I have developed a Web API application which accesses 3rd-party users' mail. The application obtains access through MSAL.NET with a PublicClientApplicationBuilder, a sample of which is shown at the following link: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Client-Applications/351a92cd4066676281d9997c13e9e192db105080
It was working OK on my development machine; however, I have now deployed the app on Azure App Service, where it is not working.
The trouble is that I can only provide a localhost redirect URI for the authentication flow. However, an Azure App Service cannot listen to localhost - Access is denied.
Any suggestion, please?
You need to register the hosted app's actual reply URL in addition to localhost in Entra.
Note: you are using the docs for a previous version. You should use the new docs:
Hi Avrohom Singer,
Thank you for your response and for providing additional details.
You need to switch to the Authorization Code Flow to allow other users to interactively grant access to their resources.
For web apps deployed in Azure App Service, ConfidentialClientApplication can still be used for interactive logins when users authorize your app. Replace your PublicClientApplication logic:
```csharp
using Microsoft.Identity.Client;

// Confidential client: the app proves its own identity with a secret, so no localhost listener is needed.
var confidentialClient = ConfidentialClientApplicationBuilder.Create(clientId)
    .WithClientSecret(clientSecret) // Add your client secret here
    .WithRedirectUri("https://<your-app-name>.azurewebsites.net/signin-oidc") // must match the registered Redirect URI
    .Build();

// Authorization code flow - exchange the code returned to the redirect URI for tokens
var authResult = await confidentialClient.AcquireTokenByAuthorizationCode(scopes, authorizationCode).ExecuteAsync();
```
- authorizationCode: the code obtained after redirecting users to Azure AD login.
- scopes: the scopes representing the permissions your app needs.
The error AADSTS7000229 indicates that your app registration doesn't have a service principal in the tenant.
Ensure the service principal exists:
1. Go to the Azure Portal > Azure Active Directory > Enterprise Applications.
2. Search for your app by its Client ID.
3. If the app is not found, re-create the service principal:
```shell
az ad sp create --id <your-client-id>
```
4. Navigate to Authentication in your app registration.
5. Ensure the Redirect URI matches your application URL, e.g., https://<your-app-name>.azurewebsites.net/signin-oidc.
To allow users to log in and authorize your app interactively, redirect them to the authorization endpoint:
```
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
  ?client_id={clientId}
  &response_type=code
  &redirect_uri={redirectUri}
  &scope={scopes}
  &response_mode=query
  &state=12345
```
- {tenant}: use common for multi-tenant apps, or your specific tenant ID.
- {scopes}: permissions like User.Read or Mail.Read.
Upon user consent, Azure AD will redirect back with an authorization code, which you can exchange for a token using AcquireTokenByAuthorizationCode.
https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow
If the answer is helpful, please click "Accept Answer" and kindly upvote it.
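The two halves of the flow described in the answer (building the authorize redirect, then exchanging the returned code) wired into one minimal ASP.NET Core app, as an added example that is not code from the original thread. It assumes hypothetical environment variable names for the client ID and secret, keeps the answer's redirect URI placeholder, and uses a per-request random state value to reject callbacks the app did not initiate.

```csharp
using System.Collections.Concurrent;
using System.Security.Cryptography;
using Microsoft.Identity.Client;

// Hypothetical configuration: replace with your app registration's values.
string clientId     = Environment.GetEnvironmentVariable("ENTRA_CLIENT_ID")!;
string clientSecret = Environment.GetEnvironmentVariable("ENTRA_CLIENT_SECRET")!;
// Must exactly match a Redirect URI registered on the app registration's Authentication page.
string redirectUri  = "https://<your-app-name>.azurewebsites.net/signin-oidc";
string[] scopes     = { "User.Read", "Mail.Read" };

IConfidentialClientApplication cca = ConfidentialClientApplicationBuilder.Create(clientId)
    .WithClientSecret(clientSecret)
    .WithAuthority(AzureCloudInstance.AzurePublic, "common") // or your specific tenant ID
    .WithRedirectUri(redirectUri)
    .Build();

// Pending anti-CSRF state values (in-memory for this example; a real app ties them to the user's session).
var pendingStates = new ConcurrentDictionary<string, byte>();

var app = WebApplication.CreateBuilder(args).Build();

// Step 1: send the user to the /authorize endpoint with a fresh, unguessable state value.
app.MapGet("/login", async () =>
{
    string state = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
    pendingStates[state] = 0;
    Uri authorizeUrl = await cca.GetAuthorizationRequestUrl(scopes)
        .WithExtraQueryParameters(new Dictionary<string, string> { ["state"] = state })
        .ExecuteAsync();
    return Results.Redirect(authorizeUrl.ToString());
});

// Step 2: Entra ID redirects back to /signin-oidc?code=...&state=...; exchange the code for tokens.
app.MapGet("/signin-oidc", async (string? code, string? state, string? error) =>
{
    if (error is not null)                      // e.g. the user declined consent
        return Results.BadRequest($"Authorization failed: {error}");
    if (code is null || state is null || !pendingStates.TryRemove(state, out _))
        return Results.BadRequest("Missing code or unrecognised state"); // reject replayed or forged callbacks

    AuthenticationResult result = await cca.AcquireTokenByAuthorizationCode(scopes, code).ExecuteAsync();
    // result.AccessToken can now call Microsoft Graph on the user's behalf; MSAL caches the refresh
    // token, so later requests can use AcquireTokenSilent with result.Account instead of re-prompting.
    return Results.Ok($"Signed in as {result.Account.Username}");
});

app.Run();
```

If the redirect URI here differs from the one registered in Entra (including scheme and path), the authorize request fails before any code is issued, which is the mismatch the question ran into.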