
Azure AD support in browser and Postman

I have been struggling a bit with Azure Active Directory authentication of Web Apps. First I tried to access the service via Chrome. The idea was to use the browser's Developer Tools to obtain the security token.

I tried the following address:
https://archibusgatewayservice.azurewebsites.net/api/serviceorders
and got the standard ASP.NET Web API 401 Unauthorized response:
<Error>
  <Message>Authorization has been denied for this request.</Message>
</Error>

Then I developed a custom client to get the token. The relevant code fragment is shown below:

using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

// Interactive sign-in against Azure AD. apiResourceId is the App ID URI of the Web API;
// clientId and redirectUri belong to this native client's own app registration.
// (This fragment sits inside an async method, hence the awaits below.)
authContext = new AuthenticationContext(authority);
AuthenticationResult authResult = authContext.AcquireToken(apiResourceId, clientId, redirectUri);

HttpClient client = new HttpClient();
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
// The access token travels in the Authorization header as a bearer token.
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);

// Proper JSON uses double quotes; a single-quoted body is only tolerated by lenient parsers.
string postBody = "{\"ServiceNumber\": \"TEST001\"}";

HttpResponseMessage response = await client.PostAsync(apiBaseAddress + "api/serviceorders", new StringContent(postBody, Encoding.UTF8, "application/json"));
response.EnsureSuccessStatusCode(); // throws on 401 Unauthorized and other non-success codes
string responseString = await response.Content.ReadAsStringAsync();

If you do a QuickWatch on the client you created, you actually see the Authorization header:
Bearer eyJ0e…
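That eyJ0e… value is a compact JWT: three base64url segments (header, claims, signature), and the first five characters are simply the encoding of {"typ, which every Azure AD access token starts with. Looking inside the token is the quickest way to see why a resource might reject it even though Postman can send it: the aud claim must name the API, and the token must be inside its nbf/exp window. The Python below is an added example, not code from the original post and not a Microsoft library; it builds a constructed sample token (dummy signature, placeholder tenant ID and user) and decodes and checks it the way a resource would, minus the signature verification, which needs the tenant's signing keys.

```python
import base64
import json
import time

# Constructed sample values for this example; not a real token, tenant or user.
SAMPLE_AUDIENCE = "https://archibusgatewayservice.azurewebsites.net"
SAMPLE_CLAIMS = {
    "aud": SAMPLE_AUDIENCE,
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "nbf": 1_500_000_000,
    "exp": 1_500_003_600,   # one hour after nbf
    "upn": "user@example.com",
}


def _b64url_encode(raw: bytes) -> str:
    """Base64url without padding, the way JWT segments are encoded."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the padding that JWT strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a constructed JWT with a dummy signature, for inspection only.
    A real Azure AD token is RS256-signed with the tenant's key; this one is not."""
    header = {"typ": "JWT", "alg": "RS256"}
    segments = [
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"constructed-dummy-signature"),
    ]
    return ".".join(segments)


def decode_jwt(token: str) -> tuple:
    """Split a compact JWT (optionally prefixed with 'Bearer ') into header and claims.
    No signature verification: this only shows what the debugger value contains."""
    if token.lower().startswith("bearer "):
        token = token[len("bearer "):]
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def check_token(token: str, expected_audience: str, now=None) -> list:
    """Return the reasons a resource expecting `expected_audience` would reject the
    token; an empty list means audience and validity window are fine. The signature
    is deliberately not checked here (that requires the issuer's signing keys)."""
    header, claims = decode_jwt(token)
    now = int(time.time()) if now is None else now
    problems = []
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("alg=none: unsigned token")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        problems.append("audience mismatch: token aud=%r, resource expects %r"
                        % (aud, expected_audience))
    if "exp" not in claims:
        problems.append("missing exp claim")
    elif now >= claims["exp"]:
        problems.append("token expired")
    if claims.get("nbf", 0) > now:
        problems.append("token not yet valid")
    return problems


SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    header, claims = decode_jwt("Bearer " + SAMPLE_TOKEN)
    print("header:", header)
    print("claims:", json.dumps(claims, indent=2))
    print("problems for the Web API:", check_token(SAMPLE_TOKEN, SAMPLE_AUDIENCE, now=1_500_001_000))
    print("problems for another app:", check_token(SAMPLE_TOKEN, "api://some-other-app", now=1_500_001_000))
```

Paste the real value from the QuickWatch window into decode_jwt to read its aud and exp; a mismatch between aud and the resource that is validating the token is the first thing to rule out when a token works against one endpoint and not another. Never treat the output of decode_jwt as trusted: without a signature check anyone can mint a token with any claims.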

Then I went to Postman, entered the same Authorization header, and voilà: it works!

(Screenshot: the request in Postman with the Authorization header set)

Now back to the browser. What I found out is that it makes a difference how you configure Authentication / Authorization for the Web App in the Azure Preview Portal. If you switch Authentication / Authorization off, both the client application and Postman work, but the browser doesn't. If you switch it on, it's just the other way around: the browser works, but the client application and Postman do not. The caveat to keep in mind is that with the feature on, App Service checks the incoming request itself, before any application code runs, so a bearer token that the app's own middleware would accept can still be turned away at that layer, typically because its audience is not the app registration the portal was configured with. With the feature on, the browser redirects you to a login page when you enter the following address:
http://archibusgatewayservice.azurewebsites.net

(Screenshot: the Azure Web Site Authentication / Authorization settings)

Now you can do a GET call via the browser (POSTs are not possible from the address bar), and then you will find that you still can't locate the security token. That makes sense: Active Directory credentials are never sent with the request, and the signed-in browser session is carried by a cookie set after the login redirect rather than by an Authorization header, so you will never find a bearer token via the Developer Tools. I think if you use a Microsoft account to authenticate you will find a so-called zumo token (sent in an X-ZUMO-AUTH header).