Azure Active Directory - Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI).
다음의 코드를 테스트할 때,
// MICROSOFT GRAPH – HOW TO IMPLEMENT IAUTHENTICATIONPROVIDER
// ; https://adrianszen.com/2019/06/16/microsoft-graph-how-to-implement-iauthenticationprovider/
public async Task AuthenticateRequestAsync(HttpRequestMessage request)
{
var clientApplication = ConfidentialClientApplicationBuilder.Create(this.clientId)
.WithClientSecret(this.clientSecret)
.WithTenantId(this.tenantId)
.Build();
// Client credential flows - Client credential flows in MSAL.NET
// https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Client-credential-flows
var result = await clientApplication.AcquireTokenForClient(this.appScopes).ExecuteAsync();
if (request.Headers.Contains("Authorization") == false)
{
request.Headers.Add("Authorization", result.CreateAuthorizationHeader());
}
}
this.appScope을 "new string [] {}"로 주면 이렇게 오류가 발생합니다.
Microsoft.Identity.Client.MsalClientException
HResult=0x80131500
Message=At least one scope needs to be requested for this authentication flow.
Source=Microsoft.Identity.Client
StackTrace:
at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.<ExecuteAsync>d__2.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() in /_/src/libraries/System.Private.CoreLib/src/System/Runtime/ExceptionServices/ExceptionDispatchInfo.cs:line 56
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) in /_/src/libraries/System.Private.CoreLib/src/System/Runtime/CompilerServices/TaskAwaiter.cs:line 173
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) in /_/src/libraries/System.Private.CoreLib/src/System/Runtime/CompilerServices/TaskAwaiter.cs:line 150
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult() in /_/src/libraries/System.Private.CoreLib/src/System/Runtime/CompilerServices/TaskAwaiter.cs:line 551
at Microsoft.Identity.Client.Internal.Requests.RequestBase.<RunAsync>d__12.MoveNext()
This exception was originally thrown at this call stack:
[External Code]
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() in ExceptionDispatchInfo.cs
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(System.Threading.Tasks.Task) in TaskAwaiter.cs
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(System.Threading.Tasks.Task) in TaskAwaiter.cs
System.Runtime.CompilerServices.ConfiguredTaskAwaitable<TResult>.ConfiguredTaskAwaiter.GetResult() in TaskAwaiter.cs
[External Code]
혹은 "new string [] { "User.read" }"와 같은 값을 넘기면 이렇게 오류가 발생합니다.
Microsoft.Identity.Client.MsalServiceException
HResult=0x80131500
Message=AADSTS1002012: The provided value for scope User.Read is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI).
Trace ID: ...[생략]...
Correlation ID: ...[생략]...
Timestamp: ...[생략]...
Source=Microsoft.Identity.Client
StackTrace:
at Microsoft.Identity.Client.OAuth2.OAuth2Client.ThrowServerException(HttpResponse response, RequestContext requestContext)
at Microsoft.Identity.Client.OAuth2.OAuth2Client.CreateResponse[T](HttpResponse response, RequestContext requestContext)
at Microsoft.Identity.Client.OAuth2.OAuth2Client.<ExecuteRequestAsync>d__11`1.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() in /_/src/libraries/System.Private.CoreLib/src/System/Runtime/ExceptionServices/ExceptionDispatchInfo.cs:line 56
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) in /_/src/libraries/System.Private.CoreLib/src/System/Runtime/CompilerServices/TaskAwaiter.cs:line 173
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) in /_/src/libraries/System.Private.CoreLib/src/System/Runtime/CompilerServices/TaskAwaiter.cs:line 150
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult() in /_/src/libraries/System.Private.CoreLib/src/System/Runtime/CompilerServices/TaskAwaiter.cs:line 551
at Microsoft.Identity.Client.OAuth2.OAuth2Client.<GetTokenAsync>d__10.MoveNext()
This exception was originally thrown at this call stack:
[External Code]
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() in ExceptionDispatchInfo.cs
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(System.Threading.Tasks.Task) in TaskAwaiter.cs
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(System.Threading.Tasks.Task) in TaskAwaiter.cs
System.Runtime.CompilerServices.ConfiguredTaskAwaitable<TResult>.ConfiguredTaskAwaiter.GetResult() in TaskAwaiter.cs
[External Code]
"./default"로 끝나는 식별자를 넣어야 한다고 나오는데, 다행히 메시지에 "application ID URI" 값이라고 알려주고 있습니다. 이 값은 Azure Active Directory에 등록한 "App"의 client_id 값이 붙어 다음과 같은 형식을 띄는데요,
[예를 들어, app의 client_id 값이 "30dabf24-4603-4dbe-bf29-e09a89c9be72"인 경우]
api://30dabf24-4603-4dbe-bf29-e09a89c9be72
하지만 (App의 client_id 값은 설정 화면에서 구할 수 있기 때문에) 그냥 저대로 구성한다고 해서 되는 것은 아닙니다. 이에 대해서는 지난 글에서 다뤘는데요,
Azure Active Directory - The resource principal named api://...[client_id]... was not found in the tenant
; https://www.sysnet.pe.kr/2/0/12737
따라서, 명시적으로 "Expose an API"의 "Application ID URI" 우측에 있는 "Set" 버튼을 눌러 활성화시켜야 합니다. 이후 scope의 인자 값을 다음과 같이 구성해서 전달하면 됩니다.
var scopes = new string[] { "api://30dabf24-4603-4dbe-bf29-e09a89c9be72/.default" };
[이 글에 대해서 여러분들과 의견을 공유하고 싶습니다. 틀리거나 미흡한 부분 또는 의문 사항이 있으시면 언제든 댓글 남겨주십시오.]