AWS ALB Azure AD "api://" Custom Scope

0

We are using AWS ALB -> Fargate Frontend -> Fargate Backend service to host applications. Azure AD with scope "openid" is attached to ALB for SSO and it works perfectly. But there is a requirement to use a custom Azure AD scope for authorization like "api://{app_id}/{scope_name}" and this approach fails on ALB getting 401 "not authorized". In Azure logs authorization is successful. Any help on this topic?

1 Answer
0

There are a few things that need to be configured to get a custom scope working with Azure AD authentication on an Application Load Balancer (ALB):

  1. The custom scope needs to be defined and exposed in the Azure AD app registration. Under Expose an API, define the custom scopes you want to use.

  2. The ALB OAuth scope configuration should include both "openid" and your custom scope. For example:

     --scopes openid api://xxxxxx/user.read

  3. The Azure AD token endpoint authorization request must include the custom scope along with "openid". For example:

     /authorize?scope=openid api://xxxxxx/user.read

  4. The backend application must validate the access token and check for the custom scope being present.

So in summary:

  • Define custom scope in Azure AD app registration
  • Include custom scope in ALB oauth configuration
  • Request custom scope when getting access token
  • Validate custom scope in backend

This should allow the end to end authorization flow using a custom scope with Azure AD and ALB. Let me know if you have any other questions!

AWS
Saad
answered 3 months ago
  • when I use openid and api://xxxxxx/user.read together I get 561 error
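One way to implement the last step of the answer above (validating the custom scope in the backend), added here as an example that is not part of the answer or of any AWS or Azure code. It assumes placeholder values for the App ID URI and scope name, and that the token is the one ALB forwards in the x-amzn-oidc-accesstoken header, whose RS256 signature has already been verified against the tenant's JWKS before these claim checks run:

```python
import base64
import json
import time
from typing import Optional, Tuple

# Assumed placeholders for this example (not values from the question).
APP_ID_URI = "api://xxxxxx"    # Application ID URI set under "Expose an API"
REQUIRED_SCOPE = "user.read"   # custom scope name exposed on that URI


def decode_jwt_payload(token: str) -> dict:
    """Parse the payload of the JWT ALB forwards in x-amzn-oidc-accesstoken.
    Parsing only: verify the RS256 signature against the tenant JWKS first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (header.payload.signature)")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def authorize(claims: dict, required_scope: str = REQUIRED_SCOPE,
              app_id_uri: str = APP_ID_URI, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for the claims of a signature-verified token."""
    now = time.time() if now is None else now
    # Token must be issued for this API: 'aud' is the App ID URI, or the bare
    # application id that Azure AD may emit without the api:// prefix.
    bare_app_id = app_id_uri[len("api://"):] if app_id_uri.startswith("api://") else app_id_uri
    if claims.get("aud") not in (app_id_uri, bare_app_id):
        return False, "audience %r is not this API" % (claims.get("aud"),)
    if float(claims.get("exp", 0)) <= now:
        return False, "token expired"
    # 'scp' is a space-delimited string of scope *names*; the api://.../ prefix
    # used in the authorize request is not repeated there, so compare bare names.
    granted = set(str(claims.get("scp", "")).split())
    wanted = required_scope.rsplit("/", 1)[-1]
    if wanted not in granted:
        return False, "missing scope %r; token grants %s" % (wanted, sorted(granted))
    return True, "ok"

def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token for offline runs. The signature segment is a dummy;
# real Azure AD tokens are RS256-signed and must be verified before authorize().
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"aud": APP_ID_URI, "scp": "user.read", "exp": 4102444800}),
    "dummy-signature",
])
```

A token carrying only "openid" in scp, or issued for a different audience, is rejected with a reason string the backend can log alongside the 401 it returns.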
