0
votes

I created a sample Blazor WebAssembly app to be secured with Azure B2C using the steps outlined in the Microsoft docs article: https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-azure-active-directory-b2c?view=aspnetcore-3.1.

The application works except for the authentication. The B2C sign-in modal loads, but then the UI displays the following error message:

There was an error trying to log you in: 'AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation.'

Here are some redacted screenshots for my B2C configuration (I'm sure the code is correct as it's the default code generated from the dotnet new CLI command).

Any ideas on the configuration error?

Screenshots (images not reproduced here, captions only):

App Registrations

API - Overview

API - Authentication

API - Expose an API

Client - Overview

Client - Authentication

Client - API Permissions

Sign-up/in User Flow - Overview

Sign-up/in User Flow - User Attributes

Sign-up/in User Flow - Application Claims

2
Hari Krishna: Can you please share the B2C URL with us? Also, please mask the client ID/secrets with stars (**) as it is a public channel.

TheMagnificent11: Thanks @HariKrishna--MSFTIdentity, I've updated the images.

2 Answers

0
votes

So it turns out the issue was actually in the code.

I missed a note section in the docs that said I had to manually edit the client app code if the API ID URI was an untrusted publisher domain similar to https://contoso.onmicrosoft.com/41451fa7-82d9-4673-8fa5-69eff5a761fd, which it was in my case.

Removing the extra https://{TENANT DOMAIN}/ in the Program.cs of the client app fixed things (note the difference between the commented-out line and the line that comes after).

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;

namespace BlazorClient
{
    public class Program
    {
        public static async Task Main(string[] args)
        {
            // Standard Blazor WebAssembly template line that creates the host builder.
            var builder = WebAssemblyHostBuilder.CreateDefault(args);
            // ... (root components, HttpClient registration etc. omitted by the author)

            builder.Services.AddMsalAuthentication(options =>
            {
                builder.Configuration.Bind("AzureAdB2C", options.ProviderOptions.Authentication);
                // Wrong: the App ID URI already carries the tenant domain, so this prefixes it twice.
                //options.ProviderOptions.DefaultAccessTokenScopes.Add("https://***.onmicrosoft.com/https://***.onmicrosoft.com/*******/blazor.client");
                // Correct: App ID URI + "/" + scope name.
                options.ProviderOptions.DefaultAccessTokenScopes.Add("https://***.onmicrosoft.com/*******/blazor.client");
            });

            await builder.Build().RunAsync();
        }
    }
}
```

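As an added example (not part of the answer above or the Microsoft template), the following check builds the scope string the way the fix requires, App ID URI plus "/" plus scope name, and flags the two misconfigurations this thread runs into: the tenant domain prefixed twice, and a scope that is not among the client registration's granted API permissions. The tenant domain, the App ID URI (taken from the docs example quoted above) and the granted-permissions set are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample values; not the poster's real tenant, app id or permissions.
TENANT_DOMAIN = "contoso.onmicrosoft.com"
API_APP_ID_URI = "https://contoso.onmicrosoft.com/41451fa7-82d9-4673-8fa5-69eff5a761fd"
SCOPE_NAME = "blazor.client"
# What the client registration's "API permissions" blade would list as granted.
GRANTED_PERMISSIONS = {API_APP_ID_URI + "/" + SCOPE_NAME}


def build_scope(api_app_id_uri: str, scope_name: str) -> str:
    """A B2C access-token scope is the API's App ID URI plus '/' plus the scope name.
    An untrusted-publisher-domain App ID URI already carries the tenant host, so
    nothing is prefixed to it (the mistake in the commented-out line above)."""
    return api_app_id_uri.rstrip("/") + "/" + scope_name.strip("/")


def check_scope(scope: str, tenant_domain: str, granted: set) -> list:
    """Return the problems found in one DefaultAccessTokenScopes entry.
    An empty list means the scope is well-formed and granted to the client."""
    problems = []
    parts = urlsplit(scope)
    if parts.scheme != "https":
        problems.append("scope must be an https App ID URI")
    if parts.netloc != tenant_domain:
        problems.append(f"host {parts.netloc!r} is not the tenant domain {tenant_domain!r}")
    doubled = "://" in parts.path
    if doubled:
        problems.append("tenant domain prefixed twice: remove the leading https://{TENANT DOMAIN}/")
    segments = [s for s in parts.path.split("/") if s]
    if not doubled and len(segments) != 2:
        problems.append("expected exactly two path segments: <api app id>/<scope name>")
    if scope not in granted:
        # This is the "insufficient permissions" case the thread's error (AADB2C90205) reports.
        problems.append("scope is not among the client's granted API permissions (AADB2C90205)")
    return problems
```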
-1
votes

I can reproduce your problem. The reason for the error is that you have used unauthorized resources. You need to change the scope to your own exposed API. Go to Azure AD B2C > App registrations > your client application > API permissions.