Public Client Application MSAL.NET deployed to Azure App Service

Avrohom Singer 0 Reputation points
2024-12-05T11:10:58.9666667+00:00

I have developed a Web API application which accesses 3rd-party users' mail. The application is obtaining access through MSAL.NET with a PublicClientApplicationBuilder, a sample of which is shown at the following link: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Client-Applications/351a92cd4066676281d9997c13e9e192db105080

It was working OK on my development machine; however, I have now deployed the app on Azure App Service, where it is not working.

Trouble is, I can only provide a localhost redirect URI for the authentication flow. However, an Azure App Service cannot listen on localhost - Access is denied.

Any suggestion please?


2 answers

  1. Bruce (SqlWork.com) 68,486 Reputation points
    2024-12-05T22:02:09.5866667+00:00

    You need to register the hosted app's actual reply URL in addition to localhost in Entra.

    Note: you are using the docs for a previous version. You should use the new docs:

    https://learn.microsoft.com/en-us/entra/msal/dotnet/


  2. Shree Hima Bindu Maganti 1,585 Reputation points Microsoft Vendor
    2024-12-17T18:51:17.4133333+00:00

    Hi Avrohom Singer,
    Thank you for your response and for providing additional details.
    You need to switch to the Authorization Code Flow to allow other users to interactively grant access to their resources.
    For web apps deployed in Azure App Service, ConfidentialClientApplication can still be used for interactive logins when users authorize your app.
    Replace your PublicClientApplication logic:

    using Microsoft.Identity.Client;

    // Confidential client: the secret lives on the server, so no localhost listener is needed
    var confidentialClient = ConfidentialClientApplicationBuilder.Create(clientId)
        .WithClientSecret(clientSecret) // Add your client secret here
        .WithRedirectUri("https://<your-app-name>.azurewebsites.net/signin-oidc") // Must match the URI registered in Entra
        .Build();

    // Authorization code flow - exchange the code returned to the redirect URI for tokens
    var authResult = await confidentialClient.AcquireTokenByAuthorizationCode(scopes, authorizationCode).ExecuteAsync();

    - `authorizationCode`: The code obtained after redirecting users to Azure AD login.
    - `scopes`: Scopes representing the permissions your app needs.

    The error AADSTS7000229 indicates that your app registration doesn't have a service principal in the tenant.

    Ensure the service principal exists:

    1. Go to the Azure Portal > Azure Active Directory > Enterprise Applications.
    2. Search for your app by its Client ID.
    3. If the app is not found, re-create the service principal:

       az ad sp create --id <your-client-id>

    4. Navigate to Authentication in your app registration.
    5. Ensure the Redirect URI matches your application URL, e.g., https://<your-app-name>.azurewebsites.net/signin-oidc.

    To allow users to log in and authorize your app interactively, redirect them to:

    https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
        ?client_id={clientId}
        &response_type=code
        &redirect_uri={redirectUri}
        &scope={scopes}
        &response_mode=query
        &state=12345

    - `{tenant}`: Use common for multi-tenant apps or your specific tenant ID.
    - `{scopes}`: Permissions like User.Read or Mail.Read.

    Upon user consent, Azure AD will redirect back with an Authorization Code, which you can exchange for a token using AcquireTokenByAuthorizationCode.
    https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow
    If the answer is helpful, please click "Accept Answer" and kindly upvote it.

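To make the answer's flow concrete end to end, here is an added example (not code from either answer or from MSAL.NET itself): an ASP.NET Core minimal API that issues the authorize redirect from the URL template above and handles the /signin-oidc callback, using a random, single-use state value that is validated on return instead of the fixed 12345 shown in the template. The placeholders <client-id>, <client-secret> and <your-app-name>, and the use of .NET 6+ with the Microsoft.Identity.Client package, are assumptions.

```csharp
// Added example, not the answer's or MSAL.NET's own code. Assumes .NET 6+ minimal hosting
// and the Microsoft.Identity.Client package; <client-id>, <client-secret>, <your-app-name> are placeholders.
using System.Security.Cryptography;
using System.Text;
using Microsoft.Identity.Client;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

const string ClientId = "<client-id>";
const string ClientSecret = "<client-secret>";   // in practice: App Service settings or Key Vault reference
const string RedirectUri = "https://<your-app-name>.azurewebsites.net/signin-oidc";
const string Tenant = "common";                  // multi-tenant: users from other organisations
string[] scopes = { "Mail.Read" };               // delegated permission the user is asked to consent to

IConfidentialClientApplication msal = ConfidentialClientApplicationBuilder.Create(ClientId)
    .WithClientSecret(ClientSecret)
    .WithRedirectUri(RedirectUri)                // must match the Redirect URI registered in Entra
    .WithAuthority(AzureCloudInstance.AzurePublic, Tenant)
    .Build();

// Step 1: redirect the user to /authorize, binding the round trip to a random state kept in an HttpOnly cookie.
app.MapGet("/signin-start", (HttpContext ctx) =>
{
    string state = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
    ctx.Response.Cookies.Append("oauth_state", state, new CookieOptions
        { HttpOnly = true, Secure = true, SameSite = SameSiteMode.Lax, MaxAge = TimeSpan.FromMinutes(10) });
    string url = $"https://login.microsoftonline.com/{Tenant}/oauth2/v2.0/authorize" +
                 $"?client_id={ClientId}&response_type=code&response_mode=query" +
                 $"&redirect_uri={Uri.EscapeDataString(RedirectUri)}" +
                 $"&scope={Uri.EscapeDataString(string.Join(' ', scopes))}&state={state}";
    return Results.Redirect(url);
});

// Step 2: the registered redirect URI. Reject the callback unless state matches (CSRF / replayed callback),
// then exchange the one-time code for tokens server-side; no localhost listener is involved.
app.MapGet("/signin-oidc", async (HttpContext ctx, string? code, string? state, string? error) =>
{
    if (error is not null) return Results.BadRequest($"Authorization failed: {error}");
    string? expected = ctx.Request.Cookies["oauth_state"];
    ctx.Response.Cookies.Delete("oauth_state");  // single use
    if (code is null || state is null || expected is null ||
        !CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(state), Encoding.UTF8.GetBytes(expected)))
        return Results.BadRequest("State mismatch: callback rejected.");

    AuthenticationResult result = await msal.AcquireTokenByAuthorizationCode(scopes, code).ExecuteAsync();
    // result.AccessToken is the delegated Graph token; result.Account identifies the consenting user.
    return Results.Ok($"Signed in as {result.Account.Username}; token expires {result.ExpiresOn:u}");
});

app.Run();
```

The access token should then be cached per user (MSAL's token cache serialization) rather than kept in memory per request, so that the mailbox can be read later without a new interactive consent.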
