4,815 questions
ASP.NET Core Web API + Swagger + Azure B2C
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 35%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Bernhard S
126
Reputation points
Hello experts,
since weeks (with on and off phases) I try to protect my ASP.Net project with the Azure B2C. For testing if that works I want to use Swagger. But I am too stupid to make it a success. I got all kinds of error messages but I am unable to get a valid token to test the authorization. I require code help because I am blind for my mistakes. My frustration level is already high. But let me show you my status:
My project structure
But I only use the Program.cs and the appsettings.json currently.
Used for TENANT_NAME
Used for CLIENT_ID:
Used as CLIENT_SECRET:
Used for B2C_1_AdAZURE_B2C_TENANT_NAME:
The SCOPE I tried before:
But this caused: "Response status code does not indicate success: 400 (Bad Request)". So I switched it to "https://TENANT_NAME.onmicrosoft.com/CLIENT_ID/.default".
Settings of AUTHENTICATION:
My appsettings.json:
{
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft.AspNetCore": "Warning"
}
},
"AllowedHosts": "*",
"ConnectionStrings": {
"AzureTableStorage": ""
},
"AzureAdB2C": {
"Instance": "AZURE_B2C_TENANT_NAME.b2clogin.com",
"Domain": "AZURE_B2C_TENANT_NAME.onmicrosoft.com",
"ClientId": "CLIENT_ID",
"ClientSecret": "CLIENT_SECRET",
"Tenant": "AZURE_B2C_TENANT_NAME",
"SignUpSignInPolicyId": "B2C_1_AdAZURE_B2C_TENANT_NAME",
"Scope": "https://AZURE_B2C_TENANT_NAME.onmicrosoft.com/CLIENT_ID/.default", "AuthorizationUrl": "https://AZURE_B2C_TENANT_NAME.b2clogin.com/AZURE_B2C_TENANT_NAME.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_AdAZURE_B2C_TENANT_NAME",
"TokenUrl": "https://AZURE_B2C_TENANT_NAME.b2clogin.com/AZURE_B2C_TENANT_NAME.onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_AdAZURE_B2C_TENANT_NAME",
"RedirectUri": "https://localhost:7169/swagger/oauth2-redirect.html"
},
"Cors": {
"AllowedOrigins": [ "https://localhost:7169" ]
}
}
The Program.cs:
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;
using Microsoft.OpenApi.Models;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Identity.Client;
using System.Net.Http.Headers;
using Swashbuckle.AspNetCore.Annotations;
var builder = WebApplication.CreateBuilder(args);
string tenantName = builder.Configuration["AzureAdB2C:Tenant"];
string instance = builder.Configuration["AzureAdB2C:Instance"];
string domain = builder.Configuration["AzureAdB2C:Domain"];
string clientId = builder.Configuration["AzureAdB2C:ClientId"];
string clientSecret = builder.Configuration["AzureAdB2C:ClientSecret"];
string authority = $"https://{instance}/tfp/{domain}/{builder.Configuration["AzureAdB2C:SignUpSignInPolicyId"]}/v2.0/";
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(options =>
{
options.Authority = authority;
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
ValidateIssuer = true,
ValidIssuer = $"https://{instance}/{domain}/v2.0/",
ValidateAudience = true,
ValidAudience = clientId,
ValidateLifetime = true
};
options.Events = new JwtBearerEvents
{
OnAuthenticationFailed = context =>
{
Console.WriteLine($"Authentication failed: {context.Exception}");
return Task.CompletedTask;
}
};
}, options => { builder.Configuration.Bind("AzureAdB2C", options); });
builder.Services.AddAuthorization();
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new OpenApiInfo { Title = "My API", Version = "v1" });
c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
{
Type = SecuritySchemeType.Http,
Scheme = "bearer",
BearerFormat = "JWT",
In = ParameterLocation.Header,
Name = "Authorization",
Description = "JWT Authorization header using the Bearer scheme."
});
c.AddSecurityRequirement(new OpenApiSecurityRequirement
{
{
new OpenApiSecurityScheme
{
Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "Bearer" }
},
Array.Empty<string>()
}
});
});
builder.Services.AddCors(options =>
{
options.AddDefaultPolicy(builder =>
{
builder.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader();
});
});
var app = builder.Build();
async Task<string> GetAccessTokenAsync()
{
var app = ConfidentialClientApplicationBuilder
.Create(clientId)
.WithAuthority(authority)
.WithClientSecret(clientSecret)
.Build();
try
{
var result = await app.AcquireTokenForClient(new[] { builder.Configuration["AzureAdB2C:Scope"] }).ExecuteAsync();
return result.AccessToken;
}
catch (MsalServiceException ex)
{
Console.WriteLine($"MSAL Service Exception: {ex.Message}");
return null;
}
catch (Exception ex)
{
Console.WriteLine($"Unexpected error: {ex.Message}");
return null;
}
}
if (app.Environment.IsDevelopment())
{
app.UseSwagger();
app.UseSwaggerUI(c =>
{
c.SwaggerEndpoint("/swagger/v1/swagger.json", "v1");
c.OAuthClientId(clientId);
c.OAuthAppName(tenantName);
c.OAuthUsePkce();
c.OAuthScopes(builder.Configuration["AzureAdB2C:Scope"]);
c.RoutePrefix = string.Empty;
});
}
app.UseCors();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/", () => "Hello World!")
.WithName("GetHelloWorld")
.WithMetadata(new SwaggerOperationAttribute("Get Hello World", "Returns a simple hello world message"));
app.MapGet("/test", [Authorize] () => "Authorization successful!")
.WithName("GetTest")
.WithMetadata(new SwaggerOperationAttribute("Test Endpoint", "Returns a success message if authorized"));
app.MapGet("/testtoken", async (HttpContext httpContext) =>
{
var token = await GetAccessTokenAsync();
if (token == null)
{
return Results.Problem("Failed to acquire token");
}
using var client = new HttpClient();
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
var response = await client.GetAsync("https://localhost:7169/test"); // Replace with your actual URL
if (response.IsSuccessStatusCode)
{
return Results.Ok("Token acquisition and API call successful");
}
return Results.Problem($"API call failed: {response.StatusCode}");
})
.WithName("GetTestToken")
.WithMetadata(new SwaggerOperationAttribute("Test Token Acquisition", "Acquires a token and calls the test endpoint"));
app.MapGet("/claims", (HttpContext httpContext) =>
{
return Results.Ok(httpContext.User.Claims.Select(c => new { c.Type, c.Value }));
})
.WithName("GetClaims")
.WithMetadata(new SwaggerOperationAttribute("Claims Endpoint", "Returns the claims of the authenticated user"));
app.Run();
FAILS/RESULTS:
1.) Try
Create a Test Method to get a token
Copy the token
Authenticate in Swagger
The dialog closes. Testing "/test":
Server response
Code Details
401
Undocumented
Error: response status is 401
Response headers
content-length: 0
date: Sat,19 Oct 2024 09:30:09 GMT
server: Kestrel
www-authenticate: Bearer error="invalid_token"
- Try
{
"type": "https://tools.ietf.org/html/rfc9110#section-15.6.1",
"title": "An error occurred while processing your request.",
"status": 500,
"detail": "API call failed: Unauthorized"
}
Any ideas?
My code is a mess and I don't need to keep it. All I want to achive is to make a authorized GET request as a test to verify that my Api endpoint is secured by the Bearer token.
(I have anonymized confidential information. If I forget something, please let me know.)
Developer technologies | ASP.NET | ASP.NET Core
Developer technologies | ASP.NET | ASP.NET API
447 questions
Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Microsoft Security | Microsoft Entra | Microsoft Entra ID
25,080 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2024-10-24T05:26:26.2233333+00:00 Hi @Bernhard,
Try to add
Microsoft.AspNetCore.AuthenticationandMicrosoft.AspNetCore.Authorizationlike below and share more details with us.
{ "Logging": { "LogLevel": { "Default": "Information", "Microsoft.AspNetCore": "Warning" // Add these two lines for check the detaied logs "Microsoft.AspNetCore.Authentication": "Information", "Microsoft.AspNetCore.Authorization": "Information", } }, ... }Best Regards
Jason
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator2024-11-01T06:05:02.9633333+00:00 @Bernhard Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
-
Bernhard S 126 Reputation points
2024-11-01T10:11:01.6566667+00:00 thanks for your help. Sorry for my late reply I got sick/busy the last days. I will try your solutions in the next days and give you a feedback and accepting the answer if it works.
thanks for your help too. I will do that. Please give me some time. I will answer to you soon (in the next few days).
-
Bernhard S 126 Reputation points
2024-11-01T11:23:59.12+00:00 @Anonymous the latest version (2.2.0) of
Microsoft.AspNetCore.Authenticationis deprecatedso I installed the version 2.1.2. I also updated the
Microsoft.AspNetCore.Authorizationto the latest version 8.0.10.I tried out the endpoint "/testtoken" again and got a token by the method
GetAccessTokenAsync:but when I test the token against the endpoint "/test" it fails:
I get not more info:
The same result when I "Authorize" first:
That is the method "/test/":
-
Bernhard S 126 Reputation points
2024-11-01T11:25:38.17+00:00 I updated
Microsoft.AspNetCore.Authenticationto 2.2.0 because it makes no sense to use the pre-version when the package is deprecated at all. -
Bernhard S 126 Reputation points
2024-11-01T11:49:00.4433333+00:00 I changed
builder.Services.AddSwaggerGento the suggested code of @Bruce (SqlWork.com) :builder.Services.AddSwaggerGen(c => { c.SwaggerDoc("v1", new OpenApiInfo { Title = "Test01", Version = "v1" }); c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme() { Name = "Authorization", Type = SecuritySchemeType.ApiKey, Scheme = "Bearer", BearerFormat = "JWT", In = ParameterLocation.Header, Description = "JWT Authorization header value: Bearer {token}" }); c.AddSecurityRequirement(new OpenApiSecurityRequirement { { new OpenApiSecurityScheme { Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "Bearer" } }, new string[] {} } }); });But got the same result.
-
Anonymous
2024-11-04T01:18:18.9933333+00:00 Hi @Bernhard,
It may be that my previous description misled you, I am suggestting that you need to add these two options under Logging in appsettings.json file, which will generate more logs related to authentication and authorization, rather than adding these two packages, as the higher version of asp.net core already has these required packages built-in.
Best Regards
Jason
-
Bernhard S 126 Reputation points
2024-11-06T14:04:54.9066667+00:00 Hi @Anonymous
sorry for my misunderstanding ...
Here is the log you wanted to see:
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10239: Lifetime of the token is valid. Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10234: Audience Validated.Audience: '4b REMOVED e' Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10245: Creating claims identity from the validated token: '[PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: Bearer was not authenticated. Failure message: IDW10201: Neither scope nor roles claim was found in the bearer token. Authentication scheme used: 'Bearer'. Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization failed. These requirements were not met: DenyAnonymousAuthorizationRequirement: Requires an authenticated user. Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: AuthenticationScheme: Bearer was challenged.It seems like the scope is missing but I retrieved it as you can see in the (bottom left) Immediate Window:
I don't get it ...
-
Bernhard S 126 Reputation points
2024-11-06T14:10:18.4933333+00:00 I just tried another Scope:
And got the message that it has to be /.default:
-
Anonymous
2024-11-07T02:06:16.39+00:00 Hi @Bernhard,
Please try to add
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;and changeAddAuthorizationandAddAuthenticationlike below.builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) .AddMicrosoftIdentityWebApi(options => { options.Authority = authority; options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters { ValidateIssuer = true, ValidIssuer = $"https://{instance}/{domain}/v2.0/", ValidateAudience = true, ValidAudience = clientId, ValidateLifetime = true, RoleClaimType = "roles", // Add this line ScopeClaimType = "scp" // Add this line }; options.Events = new JwtBearerEvents { OnAuthenticationFailed = context => { Console.WriteLine($"Authentication failed: {context.Exception.Message}"); return Task.CompletedTask; }, OnTokenValidated = context => { Console.WriteLine("Token validated successfully"); return Task.CompletedTask; } }; }, options => { builder.Configuration.Bind("AzureAdB2C", options); }); JwtSecurityTokenHandler.DefaultMapInboundClaims = false; builder.Services.AddAuthorization(config => { // if there is no Roles Name, you can keep your original code, ignore below settings config.AddPolicy("Role", policy => policy.RequireClaim("roles", "YOUR_Role_Name")); });Best Regards
Jason
-
Bernhard S 126 Reputation points
2024-11-07T09:14:17.3466667+00:00 Hi @Anonymous
thank you for the code. Unfortunately I have troubles to add
ScopeClaimTypeThis are my usings:
using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Authentication.JwtBearer; using Microsoft.Identity.Web; using Microsoft.OpenApi.Models; using Microsoft.Identity.Client; using System.Net.Http.Headers; using Swashbuckle.AspNetCore.Annotations; using System.IdentityModel.Tokens.Jwt; using System.Security.Claims;And my packages:
What I am missing?
-
Bernhard S 126 Reputation points
2024-11-07T10:32:57.0033333+00:00 I tried a different idea thanks to the suggestion of @Anonymous and changed the
OnTokenValidatedand theAddAuthorization. Here the fullProgram.cscode:using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Authentication.JwtBearer; using Microsoft.Identity.Web; using Microsoft.OpenApi.Models; using Microsoft.Identity.Client; using System.Net.Http.Headers; using Swashbuckle.AspNetCore.Annotations; using System.IdentityModel.Tokens.Jwt; using System.Security.Claims; var builder = WebApplication.CreateBuilder(args); string tenantName = builder.Configuration["AzureAdB2C:Tenant"]; string instance = builder.Configuration["AzureAdB2C:Instance"]; string domain = builder.Configuration["AzureAdB2C:Domain"]; string clientId = builder.Configuration["AzureAdB2C:ClientId"]; string clientSecret = builder.Configuration["AzureAdB2C:ClientSecret"]; string scope = builder.Configuration["AzureAdB2C:Scope"]; string signUpSignInPolicyId = builder.Configuration["AzureAdB2C:SignUpSignInPolicyId"]; string authority = $"https://{instance}/tfp/{domain}/{signUpSignInPolicyId}/v2.0/"; builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) .AddMicrosoftIdentityWebApi(options => { //options.TokenValidationParameters.NameClaimType = "name"; //options.TokenValidationParameters.RoleClaimType = "role"; options.Authority = authority; options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters { ValidateIssuer = true, ValidIssuer = $"https://{instance}/{domain}/v2.0/", ValidateAudience = true, ValidAudience = clientId, ValidateLifetime = true }; options.Events = new JwtBearerEvents { OnAuthenticationFailed = context => { Console.WriteLine($"Authentication failed: {context.Exception}"); return Task.CompletedTask; }, OnTokenValidated = context => { var claimsIdentity = context.Principal.Identity as ClaimsIdentity; var scopeClaim = claimsIdentity.FindFirst("scp"); if (scopeClaim != null) { claimsIdentity.AddClaim(new Claim("scope", scopeClaim.Value)); Console.WriteLine("Token validated successfully"); } return Task.CompletedTask; } }; }, options => { builder.Configuration.Bind("AzureAdB2C", options); }); JwtSecurityTokenHandler.DefaultMapInboundClaims = false; builder.Services.AddAuthorization(options => { options.AddPolicy("RequireSpecificScope", policy => { policy.RequireAuthenticatedUser(); policy.RequireClaim("scope", scope); }); }); builder.Services.AddEndpointsApiExplorer(); builder.Services.AddSwaggerGen(c => { c.SwaggerDoc("v1", new OpenApiInfo { Title = "Test01", Version = "v1" }); c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme() { Name = "Authorization", Type = SecuritySchemeType.ApiKey, Scheme = "Bearer", BearerFormat = "JWT", In = ParameterLocation.Header, Description = "JWT Authorization header value: Bearer {token}" }); c.AddSecurityRequirement(new OpenApiSecurityRequirement { { new OpenApiSecurityScheme { Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "Bearer" } }, new string[] {} } }); }); builder.Services.AddCors(options => { options.AddDefaultPolicy(builder => { builder.AllowAnyOrigin() .AllowAnyMethod() .AllowAnyHeader(); }); }); var app = builder.Build(); async Task<string> GetAccessTokenAsync() { var app = ConfidentialClientApplicationBuilder .Create(clientId) .WithAuthority(authority) .WithClientSecret(clientSecret) .Build(); try { var result = await app.AcquireTokenForClient(new[] { scope }).ExecuteAsync(); return result.AccessToken; } catch (MsalServiceException ex) { Console.WriteLine($"MSAL Service Exception: {ex.Message}"); return null; } catch (Exception ex) { Console.WriteLine($"Unexpected error: {ex.Message}"); return null; } } if (app.Environment.IsDevelopment()) { app.UseSwagger(); app.UseSwaggerUI(c => { c.SwaggerEndpoint("/swagger/v1/swagger.json", "v1"); c.OAuthClientId(clientId); c.OAuthAppName(tenantName); c.OAuthUsePkce(); c.OAuthScopes(builder.Configuration["AzureAdB2C:Scope"]); c.RoutePrefix = string.Empty; }); } app.UseCors(); app.UseAuthentication(); app.UseAuthorization(); app.MapGet("/", () => "Hello World!") .WithName("GetHelloWorld") .WithMetadata(new SwaggerOperationAttribute("Get Hello World", "Returns a simple hello world message")); app.MapGet("/test", [Authorize] () => "Authorization successful!") .WithName("GetTest") .WithMetadata(new SwaggerOperationAttribute("Test Endpoint", "Returns a success message if authorized")); app.MapGet("/testtoken", async (HttpContext httpContext) => { var token = await GetAccessTokenAsync(); if (token == null) { return Results.Problem("Failed to acquire token"); } using var client = new HttpClient(); client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token); var response = await client.GetAsync("https://localhost:7169/test"); if (response.IsSuccessStatusCode) { return Results.Ok("Token acquisition and API call successful"); } return Results.Problem($"API call failed: {response.StatusCode}"); }) .WithName("GetTestToken") .WithMetadata(new SwaggerOperationAttribute("Test Token Acquisition", "Acquires a token and calls the test endpoint")); app.MapGet("/claims", (HttpContext httpContext) => { return Results.Ok(httpContext.User.Claims.Select(c => new { c.Type, c.Value })); }) .WithName("GetClaims") .WithMetadata(new SwaggerOperationAttribute("Claims Endpoint", "Returns the claims of the authenticated user")); app.Run(); -
Bernhard S 126 Reputation points
2024-11-07T13:36:40.7866667+00:00 Maybe someone can share a working demo project which I can use to adapt, try-out and to compare with my project to find the failure?
-
Bernhard S 126 Reputation points
2024-12-11T15:10:27.68+00:00 I ask again: Has anyone a solution to this or can send me a template that actually works (where I only need to set-up the appconfig for the azure portal)?
Sign in to comment
Sign in to answer