OData / WebApiAuthorization

Example using AAD Bearer tokens #7

Open awaldow opened 3 years ago

awaldow commented 3 years ago

I am trying to get OData authorization working with the new Microsoft.Identity.Web library and when I set up the ODataAuthorization I get:

System.InvalidOperationException: No authenticationScheme was specified, and there was no DefaultChallengeScheme found. The default schemes can be set using either AddAuthentication(string defaultScheme) or AddAuthentication(Action<AuthenticationOptions> configureOptions).

I am calling this repo's code as follows:

services.AddODataAuthorization(options =>
{
    options.ConfigureAuthentication().AddMicrosoftIdentityWebApi(Configuration, "AzureAd");
});

I figured since the README shows

options.ConfigureAuthentication().AddJWTAuthenticationScheme();

I could just do what I'm doing above without issue, but it seems like either it's not hooked up or I'm missing some config piece for leveraging the new identity lib; maybe I'm not supposed to use it at all? I tried the AddJWT scheme line as well with the same result.

I think having an example using Azure AD would be helpful, or at least some documentation somewhere regarding the Microsoft.Identity.Web lib.

awaldow commented 3 years ago

And to provide a little more context, it seems like when I just have the ScopesFinder return an explicit scope (i.e. not looking in the context for the values) it works fine, though I understand that is essentially short-circuiting some of the internal validation logic. It seems like no matter how I configure the options stuff, the user context passed to my ScopesFinder is missing my claims and that's where my issue comes in. In light of that, what would you suggest for me to be able to pull scopes/roles/whatever from the AD token for returning from the scopes finder? Or is this a case where I should just use the RequiredScopes attribute from the new Identity library and just forgo the ODataAuthorization stuff?
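
As an added illustration of the question above (not code from this thread, from ODataAuthorization or from Microsoft.Identity.Web), this is one way to read the permissions of an Azure AD access token out of a ClaimsPrincipal. The helper name `AadPermissionReader`, the sample claim values and the idea of calling it from a ScopesFinder are assumptions, and it only returns something once authentication has actually populated the principal.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

// Hypothetical helper for illustration; not part of any library named in this issue.
public static class AadPermissionReader
{
    // Azure AD access tokens carry delegated permissions in "scp" (a single
    // space-separated string) and app roles in "roles" (one claim per role).
    // With the JWT handler's default inbound claim mapping they may surface
    // under the long URI claim types instead, so both spellings are checked.
    static readonly string[] ScopeTypes = { "scp", "http://schemas.microsoft.com/identity/claims/scope" };
    static readonly string[] RoleTypes = { "roles", ClaimTypes.Role };

    public static string[] GetGrantedPermissions(ClaimsPrincipal user)
    {
        // Deny by default: a missing or unauthenticated principal grants nothing.
        if (user?.Identity is null || !user.Identity.IsAuthenticated)
            return Array.Empty<string>();

        var scopes = user.Claims
            .Where(c => ScopeTypes.Contains(c.Type, StringComparer.Ordinal))
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries));
        var roles = user.Claims
            .Where(c => RoleTypes.Contains(c.Type, StringComparer.Ordinal))
            .Select(c => c.Value);
        return scopes.Concat(roles).Distinct(StringComparer.Ordinal).ToArray();
    }

    public static void Main()
    {
        // Constructed sample principal standing in for a validated bearer token.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim("scp", "Products.Read Products.Write"),
            new Claim("roles", "Catalog.Admin"),
        }, authenticationType: "Bearer");
        Console.WriteLine(string.Join(", ", GetGrantedPermissions(new ClaimsPrincipal(identity))));

        // Anonymous principal: no claims are trusted, so the result is empty.
        Console.WriteLine(GetGrantedPermissions(new ClaimsPrincipal(new ClaimsIdentity())).Length);
    }
}
```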