SAFE Stack authentication with Azure AD B2C user flows (or custom policies) -- Has anyone solved this?

Question

Straightforward but open-ended question: Has anyone succeeded in wiring up a SAFE Stack application to Azure AD B2C such that guest users (in the B2C tenant) can sign-in, via defined user flow or custom policy?

Specific question that could enable me to close the loop on my approach: Any idea why an app using Microsoft.Identity.Web to handle authentication would run into this poorly documented error, and how to solve it? --

"The application with ID <<Ugly_GUID>> cannot get an ID token either because the openid scope was not provided in the request or the application is not authorized for it."

Details on my failed efforts thus far: With some modifications, I was able to follow Ryan Palmer's two-part series to force Azure AD authentication for my SAFE Stack (v3, .NET 5) app:

• https://www.compositional-it.com/news-blog/safe-authentication-with-azure-active-directory/
• https://www.compositional-it.com/news-blog/safe-stack-authentication-with-active-directory-part-2/

This results in behavior where my real Azure login grants me access to the app. But the goal is to enable a user flow (or custom policy, whatever works) such that users who are authorized in my Azure AD B2C tenant can authenticate and use the app. With settings like the following (and many attempted variations) in appsettings.json, a call to the app's URL successfully redirects to the sign-in user flow:

"AzureAD":
{
    "Instance": "https://RoundTableExcaliburDev.b2clogin.com/",
    "Domain": "RoundTableExcaliburDev.onmicrosoft.com",
    "ClientId": "26e6d007-be46-4928-b06e-04acdbfd2913",
    "CallbackPath": "/api/login-callback",
    "SignedOutCallbackPath": "/api/logout-callback",
    "SignUpSignInPolicyId": "B2C_1A_SIGNUP_SIGNIN"
}

The "b2clogin" URI (vs. login.microsoftonline.com in Ryan Palmer's original) and the SignUpSignInPolicyId successfully invoke the desired user flow, and I am able to sign in (and/or sign up) a dummy user that's saved in my Azure AD B2C resource. But when the flow redirects to my application, I get the "openid scope" error listed above.

The error occurs on both localhost and the version deployed to an Azure web app instance, and it occurs in Firefox, Chrome, and Edge.

Additional Azure AD B2C details:

• I've registered a web app with return URLs of https://<app_name>.azurewebsites.net/api/login-callback and https://localhost:8080/api/login-callback
• "Access tokens" and "ID tokens" rights have been granted in the B2C registered app's authentication section.
• The registered app has a secret (not a certificate), but I have not used that value anywhere, nor has any documentation I've yet seen indicated where it would be used.
• In the absence of authentication, the SAFE Stack app works as expected, on localhost and on Azure.

Answer 1

Well I found the magic fix-it-all button for my problem, but I don't know why it was necessary. Upon creating the app registration within Azure AD B2C (a process I repeated several times), I checked the box saying "Grant admin consent to openid and offline access permissions" per the instructions here and elsewhere. Under the "API permissions" view in the registered app, the permissions appear under "Microsoft Graph" as "offline_access" and "openid". Despite those permissions having already been granted, my problem went away when I clicked "Grant admin consent for [app name]" and confirmed the (re-)grant.

Given that my obscure error message referred to permissions on the "openid scope," and given that I did nothing else between the prior failure and the subsequent success, I have no doubt that this was the solution, but I don't understand why it was necessary.