6
votes

I'm having hard times trying to use Azure AD B2C to authenticate My Web API. I'll start with some background

I created mobile application which is using Azure AD B2C to authenticate users. I'm creating a WebView which display this url: enter image description here

User is asked to login to azure ad, if the login data is successfull i'm receiving a response containing the access token - this part went smooth, everything works properly.

Now i want to create backend Web Api. I created ASP NET Core Web application which allows me to choose authentication method. I choose the Azure AD authentication so the template generated all required data for me. The relevant part in the code is here: enter image description here

I updated all required config properties to match my azure settings. At this point i would expect to be able to call the API using access token i received on the mobile app. I run mobile app locally, signed in, received access token, copied it and tried to call my web api(hosted in IIS express) using postman ( with authorization header "Bearer ..." ). Unfortunately with no luck - i'm receiving 401 with following header:

Bearer error="invalid_token", error_description="The signature key was not found"

I thought token is enough to Authorize the API - i understand this is a whole point of OAuth. Am i missing something ? Should i have some additional config ? I Noticed the config is missing the sign in policy ( which seems to be required by AD B2C name so i tried adding that:

var validationParameters = new TokenValidationParameters
{
    AuthenticationType = "MY_POLICY", 
};

app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    Authority = Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:TenantId"],
    Audience = Configuration["Authentication:AzureAd:Audience"],
    TokenValidationParameters = validationParameters
});

But this didn't work too. Will appreciate any help.

EDIT

I found following error in Visual Studio logs:

Bearer was not authenticated. Failure message: IDX10501: Signature validation failed. Unable to match 'kid': '...'

1
Your authority is probably wrong. I'm not quite sure what that needs to be with B2C, but I think it would be a URL that contains your policy id as well..juunas
You got me to the right direction, thanks !MajkeloDev

1 Answers

12
votes

@juunas comment help me to find the issue. I inspected outgoing requests with fiddler and i found that with this piece of code:

Authority = Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:TenantId"]

The request was being send to following address:

https://login.microsoftonline.com/MYTENANTID/.well-known/openid-configuration

There are two issues with above:

  1. It's not using v2 endpoint. Proper link for B2C should always use v2 so it would look like:

https://login.microsoftonline.com/MYTENANTID/v2.0/.well-known/openid-configuration

  1. It was not adding sign in policy to the link ( even if i set it in token options )

I managed to make it work with removing "Authority" parameter and changing the configure auth function to following:

app.UseJwtBearerAuthentication(new JwtBearerOptions
{
  MetadataAddress = string.Format("https://login.microsoftonline.com/{0}/v2.0/.well-known/openid-configuration?p={1}", 
      Configuration["Authentication:AzureAd:TenantId"], "MYPOLICY"),
      AuthenticationScheme = "MYPOLICY",
  Audience = Configuration["Authentication:AzureAD:ClientId"],
});