Forbidden with azureAdApp authorization for self hosted gateway

[dodo2001fr]

Hi,

I have setup my Self-hosted Gateway for using Entra Id authentication like describe here : https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-enable-azure-ad
I create the 2 roles, I assign the role to API management and the application like describe.

I start a docker with the following conf : config.service.endpoint=my_custom_domain
config.service.auth=azureAdApp
config.service.auth.azureAd.authority=https://login.microsoftonline.com
config.service.auth.azureAd.tenantId=my_tenant_id
config.service.auth.azureAd.clientId=my_client_id
config.service.auth.azureAd.clientSecret=my_client_secret
gateway.name=SEFL-GW
runtime.deployment.artifact.source=Azure Portal
runtime.deployment.mechanism=Docker

The docker version is v2 so the last v2 version (2.5.0)

The self hosted gateway get his token from Entra Id, but after when it calls the configuration service it receives a 403 response : forbidden

[Info] 2024-02-7T08:55:21.732 [LoadingConfigurationSnapshot], message: uri: https://my_custom_domain//gateways/SELF-GW/snapshot, request-id: df221d83-6d3f-4522-85b1-b22d7291df74, source: ConfigurationApiClient [Warn] 2024-02-7T08:55:21.976 [ConfigurationNotAvailable], exception: Gateway.Configuration.Client.ApiException: StatusCode: Forbidden Content-Type: application/json at Gateway.Configuration.Client.ConfigurationApiClient.TryThrowApiErrorAsync(HttpResponseMessage response) in D:\a\1\s\Proxy\Gateway.Configuration.Client\ConfigurationApiClient.cs:line 238 at Gateway.Configuration.Client.ConfigurationApiClient.SendRequestToApiAsync(HttpRequestMessage req, CancellationToken cancellation) in D:\a\1\s\Proxy\Gateway.Configuration.Client\ConfigurationApiClient.cs:line 192 at Gateway.Configuration.Client.ConfigurationApiClient.GetSnapshotAsync(CancellationToken cancellation) in D:\a\1\s\Proxy\Gateway.Configuration.Client\ConfigurationApiClient.cs:line 101 at Gateway.Configuration.Client.ConfigurationApiV2Provider.GetAsync(CancellationToken cancellation) in D:\a\1\s\Proxy\Gateway.Configuration.Client\ConfigurationApiV2Provider.cs:line 49 at Gateway.Host.AspNetCore.ExternalConfiguration.BackwardsCompatibility.ConfigurationProviderWithBackwardsCompatibility.GetFromV2ConfigurationApi(CancellationToken cancellation) in D:\a\1\s\Proxy\Gateway.App.SelfHosted\ExternalConfiguration\BackwardsCompatibility\ConfigurationProviderWithBackwardsCompatibility.cs:line 152 at Gateway.Host.AspNetCore.ExternalConfiguration.BackwardsCompatibility.ConfigurationProviderWithBackwardsCompatibility.GetAsync(CancellationToken cancellation) in D:\a\1\s\Proxy\Gateway.App.SelfHosted\ExternalConfiguration\BackwardsCompatibility\ConfigurationProviderWithBackwardsCompatibility.cs:line 49 at Gateway.Host.AspNetCore.ExternalConfiguration.BackwardsCompatibility.ConfigurationProviderWithFallback.GetAsync(CancellationToken cancellation) in D:\a\1\s\Proxy\Gateway.App.SelfHosted\ExternalConfiguration\BackwardsCompatibility\ConfigurationProviderWithFallback.cs:line 43, source: ConfigurationProviderWithFallback

I check in IAM - Role Assignments in "API Management Gateway Configuration Reader Role" I see my Application and in "API Management Configuration API Access Validator Service Role" I see my api management.
I don't know what I can check more to find the issue.

Appreciate any help.

[tomkerkhove]

Hi, please open a support ticket to get help

[dhawaldhingra]

Did you get any solution for it? I'm facing the same issue.

[tomkerkhove]

@dhawaldhingra You may want to open support ticket to get help