Clarify and enhance B2C client side + web API set-up documentation #131
Comments
@plettb thanks for the feedback. Does this documentation help get you started? It walks you through how to set up your own b2c tenant.
No, sadly, it doesn't. I'm having no trouble setting up the B2C tenant, and it mostly works, but there is clearly something subtly different. For example when I use my own tenant and run on I think it's likely screenshots of some of the important screens (e.g. the app registration's "Authentication" page) might show the minor difference that I can't seem to find.
@plettb I see. So it's just with getting the sample working with your specific b2c tenant. Thanks for clarifying that.
Yes, the only thing I'm changing is "B2CConstants". That way, in theory, if I've set up my B2C tenant, together with the app registrations, etc., correctly mine should run identically. (Well, when trying to get the API call working, I'm also having to change the endpoint URL in "App.xaml.cs". That endpoint should be moved into "B2CConstants", in my opinion, but that's very minor. If/when I get this working, I'll gladly create a pull request for that.)
@plettb Yes, a PR to fix that would be great. thanks! For Android, in the this should work now.
The problem is that I'd find it difficult to fix only that issue. If/when I get time I'll do that, but also address one of the other issues in this branch: attempt to implement MVVM.
In the infamous words of Homer Simpson... D'oh!!! Well, I was sure it was something simple, and at least on that score I was right. Still... that feels like a rookie mistake on my part. Thanks a LOT, @jennyf19!!! On an unrelated note, but I don't think I should raise this as an "issue", per se... Any idea why debugging the UWP app doesn't work properly for me? This works for the Android version, but with the UWP version I can debug the code in the UWP project, but it won't jump to the code in the core project.
@plettb glad you got it sorted out! thanks for the quick reply. @bgavrilMS can you assist on the debugging in UWP issue @plettb mentions above?
@plettb also, take your time on the PR(s), we appreciate any outside contribution.
Apparently I wasn't quite as close as I thought. Whereas the authentication against my own B2C tenant appears to be working, it's not actually providing an access token that can be used for subsequent calls. Once again I'm curious how "fabrikamb2c" is different from my configuration. Why does it return a token and mine doesn't?!?
@plettb In the sample, we have a mobile client, which is calling the node js web api (protected resource). Because we follow the OAuth2.0 protocol, which is to gain access to protected resources through scoped access tokens, the node js web api exposes some scopes: Then with the mobile client, in the portal, we've given it permission to the node js web api by configuring the API permissions: Then in the code, you set the API endpoint: So if you're not getting an Access Token back, it's usually because the web api is not registered correctly, or it's not exposing scopes, or the mobile client is sending the wrong value for the scopes, so the authorization server will not issue a token. Sorry for the long answer, but hopefully that helps.
@jennyf19 Thank-you SO MUCH!!! It was, indeed, a "scope" thing, and I was able to get it working! I find this a bit strange, but it didn't prevent me from getting it working. In the "fabrikamb2c" configuration page you show above, notice this: Now my intentions are to document all of this. What I'm not sure about is whether this issue should be closed now, or only after I provide a document from the wiki. Thoughts? Thanks again!!!
@plettb I'm glad it's working! yay! We have this in the ReadMe, but sounds like it's either 1) not clear or 2) not updated, or both. :) @mmacy do we have a doc which clearly shows how to connect a B2C tenant's client app + protected resource (web API), in the Azure AD B2C portal? Maybe @plettb and I can pull from that doc to make things in the ReadMe clearer. Thx. @jmprieur helped me find this for Admins only issue...looks like in AAD they have a radio button to change this, but in B2C, you'll have to go to the manifest and edit the "oauth2Permissions": [
{
"adminConsentDescription": "read permissions",
"adminConsentDisplayName": "read permissions",
"id": "f6eefa1d-.....2743eb",
"isEnabled": true,
"lang": null,
"origin": "Application",
"type": "User",
"userConsentDescription": "read permissions",
"userConsentDisplayName": "read permissions",
"value": "demo.read"
},
I agree that it would be very beneficial to have access to all relevant Fabrikamb2c config information. I have my own B2C tenant, etc., I can log in via my Xam app, etc. but I can't seem to get the AccessToken returned upon login.
I don't know if this will help you, but when I was not getting an AccessToken returned, it turned out to be due to the scopes. To be honest I'm not exactly sure what the problem was, but I went through all the steps to create a NEW scope, used it in my app, and it began working. Hope that helps!
@lorne-olo did you see what I wrote above regarding the access token?
@jennyf19 Yes, thanks. Your comments have helped. There are just so many moving pieces--and every person's situation is a little different. I now obtain the access token, but when I call an endpoint of my web app, the response is HTML indicating I can't be logged in. (I'm actually just trying to access API endpoints in a web app that are simply secured by an 'Authorize' attribute.)
Here's what might seem like a dumb question, but what constitutes an 'application' in the context of registering one with Azure AD B2C? I ask this because within the 'Authentication' blade of a registered app, I can add 'Platforms'. So, is my web application and my companion mobile app considered the same application, but with two platforms? Or are they two separate applications? Separately, how do I enable the Web App/Web API setting for an application without using the "Applications (legacy)" blade?
Hi lorne, please take a look at this documentation: https://docs.microsoft.com/en-us/azure/active-directory-b2c/add-web-api-application?tabs=app-reg-ga. We recommend you create one app for your web API and one app for your clients (android, iOS, etc.). For the web API, you set up scopes. For the client app(s), you set up permissions on those scopes. To read more about permissions and scopes, see here.
I recommend performing these in order, at least the app registration/configuration sections in each:
The basic flow is:
A diagram might look a bit like this:
@jennyf19 Thanks for all the info. It's appreciated.
Or do I need to create a completely separate Web API app?
You can use both, @lorne-olo : but you need to have a different scheme name (you can bind to the same configuration section, though)
I am also experiencing similar issues as above. Mine is a WebApp exposing its own API endpoints with an android front end. The Webapp gets authenticated successfully on B2C. My API scope is well defined as it gets assigned to the scp claim of the id_token on successful logon to android. The access token is also generated on the android application. However, when I attempt to access the exposed API endpoints decorated with [Authorize] or [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)] with the access token generated on android as a bearer token it fails with 401 unauthorized error. I am following the Fabrikamb2c sample that works well against the Microsoft Graph. I think if I can get a peek at the Fabrikamb2c startup setup of authentication and authorization it can help me figure out the issue which is likely to be how the B2C authentication and bearer token schemes have been defined
@onyand : for ASP.NET Core web APIs, we recommend you use Microsoft.Identity.Web
@jmprieur The documentation has not helped in addressing the issue. I still have the 401 error generated for the access token (bearer token) generated on the android application even when used against postman. The code in the documentation is similar to what I have implemented derived from existing Microsoft samples. Seems like what I am missing out on is the correct combination of authentication and authorization setup in the Startup file. I was thinking the Fabrikamb2c startup file for the web app that implements the android scenario in this link would point me in the right direction since it works with Microsoft Graph https://github.com/Azure-Samples/ms-identity-android-java. The code available in this link is the android only, not the web app part
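As an added example (not the sample's code and not taken from Microsoft.Identity.Web's docs), the Startup below shows the "different scheme name, same configuration section" arrangement suggested above for a web app that also exposes API endpoints: cookie/OpenID Connect for the browser pages, JWT bearer for the API, both bound to an assumed "AzureAdB2C" appsettings section. The API controller opts into the bearer scheme only, so a bad or missing token yields a 401 rather than an HTML sign-in page, and the assumed "read" scope from this thread is enforced against the scp claim.

```csharp
// Startup.cs (added example; assumes the Microsoft.Identity.Web package and an
// "AzureAdB2C" appsettings section with Instance, Domain, ClientId, SignUpSignInPolicyId)
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Scheme 1: interactive sign-in for the web app's own pages (cookie + OIDC).
        services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAdB2C"));

        // Scheme 2: bearer-token validation for the API endpoints, bound to the same
        // section under a different scheme name. The token's 'aud' must equal this
        // app's ClientId and the token must come from the configured B2C policy.
        services.AddAuthentication()
                .AddMicrosoftIdentityWebApi(Configuration.GetSection("AzureAdB2C"),
                                            JwtBearerDefaults.AuthenticationScheme);

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// API controller: bearer scheme only, so no cookie challenge/redirect to sign-in.
// RequiredScope rejects tokens whose 'scp' claim does not contain "read".
[ApiController]
[Route("api/[controller]")]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
[RequiredScope("read")]   // assumed scope name from this thread
public class ValuesController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok(new { message = "authorized with scope 'read'" });
}
```

A plain `[Authorize]` without a scheme falls back to the default (cookie/OIDC) scheme, which is what turns an API call carrying only a bearer token into an HTML login response.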
@onyand which scope do you request?
@jmprieur I created a scope called "read" against the Expose an API section.
"oauth2Permissions": [
This is an excellent example, and works exactly the way I want my application to work. However, try as I might I simply can't get my configuration to work the same way. Is there any chance that the configuration of the "fabrikamb2c" could be documented?
There is a similar request on another sample project here, but it was eventually closed, still without sufficient detail.
Any help on this would be MUCH appreciated!
Thanks!
Brad.