult.AccessToken;
    }
}

However, when you call Graph API with delegated permissions this way, you may get the following error:

AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

The reason may be that the app registration whose application id is used for authentication has its Default client type set to private, i.e. "Treat application as a public client" is set to No:

In order to fix it, set Default client type to Public (set "Treat application as a public client" to Yes).
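To make the error concrete, here is an added example (not code from the post) that builds the Azure AD v1 token request ADAL sends for UserPasswordCredential and parses the AADSTS code out of a token-endpoint error body. The tenant, client id, user name and the sample error JSON are constructed placeholders. A public client sends no client_secret; a confidential (private) client must send a client_secret or client_assertion, which is exactly the parameter AADSTS7000218 says is missing.

```python
import json
import re
from urllib.parse import urlencode

# Same authority format as the post's AuthenticationContext.
AUTHORITY = "https://login.microsoftonline.com/{tenant}"
GRAPH_RESOURCE = "https://graph.microsoft.com"


def ropc_token_request(tenant, client_id, username, password, client_secret=None):
    """Build the v1 /oauth2/token request for the username/password (ROPC) grant.

    Returns (url, form_body). With client_secret=None the body matches what a
    public client sends; a confidential client must add client_secret.
    """
    body = {
        "grant_type": "password",
        "resource": GRAPH_RESOURCE,
        "client_id": client_id,
        "username": username,
        "password": password,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    url = AUTHORITY.format(tenant=tenant) + "/oauth2/token"
    return url, urlencode(body)


AADSTS_RE = re.compile(r"AADSTS(\d+)")

# Known code from the post; anything else is reported as unrecognised.
EXPLANATIONS = {
    "7000218": "app registration is a confidential client: set 'Treat application "
               "as a public client' to Yes, or send a client_secret/client_assertion",
}


def diagnose_token_error(response_json):
    """Extract the AADSTS code from a token error body and explain it if known."""
    err = json.loads(response_json)
    match = AADSTS_RE.search(err.get("error_description", ""))
    code = match.group(1) if match else None
    return code, EXPLANATIONS.get(code, "unrecognised AADSTS code; read error_description")


# Constructed sample of the error body the post quotes (not a real capture).
SAMPLE_ERROR = json.dumps({
    "error": "invalid_client",
    "error_description": "AADSTS7000218: The request body must contain the following "
                         "parameter: 'client_assertion' or 'client_secret'.",
})


if __name__ == "__main__":
    url, body = ropc_token_request("contoso.example", "client-id-placeholder",
                                   "user@contoso.example", "password-placeholder")
    print(url)
    print(body)
    print(diagnose_token_error(SAMPLE_ERROR))
```

Note that the username/password grant sends the user's password straight to the token endpoint and cannot satisfy MFA or Conditional Access prompts, so it only works for accounts that are exempt from them; for a public client that runs on a user's machine, an interactive or device code flow avoids handling the password at all.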
