active-directory-b2c-dotnet-webapp-and-webapi | combined sample for a .NET web application | Azure library
kandi X-RAY | active-directory-b2c-dotnet-webapp-and-webapi Summary
Description: "The sample covers calling an OpenID Connect identity provider (Azure AD B2C) and acquiring a token from Azure AD B2C using MSAL."
Community Discussions
QUESTION
I've set up my ASP.NET MVC app according to this sample, and if you look at that line in startup.auth.cs, it says that when the user clicks the "Forgot Password" link, it should redirect to my app, at which point it should catch that error at line 101 (which I've linked to) and then redirect the user to the proper reset-password flow.
However, when clicking forgot password, the flow is never directed back to my app, but rather I see this screen:
Where can I check as to why this happens? Is this supposed to be in my sign in policy or is there some setting in application or tenant?
...ANSWER
Answered 2021-Feb-28 at 11:49
This happens if you enable development mode in your custom policy. Either remove the lines, or set it to DeploymentMode:Production.
https://docs.microsoft.com/en-us/azure/active-directory-b2c/troubleshoot-with-application-insights
QUESTION
We have two separate .NET Core APIs (API1 & API2) that are protected using Azure AD B2C. Both these APIs are registered on the B2C tenant and have their scopes exposed. We have a client web application that is to access the above protected APIs. This web app has been registered as an application in the B2C tenant and has API permissions set for the above APIs with the proper scopes defined.
We use MSAL.NET with a sign-in policy to sign the user in to the web app. The authentication call requires scopes to be mentioned, so we add API1's scope in the call. (Note: one scope of a single resource can be added in an auth call, as shown below.)
...ANSWER
Answered 2020-Nov-25 at 13:47
A single access token can only contain scopes for a single audience.
You have 2 options:
- Combine both services into a single app registration and expose different scopes.
- Request multiple tokens - one per service. If your SSO policy is configured correctly in B2C, this should happen silently unbeknownst to the user.
I recommend using option 1 if you own both services (which it sounds like you do). A few tips related to this option.
- When declaring the scopes in the combined app registration, use the dot-syntax {LogicalService}.{Operation}. If you do this, the scopes will be grouped by logical service within the Azure portal.
- Make sure you are validating scopes in your service. Validating only the audience is not good enough and would allow an attacker to make lateral movements with a token bound for another service.
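An added example, not part of the answer or of the sample project: an ASP.NET Core authorization policy that requires a specific scope from the B2C access token, on top of the audience check the JwtBearer handler already performs. The scope names ("Orders.Read", "Orders.Write") and the policy names are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

public static class ScopePolicies
{
    // Azure AD B2C puts the granted scopes in the "scp" claim, space-separated.
    // The JWT handler maps "scp" to the long claim type by default, so both
    // names are accepted here.
    private static readonly string[] ScopeClaimTypes =
    {
        "scp",
        "http://schemas.microsoft.com/identity/claims/scope"
    };

    // True only if the token explicitly grants requiredScope (exact match,
    // so a token for another logical service cannot satisfy this check).
    public static bool HasScope(ClaimsPrincipal user, string requiredScope)
    {
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        return user.Claims
            .Where(c => ScopeClaimTypes.Contains(c.Type))
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .Any(s => string.Equals(s, requiredScope, StringComparison.Ordinal));
    }

    // One policy per scope, using the {LogicalService}.{Operation} naming
    // from the answer; the scope names are hypothetical.
    public static IServiceCollection AddScopePolicies(this IServiceCollection services)
    {
        return services.AddAuthorization(options =>
        {
            foreach (var scope in new[] { "Orders.Read", "Orders.Write" })
            {
                options.AddPolicy(scope, policy => policy
                    .RequireAuthenticatedUser()
                    .RequireAssertion(ctx => HasScope(ctx.User, scope)));
            }
        });
    }
}

// Usage on a hypothetical controller action:
// [Authorize(Policy = "Orders.Read")]
// public IActionResult GetOrders() { ... }
```

Register the policies after `AddAuthentication().AddJwtBearer(...)`, which still validates issuer, signature and audience; the policy only adds the per-scope check.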
QUESTION
I've been following the tutorial here: https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi and have managed to get a web app authenticating with Azure B2C. I have also managed to get the web app to call ONE web API as instructed in the template.
My question is how do you call more than one API using this method? I may have 4-5 web APIs set up as in the example and want to call all of them from a single web app. Is this possible? If so, are there any examples I can take a look at?
Thanks.
...ANSWER
Answered 2020-May-01 at 01:31
You should be able to get a refresh_token after the authorization is finished.
Use this refresh_token to exchange another access_token with the scope of another web application. Like this:
Then we can get an access_token for another scope:
See details from Refresh the access token.
BTW, OBO flow seems to work for you as well. It allows an application to invoke a service/web API, which in turn needs to call another service/web API.
QUESTION
I'm looking at the B2C API demos, and API documentation and I'm unable to determine the preferred method for managing authorization.
Azure AD supports assigning AD Users/Groups to apps, and also roles. Seemingly B2C doesn't support this. (I experimented by using AAD tasks against a B2C tenant. Hopefully I did it correctly)
Given that a singular B2C tenant will offer web sign-in, and most likely API access as well, what is the benefit of creating more than one scope as exhibited in the TodoList:TodoListScope?
- Can I conditionally add additional scopes? Using B2C or store it in the graph/application somewhere?
- Or more abstractly, how should I perform authorization to the many different APIs (and apps) when an id_token is exchanged for an access_token?
Perhaps API Management will give me ideas on how to perform RBAC or other permissioning. Added them as a tag as well
...ANSWER
Answered 2020-Apr-24 at 16:30
There is an RBAC GitHub sample here that requires you to use work accounts, which are called "B2C Users" in the portal below.
Users created this way can be added to groups located within Azure Active Directory (by script). Testing still in progress.
QUESTION
I've followed this post in relation to this example and made the additions to the portal and code as suggested:
Portal: Web API - Expose an API - Add Scope for "offline_access" (also tried with format "demo.offline_access"); Web App added "offline_access" permission
Code: Added offline_access to Start_Auth.cs, Global.cs and both Web.config files.
I make my request for accessToken and refreshToken as per documentation with:
...ANSWER
Answered 2020-Mar-24 at 01:25
https://XXX.onmicrosoft.com/api/offline_access is a permission you customized in your web API app. It's not for getting a refresh token.
You just need to use offline_access here.
QUESTION
I'm following this WebApp-WebAPI example. Is there a method to retrieve an id_token after a B2C user is authorized and the id_token is received within the body? I'm on Function app V3.
I receive the authorization response at the replyURL in an Azure Function app, but the id_token comes in a body mixed with code and state data, and I can't seem to break it out or deserialize it to JSON:
...ANSWER
Answered 2020-Mar-21 at 22:09
The data is sent to you as form data, not JSON.
You need to use something like this:
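An added example, not the answer's own code: an Azure Functions v3 (in-process) HTTP trigger that reads the B2C form_post response as form data rather than JSON. The function name and route are assumptions.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

public static class B2CReplyFunction
{
    // With response_mode=form_post, B2C POSTs the authorization response as
    // application/x-www-form-urlencoded fields (id_token, code, state, or
    // error/error_description), so the body must be read as a form.
    [FunctionName("B2CReply")]
    public static async Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Anonymous, "post", Route = "signin-oidc")] HttpRequest req,
        ILogger log)
    {
        if (!req.HasFormContentType)
            return new BadRequestObjectResult("Expected a form-encoded response from B2C.");

        IFormCollection form = await req.ReadFormAsync();

        // An error response carries "error" instead of tokens; do not treat it
        // as a sign-in.
        if (form.ContainsKey("error"))
        {
            log.LogWarning("B2C returned error {Error}: {Description}",
                form["error"].ToString(), form["error_description"].ToString());
            return new BadRequestResult();
        }

        string idToken = form["id_token"];
        string code = form["code"];
        string state = form["state"];

        if (string.IsNullOrEmpty(idToken) || string.IsNullOrEmpty(state))
            return new BadRequestObjectResult("Missing id_token or state.");

        // idToken is a raw JWT. Its signature, issuer, audience and nonce must
        // still be validated against the B2C policy's metadata, and "state"
        // must match the value issued at sign-in, before any claim is trusted.
        return new OkObjectResult(new { hasCode = !string.IsNullOrEmpty(code), state });
    }
}
```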
QUESTION
I've created a simple Blazor server application linking to an Azure B2C directory for authorization.
Everything works, but I need to add additional role claims to the token. Research has pointed me to this SO post, which refers to adding the claims during the AuthorizationCodeReceived notification (example here).
I understand what I need to do, but the example is using OpenIdConnectAuthentication (from Microsoft.Owin.Security.OpenIdConnect) instead of Blazor server's Microsoft.AspNetCore.Authentication.AzureADB2C.UI.
How can I still access and amend the claims in the token once it's received? Is such a thing supported in Microsoft.AspNetCore.Authentication.AzureADB2C.UI, or should I be switching to OpenId?
Below is the boilerplate included in a basic Blazor server application, but the AzureADB2COptions are all just string config values.
ANSWER
Answered 2020-Jan-10 at 02:14
You can try to override the specific schema after AddAzureADB2C, then register your events like:
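An added example, not the answer's own code: configuring the named OpenIdConnectOptions that AddAzureADB2C registers (AzureADB2CDefaults.OpenIdScheme) so that an OnTokenValidated handler can append role claims after the id_token has been validated. The role lookup is a hypothetical stand-in for the application's own store.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.AzureADB2C.UI;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

public static class B2CClaimsConfiguration
{
    private const string ObjectIdClaimType =
        "http://schemas.microsoft.com/identity/claims/objectidentifier";

    // Call this after:
    //   services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
    //           .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));
    public static IServiceCollection AddB2CRoleClaims(this IServiceCollection services)
    {
        // Configuring the named options, rather than replacing options.Events,
        // keeps the handlers the package already wires up (e.g. the
        // password-reset redirect handling) and only adds OnTokenValidated.
        services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
        {
            options.Events.OnTokenValidated = OnTokenValidatedAsync;
        });
        return services;
    }

    private static Task OnTokenValidatedAsync(TokenValidatedContext context)
    {
        // By now the handler has validated the id_token's signature, issuer,
        // audience and nonce, so its object id is a trustworthy lookup key.
        var identity = (ClaimsIdentity)context.Principal.Identity;
        string objectId = (identity.FindFirst("oid") ?? identity.FindFirst(ObjectIdClaimType))?.Value;

        foreach (var role in LookupRoles(objectId))
        {
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        }
        return Task.CompletedTask;
    }

    // Hypothetical role source; a real application would query its own data.
    private static string[] LookupRoles(string objectId)
        => string.IsNullOrEmpty(objectId) ? new string[0] : new[] { "Reader" };
}
```

Roles added this way land in the cookie principal, so `[Authorize(Roles = "Reader")]` and `AuthorizeView` in Blazor see them on subsequent requests.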
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported