This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 98%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDM%3C/text%3E%3C/svg%3E)
Hi All, Here is my scenario, SignUp / SignIn by using Azure AD B2C Tenant, once we get the id token in the URL, and it will be stored in the Local Storage of the application. Now I want to use that id token to validate my custom API, if the token is valid based on clientId and ClientSecret then proceeds further in my custom API. I have tried many options but not working. Can someone share a sample code for it, that will be very help?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 64%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAC%3C/text%3E%3C/svg%3E)
Hi, the next code work for me, in my proyect .Net Core 6.0 Web App
public bool CheckAzureTokenIsValid(string access_token, AzureConnectionDTO azureConnectionDTO)
{
string stsDiscoveryEndpoint = "https://xxx.b2clogin.com/xxx.onmicrosoft.com/<policy-name>/v2.0/.well-known/openid-configuration";
var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndpoint, new OpenIdConnectConfigurationRetriever()); //1. need the 'new OpenIdConnect...'
OpenIdConnectConfiguration config = configManager.GetConfigurationAsync().Result;
TokenValidationParameters validationParameters = new TokenValidationParameters
{
ValidateAudience = true,
ValidateIssuer = true,
ValidateIssuerSigningKey = true,
ValidateLifetime = true,
RequireSignedTokens = true,
ClockSkew = TimeSpan.Zero,
ValidAudience = azureConnectionDTO.ClientId,
IssuerSigningKeys = config.SigningKeys,
ValidIssuer = config.Issuer
};
JwtSecurityTokenHandler tokendHandler = new JwtSecurityTokenHandler();
SecurityToken jwt;
var validatedToken = (SecurityToken)new JwtSecurityToken();
try
{
var result = tokendHandler.ValidateToken(access_token, validationParameters, out jwt);
var dataToValidate = jwt as JwtSecurityToken;
return true;
}
catch (Exception ex)
{
string m = ex.Message;
Console.WriteLine("FormatException: " + m);
return false;
}
}
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 85%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES3%3C/text%3E%3C/svg%3E)
Just adding to Andres comment, the stsDiscoveryEndpoint "metadataaddress" is specific per B2C user flow (see https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect) so for example if in the azure portal you hit "Run User Flow" and the url for the flow given is https://myorg.b2clogin.com/myorg.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_MYFLOW_SIGNUPIN then the meta address to use for token validation would be https://myorg.b2clogin.com/myorg.onmicrosoft.com/B2C_1_MYFLOW_SIGNUPIN/v2.0/.well-known/openid-configuration
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 55.00000000000001%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPF%3C/text%3E%3C/svg%3E)
I feel like I fell in the same rabbit hole, and Docs are a mess
Hi @Dilip Mevada · Thank you for reaching out.
I would suggest you to use Access Token when calling your custom API as ID token doesn't include Scope/Roles claim which API can use to perform authorization. Below is an ASP.Net core code snippet, you can refer to, for this purpose.
Ref: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-2-B2C
Code for the Web App
In Startup.cs, below lines of code enables Microsoft identity platform endpoint. This endpoint is capable of signing-in users both with their Work and School Accounts.
services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAdB2C")
.EnableTokenAcquisitionToCallDownstreamApi(new string[] { Configuration["TodoList:TodoListScope"] })
.AddInMemoryTokenCaches();
- AddMicrosoftIdentityWebAppAuthentication : This enables your application to use the Microsoft identity platform endpoint. This endpoint is capable of signing-in users both with their Work and School and Microsoft Personal accounts.
Code for the Web API
In Startup.cs, below lines of code protects the web API with Microsoft identity platform.
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(options =>
{
Configuration.Bind("AzureAdB2C", options);
options.TokenValidationParameters.NameClaimType = "name";
},
options => { Configuration.Bind("AzureAdB2C", options); });
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
@AmanpreetSingh-MSFT , Thanks for quick response.
Can you please give provide detailed steps for this token validation or required lines of code, that will be very helpful?
Code :
try
{
string token = "token here";
string stsDiscoveryEndpoint = "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration";
var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndpoint, new OpenIdConnectConfigurationRetriever()); //1. need the 'new OpenIdConnect...'
OpenIdConnectConfiguration config = configManager.GetConfigurationAsync().Result;
TokenValidationParameters validationParameters = new TokenValidationParameters
{
//decode the JWT to see what these values should be
ValidAudience = "5dc671b0-988f-4abd-a1eb-b2bdcd59XXXX", // Replaced values by XXXX
IssuerSigningKeys = config.SigningKeys, //2. .NET Core equivalent is "IssuerSigningKeys" and "SigningKeys"
ValidateIssuer = false,
ValidIssuer = "https://login.microsoftonline.com/common",
ValidateAudience = true,
ValidateIssuerSigningKey = false,
RequireExpirationTime = false,
ValidateLifetime = false,
};
JwtSecurityTokenHandler tokendHandler = new JwtSecurityTokenHandler();
SecurityToken jwt;
var result = tokendHandler.ValidateToken(token, validationParameters, out jwt);
var s = jwt as JwtSecurityToken;
}
catch (Exception ex)
{
throw;
}
Error Details:
IDX10501: Signature validation failed. Unable to match key:
kid: 'System.String'.
Exceptions caught:
'System.Text.StringBuilder'.
token: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'.
Thanks a lot in advance. Please advice.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 67%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPC%3C/text%3E%3C/svg%3E)
@Dilip Mevada sorry if it's too late, but by the look of it I can tell that the discovery endpoint is not good. The endpoint pattern should be more like : "https://{tenant_name}.b2clogin.com/{tenant_name}.onmicrosoft.com/{signin_policy_name}/v2.0/.well-known/openid-configuration".
Now if you would wich to validate a token from a client credentials flow (obtained with IConfidentialClientApplication with a client id and secret), you should this template instead : "https://login.microsoftonline.com/{tenant_name_or_tenant_id}/.well-known/openid-configuration"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 14.000000000000002%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Has anybody actually got this working though? I CANNOT validate this damn token I'm getting because of an apparent invalid signature, I've also posted here >> https://learn.microsoft.com/en-us/answers/questions/589591/azure-b2c-token-validation-in-api-returns-401-unau.html
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 65%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
Hi..did u find any solution on above issue?
In my case I cannot find matching key ids in discovery/keys url which matches with the kid of token header.
I didn't even find any documentation or help on this part.
I am getting below kid from the token - X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk
This key id is not available in the list of keys.