
I have a separate UI web app from the API web app. Both are registered as applications in B2C. I've enabled Azure App Service Authentication / Authorization (easy auth) on the UI web app, and configured the API web app to use JwtBearer middleware to authenticate calls to the API.

This seems to work, but I have trouble getting scopes through to the API web app. I have published the scopes in the API app, and configured the UI app to have access to these scopes.

I've tried different login URL options, e.g., https://myUIapp.azurewebsites.net/.auth/login/aad?p=b2c_1a_mysigninpolicy&scope=openid+https://myb2ctenant.onmicrosoft.com/api/company.read&post_login_redirect_uri=/app

and ensured that the API app's "App ID URI" (in B2C app settings) is indeed "api", while the scope name is company.read. Still, after successful authentication, when going to /.auth/me, I do not see the scope; I do see other claims just fine.

Where should I start looking into pointers on this?

UPDATE

I've determined how I end up in this situation, but it is still unclear why:

  1. User authenticates starting with URL such as: https://login.microsoftonline.com/mydevb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_signin&client_id=UIAPP_GUID&nonce=defaultNonce&redirect_uri=https%3A%2F%2FUIAPP.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&scope=openid%20https%3A%2F%2Fmydevb2c.onmicrosoft.com%2Fapi%2Fcompany.write%20https%3A%2F%2Fmydevb2c.onmicrosoft.com%2Fapi%2Fcompany.read&response_type=id_token%20token&prompt=login

  2. After successful authentication, the user is redirected to https://UIAPP.azurewebsites.net/.auth/login/aad/callback, as defined, BUT is immediately redirected back to the authentication system with the default scope set "openid+profile+email", i.e. a URL such as https://login.microsoftonline.com/mydevb2c.onmicrosoft.com/oauth2/v2.0/authorize?response_type=id_token&redirect_uri=https%3A%2F%2FUIAPP.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=UIAPP_GUID&scope=openid+profile+email&response_mode=form_post&p=b2c_1a_signinsuomifi&nonce=somenonce&state=redir%3D%252Fapp

If I take the access_token from the first callback to /.auth/login/aad/callback, it contains the requested scopes, but the second authentication callback obviously doesn't, as it requests the default scope set.

Do I perhaps need to start the easy auth login process via .auth/login/aad in order for it to accept the callback as well?

UPDATE 2

Yes, I need to start the process via .auth/login/aad: using a login URL such as https://myUIapp.azurewebsites.net/.auth/login/aad?p=B2C_1A_signin&redirect_uri=https%3A%2F%2FmyUIapp.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&scope=openid%20https%3A%2F%2Fmydevb2c.onmicrosoft.com%2Fapi%2Fcompany.write%20https%3A%2F%2Fmydevb2c.onmicrosoft.com%2Fapi%2Fcompany.read&response_type=id_token%20token&prompt=login&post_login_redirect_uri=/app removes the second authentication redirect.

The question now is, why do I only see the id_token in .auth/me and not the access_token that is clearly returned to the .auth/login/aad/callback? And ultimately: how come, using the access_token as a Bearer token, I still cannot query the easy auth secured API, but get the error "You do not have permission to view this directory or page."? I have followed the steps in Azure client app accessing Azure api secured by AD.

If I switch off easy auth, and use the JwtBearer middleware in my API, it works fine.
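The symptom above (claims visible, scope missing) is easiest to diagnose by looking at which token you actually hold: an id_token carries the UI app as audience and no scope claim, while an access_token issued for the API carries the API's audience and a space-separated `scp` claim. The following is an added example, not code from the question or from Azure; the issuer, client ids and token contents are constructed placeholders. It decodes a compact JWT without verifying the signature (inspection only, the equivalent of pasting the token into a decoder) and then applies the audience, issuer, expiry and scope checks the API side must make after signature validation.

```python
import base64
import json
from typing import Dict, Tuple

# Constructed sample values, not taken from the question: a placeholder issuer
# for a B2C tenant/policy and the API application's client id (the "aud" an
# access token issued for the API must carry).
EXPECTED_ISSUER = "https://mydevb2c.b2clogin.com/TENANT_ID_PLACEHOLDER/v2.0/"
EXPECTED_AUDIENCE = "API_APP_CLIENT_ID_PLACEHOLDER"
REQUIRED_SCOPE = "company.read"


def _b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, as used for JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> Tuple[Dict, Dict]:
    """Return (header, payload) of a compact JWS.

    The signature is NOT checked: this only shows which claims the authorization
    server put in the token, which is how you tell an id_token (no "scp") from
    an access_token that has it. Authorization decisions in the API must go
    through middleware that validates the signature against the tenant's keys.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_access_token_claims(claims: Dict, required_scope: str, expected_aud: str,
                              expected_iss: str, now: int) -> Tuple[bool, str]:
    """Checks an API applies once the signature has been verified. Returns (ok, reason).

    B2C emits granted scopes in "scp" as a single space-separated string.
    """
    if claims.get("iss") != expected_iss:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return False, "token not issued for this API (aud)"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "token expired or missing exp"
    scp = claims.get("scp")
    if not isinstance(scp, str):
        return False, "no scp claim: is this an id_token rather than an access_token?"
    if required_scope not in scp.split(" "):
        return False, f"scope {required_scope!r} not granted (scp={scp!r})"
    return True, "ok"


def make_constructed_token(payload: Dict) -> str:
    """Assemble a compact JWS with a dummy signature so the example runs offline.

    The signature bytes are meaningless; verifying middleware would reject this
    token, which is the point: decode_jwt_unverified is for inspection only.
    """
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(payload), _b64url_encode(b"\x00" * 32)])


NOW = 1_600_000_000  # fixed "current time" so the checks are deterministic

# Constructed claims resembling a B2C access token issued to the UI app for the API.
ACCESS_TOKEN = make_constructed_token({
    "iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": NOW + 3600,
    "azp": "UI_APP_CLIENT_ID_PLACEHOLDER", "scp": "company.read company.write",
    "tfp": "B2C_1A_signin",
})
# Constructed claims resembling an id_token: audience is the UI app, no scp.
ID_TOKEN = make_constructed_token({
    "iss": EXPECTED_ISSUER, "aud": "UI_APP_CLIENT_ID_PLACEHOLDER", "exp": NOW + 3600,
    "tfp": "B2C_1A_signin", "name": "Constructed User",
})


def inspect(token: str) -> Tuple[bool, str]:
    """Decode a token and report whether it would authorize a REQUIRED_SCOPE call."""
    _, claims = decode_jwt_unverified(token)
    return check_access_token_claims(claims, REQUIRED_SCOPE, EXPECTED_AUDIENCE,
                                     EXPECTED_ISSUER, NOW)


if __name__ == "__main__":
    for name, tok in (("access_token", ACCESS_TOKEN), ("id_token", ID_TOKEN)):
        print(name, inspect(tok))
```

Run against a real token copied from the callback, `inspect` tells you in one line whether you are holding the id_token (wrong audience, no `scp`) or an access_token that simply lacks the requested scope, which is the distinction the two UPDATE sections above are circling.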

  • [This sample](https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi/blob/master/TaskWebApp/Controllers/TasksController.cs#L39) demonstrates how to get an access token using the auth code flow. – spottedmahn Apr 09 '18 at 17:10
  • Thanks, I already get the access_token during auth process, but having hard time getting hold of it, any ideas? – Jussi Palo Apr 11 '18 at 08:46
  • seems like [easy auth](https://learn.microsoft.com/en-us/azure/app-service/app-service-mobile-how-to-configure-active-directory-authentication) is an Azure AD thing not an Azure AD B2C thing... – spottedmahn Apr 11 '18 at 13:26
  • No, you're thinking of "easy oauth" (at least that's what the edited link https://easyauth.azurewebsites.net refers to). "easy auth" is just what the Azure App Authentication is/was referred to in some cases (https://cgillum.tech/category/easy-auth/). There are bits and pieces here and there indicating it would work with this full scenario, but nothing really concrete. – Jussi Palo Apr 11 '18 at 13:36
  • One example of these vague posts indicating it would be possible: https://stackoverflow.com/questions/43539757/with-azure-app-service-easy-auth-azure-ad-b2c-is-it-possible-to-secure-a-singl – Jussi Palo Apr 11 '18 at 13:51
  • Gotcha, did some more research, easy auth is an Azure App Services thing. Easy auth is easy oauth, same thing. See url name and YouTube video name. Seems like this is what the devs called it but didn't become the official name of this feature. – spottedmahn Apr 12 '18 at 01:48
