3
votes

I have an existing small app that I use for testing. It is in Asp.Net Core 1.1 for both the Web App and the API, and the authentication is done using Azure AD B2C. I am trying to move it to .Net Core 2.0 but I can't figure out how to get it working. I tried using both samples from the GitHub Azure-Samples for Web App and API, but I get either an unauthorized or a 500 error when trying to access the API. If you have a working example of calling a web API from a web app using 2.0 and protected by AD B2C, it would be greatly appreciated.

Edit: The samples I use to test are: Web App: WebApp-OpenIDConnect-DotNet core2.0; Web API: B2C-WebApi core2.0. I changed the appsettings values to match my B2C directory.

For my asp.net core 1.1 test app I use the same samples as above but from the master branch, with the same values for appsettings.

Edit 2: by default, in startup.cs I have this:

        services.AddAuthentication()
            .AddJwtBearer(option => new JwtBearerOptions
            {
                Authority = string.Format("https://login.microsoftonline.com/tfp/{0}/{1}/v2.0/",
                Configuration["Authentication:AzureAd:Tenant"], Configuration["Authentication:AzureAd:Policy"]),
                Audience = Configuration["Authentication:AzureAd:ClientId"],
                Events = new JwtBearerEvents
                {
                    OnAuthenticationFailed = AuthenticationFailed
                }
            });

which gives me the following error:

Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request starting HTTP/1.1 GET http://localhost:44352/api/values/5
Microsoft.AspNetCore.Server.Kestrel:Error: Connection id "0HL89JHF4VBLM", Request id "0HL89JHF4VBLM:00000001": An unhandled exception was thrown by the application. System.InvalidOperationException: No authenticationScheme was specified, and there was no DefaultChallengeScheme found.

If I modify services.AddAuthentication like this:

        services.AddAuthentication(sharedOption =>
        {
            sharedOption.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
        })

the error is now:

Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler:Information: Failed to validate the token xxx. Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10500: Signature validation failed. No security keys were provided to validate the signature. at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.d__6.MoveNext()

This isn't enough information to help you. Can you add links to the samples you've leveraged, the code you are using, the HTTP requests and token payloads? - Saca
@Saca, I edited the question to add the links and more information; except for the appsettings I did not make any changes - JP Gutton
It works if App and Api are with .net core 1.1 or if App is 2.0 and Api is 1.1. It doesn't work if App and Api are 2.0 or if App is 1.1 and Api is 2.0 - JP Gutton

2 Answers

0
votes

I saw a pull request on the sample which corrects this issue (Link); services.AddAuthentication must be changed to:

        services.AddAuthentication(options =>
            {
                options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
            })
            .AddJwtBearer(jwtOptions =>
            {
                jwtOptions.Authority = $"https://login.microsoftonline.com/tfp/{Configuration["Authentication:AzureAd:Tenant"]}/{Configuration["Authentication:AzureAd:Policy"]}/v2.0/";
                jwtOptions.Audience = Configuration["Authentication:AzureAd:ClientId"];
                jwtOptions.Events = new JwtBearerEvents
                {
                    OnAuthenticationFailed = AuthenticationFailed
                };
            });
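A fuller version of that wiring, added here as an example and not taken from the Azure sample or the answer above: it keeps the same configuration keys and shows why the question's `option => new JwtBearerOptions { ... }` form fails (the new object is discarded, so the handler never learns the authority or its signing keys), together with explicit validation settings. The `Startup` shape, the console logging and the validation values are assumptions for illustration.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // The policy-specific B2C authority publishes the signing keys. It has to be set on the
        // options instance the framework passes in: assigning to a freshly constructed
        // JwtBearerOptions, as in the question, leaves the real options empty (hence IDX10500).
        var authority = "https://login.microsoftonline.com/tfp/"
            + Configuration["Authentication:AzureAd:Tenant"] + "/"
            + Configuration["Authentication:AzureAd:Policy"] + "/v2.0/";

        // Without a default scheme, [Authorize] has no handler to challenge with.
        services.AddAuthentication(options =>
                options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = authority;
                options.Audience = Configuration["Authentication:AzureAd:ClientId"];
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,    // reject tokens from another tenant or policy
                    ValidateAudience = true,  // reject tokens issued for a different API
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(2)
                };
                // Keep the failure reason server-side; the caller only receives a 401.
                options.Events = new JwtBearerEvents
                {
                    OnAuthenticationFailed = ctx =>
                    {
                        Console.Error.WriteLine("Token rejected: " + ctx.Exception.Message);
                        return Task.CompletedTask;
                    }
                };
            });
        services.AddMvc();
    }
}
```

In `Configure`, call `app.UseAuthentication()` before `app.UseMvc()`; otherwise the bearer token is never examined and every `[Authorize]` action returns 401.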
0
votes

I got this example working both for Core 1.1 and Core 2.0; please add the OAuth authentication as below:

        services.AddAuthentication(sharedOptions =>
            {
                sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddAzureAdB2C(options => Configuration.Bind("Authentication:AzureAdB2C", options));

Your configuration options will be defined inside the class "AzureAdB2CAuthenticationBuilderExtensions", which is found inside the Azure B2C project.

Looks like your token is not being updated from Azure. Are you able to get the token from your web app? Could you please verify that you are not getting null?

Did you register your API scopes on your Azure B2C tenant web app? "ApiScopes": "https://fabrikamb2c.onmicrosoft.com/demoapi/demo.read"

You have to set the scope in your web API and allow it to be read by the web app; please click the link in order to set it up.