ASP.NET Core Web API + Swagger + Azure B2C

Question

ASP.NET Core Web API + Swagger + Azure B2C

Bernhard S 126

Hello experts,

since weeks (with on and off phases) I try to protect my ASP.Net project with the Azure B2C. For testing if that works I want to use Swagger. But I am too stupid to make it a success. I got all kinds of error messages but I am unable to get a valid token to test the authorization. I require code help because I am blind for my mistakes. My frustration level is already high. But let me show you my status:

My project structure

User's image

But I only use the Program.cs and the appsettings.json currently.

Used for TENANT_NAME

User's image

Used for CLIENT_ID:

User's image

Used as CLIENT_SECRET:

User's image

Used for B2C_1_AdAZURE_B2C_TENANT_NAME:

User's image

The SCOPE I tried before:

User's image

But this caused: "Response status code does not indicate success: 400 (Bad Request)". So I switched it to "https://TENANT_NAME.onmicrosoft.com/CLIENT_ID/.default".

Settings of AUTHENTICATION:

User's image

My appsettings.json:

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*",
  "ConnectionStrings": {
    "AzureTableStorage": ""
  },
  "AzureAdB2C": {
    "Instance": "AZURE_B2C_TENANT_NAME.b2clogin.com",
    "Domain": "AZURE_B2C_TENANT_NAME.onmicrosoft.com",
    "ClientId": "CLIENT_ID",
    "ClientSecret": "CLIENT_SECRET",
    "Tenant": "AZURE_B2C_TENANT_NAME",
    "SignUpSignInPolicyId": "B2C_1_AdAZURE_B2C_TENANT_NAME",
    "Scope": "https://AZURE_B2C_TENANT_NAME.onmicrosoft.com/CLIENT_ID/.default",     "AuthorizationUrl": "https://AZURE_B2C_TENANT_NAME.b2clogin.com/AZURE_B2C_TENANT_NAME.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_AdAZURE_B2C_TENANT_NAME",
    "TokenUrl": "https://AZURE_B2C_TENANT_NAME.b2clogin.com/AZURE_B2C_TENANT_NAME.onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_AdAZURE_B2C_TENANT_NAME",
    "RedirectUri": "https://localhost:7169/swagger/oauth2-redirect.html"
  },
  "Cors": {
    "AllowedOrigins": [ "https://localhost:7169" ]
  }
}

The Program.cs:

using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;
using Microsoft.OpenApi.Models;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Identity.Client;
using System.Net.Http.Headers;
using Swashbuckle.AspNetCore.Annotations;
var builder = WebApplication.CreateBuilder(args);
string tenantName = builder.Configuration["AzureAdB2C:Tenant"];
string instance = builder.Configuration["AzureAdB2C:Instance"];
string domain = builder.Configuration["AzureAdB2C:Domain"];
string clientId = builder.Configuration["AzureAdB2C:ClientId"];
string clientSecret = builder.Configuration["AzureAdB2C:ClientSecret"];
string authority = $"https://{instance}/tfp/{domain}/{builder.Configuration["AzureAdB2C:SignUpSignInPolicyId"]}/v2.0/";
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(options =>
    {
        options.Authority = authority;
        options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = $"https://{instance}/{domain}/v2.0/",
            ValidateAudience = true,
            ValidAudience = clientId,
            ValidateLifetime = true
        };
        options.Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = context =>
            {
                Console.WriteLine($"Authentication failed: {context.Exception}");
                return Task.CompletedTask;
            }
        };
    }, options => { builder.Configuration.Bind("AzureAdB2C", options); });
builder.Services.AddAuthorization();
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen(c =>
{
    c.SwaggerDoc("v1", new OpenApiInfo { Title = "My API", Version = "v1" });
    c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
    {
        Type = SecuritySchemeType.Http,
        Scheme = "bearer",
        BearerFormat = "JWT",
        In = ParameterLocation.Header,
        Name = "Authorization",
        Description = "JWT Authorization header using the Bearer scheme."
    });
    c.AddSecurityRequirement(new OpenApiSecurityRequirement
    {
        {
            new OpenApiSecurityScheme
            {
                Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "Bearer" }
            },
            Array.Empty<string>()
        }
    });
});
builder.Services.AddCors(options =>
{
    options.AddDefaultPolicy(builder =>
    {
        builder.AllowAnyOrigin()
               .AllowAnyMethod()
               .AllowAnyHeader();
    });
});
var app = builder.Build();
async Task<string> GetAccessTokenAsync()
{
    var app = ConfidentialClientApplicationBuilder
        .Create(clientId)
        .WithAuthority(authority)
        .WithClientSecret(clientSecret)
        .Build();
    try
    {
        var result = await app.AcquireTokenForClient(new[] { builder.Configuration["AzureAdB2C:Scope"] }).ExecuteAsync();
        return result.AccessToken;
    }
    catch (MsalServiceException ex)
    {
        Console.WriteLine($"MSAL Service Exception: {ex.Message}");
        return null;
    }
    catch (Exception ex)
    {
        Console.WriteLine($"Unexpected error: {ex.Message}");
        return null;
    }
}
if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI(c =>
    {
        c.SwaggerEndpoint("/swagger/v1/swagger.json", "v1");
        c.OAuthClientId(clientId);
        c.OAuthAppName(tenantName);
        c.OAuthUsePkce();
        c.OAuthScopes(builder.Configuration["AzureAdB2C:Scope"]);
        c.RoutePrefix = string.Empty;
    });
}
app.UseCors();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/", () => "Hello World!")
   .WithName("GetHelloWorld")
   .WithMetadata(new SwaggerOperationAttribute("Get Hello World", "Returns a simple hello world message"));
app.MapGet("/test", [Authorize] () => "Authorization successful!")
   .WithName("GetTest")
   .WithMetadata(new SwaggerOperationAttribute("Test Endpoint", "Returns a success message if authorized"));
app.MapGet("/testtoken", async (HttpContext httpContext) =>
{
    var token = await GetAccessTokenAsync();
    if (token == null)
    {
        return Results.Problem("Failed to acquire token");
    }
    using var client = new HttpClient();
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
    var response = await client.GetAsync("https://localhost:7169/test");  // Replace with your actual URL
    if (response.IsSuccessStatusCode)
    {
        return Results.Ok("Token acquisition and API call successful");
    }
    return Results.Problem($"API call failed: {response.StatusCode}");
})
.WithName("GetTestToken")
.WithMetadata(new SwaggerOperationAttribute("Test Token Acquisition", "Acquires a token and calls the test endpoint"));
app.MapGet("/claims", (HttpContext httpContext) =>
{
    return Results.Ok(httpContext.User.Claims.Select(c => new { c.Type, c.Value }));
})
.WithName("GetClaims")
.WithMetadata(new SwaggerOperationAttribute("Claims Endpoint", "Returns the claims of the authenticated user"));
app.Run();

FAILS/RESULTS:

1.) Try

Create a Test Method to get a token

User's image

Copy the token

User's image

Authenticate in Swagger

User's image

The dialog closes. Testing "/test":

User's image

Server response
Code	Details
401
Undocumented
Error: response status is 401

Response headers
 content-length: 0 
 date: Sat,19 Oct 2024 09:30:09 GMT 
 server: Kestrel 
 www-authenticate: Bearer error="invalid_token"

Try

User's image

{
  "type": "https://tools.ietf.org/html/rfc9110#section-15.6.1",
  "title": "An error occurred while processing your request.",
  "status": 500,
  "detail": "API call failed: Unauthorized"
}

Any ideas?

My code is a mess and I don't need to keep it. All I want to achive is to make a authorized GET request as a test to verify that my Api endpoint is secured by the Bearer token.

(I have anonymized confidential information. If I forget something, please let me know.)

Anonymous

Hi @Bernhard,

Try to add Microsoft.AspNetCore.Authentication and Microsoft.AspNetCore.Authorization

like below and share more details with us.

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
       // Add these two lines for check the detaied logs
      "Microsoft.AspNetCore.Authentication": "Information",
      "Microsoft.AspNetCore.Authorization": "Information",
    }
  },
  ...
}

Best Regards

Jason

Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator

2024-11-01T06:05:02.9633333+00:00

@Bernhard Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Bernhard S 126 Reputation points

2024-11-01T10:11:01.6566667+00:00

@Anonymous

thanks for your help. Sorry for my late reply I got sick/busy the last days. I will try your solutions in the next days and give you a feedback and accepting the answer if it works.

@Givary-MSFT

thanks for your help too. I will do that. Please give me some time. I will answer to you soon (in the next few days).
Bernhard S 126 Reputation points

2024-11-01T11:23:59.12+00:00

@Anonymous the latest version (2.2.0) of Microsoft.AspNetCore.Authentication is deprecated

so I installed the version 2.1.2. I also updated the Microsoft.AspNetCore.Authorization to the latest version 8.0.10.

I tried out the endpoint "/testtoken" again and got a token by the method GetAccessTokenAsync:

but when I test the token against the endpoint "/test" it fails:

I get not more info:

The same result when I "Authorize" first:

That is the method "/test/":
Bernhard S 126 Reputation points

2024-11-01T11:25:38.17+00:00

I updated Microsoft.AspNetCore.Authentication to 2.2.0 because it makes no sense to use the pre-version when the package is deprecated at all.

Bernhard S 126

I changed builder.Services.AddSwaggerGen to the suggested code of @Bruce (SqlWork.com) :

builder.Services.AddSwaggerGen(c =>
{
    c.SwaggerDoc("v1", new OpenApiInfo { Title = "Test01", Version = "v1" });
    c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme()
    {
        Name = "Authorization",
        Type = SecuritySchemeType.ApiKey,
        Scheme = "Bearer",
        BearerFormat = "JWT",
        In = ParameterLocation.Header,
        Description = "JWT Authorization header value: Bearer {token}"
    });
    c.AddSecurityRequirement(new OpenApiSecurityRequirement
    {
        {
            new OpenApiSecurityScheme
            {
                 Reference = new OpenApiReference
                 {
                    Type = ReferenceType.SecurityScheme,
                    Id = "Bearer"
                 }
            },
            new string[] {}
         }
    });
});

But got the same result.

Anonymous

2024-11-04T01:18:18.9933333+00:00

Hi @Bernhard,

It may be that my previous description misled you, I am suggestting that you need to add these two options under Logging in appsettings.json file, which will generate more logs related to authentication and authorization, rather than adding these two packages, as the higher version of asp.net core already has these required packages built-in.

Best Regards

Jason

Bernhard S 126

Hi @Anonymous

sorry for my misunderstanding ...

Here is the log you wanted to see:

Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10239: Lifetime of the token is valid.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10234: Audience Validated.Audience: '4b     REMOVED      e'
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10245: Creating claims identity from the validated token: '[PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: Bearer was not authenticated. Failure message: IDW10201: Neither scope nor roles claim was found in the bearer token. Authentication scheme used: 'Bearer'. 
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: AuthenticationScheme: Bearer was challenged.

It seems like the scope is missing but I retrieved it as you can see in the (bottom left) Immediate Window: User's image

I don't get it ...

Bernhard S 126 Reputation points

2024-11-06T14:10:18.4933333+00:00

I just tried another Scope:

And got the message that it has to be /.default:

Anonymous

Hi @Bernhard,

Please try to add JwtSecurityTokenHandler.DefaultMapInboundClaims = false; and change AddAuthorization and AddAuthentication like below.

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(options =>
    {
        options.Authority = authority;
        options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = $"https://{instance}/{domain}/v2.0/",
            ValidateAudience = true,
            ValidAudience = clientId,
            ValidateLifetime = true,
            RoleClaimType = "roles", // Add this line
            ScopeClaimType = "scp"   // Add this line
        };
        options.Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = context =>
            {
                Console.WriteLine($"Authentication failed: {context.Exception.Message}");
                return Task.CompletedTask;
            },
            OnTokenValidated = context =>
            {
                Console.WriteLine("Token validated successfully");
                return Task.CompletedTask;
            }
        };
    }, options => { builder.Configuration.Bind("AzureAdB2C", options); });

JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
builder.Services.AddAuthorization(config =>
{
    // if there is no Roles Name, you can keep your original code, ignore below settings
    config.AddPolicy("Role", policy => 
        policy.RequireClaim("roles", "YOUR_Role_Name"));
});

Best Regards

Jason

Bernhard S 126

Hi @Anonymous

thank you for the code. Unfortunately I have troubles to add ScopeClaimType

User's image

This are my usings:

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;
using Microsoft.OpenApi.Models;
using Microsoft.Identity.Client;
using System.Net.Http.Headers;
using Swashbuckle.AspNetCore.Annotations;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;

And my packages: User's image

What I am missing?

Bernhard S 126

I tried a different idea thanks to the suggestion of @Anonymous and changed the OnTokenValidated and the AddAuthorization. Here the full Program.cs code:

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;
using Microsoft.OpenApi.Models;
using Microsoft.Identity.Client;
using System.Net.Http.Headers;
using Swashbuckle.AspNetCore.Annotations;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;

var builder = WebApplication.CreateBuilder(args);

string tenantName = builder.Configuration["AzureAdB2C:Tenant"];
string instance = builder.Configuration["AzureAdB2C:Instance"];
string domain = builder.Configuration["AzureAdB2C:Domain"];
string clientId = builder.Configuration["AzureAdB2C:ClientId"];
string clientSecret = builder.Configuration["AzureAdB2C:ClientSecret"];
string scope = builder.Configuration["AzureAdB2C:Scope"];
string signUpSignInPolicyId = builder.Configuration["AzureAdB2C:SignUpSignInPolicyId"];
string authority = $"https://{instance}/tfp/{domain}/{signUpSignInPolicyId}/v2.0/";

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(options =>
    {
        //options.TokenValidationParameters.NameClaimType = "name";
        //options.TokenValidationParameters.RoleClaimType = "role";
        options.Authority = authority;
        options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = $"https://{instance}/{domain}/v2.0/",
            ValidateAudience = true,
            ValidAudience = clientId,
            ValidateLifetime = true
        };
        options.Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = context =>
            {
                Console.WriteLine($"Authentication failed: {context.Exception}");
                return Task.CompletedTask;
            },
            OnTokenValidated = context =>
            {
                var claimsIdentity = context.Principal.Identity as ClaimsIdentity;
                var scopeClaim = claimsIdentity.FindFirst("scp");
                if (scopeClaim != null)
                {
                    claimsIdentity.AddClaim(new Claim("scope", scopeClaim.Value));
                    Console.WriteLine("Token validated successfully");
                }
                return Task.CompletedTask;
            }
        };
    }, options => { builder.Configuration.Bind("AzureAdB2C", options); });
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("RequireSpecificScope", policy =>
    {
        policy.RequireAuthenticatedUser();
        policy.RequireClaim("scope", scope);
    });
});

builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen(c =>
{
    c.SwaggerDoc("v1", new OpenApiInfo { Title = "Test01", Version = "v1" });
    c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme()
    {
        Name = "Authorization",
        Type = SecuritySchemeType.ApiKey,
        Scheme = "Bearer",
        BearerFormat = "JWT",
        In = ParameterLocation.Header,
        Description = "JWT Authorization header value: Bearer {token}"
    });
    c.AddSecurityRequirement(new OpenApiSecurityRequirement
    {
        {
            new OpenApiSecurityScheme
            {
                 Reference = new OpenApiReference
                 {
                    Type = ReferenceType.SecurityScheme,
                    Id = "Bearer"
                 }
            },
            new string[] {}
         }
    });
});

builder.Services.AddCors(options =>
{
    options.AddDefaultPolicy(builder =>
    {
        builder.AllowAnyOrigin()
               .AllowAnyMethod()
               .AllowAnyHeader();
    });
});

var app = builder.Build();

async Task<string> GetAccessTokenAsync()
{
    var app = ConfidentialClientApplicationBuilder
        .Create(clientId)
        .WithAuthority(authority)
        .WithClientSecret(clientSecret)
        .Build();

    try
    {
        var result = await app.AcquireTokenForClient(new[] { scope }).ExecuteAsync();
        return result.AccessToken;
    }
    catch (MsalServiceException ex)
    {
        Console.WriteLine($"MSAL Service Exception: {ex.Message}");
        return null;
    }
    catch (Exception ex)
    {
        Console.WriteLine($"Unexpected error: {ex.Message}");
        return null;
    }
}

if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI(c =>
    {
        c.SwaggerEndpoint("/swagger/v1/swagger.json", "v1");
        c.OAuthClientId(clientId);
        c.OAuthAppName(tenantName);
        c.OAuthUsePkce();
        c.OAuthScopes(builder.Configuration["AzureAdB2C:Scope"]);
        c.RoutePrefix = string.Empty;
    });
}

app.UseCors();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/", () => "Hello World!")
   .WithName("GetHelloWorld")
   .WithMetadata(new SwaggerOperationAttribute("Get Hello World", "Returns a simple hello world message"));

app.MapGet("/test", [Authorize] () => "Authorization successful!")
   .WithName("GetTest")
   .WithMetadata(new SwaggerOperationAttribute("Test Endpoint", "Returns a success message if authorized"));

app.MapGet("/testtoken", async (HttpContext httpContext) =>
{
    var token = await GetAccessTokenAsync();
    if (token == null)
    {
        return Results.Problem("Failed to acquire token");
    }

    using var client = new HttpClient();
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
    var response = await client.GetAsync("https://localhost:7169/test");

    if (response.IsSuccessStatusCode)
    {
        return Results.Ok("Token acquisition and API call successful");
    }

    return Results.Problem($"API call failed: {response.StatusCode}");
})
.WithName("GetTestToken")
.WithMetadata(new SwaggerOperationAttribute("Test Token Acquisition", "Acquires a token and calls the test endpoint"));

app.MapGet("/claims", (HttpContext httpContext) =>
{
    return Results.Ok(httpContext.User.Claims.Select(c => new { c.Type, c.Value }));
})
.WithName("GetClaims")
.WithMetadata(new SwaggerOperationAttribute("Claims Endpoint", "Returns the claims of the authenticated user"));

app.Run();

Bernhard S 126 Reputation points

2024-11-07T13:36:40.7866667+00:00

Maybe someone can share a working demo project which I can use to adapt, try-out and to compare with my project to find the failure?
Bernhard S 126 Reputation points

2024-12-11T15:10:27.68+00:00

I ask again: Has anyone a solution to this or can send me a template that actually works (where I only need to set-up the appconfig for the azure portal)?

Your answer

Anonymous

2024-10-24T05:26:26.2233333+00:00

Hi @Bernhard,

Try to add Microsoft.AspNetCore.Authentication and Microsoft.AspNetCore.Authorization

like below and share more details with us.

{ "Logging": { "LogLevel": { "Default": "Information", "Microsoft.AspNetCore": "Warning" // Add these two lines for check the detaied logs "Microsoft.AspNetCore.Authentication": "Information", "Microsoft.AspNetCore.Authorization": "Information", } }, ... }

Best Regards

Jason
Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator

2024-11-01T06:05:02.9633333+00:00

@Bernhard Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Bernhard S 126 Reputation points

2024-11-01T10:11:01.6566667+00:00

@Anonymous

thanks for your help. Sorry for my late reply I got sick/busy the last days. I will try your solutions in the next days and give you a feedback and accepting the answer if it works.

@Givary-MSFT

thanks for your help too. I will do that. Please give me some time. I will answer to you soon (in the next few days).
Bernhard S 126 Reputation points

2024-11-01T11:23:59.12+00:00

@Anonymous the latest version (2.2.0) of Microsoft.AspNetCore.Authentication is deprecated

so I installed the version 2.1.2. I also updated the Microsoft.AspNetCore.Authorization to the latest version 8.0.10.

I tried out the endpoint "/testtoken" again and got a token by the method GetAccessTokenAsync:

but when I test the token against the endpoint "/test" it fails:

I get not more info:

The same result when I "Authorize" first:

That is the method "/test/":
Bernhard S 126 Reputation points

2024-11-01T11:25:38.17+00:00

I updated Microsoft.AspNetCore.Authentication to 2.2.0 because it makes no sense to use the pre-version when the package is deprecated at all.
Bernhard S 126 Reputation points

2024-11-01T11:49:00.4433333+00:00

I changed builder.Services.AddSwaggerGen to the suggested code of @Bruce (SqlWork.com) :

builder.Services.AddSwaggerGen(c => { c.SwaggerDoc("v1", new OpenApiInfo { Title = "Test01", Version = "v1" }); c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme() { Name = "Authorization", Type = SecuritySchemeType.ApiKey, Scheme = "Bearer", BearerFormat = "JWT", In = ParameterLocation.Header, Description = "JWT Authorization header value: Bearer {token}" }); c.AddSecurityRequirement(new OpenApiSecurityRequirement { { new OpenApiSecurityScheme { Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "Bearer" } }, new string[] {} } }); });

But got the same result.
Anonymous

2024-11-04T01:18:18.9933333+00:00

Hi @Bernhard,

It may be that my previous description misled you, I am suggestting that you need to add these two options under Logging in appsettings.json file, which will generate more logs related to authentication and authorization, rather than adding these two packages, as the higher version of asp.net core already has these required packages built-in.

Best Regards

Jason
Bernhard S 126 Reputation points

2024-11-06T14:04:54.9066667+00:00

Hi @Anonymous

sorry for my misunderstanding ...

Here is the log you wanted to see:

Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10239: Lifetime of the token is valid. Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10234: Audience Validated.Audience: '4b REMOVED e' Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10245: Creating claims identity from the validated token: '[PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: Bearer was not authenticated. Failure message: IDW10201: Neither scope nor roles claim was found in the bearer token. Authentication scheme used: 'Bearer'. Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization failed. These requirements were not met: DenyAnonymousAuthorizationRequirement: Requires an authenticated user. Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: AuthenticationScheme: Bearer was challenged.

It seems like the scope is missing but I retrieved it as you can see in the (bottom left) Immediate Window:

I don't get it ...
Bernhard S 126 Reputation points

2024-11-06T14:10:18.4933333+00:00

I just tried another Scope:

And got the message that it has to be /.default:
Anonymous

2024-11-07T02:06:16.39+00:00

Hi @Bernhard,

Please try to add JwtSecurityTokenHandler.DefaultMapInboundClaims = false; and change AddAuthorization and AddAuthentication like below.

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) .AddMicrosoftIdentityWebApi(options => { options.Authority = authority; options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters { ValidateIssuer = true, ValidIssuer = $"https://{instance}/{domain}/v2.0/", ValidateAudience = true, ValidAudience = clientId, ValidateLifetime = true, RoleClaimType = "roles", // Add this line ScopeClaimType = "scp" // Add this line }; options.Events = new JwtBearerEvents { OnAuthenticationFailed = context => { Console.WriteLine($"Authentication failed: {context.Exception.Message}"); return Task.CompletedTask; }, OnTokenValidated = context => { Console.WriteLine("Token validated successfully"); return Task.CompletedTask; } }; }, options => { builder.Configuration.Bind("AzureAdB2C", options); }); JwtSecurityTokenHandler.DefaultMapInboundClaims = false; builder.Services.AddAuthorization(config => { // if there is no Roles Name, you can keep your original code, ignore below settings config.AddPolicy("Role", policy => policy.RequireClaim("roles", "YOUR_Role_Name")); });

Best Regards

Jason
Bernhard S 126 Reputation points

2024-11-07T09:14:17.3466667+00:00

Hi @Anonymous

thank you for the code. Unfortunately I have troubles to add ScopeClaimType

This are my usings:

using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Authentication.JwtBearer; using Microsoft.Identity.Web; using Microsoft.OpenApi.Models; using Microsoft.Identity.Client; using System.Net.Http.Headers; using Swashbuckle.AspNetCore.Annotations; using System.IdentityModel.Tokens.Jwt; using System.Security.Claims;

And my packages:

What I am missing?
Bernhard S 126 Reputation points

2024-11-07T13:36:40.7866667+00:00

Maybe someone can share a working demo project which I can use to adapt, try-out and to compare with my project to find the failure?
Bernhard S 126 Reputation points

2024-12-11T15:10:27.68+00:00

I ask again: Has anyone a solution to this or can send me a template that actually works (where I only need to set-up the appconfig for the azure portal)?

Share via

ASP.NET Core Web API + Swagger + Azure B2C

Your answer