What is the correct use of scopes and app roles in an Azure AD web api with user and daemon clients?
I have a web api to access "resources". These are not user specific resources.
There is a "reader" app role. User1 is added to the "reader" role. App1 has been granted permission to the "reader" role.
```csharp
[HttpGet]
[Authorize(Roles = "Reader")]
[RequiredScope("Asset.Read")]
public async Task<IActionResult> GetResource(Guid resourceId)
{
    // ... look up and return the resource
}
```
When user1 accesses the route (with a token that has the scope) it works.
When app1 tries to access the route it gets a 403 Forbidden, even though it had ".default", which I thought would give it access to all scopes?
Question 1: Why can't app1 access the route?
Question 2: Why do I even need a scope? It seems like there is a lot of conflicting documentation on why to set up scopes.
Solution 1:
For your clear understanding, I am picking your second question first.
Question 2: Why do I even need a scope? It seems like there is a lot of conflicting documentation on why to set up scopes.
.default only includes those scopes or permissions which you have added here.
In the app registration portal, applications can list the permissions they require, including both delegated permissions and application permissions. This setup allows the use of the .default scope and the Azure portal's Grant admin consent option.
Note: Application permissions can be requested only through the use of .default. So if your app needs application permissions, make sure they're listed in the app registration portal.
Question 1: Why can't app1 access the route?
Assuming, this may be because the app role which you have created is only for Users/Groups, not for Both (Users/Groups + Applications).
Create an app role for Both (Users/Groups + Applications), and once created you can add the role for Users/Groups and Applications as well from API permissions.
API Permission -> Add a permission -> MyAPI -> Select the application in which you have created the app role -> Application Permission -> Select Permission -> Add permission.
Now finally, grant admin consent for that permission.
Now all the above added permissions will come under the .default permission.
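As an added example (not code from the question or the answer above), here is one way to let the question's route serve both client types: a custom ASP.NET Core authorization policy that succeeds when a delegated (user) token carries the Asset.Read scope in its scp claim, or when an app-only (daemon) token carries the Reader app role in its roles claim. App-only tokens issued for .default carry a roles claim but no scp claim, so a check that demands a scope on its own can never succeed for a daemon. The policy name ReadResources, the route, and the controller class are assumed for illustration; the Microsoft.Identity.Web authentication wiring is assumed to be already present in the API.

```csharp
// Added example, not from the question or answer. Assumed names: policy
// "ReadResources", scope "Asset.Read", app role "Reader", route api/resources.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// One requirement that is satisfied by EITHER a delegated scope OR an app role.
public sealed class ScopeOrAppRoleRequirement : IAuthorizationRequirement
{
    public string Scope { get; }
    public string AppRole { get; }

    public ScopeOrAppRoleRequirement(string scope, string appRole)
    {
        Scope = scope;
        AppRole = appRole;
    }
}

public sealed class ScopeOrAppRoleHandler : AuthorizationHandler<ScopeOrAppRoleRequirement>
{
    // Azure AD puts delegated permissions in "scp" (space-separated) or, after
    // claim mapping, in the long-form scope claim type. App roles land in "roles".
    private static readonly string[] ScopeClaimTypes =
    {
        "scp",
        "http://schemas.microsoft.com/identity/claims/scope"
    };

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, ScopeOrAppRoleRequirement requirement)
    {
        var user = context.User;

        // Delegated token (user flow): the required scope must appear in scp.
        bool hasScope = user.Claims
            .Where(c => ScopeClaimTypes.Contains(c.Type))
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .Contains(requirement.Scope, StringComparer.Ordinal);

        // App-only token (daemon flow): there is no scp claim at all; the app role
        // in "roles" is what authorizes the caller. IsInRole honours the role claim
        // type configured by the authentication setup (the same check that backs
        // [Authorize(Roles = "...")]).
        bool hasAppRole = user.IsInRole(requirement.AppRole);

        if (hasScope || hasAppRole)
        {
            context.Succeed(requirement);
        }

        return Task.CompletedTask;
    }
}

// Registration (call from Program.cs / Startup after the authentication setup).
public static class ResourceAuthorization
{
    public const string ReadPolicy = "ReadResources";

    public static IServiceCollection AddResourceAuthorization(this IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, ScopeOrAppRoleHandler>();
        services.AddAuthorization(options =>
            options.AddPolicy(ReadPolicy, policy => policy
                // Reject anonymous callers explicitly; a named policy does not
                // inherit the default policy's authenticated-user requirement.
                .RequireAuthenticatedUser()
                .AddRequirements(new ScopeOrAppRoleRequirement("Asset.Read", "Reader"))));
        return services;
    }
}

[ApiController]
[Route("api/resources")]
public sealed class ResourcesController : ControllerBase
{
    // Replaces [Authorize(Roles = "Reader")] + [RequiredScope("Asset.Read")],
    // which together demand BOTH a role and a scope and so reject daemon tokens.
    [HttpGet("{resourceId:guid}")]
    [Authorize(Policy = ResourceAuthorization.ReadPolicy)]
    public IActionResult GetResource(Guid resourceId)
    {
        // Placeholder body: look up and return the resource here.
        return Ok(new { resourceId });
    }
}
```

The handler deliberately checks the two claim families separately: a user token that merely has the Reader app role assigned but was issued without the Asset.Read scope still passes via IsInRole, so if you want users to be gated strictly by scope, drop the role branch for delegated tokens (for example by only consulting roles when no scp claim is present). Log which branch succeeded so that daemon and user access to the same resource remain distinguishable in the API's audit trail.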