This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 50%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERC%3C/text%3E%3C/svg%3E)
A web app built in .Net Core 3.1 calling a protected custom web API built in .Net Core 3.1 too. Both web app and web api is using the one registered app in ADB2C tenant. That registered app has scope and redirect URIs. Access token and ID token is enabled too. Sign-in user flow is created and configured for local identity and MS identity. Using the default UI page for sign-in but plans to customize it later. Both web api and web app is also using azure key vault for some confidential values.
The issue is that after signing in from the Sign-in page using either local identity or MS identity, the browser is just looping continuously. Sometimes the error is something like "the resource you are looking for has been removed or changed".
Below are my configurations and codes:
Azure App Settings and appsettings.json of Web App or client
"AzureAdB2C": {
"Scopes": "user_access",
"Instance": "https://{tenant}.b2clogin.com",
"ClientId": "{the registered app client ID}",
"Domain": "{tenant}.onmicrosoft.com",
"SignedOutCallbackPath": "/{signin policy}/oauth2/v2.0/logout/",
"SignUpSignInPolicyId": "{signin policy}",
"ClientSecret": "{the registered app client secret}"
},
Web App Startup >> ConfigureServices
services.AddDistributedMemoryCache();
.....
.....
services.Configure<CookiePolicyOptions>(options =>
{
// This lambda determines whether user consent for non-essential cookies is needed for a given request.
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.None;
// Handling SameSite cookie according to https://learn.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1
options.HandleSameSiteCookieCompatibility();
});
services
.AddMicrosoftIdentityWebAppAuthentication(Configuration, Constants.AzureAdB2C)
.EnableTokenAcquisitionToCallDownstreamApi(new string[] { "user_access" })
//.EnableTokenAcquisitionToCallDownstreamApi()
.AddInMemoryTokenCaches();
services.AddAuthorization(options =>
{
var groups = new Groups(Configuration);
options.AddPolicy("IsAdmin", policy =>
policy.RequireClaim(Groups.ClaimName, groups.Admin));
options.AddPolicy("IsUser", policy =>
policy.RequireClaim(Groups.ClaimName, groups.User));
options.AddPolicy("GeneralAccess", policy =>
policy.RequireClaim(Groups.ClaimName, groups.User, groups.Admin));
options.FallbackPolicy = options.GetPolicy("GeneralAccess");
});
services.AddControllersWithViews()
.AddMicrosoftIdentityUI();
services.AddRazorPages();
//Deployment Mode
var deploymentMode = Configuration.GetSection("DeploymentMode");
services.Configure<DeploymentMode>(deploymentMode);
//Set Session Timeout. Default is 20 minutes.
services.AddSession(options =>
{
options.IdleTimeout = TimeSpan.FromMinutes(30);
});
//services.AddSession(options =>
//{
// options.Cookie.HttpOnly = true;
// options.Cookie.IsEssential = true;
//});
services.AddMvc().AddSessionStateTempDataProvider();
services.AddSession();
services.AddMvc()
.SetCompatibilityVersion(CompatibilityVersion.Latest);
//Configuring appsettings section AzureAdB2C, into IOptions
services.AddOptions();
services.Configure<OpenIdConnectOptions>(Configuration.GetSection("AzureAdB2C"));
Web App Controller(s)
[Authorize]
//[Authorize(Policy = "GeneralAccess")]
//[RequiredScope(RequiredScopesConfigurationKey = "AzureAdB2C:Scopes")]
public class HomeController : Controller {
...
...
}
Web App Service for token acquisition
....
HttpResponseMessage response = null;
string accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(requiredScopes);
_client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
....
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi @Rekell Caraan ,
Thanks for reaching out.
Could you please confirm the statement "Both web app and web api is using the one registered app in ADB2C tenant" .
I am assuming you should have two application registered in ADB2C tenant where one application(webApp) is calling another application(WebAPI). Please confirm my understanding to assist further on this.
Also, Could you share any reference document you are following for above setup.
Thanks,
Shweta
Hi Shweta,
Yes, I am using one registered app in ADB2C tenant for both web app .netcore and web api. Even though I have used pair registration apps (one for web api and another one for web app), I would like to know/try if a single registered app can suffice for both.
I have referenced a couple of documents and MSDN YouTube tutorials but below are some of it:
https://github.com/AzureAD/microsoft-identity-web/wiki
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/claims?view=aspnetcore-6.0
https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow
https://learn.microsoft.com/en-us/azure/active-directory-b2c/integrate-with-app-code-samples
Thank you for your support.
Best Regards,
Rekell
Hi @ RekellCaraan-3504,
Thanks for the update.
I have tried to replicate the issue by registering web app and web api and expose the scope of API in web app and able to call the web API successfully from web APP in .NET core.
I tried multiple combinations to reproduce the error at my end, but I am able to sign in the B2C application and calling web API successfully after providing credentials.
The error you are getting might be due to incorrect configurations in the application.
I am trying to understand the use case where web App is calling itself for webAPI. The scope of webAPI need to expose for which client applications can obtain access tokens and call webAPI from web app. In case of single registered application, webapp calling the application itself.
Are you also facing this issue when you are registering the two applications separately for both web application and web API?
The scope you are passing in configuration file does not seem to be correct. It should be redirected to API scope with its address. Below is the configuration file I am using for which i am able to call web API successfully.
{
"AzureAdB2C": {
"Instance": "https://tenant.b2clogin.com",
"ClientId": "xxxx-xxx-xx-xx-xx",
"Domain": "tenant.onmicrosoft.com",
"SignedOutCallbackPath": "/B2C_1_signupsignin//oauth2/v2.0/logout/",
"SignUpSignInPolicyId": "B2C_1_signupsignin",
"ClientSecret": "xxx"
},
"API": {
"APIScope": "https://tenant.onmicrosoft.com/my-api/access_as_user",
"APIBaseAddress": "https://localhost:44332"
},
In startup. cs
services.AddMicrosoftIdentityWebAppAuthentication(Configuration, Constants.AzureAdB2C)
.EnableTokenAcquisitionToCallDownstreamApi(new string[] { Configuration["API:APIScope"] })
.AddInMemoryTokenCaches();
I refer https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-2-B2C to call webApp from webAPI.
Note: Posting it as answer as comment has limit restriction.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 16%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERC%3C/text%3E%3C/svg%3E)
Hi Shweta,
I am still figuring out any misconfigurations on the client application using the single-registered-app.
I'll respond once we are able to fix the problem on our side or if the issue still exists.
I'll also try to verify if the same issue exists using a non single-registered-app (or the pair registered app) and I'll let you know too.
Thank you.
-Rekell
Hi Shweta,
You can close this ticket and/or mark this as resolved. The issue is more on configurations on the project. Thank you for your support and advice on this.
Regards,
Rekell
Thanks for the update. Glad you are able to resolve the issue.
Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
Thanks,
Shweta