UserAssertion null in OBO provider
rjhaines opened this issue · 3 comments
@rjhaines You need to call .WithUserAssertion passing a validated service token as a UserAssertion. Here is an example of how to do that.
```csharp
using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;

// Assumes clientId, redirectUri, clientCredential and scopes are already defined
// for the API's own app registration.

// Create client application.
IConfidentialClientApplication clientApplication = OnBehalfOfProvider.CreateClientApplication(clientId, redirectUri, clientCredential);
OnBehalfOfProvider authenticationProvider = new OnBehalfOfProvider(clientApplication, scopes);
// Configure GraphServiceClient with provider.
GraphServiceClient graphServiceClient = new GraphServiceClient(authenticationProvider);
// Make a request with your user assertion: "validated_token" stands for the user's
// access token that your API received and has already validated.
User me = await graphServiceClient.Me.Request().WithUserAssertion(new UserAssertion("validated_token")).GetAsync();
```
We will add documentation that explains how to use and extend our auth providers.
@pwombwa Thanks for your comment and proposed follow-ups.
In the meantime, can you provide a quick direction on acquiring the service token? So far I've tried ConfidentialClientApplication.AcquireTokenForClientAsync yet end up with an error:
AADSTS50013: Assertion failed signature validation.
I'm currently using a client secret. Thanks for any further help you can provide.
@rjhaines You can take a look at this guide from MSAL that explains how the OBO flow should be used. According to the guide, your client (web, desktop, mobile, single-page application) should call your service (API) as a user - use an auth flow that calls an API in the name of a user and not an app. AcquireTokenForClientAsync (Client Credential Flow) calls the API as an app and not a user.
You can call your service with either authorization code flow (web app) or interactive authentication (desktop and mobile). This sample by MSAL shows how to make a call from a desktop app to a service via interactive auth, then call Graph from the service via on behalf of flow.
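The two halves of the flow described in this thread, the client acquiring a user token for the API and the service exchanging it through OnBehalfOfProvider with WithUserAssertion, put together as an added example. This is not code from the issue, the MSAL sample, or the Microsoft.Graph.Auth project; the app IDs, tenant ID, scope name, secret and API URL are placeholders, and the API is assumed to run behind JWT bearer middleware that has already validated the incoming token before it is forwarded.

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;

// ----- Client side (desktop app): obtain a token for the API *as the signed-in user* -----
public static class DesktopClient
{
    // Placeholders (assumed, not from the issue): the desktop app's own registration,
    // the tenant, and the scope exposed by the API's registration.
    const string ClientAppId = "<desktop-app-client-id>";
    const string TenantId    = "<tenant-id>";
    static readonly string[] ApiScopes = { "api://<api-app-client-id>/access_as_user" };

    public static async Task<string> GetUserTokenForApiAsync()
    {
        IPublicClientApplication pca = PublicClientApplicationBuilder.Create(ClientAppId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .WithRedirectUri("http://localhost")
            .Build();

        // Interactive auth: the access token carries the user's identity and has the API
        // (not Graph, and not the desktop app itself) as its audience. This is the token the
        // service will later present as its UserAssertion.
        AuthenticationResult result = await pca.AcquireTokenInteractive(ApiScopes).ExecuteAsync();
        return result.AccessToken;
    }

    public static async Task<string> CallApiAsync(string apiUrl)
    {
        string userToken = await GetUserTokenForApiAsync();
        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", userToken);
            return await http.GetStringAsync(apiUrl);
        }
    }
}

// ----- Service side (web API): exchange the validated user token for a Graph token (OBO) -----
public static class ApiService
{
    const string ApiAppId  = "<api-app-client-id>";
    const string ApiSecret = "<api-app-client-secret>";   // load from a secret store, never from source
    const string TenantId  = "<tenant-id>";
    static readonly string[] GraphScopes = { "https://graph.microsoft.com/User.Read" };

    // validatedIncomingToken is the raw bearer token the client sent, *after* the API's JWT
    // middleware has checked its signature, issuer, audience (this API) and expiry.
    // Forwarding an unvalidated token would let any caller that can reach the API mint
    // Graph tokens through the API's identity.
    public static async Task<User> GetCallerProfileAsync(string validatedIncomingToken)
    {
        IConfidentialClientApplication cca = ConfidentialClientApplicationBuilder.Create(ApiAppId)
            .WithClientSecret(ApiSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();

        OnBehalfOfProvider provider = new OnBehalfOfProvider(cca, GraphScopes);
        GraphServiceClient graphClient = new GraphServiceClient(provider);

        // The assertion must be the *user* token issued for this API. A token from
        // AcquireTokenForClient is app-only: it names no user, so it is not a valid assertion.
        return await graphClient.Me.Request()
            .WithUserAssertion(new UserAssertion(validatedIncomingToken))
            .GetAsync();
    }
}
```

The desktop app registration must be allowed to request the API's access_as_user scope (consented or pre-authorized), and the API registration must hold the Graph delegated permission it asks for in GraphScopes; otherwise the first call or the OBO exchange fails at consent rather than at signature validation. Cache the confidential client application rather than rebuilding it per request so MSAL's token cache can serve repeat calls for the same user.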