I am using Microsoft Graph APIs to programmatically register a client app and a resource server, and to assign a role from the resource server to the client app. Here are the steps followed:

  1. Get Access Token --> https://login.windows.net/<Tenant_Id>/oauth2/token/?api-version=1.6

  2. Client App Registration --> https://graph.windows.net/<Tenant_Id>/applications/?api-version=1.6

  3. Client Service Principal

  4. Resource Server Registration with the below app role in the manifest:

```json
"appRoles": [
  {
    "allowedMemberTypes": [
      "Application"
    ],
    "description": "Description of Role - Resource_API_11092017",
    "displayName": "Role_Resource_API_11092017",
    "id": "5ff0033d-fa87-4a77-9b3d-b4b201dfc32e",
    "isEnabled": true,
    "value": "Read_Only_Resource_API_11092017"
  }
],
```

  5. Resource Server Service Principal creation

  6. Assigning Role to client App.

When I am trying to get the access token using the credentials of the client app, I am not getting any roles in the JWT nor any information about the resource server.

I even granted permission from the portal in the client app to the role of the resource server. But still no luck.

Any help will be appreciated. Let me know if you need more details.

Thanks.

Update on 11/14/2017:

Please find the Payload of the JWT.

```json
{
  "aud": "https://xxxxx.onmicrosoft.com/Resource_API_11092017",
  "iss": "https://sts.windows.net/caa4bd37-xxxx-xxxx-xxxx-bba4bd0e22a6/",
  "iat": 1510679930,
  "nbf": 1510679930,
  "exp": 1510683830,
  "aio": "Y2NgYLipff1Ghn65atEd97grbjxxxx==",
  "appid": "3ec8690d-xxxx-xxxx-xxxx-739709a758cc",
  "appidacr": "1",
  "idp": "https://sts.windows.net/caa4bd37-xxxx-xxxx-xxxx-bba4bd0e22a6/",
  "tid": "caa4bd37-xxxx-xxxx-xxxx-bba4bd0e22a6",
  "ver": "1.0"
}
```

The service principal does not contain any Role in it. But I have assigned the Role_Assigned_API_11092017 as Application Permissions using portal. This Role_Assigned_API_11092017 is defined as Role in the resource app Resource_API_11092017.

Permissions are granted from the Resource_API_11092017 through Portal.

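The token in the update above is the failure mode a resource server has to be ready for: `aud`, `iss`, `tid` and `exp` are all fine, the signature would verify, yet there is no `roles` claim, so the token proves only that some app in the tenant authenticated, not that it was granted anything. The check below is an added example written for this page (it is not code from the question, the answer or Microsoft). It parses the two payloads the thread shows as constructed, unsigned tokens (the masked GUIDs are replaced by placeholder values), applies the standard claim checks, and fails closed when the required role is absent. Signature verification against the tenant's signing keys is deliberately omitted and must run before any of this is trusted.

```python
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unsigned_jwt(payload: dict) -> str:
    """Build an UNSIGNED token (alg none, empty signature) for offline demonstration only."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()), ""])


def decode_claims(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def check_app_token(token, expected_aud, tenant_id, required_role, now=None):
    """Return the reasons to reject the token; an empty list means accept.

    Signature verification is assumed to have happened already (not shown).
    A token with the right aud/iss/tid but no roles claim is still rejected:
    authentication of the caller is not authorization for this resource.
    """
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != expected_aud:
        problems.append(f"aud {claims.get('aud')!r} is not this resource")
    if claims.get("iss") != f"https://sts.windows.net/{tenant_id}/":
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("tid") != tenant_id:
        problems.append(f"unexpected tenant {claims.get('tid')!r}")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        problems.append("token not yet valid or expired")
    roles = claims.get("roles", [])
    if required_role not in roles:
        problems.append(f"required role {required_role!r} missing; roles claim is {roles}")
    return problems


TENANT_ID = "caa4bd37-0000-0000-0000-000000000000"  # placeholder for the masked tenant id
ISSUER = f"https://sts.windows.net/{TENANT_ID}/"

# Constructed from the question's payload: valid on aud/iss/exp alone, no roles at all.
PAYLOAD_NO_ROLES = {
    "aud": "https://xxxxx.onmicrosoft.com/Resource_API_11092017",
    "iss": ISSUER, "iat": 1510679930, "nbf": 1510679930, "exp": 1510683830,
    "appid": "3ec8690d-0000-0000-0000-000000000000", "appidacr": "1",
    "idp": ISSUER, "tid": TENANT_ID, "ver": "1.0",
}
# Constructed from the answer's payload, issued once the role assignment existed.
PAYLOAD_WITH_ROLES = {
    "aud": "https://xxxxxxx.onmicrosoft.com/resource_app_11202017",
    "iss": ISSUER, "iat": 1511209576, "nbf": 1511209576, "exp": 1511213476,
    "appid": "dffe69ef-0000-0000-0000-000000000000", "appidacr": "1",
    "idp": ISSUER, "oid": "f2af0608-0000-0000-0000-000000000000",
    "roles": ["readonly_role_resource_app_11202017", "writeonly_role_resource_app_11202017"],
    "sub": "f2af0608-0000-0000-0000-000000000000", "tid": TENANT_ID, "ver": "1.0",
}
TOKEN_NO_ROLES = unsigned_jwt(PAYLOAD_NO_ROLES)
TOKEN_WITH_ROLES = unsigned_jwt(PAYLOAD_WITH_ROLES)


def demo():
    """Evaluate both tokens one minute after issue so the result is deterministic."""
    return {
        "no_roles": check_app_token(TOKEN_NO_ROLES, PAYLOAD_NO_ROLES["aud"], TENANT_ID,
                                    "Read_Only_Resource_API_11092017",
                                    now=PAYLOAD_NO_ROLES["iat"] + 60),
        "with_roles": check_app_token(TOKEN_WITH_ROLES, PAYLOAD_WITH_ROLES["aud"], TENANT_ID,
                                      "readonly_role_resource_app_11202017",
                                      now=PAYLOAD_WITH_ROLES["iat"] + 60),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "accepted" if not problems else problems)
```

The `roles` values compared here are the `value` strings from the resource app's `appRoles` (the answer's token carries `readonly_role_resource_app_11202017`, not the role's display name or GUID), so the resource should compare against exactly what it declared in its manifest.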
  • Hi. What information are you getting back? Are you getting any claims? What's your decoded JWT look like? – Usman Mutawakil Nov 13 '17 at 22:37
  • You can check your appRoleAssignments with the [Graph Explorer](https://graphexplorer.azurewebsites.net/). Your client app's service principal should have them, so try `https://graph.windows.net/tenant-id/servicePrincipals/client-sp-id/appRoleAssignments`. – juunas Nov 14 '17 at 06:51
  • Those assignments should be created when you press Grant permissions. – juunas Nov 14 '17 at 06:51
  • @UsmanMutawakil, thanks for responding. please find sample JWT below. – amiivas Nov 14 '17 at 17:34
  • @juunas, please find my answer updated. – amiivas Nov 14 '17 at 18:13
  • Did you grant the permission to the *client app*? – juunas Nov 14 '17 at 19:01
  • @juunas, yes I did. – amiivas Nov 14 '17 at 19:54
  • Then the client app service principal should have the appRoleAssignment. If it doesn't, the permissions were not granted properly. Are you logged in as an azure ad admin? – juunas Nov 14 '17 at 19:56
  • @juunas, yes I am logged in as AD admin for my account and the Grant permissions was also clicked. Is something else I am missing? – amiivas Nov 14 '17 at 21:17

1 Answer

I was able to get role claims in the token. Here are the steps you need to follow if you want your client app to have roles defined in the resource app.

  1. Create client App.
  2. Create service principal of the client app.
  3. Create resource app with roles defined as:

```json
"appRoles": [{
    "allowedMemberTypes": [
      "Application"
    ],
```

  4. Create service principal for the resource app.
  5. Patch the client app and resource app with the roles defined in the resource app - allow Roles in the Required Permission section of the client app.
  6. Grant permission on the client app, logging in through your admin account from the Azure portal.

Apart from step 6, everything can be done using the Microsoft Graph API with the access token of an app which has adequate permissions to register apps in your directory.

If anyone has the corresponding API for the Grant Permission action on the client app, please let me know. For now we are treating this as a manual step.
Thanks.

```json
{
  "aud": "https://xxxxxxx.onmicrosoft.com/resource_app_11202017",
  "iss": "https://sts.windows.net/caa4bd37-xxxx-xxxx-xxxx-bba4bdxxxxa6/",
  "iat": 1511209576,
  "nbf": 1511209576,
  "exp": 1511213476,
  "aio": "Y2xxxxBlVE3nxxxxHtx3xSxxxxLAQ==",
  "appid": "dffe69ef-xxxx-xxxx-xxxx-3550bxxxxbd7",
  "appidacr": "1",
  "idp": "https://sts.windows.net/caa4bd37-xxxx-xxxx-xxxx-bba4bdxxxxa6/",
  "oid": "f2af0608-xxxx-xxxx-xxxx-a5acacxxxx8d",
  "roles": [
    "readonly_role_resource_app_11202017",
    "writeonly_role_resource_app_11202017"
  ],
  "sub": "f2af0608-xxxx-xxxx-xxxx-a5acacxxxx8d",
  "tid": "caa4bd37-xxxx-xxxx-xxxx-bba4bdxxxxa6",
  "uti": "VW6inKHUI0SgkuNMi6AcAA",
  "ver": "1.0"
}
```
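The six steps of the answer as one scripted flow, added here as an example; it is not code from the answer or from Microsoft. It assembles the request bodies for the Azure AD Graph endpoints the thread uses (`graph.windows.net/<tenant>/applications`, `/servicePrincipals`, `api-version=1.6`) and sends them to an in-memory stand-in so it runs offline; the tenant id, display names and role values are placeholders. The `requiredResourceAccess` shape in step 5 (the resource's `appId` plus the role `id` with type `"Role"`) is what the portal's Required Permissions writes for an application permission. The step 6 `POST` to `/servicePrincipals/{clientSpObjectId}/appRoleAssignments` is my assumption of the API behind "Grant permissions", inferred from the `appRoleAssignments` collection juunas's comment reads from; the page itself does not confirm it.

```python
import uuid

TENANT_ID = "caa4bd37-0000-0000-0000-000000000000"  # placeholder tenant id, constructed
GRAPH_BASE = f"https://graph.windows.net/{TENANT_ID}"
API_VERSION = "api-version=1.6"


def role_definition(display_name, value, description, role_id=None):
    """One appRoles entry for the resource app's manifest (step 3).

    allowedMemberTypes ["Application"] is what makes the role assignable to a
    client app's service principal (an application permission) rather than a user.
    """
    return {
        "allowedMemberTypes": ["Application"],
        "description": description,
        "displayName": display_name,
        "id": role_id or str(uuid.uuid4()),
        "isEnabled": True,
        "value": value,
    }


def required_resource_access(resource_app_id, role_ids):
    """requiredResourceAccess for the client app (step 5).

    References the resource by its appId and each role by its id, with type
    "Role" (application permission); "Scope" would declare a delegated one.
    """
    return [{
        "resourceAppId": resource_app_id,
        "resourceAccess": [{"id": rid, "type": "Role"} for rid in role_ids],
    }]


def app_role_assignment(role_id, client_sp_object_id, resource_sp_object_id):
    """Body of the appRoleAssignment behind "Grant permissions" (step 6; assumed API).

    principalId and resourceId are service principal OBJECT ids, not appIds.
    """
    return {"id": role_id, "principalId": client_sp_object_id,
            "resourceId": resource_sp_object_id}


class FakeDirectory:
    """In-memory stand-in for the Azure AD Graph endpoints so the flow runs offline.

    Records each request and hands back objectId/appId values the way the
    directory would; real code sends the same bodies with a bearer token.
    """

    def __init__(self):
        self.requests = []  # (method, url, body)

    def post(self, path, body):
        self.requests.append(("POST", f"{GRAPH_BASE}{path}?{API_VERSION}", body))
        created = dict(body, objectId=str(uuid.uuid4()))
        if path == "/applications":
            created["appId"] = str(uuid.uuid4())
        return created

    def patch(self, path, body):
        self.requests.append(("PATCH", f"{GRAPH_BASE}{path}?{API_VERSION}", body))
        return body


def provision(directory, client_name, resource_name, resource_uri, roles):
    """Run the answer's six steps and return the objects that tie them together."""
    # 1-2. client app and its service principal
    client_app = directory.post("/applications", {"displayName": client_name})
    client_sp = directory.post("/servicePrincipals", {"appId": client_app["appId"]})
    # 3-4. resource app (appRoles in its manifest) and its service principal
    resource_app = directory.post("/applications", {
        "displayName": resource_name,
        "identifierUris": [resource_uri],
        "appRoles": roles,
    })
    resource_sp = directory.post("/servicePrincipals", {"appId": resource_app["appId"]})
    # 5. declare the resource's roles as required permissions of the CLIENT app
    role_ids = [r["id"] for r in roles]
    directory.patch(f"/applications/{client_app['objectId']}",
                    {"requiredResourceAccess": required_resource_access(resource_app["appId"], role_ids)})
    # 6. grant: one appRoleAssignment per role, created on the CLIENT service principal
    assignments = [
        directory.post(f"/servicePrincipals/{client_sp['objectId']}/appRoleAssignments",
                       app_role_assignment(rid, client_sp["objectId"], resource_sp["objectId"]))
        for rid in role_ids
    ]
    return {"client_app": client_app, "client_sp": client_sp,
            "resource_app": resource_app, "resource_sp": resource_sp,
            "assignments": assignments}


def demo():
    directory = FakeDirectory()
    roles = [  # role values match the ones in the answer's token; ids are generated
        role_definition("Read-only", "readonly_role_resource_app_11202017", "Read-only access"),
        role_definition("Write-only", "writeonly_role_resource_app_11202017", "Write-only access"),
    ]
    result = provision(directory, "client_app_11202017", "resource_app_11202017",
                       "https://xxxxxxx.onmicrosoft.com/resource_app_11202017", roles)
    return directory, result
```

The step that is easy to get wrong is that three different identifiers are in play: step 5 uses the resource *application's* `appId`, step 6 uses the two *service principals'* `objectId`s, and the role is referenced by the GUID from the manifest in both. juunas's check still applies afterwards: reading `/servicePrincipals/<client-sp-id>/appRoleAssignments` should list one entry per role before the token request is expected to carry a `roles` claim.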