Azure AD B2C returns 401 Unauthorized when accessing controller

Lazar N 0 Reputation points
2024-05-07T21:57:34.52+00:00

I am building a Blazor WASM app, in .NET 8, which I intend to protect using Azure Active Directory B2C.

I created an AAD B2C app registration, and exposed an API from it. Then I created another app registration to serve as a client, and gave it the permission to access the API.

I was following this tutorial. I created my .NET project using the command provided in the documentation, just plugged my values in it, and everything looks like it is set up properly.

Authentication works as expected using the default sign in/sign up flow. But, when I try accessing the WeatherForecast controller's Get method, I get the 401 Unauthorized exception. This is the browser console output:

GET https://localhost:PORT/WeatherForecast net::ERR_ABORTED 401 (Unauthorized)
info: System.Net.Http.HttpClient.ProjectPath.ClientHandler[101]
      Received HTTP response headers after 17.9ms - 401
info: System.Net.Http.HttpClient.ProjectPath.LogicalHandler[101]
      End processing HTTP request after 21ms - 401
crit: Microsoft.AspNetCore.Components.WebAssembly.Rendering.WebAssemblyRenderer[100]
      Unhandled exception rendering component: Response status code does not indicate success: 401 (Unauthorized).
System.Net.Http.HttpRequestException: Response status code does not indicate success: 401 (Unauthorized).
   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
   at System.Net.Http.Json.HttpClientJsonExtensions.<g__Core|12_0>d`2[[ProjectPath.WeatherForecast[], ProjectPath, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null],[System.Text.Json.JsonSerializerOptions, System.Text.Json, Version=8.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51]].MoveNext()
   at ProjectPath.Client.Pages.FetchData.OnInitializedAsync() in C:\Users\Folder\Project\Client\Pages\FetchData.razor:line 50
   at Microsoft.AspNetCore.Components.ComponentBase.RunInitAndSetParametersAsync()
   at Microsoft.AspNetCore.Components.RenderTree.Renderer.GetErrorHandledTask(Task taskToHandle, ComponentState owningComponentState)

Note that not all ProjectPaths are the same; I used it to replace every project path/name in the output.

I also decoded the Bearer token, and it looks good:

{
  "oid": "SOME-GUID",
  "sub": "SAME-AS-ABOVE",
  "name": "My_Authenticated_User_Name",
  "tfp": "CORRECT_FLOW_NAME",
  "nonce": "NONCE_GUID",
  "scp": "CORRECT_SCOPE_NAME",
  "azp": "CLIENT_APP_CLIENT_ID",
  "ver": "1.0",
  "iat": 1714230019,
  "aud": "MAIN_APP_CLIENT_ID",
  "exp": 1714233619,
  "iss": "https://whatever.b2clogin.com/TENNANT_ID/v2.0/",
  "nbf": 1714230019
}

Note here that the first two values (oid and sub) are the same; I just don't recognize that particular GUID. name shows a correct username from AAD claims, tfp a correct sign-in/sign-up flow name, and scp shows the correct scope name of the API permission I created. azp shows the Client Id of the app that is given the authorization to the API, while the aud is the Client Id of the app registration that exposes the API.

Not sure if ver (1.0) should be 2.0, since that's the version given in the iss, and the manifest itself.

I also granted Admin consent for the Client app's API permission, but I still can't access the API from the Client app.

I am happy to provide more information if needed. Any help would be greatly appreciated.
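An added example, not code from the question, the answer, or the linked tutorial: an offline replica of the claim checks an ASP.NET Core JwtBearer-protected API applies to a token like the one decoded above, after the signature has already been verified (signature and key lookup are out of scope here). It assumes the API is configured with the exposing app's client ID as its audience and the B2C authority shown in iss; the claim values are the question's placeholders, and the hypothetical `check_claims` helper reports every reason the token would be rejected so that a 401 can be traced to a specific mismatch.

```python
# Constructed claims mirroring the decoded token in the question (placeholders kept).
SAMPLE_CLAIMS = {
    "aud": "MAIN_APP_CLIENT_ID",
    "iss": "https://whatever.b2clogin.com/TENNANT_ID/v2.0/",
    "scp": "CORRECT_SCOPE_NAME",
    "tfp": "CORRECT_FLOW_NAME",
    "nbf": 1714230019,
    "exp": 1714233619,
}


def check_claims(claims, expected_aud, expected_iss, required_scope,
                 now_ts, clock_skew=300):
    """Return the list of reasons the API would reject the token (empty = accepted).

    Hypothetical helper: it mirrors the audience, issuer, lifetime and scope checks
    the JwtBearer middleware performs, with its default 5-minute clock skew."""
    problems = []

    # 'aud' must equal the client ID of the app registration that *exposes* the API
    # (MAIN_APP_CLIENT_ID in the question), not the calling client's ID (azp).
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        problems.append(f"aud {aud!r} does not match configured audience {expected_aud!r}")

    # 'iss' is compared byte for byte with the configured authority, so the tenant ID,
    # the /v2.0/ path and the trailing slash must all agree.
    if claims.get("iss") != expected_iss:
        problems.append(f"iss {claims.get('iss')!r} does not match {expected_iss!r}")

    # 'scp' is a space-separated list; the API's scope check needs the required one present.
    scopes = (claims.get("scp") or "").split()
    if required_scope not in scopes:
        problems.append(f"required scope {required_scope!r} not in scp {scopes!r}")

    # Lifetime window: nbf <= now <= exp, allowing the skew on both ends.
    if now_ts < int(claims.get("nbf", 0)) - clock_skew:
        problems.append("token not yet valid (nbf is in the future)")
    if now_ts > int(claims.get("exp", 0)) + clock_skew:
        problems.append("token expired (exp is in the past)")

    return problems
```

Running it with the question's values and a timestamp inside the nbf/exp window returns an empty list; swapping the expected audience for the client app's ID reproduces the audience mismatch that produces a 401.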


1 answer

Bruce (SqlWork.com) 57,646 Reputation points
2024-05-12T16:35:47.13+00:00

They are the user object IDs in Azure AD. See

https://authguidance.com/azure-ad-troubleshooting/