Ggtcf

In my Azure App Service .NET backend, I typically decorate my controllers with [authorize] so that they are protected against users who are not signed in. For uer authentication I set up an Azure Active Directory B2C (AADB2C) tenant, configured an application as well as some identity providers and everything works as expected as long as I am hosting my backend on Azure.

Now, I'd like to be able to run the backend locally so that I can easily debug the code and have it work against a local development database.

However, it does not work.

• I went to https://[myappservice].scm.azurewebsites.net/ and retrieved the WEBSITE_AUTH_SIGNING_KEY from the environment tab.


• I added the key to my backends' web.config as Signingkey under AppSettings


• I changed ValidAudience and ValidIssuer to the respective values (https://[myappservice].azurewebsites.net)


• So that I can bind the backend to an IP address or my hosts name rather than "localhost" (which would be the case with IIS Express), I configured the backend to run under IIS


• I only allowed anonymous access on my IIS Website and let it run under the DefaultAppPool which uses the integrated pipeline on the 4.0 CLR

My client code does not use MobileServiceClient but MSAL (PublicClientApplication). So the documentation about how to setup a local dev environment found here does not apply.

Because I have a RequestProvider class that creates the necessary HttpClient and adds the access token to the header, this shouldn't be a problem, because for authentication, the PublicClientApplication object uses the AADB2C tenant and the respective server flow policies for signing in and -up and for calling the backends' rest controller I can switch between the Azure hosted and the locally hosted backend.

However, while authentication keeps working like a charm and I am able to receive a working access token, the backend that is hosted locally does not accept it while the same backend code hosted on azure does.

So I started searching the net and found out about the website jwt.io. I pasted my access token into their decoder and was astonished about the result.

Some article mentioned that the values ValidIssuer and ValidAudience configured in the backends' web.config need to exactly reflect the values iss and aud contained within the access token.

The values in my access token however don't match the scheme which was part of the web.config template though (https://[myappservice].azurewebsites.net).

The iss field in my decoded token looked like this:

https://[myappservice].b2clogin.com/12345678-1234-1234-1234-123456789012/v2.0/

The aud field in my decoded token looked like this:

12345678-1234-1234-1234-123456789012

The isser value can be found in my AADb2C tenants' directory within the signin/-up policies' settings under Properties in "Token compatibility settings" as Issuer (iss) claim. Theres a combobox from which the following value is selected:

https://<domain>/12345678-1234-1234-1234-123456789012/v2.0/

The aud fields' guid equals the Client ID configured in the App Service on Azure.

However, even if I take these two values and enter them into the web.config as described above, I still get an "Authorization has been denied for this request" error.

I really don't know how to get this working...

I tried to reproduce your issue and it works well if in my environment. I was referring to active-directory-b2c-dotnet-desktop as native client and active-directory-b2c-dotnet-webapp-and-webapi (host the api project on IIS, web app project is not used) as backend api.

I also encountered the same issue several times when testing, and resolved it by the following steps:

• 
  

  No special configuration is required on IIS side. You don't need to specify "Signingkey" in web.congig because when validating the token, signing key will be fetched automatically from metedata endpoint (jwks_uri field):

  
  
  

  
  

  https://TenantName.b2clogin.com/TenantName.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=SignInPolicyName

  
  

  
  



• In Azure Portal, make sure you have granted native client the access to api app.
  

For other basic configuration, refer to the instruction of samples above.

I also suggest you decode the access token and confirm the primary claims are correct:

1. "iss" should be same as the AAD instance in API app


2. "aud" should be client id


3. "sub" or "oid" should be the object id of the logged in user.


4. "tfp" should be the sign in policy name


5. "scp" should be published scope of the API app

For other claims, please refer to Azure AD B2C: Token reference

Note, the official samples above are still using login.microsoftonline.com as authority endpoint, intsead of b2clogin.com. To use b2clogin, just update the endpoint accordingly.

The below is core code snippet and settings in my working sample:

Native client

public partial class App : Application

 private static string TenantName = "<TenantName>";
 private static string Tenant = "<TenantName>.onmicrosoft.com";
 private static string ClientId = "<ClientID>";
 public static string PolicySignUpSignIn = "B2C_1_signupsignin1";
 public static string PolicyEditProfile = "b2c_1_edit";
 public static string PolicyResetPassword = "b2c_1_reset";

 public static string[] ApiScopes = "https://<TenantName>.onmicrosoft.com/demoapi/demo.read" ;
 public static string ApiEndpoint = "http://<IISServerAddress>/taskservice/api/tasks";

 private static string BaseAuthority = "https://login.microsoftonline.com/tfp/tenant/policy/oauth2/v2.0/authorize";
 private static string BaseAuthorityForb2clogin = "https://TenantName.b2clogin.com/tfp/tenant/policy";
 public static string Authority = BaseAuthorityForb2clogin.Replace("tenant", Tenant).Replace("policy", PolicySignUpSignIn).Replace("TenantName", TenantName);

 public static PublicClientApplication PublicClientApp get; = new PublicClientApplication(ClientId, Authority, TokenCacheHelper.GetUserCache());

API app config:

<add key="ida:AadInstance" value="https://tomtestb2c.b2clogin.com/0/v2.0/.well-known/openid-configuration?p=1" />
<add key="ida:Tenant" value="TenantName.onmicrosoft.com" />
<add key="ida:ClientId" value="ClientId-ff8e-4ac2-a093-6c6e0f8e116c" />
<add key="ida:SignUpSignInPolicyId" value="B2C_1_signupsignin1" />
<!-- The following settings is used for requesting access tokens -->
<add key="api:ReadScope" value="read" />
<add key="api:WriteScope" value="write" />

Auth code:

public partial class Startup

 // These values are pulled from web.config
 public static string AadInstance = ConfigurationManager.AppSettings["ida:AadInstance"];
 public static string Tenant = ConfigurationManager.AppSettings["ida:Tenant"];
 public static string ClientId = ConfigurationManager.AppSettings["ida:ClientId"];
 public static string SignUpSignInPolicy = ConfigurationManager.AppSettings["ida:SignUpSignInPolicyId"];
 public static string DefaultPolicy = SignUpSignInPolicy;

 /*
 * Configure the authorization OWIN middleware 
 */
 public void ConfigureAuth(IAppBuilder app)
 
 TokenValidationParameters tvps = new TokenValidationParameters
 
 // Accept only those tokens where the audience of the token is equal to the client ID of this app
 ValidAudience = ClientId,
 AuthenticationType = Startup.DefaultPolicy
 ;

 app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
 
 // This SecurityTokenProvider fetches the Azure AD B2C metadata & signing keys from the OpenIDConnect metadata endpoint
 AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(String.Format(AadInstance, Tenant, DefaultPolicy)))
 );