question

TorbenJ-4048 avatar image
2 Votes"
TorbenJ-4048 asked miwan2-msft commented

API access without scopes

Hello there,

I got two projects, an ASP.NET Core Web Application (non-MVC) and an ASP.NET Core Web API.
Currently I'm trying to integrate B2C into them but I always get stuck with scopes.

The Web API contains an authorized endpoint that I want to call from the Web App.
For this I'm trying to get an access token by using the ITokenAcquisition.GetAccessTokenForUserAsync method passing an empty string array for the scopes.
The goal is to get an access token that I can set in the Authorization header for the HTTP request I'm sending to my Web API.
Unfortunately the attempt to get an access token always ends up in an MsalUiRequiredException exception with reference to incremental consent docs.

What I don't really understand is how to just get an access token for "no scopes". The Web API endpoint requires no special scopes, just that the caller is an authenticated user.
Further I really don't want to bother the user with any additional consent dialogues. I only know these dialogues if some service wants access to data from foreign services like if I want access to some profile data from the user's facebook identity. But if the user just uses my web app and reads/writes data to it I really don't want to ask them if they really want to read/write data to my service as they are already using them to do this in the first place.
I can understand that I might introduce scopes in the future for non-regular user functionality like moderation/administration features but there will always be a set of functionality that should be accessible for any regular user without any additional consent. Just sign in and use them.

I really don't know if I'm missing something about B2C in general or if I'm just getting lost here after reading and trying so much stuff about it.
I hope someone can help me out on this.

azure-ad-b2cdotnet-aspnet-core-general
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi, @TorbenJ-4048 ,[access token contains claims that you can add in Azure Active Directory B2C (Azure AD B2C) to identify the granted permissions to your APIs. When calling a resource server, access token will be present in the HTTP request. Th access token is denoted as access_token in the responses from Azure AD B2C.

0 Votes 0 ·

0 Answers