Hi,
I'm using this library to register 2 applications (a web api, and a windows10-UWP client app) into my AAD.
I first create the web api as follows:
// requires: using System; using System.Linq; using Microsoft.Azure.ActiveDirectory.GraphClient;
// activeDirectoryClient is an authenticated ActiveDirectoryClient for the tenant
Application appObject = new Application { DisplayName = displayName };
appObject.IdentifierUris.Add(identifierUri);
appObject.ReplyUrls.Add(replyURL);
appObject.Homepage = replyURL;
appObject.AvailableToOtherTenants = false;
appObject.GroupMembershipClaims = "All";
appObject.ObjectType = "Application";

// create a PasswordCredential (client secret) for the new Application object
PasswordCredential pwdCredential = new PasswordCredential
{
    StartDate = DateTime.UtcNow,
    EndDate = DateTime.UtcNow.AddYears(2),
    Value = secret,
};
appObject.PasswordCredentials.Add(pwdCredential);

// permissions the web api requests on Azure AD (Windows Azure Active Directory resource)
var AADAccess = new RequiredResourceAccess();
AADAccess.ResourceAppId = "00000002-0000-0000-c000-000000000000";
AADAccess.ResourceAccess.Add(new ResourceAccess()
{
    // "Read directory data"
    Id = Guid.Parse("5778995a-e1bf-45b8-affa-663a9f3f4d04"),
    Type = "Role,Scope",
});
AADAccess.ResourceAccess.Add(new ResourceAccess()
{
    // "Sign in and read user profile"
    Id = Guid.Parse("311a71cc-e848-46a1-bdf8-97ff7156d8e6"),
    Type = "Scope",
});
AADAccess.ResourceAccess.Add(new ResourceAccess()
{
    // "Access the directory as the signed-in user"
    Id = Guid.Parse("a42657d6-7f20-40e3-b6f0-cee03008a62a"),
    Type = "Scope",
});
appObject.RequiredResourceAccess.Add(AADAccess);

activeDirectoryClient.Applications.AddApplicationAsync(appObject).Wait();
This creates the application just fine; it also implicitly creates a "user_impersonation" claim.
I then retrieve this user_impersonation claim's Id (and the app id) as follows:
// tenantWebApp is the Application object of the web api created above
var webapiClientId = tenantWebApp.AppId;
var webapiUserAccessClaimId = tenantWebApp.Oauth2Permissions
    .Where(s => s.Value == "user_impersonation")
    .Select(s => s.Id)
    .FirstOrDefault();
This application is now visible in the management portal in the AAD. Everything in the "Configuration" tab looks fine.
Then I create the client application as follows:
// webapiClientId and webapiUserAccessClaimId come from the web api registration above
Application appObject = new Application { DisplayName = displayName };
appObject.ReplyUrls.Add("ms-app://TEMP/");
appObject.ObjectType = "Application";
appObject.PublicClient = true; // "Native Client App"
appObject.AvailableToOtherTenants = true;

// Add the proper rights to the AAD
var AADAccess = new RequiredResourceAccess();
AADAccess.ResourceAppId = "00000002-0000-0000-c000-000000000000";
AADAccess.ResourceAccess.Add(new ResourceAccess()
{
    // "Sign in and read user profile"
    Id = Guid.Parse("311a71cc-e848-46a1-bdf8-97ff7156d8e6"),
    Type = "Scope",
});
appObject.RequiredResourceAccess.Add(AADAccess);

// Add the proper rights to the Tenant Web API
var AADAccess2 = new RequiredResourceAccess();
AADAccess2.ResourceAppId = webapiClientId;
AADAccess2.ResourceAccess.Add(new ResourceAccess()
{
    // Our "user_impersonation" claim.
    Id = webapiUserAccessClaimId,
    Type = "Scope",
});
appObject.RequiredResourceAccess.Add(AADAccess2);

activeDirectoryClient.Applications.AddApplicationAsync(appObject).Wait();
As you can see, the client application is given access to the web api by the "user_impersonation" claim.
Now, when verifying this in the management portal, the application is present. HOWEVER, in the "Configuration" tab, near the bottom under "permissions to other applications", I see this:
" Delegated Permissions: 0"
instead of " Delegated Permissions: 1"
I can't open the dropdown at "Delegated Permissions" and can't select the user_impersonation claim.
Now, the funny thing is, when I go to the web api's configuration in the AAD, change anything (e.g. add a reply url "http://tmp") and press "Save", the client's permissions are now OK!
Is there anything I'm missing or am I doing something in the wrong order?
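An audit helper added here as an example (not code from the post or from the Graph client library): it walks a registered application's RequiredResourceAccess entries and checks that each requested scope or role resolves to a permission the target resource's service principal actually exposes in the tenant, reporting entries that cannot be resolved so a reviewer can spot dangling or unexpected grants after scripted registration. It assumes the Azure AD Graph client library (Microsoft.Azure.ActiveDirectory.GraphClient) and an authenticated ActiveDirectoryClient, as in the post.

```csharp
// Added audit helper (not from the original post): resolve every permission a
// client application requests against what the resource's service principal
// exposes in this tenant. Assumes Microsoft.Azure.ActiveDirectory.GraphClient.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;

public static class RequiredAccessAudit
{
    // Returns one report line per requested permission: the resolved scope/role
    // value, or a warning when the resource or the permission id is not found.
    // Usage: var lines = await RequiredAccessAudit.AuditAsync(activeDirectoryClient, appObject);
    public static async Task<List<string>> AuditAsync(ActiveDirectoryClient client, IApplication app)
    {
        var report = new List<string>();
        foreach (var rra in app.RequiredResourceAccess)
        {
            // The resource is identified by AppId; look up its service principal in the tenant.
            var sps = await client.ServicePrincipals
                .Where(sp => sp.AppId == rra.ResourceAppId).ExecuteAsync();
            var sp = sps.CurrentPage.FirstOrDefault();
            if (sp == null)
            {
                report.Add($"WARN resource {rra.ResourceAppId}: no service principal in tenant; " +
                           $"{rra.ResourceAccess.Count} requested permission(s) cannot be resolved");
                continue;
            }
            foreach (var ra in rra.ResourceAccess)
            {
                // Delegated permissions (Scope) live in Oauth2Permissions, application
                // permissions (Role) in AppRoles; a "Role,Scope" entry is checked in both.
                string scope = sp.Oauth2Permissions.FirstOrDefault(p => p.Id == ra.Id)?.Value;
                string role = sp.AppRoles.FirstOrDefault(r => r.Id == ra.Id)?.Value;
                if (scope == null && role == null)
                    report.Add($"WARN {sp.DisplayName}: {ra.Id} ({ra.Type}) is not exposed by the resource");
                else
                    report.Add($"OK   {sp.DisplayName}: {ra.Type} -> {scope ?? role}");
            }
        }
        return report;
    }
}
```

A WARN line for the web api resource means the portal has nothing to resolve the requested "user_impersonation" id against, which is the condition worth checking before handing the client registration to users.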