Get Azure Webjob History - 403 Token invalid

Question

I am trying to retrieve the web job history of an Azure web job via REST using a .NET backend and the OAuth2 credentials flow (as described here https://docs.microsoft.com/en-us/rest/api/appservice/web-apps/get-triggered-web-job-history-slot)

How do I need to authenticate correctly?

I retrieve the token as follows:

POST https://login.microsoftonline.com/{MySubscription}/oauth2/v2.0/token
client_id={MyApp}
&grant_type=client_credentials
&scope=https://management.azure.com/.default
&client_secret={myclient_secret}

I get a token back, however I get a 403 error message when I try to retrieve the resource:

GET https://management.azure.com/subscriptions/{MySubscription}/resourceGroups/{MyResource}/providers/Microsoft.Web/sites/{MyApp}/slots/{MySlot}/triggeredwebjobs/{MyWebjob}/history?api-version=2021-02-01
Authorization: Bearer {MyToken}

Client '{MyApp}' with object ID '{MyApp}' is not authorized to perform the action 'Microsoft.Web/sites/slots/triggeredwebjobs/history/read' using the scope '/subscriptions/{MySubscription}/resourceGroups/{MyResource}/providers/Microsoft.Web/sites/{MyApp}/slots/{MySlot}/triggeredwebjobs/{MyWebjob}' or the scope is invalid. If access was granted recently, please update your credentials.

What am I doing wrong?

I already added the API-Permission

Answer 1

The "403 Token invalid" error usually occurs if you missed giving permissions to particular scope (Azure Service Management).

By giving this scope it enables you to access https://management.azure.com

To resolve this error, please follow below steps:

Go to Azure Ad ->your application -> API permissions -> Add permission -> Azure Service Management -> delegated permissions ->User impersonation -> Add

After giving these permissions try to retrieve the resource again, there won't be any error.

Answer 2

Since I didn't find a solution that worked with OAuth2 and the Credentials flow, I got it working with Basic Authentication. The username (userName) and password (userPWD) can be taken from the publishing profile of the respective app service.

GET https://{appservicename}.scm.azurewebsites.net/api/triggeredwebjobs/{jobName}/history
Authorization Basic ....