
I'm thoroughly mystified by the b2cScopes attribute which is used when instantiating the Microsoft Authentication Library in the B2C use case for ASP.NET Core 3.1. Here's the canonical example, where confusingly the sample code doesn't actually implement a helloapi or a demo api:

var appConfig = {
      b2cScopes: ["https://fabrikamb2c.onmicrosoft.com/helloapi/demo.read"],
      webApi: "https://fabrikamb2chello.azurewebsites.net/hello"
};

// instantiate MSAL
const myMSALObj = new Msal.UserAgentApplication(msalConfig);

But here are a bunch of other different formats for b2cScopes, such as:

Ex 1. source

b2cScopes: ["profile","email","openid", "https://lduceademo.onmicrosoft.com/big/read"]

Ex 2. source

b2cScopes: ["openid"]

Ex 3. source

b2cScopes: ['https://zzzzz.onmicrosoft.com/api/Hello.Read']

Ex 4. source

b2cScopes: ['https://meeblitenant.onmicrosoft.com/api/myapp_read',
            'https://meeblitenant.onmicrosoft.com/api/myapp_write']

Ex 5. source

b2cScopes: ['https://my_app_name.onmicrosoft.com/my_api_name/user_impersonation email openid profile']

So I have the following questions:

  1. Do the .read and .write suffixes somehow map to HTTP GET, PUT, POST permissions? If not, what do these suffixes do?
  2. Is this value case insensitive (see Ex 3)?
  3. Some of the examples seem to imply a relative URL, and others imply a complete URL. Are both correct?
  4. Is Ex 5 just totally broken since it's using spaces to separate scopes instead of using a string array?
  5. If I've implemented a webapi at api/user that has HTTP GET, PUT, and POST verbs, what should the b2cScope be?
Jay Borseth

2 Answers


Do the .read and .write suffixes somehow map to HTTP GET, PUT, POST permissions? If not, what do these suffixes do?

No. You can define scopes for an API in the AAD B2C control panel. They can be called whatever you want, and they can mean anything you want in your API.

Is this value case insensitive (see Ex 3)?

I'm 90% sure that they are case insensitive.

Some of the examples seem to imply a relative URL, and others imply a complete URL. Are both correct?

They are not URLs actually. They are identifiers for scopes. Some scopes like openid and profile are standard OpenID Connect scopes that specify information desired in the ID token. For calling APIs, you need a complete URI identifying the scope your app needs.

Is Ex 5 just totally broken since it's using spaces to separate scopes instead of using a string array?

Well, it's certainly using the API wrong. But that is actually how they are sent in the URL, so it could work.

If I've implemented a webapi at api/user that has HTTP GET, PUT, and POST verbs, what should the b2cScope be?

You need to define them in the B2C control panel. Then use those in your app. You'll need to add authorization checks in your API as well that check for these scopes.

juunas

openid and offline_access are scopes that are part of the OpenID spec.

https://learn.microsoft.com/en-gb/azure/active-directory-b2c/openid-connect#send-authentication-requests

The others are custom scopes which map to actions at your API.

https://learn.microsoft.com/en-gb/azure/active-directory-b2c/access-tokens

Jas Suri - MSFT
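Both answers make the same two points: the scope strings are identifiers (not URLs to fetch) that are joined with spaces on the wire, and the `.read`/`.write` suffixes mean nothing until the API itself checks them. The following is an added example that is not code from the question, the answers or Microsoft's samples. The tenant name, App ID URI, scope names and the token claims are constructed; it also assumes, per the linked access-tokens document, that the API sees the short scope names in the `scp` claim after its middleware has validated the token.

```javascript
// Added example (not from the question or answers). All names are constructed.

// Client side: the App ID URI of the API (constructed) plus the scope names
// defined for it in the B2C portal. API scopes are full URIs; the standard
// OpenID Connect scopes are bare names. None of these is fetched as a URL.
const API_ID_URI = "https://contoso-example.onmicrosoft.com/helloapi";
const appConfig = {
  b2cScopes: [`${API_ID_URI}/demo.read`, `${API_ID_URI}/demo.write`],
  oidcScopes: ["openid", "profile", "email"],
};

// On the wire the scopes become ONE space-delimited string, URL-encoded.
// This is why Ex 5 (a single string with spaces) can still work.
function scopeParameter(scopes) {
  return encodeURIComponent(scopes.join(" "));
}

// Accept either shape seen in the question (array of scopes, or one string
// with embedded spaces) and normalise it to an array of single scopes.
function normalizeScopes(scopes) {
  const list = Array.isArray(scopes) ? scopes : [scopes];
  return list.flatMap((s) => s.split(/\s+/)).filter(Boolean);
}

// Server side: split the scp claim of an already-validated access token.
// Assumption (from the linked access-tokens doc): scp holds the short names,
// e.g. "demo.read demo.write", not the full URIs.
function scopesFromClaims(claims) {
  return typeof claims.scp === "string"
    ? claims.scp.split(/\s+/).filter(Boolean)
    : [];
}

// B2C attaches no meaning to ".read"/".write"; the API decides. This table is
// that decision for a hypothetical api/user endpoint: GET needs demo.read,
// PUT and POST need demo.write, anything else is refused.
const requiredScopeByVerb = {
  GET: "demo.read",
  PUT: "demo.write",
  POST: "demo.write",
};

// Authorization check the API runs per request, after token validation.
function authorize(verb, claims) {
  const required = requiredScopeByVerb[verb.toUpperCase()];
  if (!required) {
    return { allowed: false, reason: "verb not mapped to any scope" };
  }
  const granted = scopesFromClaims(claims);
  if (!granted.includes(required)) {
    return { allowed: false, reason: `missing scope ${required}` };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed claim sets, as they would look after signature/issuer/audience
// validation by the API's JWT middleware.
const readOnlyClaims = { aud: "00000000-0000-0000-0000-000000000000", scp: "demo.read" };
const readWriteClaims = { ...readOnlyClaims, scp: "demo.read demo.write" };

// Usage
console.log("authorize request scope=", scopeParameter([...appConfig.oidcScopes, ...appConfig.b2cScopes]));
console.log("Ex 5 normalised:", normalizeScopes([`${API_ID_URI}/user_impersonation email openid profile`]));
console.log("GET with read-only token:", authorize("GET", readOnlyClaims));
console.log("PUT with read-only token:", authorize("PUT", readOnlyClaims));
console.log("POST with read/write token:", authorize("POST", readWriteClaims));
```

The table-driven check is the part the first answer says you must add yourself: the token only proves which scopes were granted, and the API decides which verb needs which scope. Scope names are compared exactly here; if you rely on case-insensitive matching, confirm it against the scopes as defined in your own tenant rather than assuming it.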