
[Question/Bug] On behalf of flow vs App to app communication flow. #691

Closed
TaranbirBhullar opened this issue Oct 18, 2020 · 2 comments
Labels
answered enhancement New feature or request question Further information is requested

Comments

@TaranbirBhullar

Using Microsoft.Identity.Web 1.1.0

Hi @jmprieur

We have a React Web App and .NetCore 3.1 based WebAPI, supporting on-behalf-of flow to call MsGraph.
Steps taken

  1. React WebApp uses Msal.js to obtain token for the backend AppId with extraScopes (User.ReadBasic.All) for graph
  2. WebAPI uses the following LOC in the Startup.cs to enable the "on-behalf-of" flow.

```csharp
services.AddAuthentication("Bearer")
    .AddMicrosoftIdentityWebApi(configuration)
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddInMemoryTokenCaches();
```

In our services we have the following:

```csharp
string accessToken = await this.tokenAcquisition.GetAccessTokenForUserAsync(new[] { "User.ReadBasic.All" });
```

Using this as a Bearer token, I am able to call MsGraph.

At this point, we have some endpoints that another service wants to call, and we want to authenticate them.
ServiceA (different App Registration) =calls=> OurService (different App Registration)

When ServiceA calls OurService, it uses the scope `api://<appGuid>/.default`, which means the token does not have roles or scopes. Therefore it throws this exception:

```csharp
throw new UnauthorizedAccessException("Neither scope or roles claim was found in the bearer token.");
```

To get around that, I update the OnTokenValidated in the following way:

```csharp
var existingOnTokenValidatedHandler = options.Events.OnTokenValidated;
// Replaces the library's handler outright; the captured handler is never invoked.
options.Events.OnTokenValidated = async context =>
{
    await Task.CompletedTask.ConfigureAwait(false);
};
```

This allows ServiceA to call some of OurService's endpoints, since it is no longer checking whether scopes/roles exist in the token provided.

At this point OurService, when called through our WebApp, is no longer able to call MsGraph on behalf of the user.
I did a bit of digging through the code and found this:

```csharp
context.HttpContext.StoreTokenUsedToCallWebAPI(context.SecurityToken as JwtSecurityToken);
context.Success();
```

It seems to me that the token used to call OurService from the WebApp is no longer being stored, causing this issue:

```
IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user
```

I'm stuck at this point.

  1. If I remove the OnTokenValidated changes I've made, I am able to call MsGraph, but ServiceA can't call OurService.
  2. If I keep the changes for OnTokenValidated, I can't call MsGraph, but ServiceA can call OurService.

Any pointers here would be really appreciated.

@TaranbirBhullar TaranbirBhullar changed the title [Question] On behalf of flow vs App to app communication flow. [Question/Bug] On behalf of flow vs App to app communication flow. Oct 20, 2020
jmprieur (Collaborator) commented Oct 20, 2020

@TaranbirBhullar :

Fixing the following two issues should make it work:

  1. The default authentication scheme should not be "Bearer", but JwtBearerDefaults.AuthenticationScheme. If you want to use your own scheme, be sure to also pass it to the other methods (AddMicrosoftIdentityWebApi in particular).

  2. There is no scope in the token because the tenant admin has not consented to any API permissions in the app registration. This is needed if you want to use .default.
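The following is an added example (not code from the issue, nor from Microsoft.Identity.Web itself) of a Startup configuration that keeps both flows working without disabling the library's scope/role check, combining the handler override described in the issue with the two points in the answer above. It registers the scheme as JwtBearerDefaults.AuthenticationScheme, chains the library's existing OnTokenValidated handler (the one that enforces the scope/roles check and calls StoreTokenUsedToCallWebAPI, which the on-behalf-of flow depends on) instead of replacing it, and then requires app-only callers such as ServiceA to present an app role. The role name "Service.Call" is a hypothetical app role assumed to be defined in OurService's app registration and granted, with admin consent, to ServiceA's registration; the claim types "scp" and "roles" are the ones Azure AD v2 access tokens carry for delegated scopes and application roles.

```csharp
// Added example; assumes Microsoft.Identity.Web 1.1.0 on ASP.NET Core 3.1.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

public static class ServiceAuthSetup
{
    // Hypothetical app role; replace with the role defined in your app registration.
    private const string RequiredAppRole = "Service.Call";

    public static void ConfigureAuth(IServiceCollection services, IConfiguration configuration)
    {
        // Register the scheme under the name the library expects, not a bare string.
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApi(configuration)
            .EnableTokenAcquisitionToCallDownstreamApi()
            .AddInMemoryTokenCaches();

        // Configure the same scheme again so the library's OnTokenValidated handler
        // (scope/roles check + StoreTokenUsedToCallWebAPI) is already in place and
        // can be chained rather than overwritten.
        services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
        {
            options.Events ??= new JwtBearerEvents();
            var libraryHandler = options.Events.OnTokenValidated;

            options.Events.OnTokenValidated = async context =>
            {
                // Run the library's handler first: it rejects tokens with neither scp nor roles
                // and stores the incoming token so the on-behalf-of call to Graph keeps working.
                if (libraryHandler != null)
                {
                    await libraryHandler(context).ConfigureAwait(false);
                }

                var principal = context.Principal;
                bool hasDelegatedScope = principal.HasClaim(c => c.Type == "scp");
                bool hasAppRole = principal.HasClaim(c => c.Type == "roles" && c.Value == RequiredAppRole);

                // Delegated (user) tokens carry scp; app-only tokens from ServiceA carry no scp
                // and must instead present the app role granted through admin consent.
                if (!hasDelegatedScope && !hasAppRole)
                {
                    context.Fail($"App-only token is missing the '{RequiredAppRole}' app role.");
                }
            };
        });
    }
}
```

Call `ServiceAuthSetup.ConfigureAuth(services, Configuration)` from `Startup.ConfigureServices`. With this in place a ServiceA token requested for `api://<appGuid>/.default` is accepted only once the app permission has been consented to and therefore appears as a `roles` claim, while the WebApp's user token still passes through the library's storage step that the on-behalf-of flow relies on.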

jmprieur (Collaborator) commented

@TaranbirBhullar : closing this question. It's going to be addressed in the following feature: #707

cc: @jennyf19 (this is for Elixir)
