I'm using a System.Net.Http.HttpClient in a windows application to communicate with a secured Web API hosted on an Azure Website authenticated with Azure Active Directory. I set the application up following theAzureADSamples/NativeClient-DotNet application and both the Web API and native client are registered and set up in AAD.
When I call attempt to call a secured API endpoint (GET, POST, etc.) I get the expected Azure HTML log in form. My credentials are accepted and I add the AuthenticationResult's AccessToken to all future request to the API. However, whenever I make such a call I receive a 401 response. Examination of my HttpClient's headers shows I have the expected Accept header of application/json and Authorization header {Bearer ---token---}. The fact that my log in is accepted and I receive a valid AccessToken suggests to me that AAD authentication is succeeding. I know my account has permissions to the API as I can access the same secure endpoints through a web UI hosted in the same Azure Website using those credentials.
It looks to me as if the windows application itself doesn't have permissions to access the API. That application has been added to AAD and, after modifying its manifest (super lame BTW) as outlined inthis MSDN article I gave it permissions to the web API. Under Azure portal -> AAD application entry for the native windows application -> permissions to other applications: I have an entry for my web API with delegated permissions set to "Access {my API app}" (and of course the sign-on delegated permissions for my directory).
I feel like I'm missing something small in some type of configuration but I'm out of ideas where to look.
Any suggestions you might have will be appreciated.
Thanks