Azure Application Proxy access using MSAL token

Implemented a test Windows application based on the official manual: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-native-client-application

The following code is the result:

    // Namespaces this snippet needs. Values in <angle brackets> are placeholders.
    using System.Collections.Generic;
    using System.Linq;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using Microsoft.Identity.Client;

    IPublicClientApplication clientApp = PublicClientApplicationBuilder
        .Create("Native App Client Id")
        .WithRedirectUri("http://localhost")
        .WithAuthority("https://login.microsoftonline.com/<My Tenant ID>")
        .Build();

    Microsoft.Identity.Client.AuthenticationResult authResult = null;
    var accounts = await clientApp.GetAccountsAsync();
    IAccount account = accounts.FirstOrDefault();

    // Scope exposed by the Application Proxy app registration.
    IEnumerable<string> scopes = new string[] { "api://<APP Proxy Uri>/user_impersonation" };

    try
    {
        // Try the token cache first.
        authResult = await clientApp.AcquireTokenSilent(scopes, account).ExecuteAsync();
    }
    catch (MsalUiRequiredException)
    {
        // No usable cached token: fall back to interactive sign-in.
        authResult = await clientApp.AcquireTokenInteractive(scopes).ExecuteAsync();
    }

    if (authResult != null)
    {
        // Call the API behind Application Proxy with the access token as a bearer token.
        HttpClient httpClient = new HttpClient();
        httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
        HttpResponseMessage response = await httpClient.GetAsync("App Proxy based URL" + "/api/values");
    }

Everything works fine until the HTTP request with the token, which is redirected to login.microsoft.com: https://i.stack.imgur.com/GUe7l.png

Redirect URI to login.microsoft.com: {https://login.microsoftonline.com/9966XXXXXXXXXXXXXXXXXXXXXXXX/oauth2/authorize?response_type=code&client_id=XXXXXXXXXXXX&scope=openid&nonce=983XXXXXXXXXXXXXX&redirect_uri=https:%2F%2FXXXXXXX.msappproxy.net%2F&state=AppProxyState:{"InvalidTokenRetry":true%2C"IsMsofba":false%2C"OriginalRawUrl":"https:\%2F\%2FXXXXXXXXXXXXXXX.msappproxy.net\%2Fapi\%2Fvalues"%2C"RequestProfileId":"XXXXXXXXX"}%23EndOfStateParam%23&client-request-id=XXXXXXXX}

Any ideas what’s wrong? Browser access works just fine, also JWT token is fully valid and being passed correctly.
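An added diagnostic example, not part of the original issue or of any Microsoft sample: it decodes the `AppProxyState` value carried in the `state` parameter of a redirect like the one quoted above, so fields such as `InvalidTokenRetry` and `OriginalRawUrl` can be logged when a bearer-token call is bounced to the sign-in page. The class and method names are hypothetical, and the sample URL is constructed with placeholder identifiers.

```csharp
using System;
using System.Text.Json;
using System.Web;

static class AppProxyRedirect
{
    const string Prefix = "AppProxyState:";
    const string Suffix = "#EndOfStateParam#";

    // Returns the decoded state JSON, or null when the URL does not carry
    // a state parameter of the shape shown in the issue.
    public static JsonDocument ParseState(string location)
    {
        int q = location.IndexOf('?');
        if (q < 0) return null;

        // ParseQueryString splits on '&' and '=' and percent-decodes each value.
        string state = HttpUtility.ParseQueryString(location.Substring(q + 1))["state"];
        if (state == null || !state.StartsWith(Prefix, StringComparison.Ordinal)) return null;

        // Strip the "AppProxyState:" prefix and the "#EndOfStateParam#" terminator.
        string json = state.Substring(Prefix.Length);
        int end = json.LastIndexOf(Suffix, StringComparison.Ordinal);
        if (end >= 0) json = json.Substring(0, end);

        return JsonDocument.Parse(json);
    }

    static void Main()
    {
        // Constructed sample modelled on the redirect in the issue; all
        // identifiers and host names are placeholders.
        string location =
            "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/authorize"
            + "?response_type=code&client_id=CLIENT-ID-PLACEHOLDER&scope=openid"
            + "&state=AppProxyState%3A%7B%22InvalidTokenRetry%22%3Atrue%2C%22IsMsofba%22%3Afalse"
            + "%2C%22OriginalRawUrl%22%3A%22https%3A%5C%2F%5C%2Fexample.msappproxy.net%5C%2Fapi%5C%2Fvalues%22"
            + "%2C%22RequestProfileId%22%3A%22PLACEHOLDER%22%7D%23EndOfStateParam%23"
            + "&client-request-id=PLACEHOLDER";

        using JsonDocument doc = ParseState(location);
        foreach (JsonProperty p in doc.RootElement.EnumerateObject())
            Console.WriteLine($"{p.Name} = {p.Value}");
    }
}
```

To capture the redirect instead of following it, construct the `HttpClient` with an `HttpClientHandler` whose `AllowAutoRedirect` is `false` and pass `response.Headers.Location.ToString()` to `ParseState`.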

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 24 (10 by maintainers)

Top GitHub Comments

1 reaction
chuckconway commented, Nov 5, 2021

Unfortunately, the MS ticket solved my issue. My work was a POC so I didn’t progress any further.

— Chuck

On Nov 1, 2021, 4:05 AM -0700, Nasir wrote:

> @chuckconway, thank you for providing this information. I kind of have a similar situation, can you please check: MicrosoftDocs/azure-docs#83207, and see if you can be of help? Thanks

1 reaction
chuckconway commented, Nov 1, 2021

I did, I opened up a ticket with Microsoft and they helped me.

I updated my answer on Stackoverflow: https://stackoverflow.com/questions/66975070/accessing-on-premise-api-through-azure-proxy-with-azure-directory-enabled

I hope that helps.

— Chuck

On Nov 1, 2021, 2:53 AM -0700, Nasir wrote:

> @chuckconway, have you found any solution to this? Thanks
