Sign in to ASP.Net Core Web Application -> API with Individual User Accounts using Azure AD B2C ADB2C

Question

I have set up a Web Application with ASP.NET Razor Pages with -> Individual User Accounts -> Connect to an existing user store in the cloud (Azure AD B2C).

This works really well and I could both sign up and sign in to the web application.

However when I follow the guide for API I don't understand how to sign in.

The example Controller /weatherforecast simply returns a HTTP 401 when the web application is started.

Looking at the file structure I can't find any clues either but this could be similar to scaffolding I guess.

https://stackoverflow.com/a/50677133/3850405

If I comment out [Authorize] from WeatherForecastController I get a HTTP 200 so what I need is probably just a token from Azure AD B2C that is being sent to the Controller in the GET request.

I know that the B2C tenant and application work since I use the same application for the API as I did with the Web Application. It was set up using Microsofts own guide:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant

Ogglas · Accepted Answer · 2020-07-27T11:51:21.680

Update 2020-07-27:

Applications are now Legacy and App registrations should be used instead. See this guide:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga#register-a-web-application

Old:

Fixed it using these guides:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/tokens-overview https://learn.microsoft.com/en-us/azure/active-directory-b2c/access-tokens

I had some trouble where I got the error "AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation. numerous times. Turned out I had not declared the correct scopes for the application.

First step is therefore to make sure you have a read scope for your Azure AD B2C application under Published scopes:

Then under API access add your application with the scope read.

Then perform a GET request with this format, simplest way to test is to use it in Chrome or any other browser:

https://<tenant-name>.b2clogin.com/tfp/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize?
client_id=<application-ID>
&nonce=anyRandomValue
&redirect_uri=https://jwt.ms
&scope=https://<tenant-name>.onmicrosoft.com/api/read
&response_type=code

Make sure the redirect_uri is present as Reply URL for your application.

This should give you a result like after logging in like https://jwt.ms/?code=... or https//localhost:44376/signin-oidc?code= depending on redirect_uri. Microsoft example uses https://jwt.ms but I prefer to keep my codes on domains that I control.

Copy the value from code parameter and then perform a POST request, I use Postman.

POST <tenant-name>.onmicrosoft.com/oauth2/v2.0/token?p=<policy-name> HTTP/1.1
Host: <tenant-name>.b2clogin.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&client_id=<application-ID>
&scope=https://<tenant-name>.onmicrosoft.com/api/read
&code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMC...
&redirect_uri=https://jwt.ms
&client_secret=<app-key>

client_secret is from Keys:

Correct response should look like this:

Then you can copy the value for access_token and access your local API with Bearer Authorization. To see the content of your access_token you can copy the value to https://jwt.ms/

Sign in to ASP.Net Core Web Application -> API with Individual User Accounts using Azure AD B2C ADB2C

1 Answers1

Linked