active-directory-aspnetcore-webapp-openidconnect-v2 | NET Core Web App which lets sign | Azure library

• To validate the token received from Azure AD B2C in Asp.Net, you will have to include ‘TokenValidationParameters’ value and define the validation of token claims received accordingly in the ‘Startup.cs’ file of the Web API. Please find the below sample code to be included in the ‘Startup.cs’ file for token validation which protects the Web API with Microsoft Identity platform: -

Microsoft.Identity.Web - The main package. Required by all apps that use Microsoft Identity Web

Microsoft recommends you use the Microsoft.Identity.Web NuGet package when developing a web API with ASP.NET Core.

It has lot of dependecies you can check the detailse from this Link

One of Dependecies is for .NetCoreApp3.1 is Microsoft.AspNetCore.Authentication.JwtBearer (>= 3.1.18)

The JwtBearer middleware, like the OpenID Connect middleware in web apps, validates the token based on the value of TokenValidationParameters. The token is decrypted as needed, the claims are extracted, and the signature is verified. The middleware then validates the token by checking for this data:

Audience: The token is targeted for the web API.

Sub: It was issued for an app that's allowed to call the web API.

Issuer: It was issued by a trusted security token service (STS).

Expiry: Its lifetime is in range.

Signature: It wasn't tampered with.

for more information you can follow this MS documention.

I raised the above on the MSAL Github account and after chatting to one of the contributors, the answer is that in the registration of the Options that contains the event handler it needs to be registered as:

Turns out this was due to the configuration inheritance in my IIS.

I had a first ASP.NET Core app in the "root" of the IIS site - which of course has a web.config that looks something like this:

Try to remove app.UseCookiePolicy(); in startup class. Take a look here

Or the problem was IdentityServer was still using AddDeveloperSigningCredential

You can add a certificate in your code it will work perfectly

Refer here for more info

It's possible to create the users under specific tenant and also block permissions are also available for the unknown users who are not under your organization (you can give the 2nd part of users email id like domains @gmail.com, @yahoo.com in the azure app configuration service.

You can easily identify the users who are not under your organization domain and the allowed domains like Microsoft and Social accounts you provided under the tenants section.

To do it, hope this Microsoft documentation helps you.

Azure AD is a directory service with the goal of serving organizations and their needs for identity management in the cloud. You develop against Azure AD, you can secure your applications with it - their users in Azure AD tenants can use it.

Your application is targeted for a specific organization or multiple organizations using Azure AD (Office 365).

Azure AD B2B is just a feature of Azure AD. It allows organizations to grant access to their applications and services for users from other tenants. From your app perspective nothing changes. It is still same Azure AD app. Azure AD B2B has an API which can be used to create flows for the invitation of users from another directory but it is not changing your app design, etc.

Azure AD B2C is another service built on the same technology but not the same in functionality as Azure AD. Azure AD B2C target is to build a directory for consumer applications where users can register with e-mail ID or social providers like Google, FB, MSA, known as Federation Gateway. The goal for Azure AD B2C is to allow organizations to manage single directory of customer identities shared among all applications i.e. single sign-on.

Azure AD B2C is not targeted at organization users but consumers. March 2021 Update Microsoft has introduced a new solution which merges B2B and B2C - It is called "External Identities".

What is "External Identity": It is a mechanism to allow you, to have external users, self-registration for them and control on their process, within your Azure AD (corp) tenants.

Why it is a merge between Azure AD B2C and Azure AD - those are external users, like in B2C, they can use their own username / e-mail (not a corp. domain) and self-register, but within AAD Enterprise tenant. You can also extend authentication flows for External identities with calls to external systems similar like in AAD B2C.

Let's talk about scenario, application for schools:

• Internal users -> Azure AD, covers internal applications, employees etc. in organization. User is in Azure AD
• External users, like guest teachers from other school, partners -> Azure AD B2B, guest user in Azure AD
• • External users, but not associated with any organization, e.g parents who need an access to students grades in particular application -> External Identities, they can self-register, they exists within the context of specific app, you can call additional API to check, for example if they match the record in CRM during registration
• External users, open to the internet, e.g. art contest for pupils -> Azure AD B2C. Anyone can register, students, teachers and employees can access it through Azure AD.

Pricing update: There is pricing update which affects Azure AD B2C and External Identities. First - price is per monthly, active user (MAU). MAU means someone logged on at least once during the billing period (month).
Second - first 50k users in Azure AD B2C or external identities are Free. So first 50k users in a month, free - next are paid, so 60k active users within a month costs something like 16USD.

Simple: Azure AD - apps for organizations and their corporate users Azure AD B2C - apps for customers, like mobile apps, shopping portals etc.

For more reference on Azure AD's: Read this blog post

Here is a fix (it could be not the best, but it works well for me). MDN spec says: "The warning appears because any cookie that requests SameSite=None but is not marked Secure will be rejected." That was my problem with browsers run over Chromium engine (Chrome/Opera/Edge). The default value was CookieSecurePolicy.SameAsRequest i changed it to CookieSecurePolicy.Always :

Don't fully understand the question but the:

Configuration.Bind("AzureAdB2C", options); });

is to setup a B2C authentication (as opposed to Azure AD).

There are two separate projects. The scope goes into the ToDoList project not the WebApp project

"Add a section name TodoList in the appsettings.json file and add the keys TodoListScope, TodoListBaseAddress".

I downloaded the sample code and get it works on my side, this is my Azure AD App configs:

For service Azure AD APP config:

App ID: a6b73b06-450a-4fac-a7bb-569c3644594c

Exponse an API:

For client Azure AD APP config:

App ID: d2a53db5-da38-47b7-97f1-2d27a9dd056d

Auth config:

API required permissions:

create a client secret:

Service project applications.json settings:

Client project applications.json settings:

Result: