
The Environment

I have an Azure B2C tenant for managing simple username/password sign-up and sign-in, following the example found here: https://github.com/Azure-Samples/active-directory-b2c-javascript-hellojs-singlepageapp

The tenant manages the authentication for a javascript/html application on the front end, and then that front-end application communicates with a WebAPI application on the back-end for its data.

The back-end WebAPI is taken from the example found here: https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi

Both applications are registered with the tenant and require authentication in order to work.

What Works

Authentication works great when testing it directly from the Azure portal.

The successful authorize request:

Request URL:https://login.microsoftonline.com/dhzb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_SiUpIn&client_id=2bb37577-246c-48a7-b047-2ce2a748dfda&nonce=defaultNonce&redirect_uri=http%3A%2F%2Flocalhost%3A65328%2Fredirect.html&scope=openid&response_type=id_token&prompt=login
Request Method:GET

What Doesn't Work

When attempting to log in via the front-end with the back-end registered in the tenant, I get this:

Correlation ID: 4ac6f519-0949-42e0-96a7-d84d14454bbb
Timestamp: 2017-07-10 23:07:48Z
AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation.

And the API back-end is never reached.

The unsuccessful authorize request:

Request URL:https://login.microsoftonline.com/tfp/dhzb2c.onmicrosoft.com/B2C_1_SiUpIn/oauth2/v2.0/authorize?client_id=2bb37577-246c-48a7-b047-2ce2a748dfda&response_type=token%20id_token&redirect_uri=http%3A%2F%2Flocalhost%3A65328%2Fredirect.html&state=%7B%22client_id%22%3A%222bb37577-246c-48a7-b047-2ce2a748dfda%22%2C%22network%22%3A%22adB2CSignInSignUp%22%2C%22display%22%3A%22page%22%2C%22callback%22%3A%22_hellojs_cprxketk%22%2C%22state%22%3A%22%22%2C%22redirect_uri%22%3A%22http%3A%2F%2Flocalhost%3A65328%2Fredirect.html%22%2C%22scope%22%3A%22openid%2Chttps%3A%2F%2Fdhzb2c.onmicrosoft.com%2Ftestb2capi%22%2C%22page_uri%22%3A%22http%3A%2F%2Flocalhost%3A65328%2Findex.html%22%7D&scope=openid%20https://dhzb2c.onmicrosoft.com/testb2capi
Request Method:GET

What I've Tried

I have tried looking for logs, like a permissions error log, that would tell specifics about the problem, but have found none.

Question

Perhaps there is another place I need to look for logs?

What else can I do?

Authentication error messages are designed to limit the information they provide, so there has to be some way to get greater specificity about the error. What do I not know?

David
  • Some things you can include in your question to make it easier for people to help you: full error message, including error code and correlation id. https request made via the portal and https request made by your application. Screenshots of your application registrations and permissions. – Saca Jul 11 '17 at 04:14
  • It is also a good idea to get started with a sample app which is fully configured, from the B2C samples that are hosted on git. Did you try that? And do you see the same failures from that app too? – Ramakrishna Jul 11 '17 at 05:28
  • Thanks @Saca. I have added the full error code, https requests, and info about the B2C examples I am following, minus the screenshots of permissions. Also, I have solved my problem! I will post an answer shortly. – David Jul 11 '17 at 22:41

4 Answers


First, this does not answer my original question, so I won't mark this as the answer. I'll let someone else give the real answer; perhaps the correlation id is significant? This answer, however, does solve my problem.

In Azure B2C, permissions are called "scopes".

This means that in order for authentication to succeed without the given permissions error, the following is needed:

(1) The back-end application has to publish a scope


(2) The front-end application has to subscribe to that scope


(3) The authorize request has to include the scope in the scope field.

Request URL:https://login.microsoftonline.com/tfp/dhzb2c.onmicrosoft.com/B2C_1_SiUpIn/oauth2/v2.0/authorize?client_id=2bb37577-246c-48a7-b047-2ce2a748dfda&response_type=token%20id_token&redirect_uri=http%3A%2F%2Flocalhost%3A65328%2Fredirect.html&state=%7B%22client_id%22%3A%222bb37577-246c-48a7-b047-2ce2a748dfda%22%2C%22network%22%3A%22adB2CSignInSignUp%22%2C%22display%22%3A%22page%22%2C%22callback%22%3A%22_hellojs_bb3gzjb8%22%2C%22state%22%3A%22%22%2C%22redirect_uri%22%3A%22http%3A%2F%2Flocalhost%3A65328%2Fredirect.html%22%2C%22scope%22%3A%22openid%2Chttps%3A%2F%2Fdhzb2c.onmicrosoft.com%2Ftestb2capi%2Fread%22%2C%22page_uri%22%3A%22http%3A%2F%2Flocalhost%3A65328%2F%22%7D&scope=openid%20https://dhzb2c.onmicrosoft.com/testb2capi/read
Request Method:GET

Note

I think that the name of the scope that you publish does not matter, the only thing that matters is that at least one scope is used.

David
  • The name of the scope does matter. **For now** you only get back the scopes that you do have, and if you pick a bogus scope or a scope you don't have, I'll return no access token. As this feature reaches GA it's likely that behavior will change, resulting in an error (vs no error and no access token). – Saca Jul 12 '17 at 03:42
  • @David - agreed that the answer does not answer the question BUT it's a fantastic answer and it has solved my problem. I had created scopes but had not added them into API Access. – ubienewbie Mar 05 '18 at 16:56
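The three steps above, plus the "no error, no access token" behaviour Saca describes in the comments, as an added example (Node.js; not code from the question, the answer or the Azure samples). It builds the /tfp/ authorize request with `openid` plus the API scope, parses the fragment the implicit flow appends to redirect_uri, and checks that an access token came back whose `scp` claim carries the requested scope name. The tenant, policy, client id, redirect URI and scope are the values from the question; the tokens in the demo are constructed and unsigned, and the payload decoder deliberately skips signature verification because it is a diagnostic aid, not the API's validation.

```javascript
// Added example: build the B2C authorize request and diagnose the redirect.
// Assumes the hello.js-style implicit flow (response_type=token id_token) and
// that B2C puts granted scope names (e.g. "read", not the full URI) in "scp".

const B2C_HOST = 'https://login.microsoftonline.com';

// Step (3): scope must be "openid" plus at least one scope the API publishes.
function buildAuthorizeUrl({ tenant, policy, clientId, redirectUri, apiScopes, state, nonce }) {
  if (!apiScopes || apiScopes.length === 0) {
    throw new Error('request at least one API scope, otherwise no access token is issued');
  }
  const url = new URL(`${B2C_HOST}/tfp/${tenant}/${policy}/oauth2/v2.0/authorize`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('response_type', 'token id_token');
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('scope', ['openid', ...apiScopes].join(' '));
  url.searchParams.set('state', state);
  url.searchParams.set('nonce', nonce);
  return url.toString();
}

// The implicit flow returns tokens (or an error) in the URL fragment of redirect_uri.
function parseRedirectFragment(fragment) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  const out = {};
  for (const key of ['id_token', 'access_token', 'token_type', 'expires_in', 'state', 'error', 'error_description']) {
    if (params.has(key)) out[key] = params.get(key);
  }
  return out;
}

// Decode a JWT payload WITHOUT verifying the signature. Diagnosis only:
// the API must still validate issuer, audience, expiry and signature.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// A scope the client has not been granted yields an id_token but no access_token
// (no error), so a missing access_token is the signal to look for.
function diagnoseResponse(fragment, requestedApiScopes) {
  const r = parseRedirectFragment(fragment);
  if (r.error) return { ok: false, reason: `${r.error}: ${r.error_description || ''}`.trim() };
  if (!r.id_token) return { ok: false, reason: 'no id_token in redirect fragment' };
  if (!r.access_token) {
    return { ok: false, reason: 'id_token only: requested API scope not granted to this client' };
  }
  const granted = String(decodeJwtPayload(r.access_token).scp || '').split(' ').filter(Boolean);
  const wanted = requestedApiScopes.map(s => s.slice(s.lastIndexOf('/') + 1));
  const missing = wanted.filter(s => !granted.includes(s));
  if (missing.length > 0) return { ok: false, reason: `access_token lacks scope(s): ${missing.join(', ')}` };
  return { ok: true, grantedScopes: granted };
}

// --- constructed demo data: unsigned tokens, for illustration only ---
function base64url(text) {
  return Buffer.from(text, 'utf8').toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function makeDemoJwt(payload) {
  return `${base64url(JSON.stringify({ alg: 'none', typ: 'JWT' }))}.${base64url(JSON.stringify(payload))}.demo-signature`;
}

const DEMO = {
  tenant: 'dhzb2c.onmicrosoft.com',
  policy: 'B2C_1_SiUpIn',
  clientId: '2bb37577-246c-48a7-b047-2ce2a748dfda',
  redirectUri: 'http://localhost:65328/redirect.html',
  apiScopes: ['https://dhzb2c.onmicrosoft.com/testb2capi/read'],
  state: 'demo-state',
  nonce: 'demo-nonce',
};

function demo() {
  const authorizeUrl = buildAuthorizeUrl(DEMO);
  // Redirect once the scope is published and granted: both tokens present.
  const good = '#id_token=' + makeDemoJwt({ sub: 'user1', aud: DEMO.clientId })
    + '&access_token=' + makeDemoJwt({ aud: DEMO.clientId, scp: 'read' })
    + '&token_type=Bearer&expires_in=3600&state=' + DEMO.state;
  // Redirect when the client was not granted the scope: id_token only.
  const noGrant = '#id_token=' + makeDemoJwt({ sub: 'user1', aud: DEMO.clientId }) + '&state=' + DEMO.state;
  return { authorizeUrl, good: diagnoseResponse(good, DEMO.apiScopes), noGrant: diagnoseResponse(noGrant, DEMO.apiScopes) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` and compare the printed authorize URL with the one in your Network tab: the `scope` parameter must contain the full `https://<tenant>/<api>/<scope>` URI, not just `openid`. If the redirect fragment comes back with an `id_token` and no `access_token`, the client has not been granted the scope (steps 1 and 2), regardless of what the request asked for.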

We had a similar issue with our API authentications. We added a B2C application, published the scope (user_impersonation) and added the API access on itself. Later on, we decided to add a custom domain to our Azure AD and make that the primary domain. All applications we added after that received the same error (AADB2C90205) upon authorisation. We were able to "debug" what was happening by using the developer tools of the browser (Chrome or Firefox) and watching the "Network" tab while loading the list of applications. One difference we noticed there was the array of "identifierUris". The one which was working had the default https://somestring.onmicrosoft.com/ApiName/ url, while all other applications that did not work had our custom Uri. Our solution was to make the default .onmicrosoft.com/ uri the primary again and just add our custom domain.

So, in answer to your question: you could use the network traffic logger of your browser to analyse what goes wrong during authentication. I hope the information in this answer might help others receiving the same error in tracking down solutions of their own.

froeschli
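The identifierUris check described above, done offline instead of by eye in the Network tab, as an added example (Node.js; not froeschli's or the asker's code). It takes the scopes a client requests and the API registrations' `identifierUris` and published scope names, and reports every API scope that no registration can serve; where the resource name exists under another host (the onmicrosoft.com vs custom-domain case) it says so. The registration objects are constructed for the demo and only approximate what the portal returns: the field names `identifierUris` and `oauth2PermissionScopes` and the `value` property are assumptions about that payload, so adapt them to what your own Network tab shows.

```javascript
// Added example: cross-check requested scopes against API registrations.
// Registration shape is constructed; the portal's real payload has more fields.

const registrations = [
  {
    displayName: 'testb2capi',
    identifierUris: ['https://dhzb2c.onmicrosoft.com/testb2capi'],
    oauth2PermissionScopes: [{ value: 'read' }],
  },
  {
    // Registered after a custom domain became primary: identifierUris use it.
    displayName: 'newerapi',
    identifierUris: ['https://custom.example.com/newerapi'],
    oauth2PermissionScopes: [{ value: 'user_impersonation' }],
  },
];

// OIDC scopes that are not API scopes and must not be matched against a registration.
const RESERVED_SCOPES = new Set(['openid', 'offline_access', 'profile', 'email']);

// 'https://tenant/api/read' -> { resource: 'https://tenant/api', name: 'read' }
function splitScope(scope) {
  const i = scope.lastIndexOf('/');
  if (i <= 0) return null; // bare name like "read": no resource URI at all
  return { resource: scope.slice(0, i), name: scope.slice(i + 1) };
}

function normalizeUri(u) {
  return u.replace(/\/+$/, '').toLowerCase();
}

// Returns one finding per requested API scope that no registration can serve.
function findScopeMismatches(requestedScopes, apps) {
  const findings = [];
  for (const scope of requestedScopes) {
    if (RESERVED_SCOPES.has(scope)) continue;
    const parsed = splitScope(scope);
    if (!parsed) {
      findings.push({ scope, problem: 'scope is not a full URI (<identifierUri>/<name>)' });
      continue;
    }
    const app = apps.find(a => a.identifierUris.some(u => normalizeUri(u) === normalizeUri(parsed.resource)));
    if (!app) {
      // Same resource name under another host (onmicrosoft.com vs custom domain) is the classic cause.
      const nameOnly = parsed.resource.slice(parsed.resource.lastIndexOf('/') + 1).toLowerCase();
      const lookalike = apps.find(a => a.identifierUris.some(u => normalizeUri(u).endsWith('/' + nameOnly)));
      findings.push({
        scope,
        problem: 'no API registration publishes this identifier URI',
        hint: lookalike ? `did you mean ${lookalike.identifierUris[0]}?` : undefined,
      });
      continue;
    }
    if (!app.oauth2PermissionScopes.some(p => p.value === parsed.name)) {
      findings.push({ scope, problem: `API "${app.displayName}" does not publish scope "${parsed.name}"` });
    }
  }
  return findings;
}

function demoMismatches() {
  return findScopeMismatches([
    'openid',
    'https://dhzb2c.onmicrosoft.com/testb2capi/read',             // served
    'https://dhzb2c.onmicrosoft.com/testb2capi/write',            // scope not published
    'https://custom.example.com/testb2capi/read',                 // wrong host for this API
    'https://dhzb2c.onmicrosoft.com/newerapi/user_impersonation', // API lives under the custom domain
  ], registrations);
}

console.log(JSON.stringify(demoMismatches(), null, 2));
```

Paste the `identifierUris` arrays you see in the Network tab into `registrations` and the `scope` parameter of your authorize request into the list; an empty result means the request at least names a resource the tenant knows, and any "did you mean" hint points at exactly the domain mismatch this answer describes.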

If you go to this github and download

 https://github.com/Azure-Samples/active-directory-b2c-advanced-policies

Within it you will find a sample MVC app called JourneyRecorder.

If you deploy this to Azure you can then set your policy to dev mode and record information that you can use for debugging. Some people prefer the App Insights one, but I think this is still the most informative:

 DeploymentMode="Development" 
 UserJourneyRecorderEndpoint="https://your-app-name/stream?id=<Any GUID You can think of>" >

Then upload and execute your policy and then navigate to

  https://your-app-name/trace_102.html?id=<your GUID>

It isn't a great UI, but if you set it up correctly it does record your endpoints and you can use it to debug B2C journeys.

whatisthejava

The post from @David is correct; however, Applications are now marked as (Legacy) and App registrations is recommended.


It is however very similar. In your App registration click on Expose an API and add a new scope. After that click on API permissions and Add a permission. Select APIs my organization uses, your App registration name and select your newly created scope. If you need Admin consent you will need to click on Grant admin consent for <YOUR ADB2C>. After this everything worked for me.


Ogglas