What is the correct use of scopes and app roles in an Azure AD web API with user and daemon clients?

I have a web api to access "resources". These are not user specific resources.

There is a "reader" app role. User1 is added to the "reader" role. App1 has been granted permission to the "reader" role.

[HttpGet]
[Authorize(Roles = "Reader")]     // evaluated against the token's "roles" claim
[RequiredScope("Asset.Read")]     // evaluated against the token's "scp" claim (delegated scope)
public async Task<IActionResult> GetResource(Guid resourceId)

When user1 accesses the route (with a token that has the scope), it works.

When app1 tries to access the route it gets a 403 Forbidden, even though it had ".default", which I thought would give it access to all scopes?

Question 1: Why can't app1 access the route?

Question 2: Why do I even need a scope? It seems like there is a lot of conflicting documentation on why to set up scopes.


Solution 1:

For clarity, I am taking your second question first.

Question 2: Why do I even need a scope? It seems like there is a lot of conflicting documentation on why to set up scopes.

.default only includes those scopes or permissions which you have added here.


In the app registration portal, applications can list the permissions they require, including both delegated permissions and application permissions. This setup allows the use of the .default scope and the Azure portal's "Grant admin consent" option.

Note: Application permissions can be requested only through the use of .default. So if your app needs application permissions, make sure they're listed in the app registration portal.



Question 1: Why can't app1 access the route?

I assume this may be because the app role which you have created is only for Users/Groups, not for Both (Users/Groups + Applications).


Create an App Role for Both (Users/Groups + Applications). Once created, you can add the role for Users/Groups and for the Application as well, from API permissions.

API Permissions -> Add a permission -> MyAPI -> Select the application in which you have created the app role -> Application permissions -> Select Permission -> Add permission.


Now, finally, grant admin consent for that permission.


Now all the above added permissions will come under the .default permission.
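One more thing to check for Question 1, as an added example that is not from the question or the answer above: an app-only token that app1 obtains with client credentials and ".default" carries the granted app roles in the "roles" claim and has no "scp" claim at all, so the [RequiredScope("Asset.Read")] check from the question still returns 403 for app1 even after the role is granted to the application. Microsoft.Identity.Web's RequiredScopeOrAppPermission attribute accepts either a delegated scope or an app role; the controller name, route and the placeholder body are assumed, and the API is assumed to be registered with AddMicrosoftIdentityWebApiAuthentication so the attribute's authorization handler is wired up.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;

// Assumed controller name and route; only GetResource comes from the question.
[ApiController]
[Route("api/[controller]")]
[Authorize]
public class ResourcesController : ControllerBase
{
    // Both a user token (user1 assigned to the role) and an app-only token
    // (app1 granted the role as an application permission) carry "Reader" in
    // the "roles" claim, so this check passes for either caller.
    [HttpGet("{resourceId:guid}")]
    [Authorize(Roles = "Reader")]
    // A delegated (user) token carries "scp"; an app-only token obtained with
    // client credentials and ".default" carries only "roles" and no "scp".
    // [RequiredScope("Asset.Read")] on its own therefore rejects app1 with 403.
    // This attribute passes when either the scope or the app role is present.
    [RequiredScopeOrAppPermission(
        AcceptedScope = new[] { "Asset.Read" },
        AcceptedAppPermission = new[] { "Reader" })]
    public Task<IActionResult> GetResource(Guid resourceId)
    {
        // Placeholder body: the real resource lookup is not on the page.
        return Task.FromResult<IActionResult>(Ok(new { resourceId }));
    }
}
```

With this, user1 needs both the "Reader" role and the Asset.Read scope in its token, while app1 needs only the "Reader" application permission granted and admin-consented as described above.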