Integrating with Azure B2C

Question

Integrating with Azure B2C

Laurence 1

We are trying to support azure B2C in our web application (the application runs on a custom web host). We already integrated with B2B, but we are unable to integrate with B2C yet.

We are using the azure b2c application that is constructed in the following read-me: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-2-B2C. We did not set the Implicit grant and hybrid flows checkboxes for our application since authentication is handled by our backend. The application works when we use the supplied code, but it fails with the ConfidentialClientApplication class.

We cannot acquire a token from the ConfidentialClientApplication class when using the methods AcquireTokenByAuthorizationCode. The method fails with the error: 'Policy 'B2C_1_signup_signin' does not contain a AuthorizationTechnicalProfile with a corresponding ClientAssertionType'.

We tried to change the replay Url type to Spa to prevent the AuthorizationTechnicalProfile error. After this change, the error 'The supplied code_verifier is invalid' is thrown instead. So, this did not solve our problem.

We can get a valid token when we build a PublicClientApplication that makes use of the method AcquireTokenInteractive. However, we cannot use this since we are in a web environment.

The issue can be reproduced with the following code snippet. In our environment, the variable code is received from signing into azure B2C. I replaced it with a variable in this example:

        var code = "xxxxxxxxxxxxx";
        var redirectUri = $"https://xxx.xxxxxxxxxx.com:8080/api/external_authentication/app";
        var clientId = "000000000-0000-0000-0000-000000000000";
        var tenantName = "tenantName";
        var policySignUpSignIn = "B2C_1_signup_signin";
        var certificateThumbprint = "0000000000000000000000000000000000000000";

        var tenant = $"{tenantName}.onmicrosoft.com";
        var apiScopes = new [] { $"https://{tenant}/helloapi/demo.read" };
        var azureAdB2CHostname = $"{tenantName}.b2clogin.com";
        var authorityV2 = $"https://{azureAdB2CHostname}/tfp/{tenant}/{policySignUpSignIn}";

        var test = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithB2CAuthority(authorityV2)
            .WithRedirectUri(redirectUri)
            .WithCertificate(ReadCertificate(certificateThumbprint, StoreLocation.LocalMachine))
            .Build();

        try
        {
            var userToken = await test.AcquireTokenByAuthorizationCode(apiScopes, code).ExecuteAsync(); //Exception: The supplied code_verifier is invalid
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
        }

Edit: the whole question is updated because of new insights.

Answer 1

soumi-MSFT 11,626 Microsoft Employee

@Laurence , If your app is a WebApp, that you are trying to integrate using B2C, please try the following ASP .Net Core MVC App Sample. This sample uses OIDC protocol to authenticate the user using B2C.

In case you have a WebAPI that you want to protect using B2C, that's when the sample you referred to will help.

Please check the following repo for more B2C samples: https://github.com/azure-ad-b2c/apps/tree/master/apps

Laurence 1 Reputation point

2021-09-27T11:20:36.983+00:00

We are using ServiceStack instead of asp.net to host the back-end of our web application, so we are unable to use anything that is integrated with ASP.net. Meaning, we cannot use the method AddAzureADB2C to enable B2C (the example is using this method). Are there any examples that can be used on just any web server?

We would like to enable single sign-on that makes use of Azure B2C. We will be able to do this when we can convert the authorization code into a user token. However, this fails when using Azure B2C. Are there any examples that perform this step?

We cannot acquire a token from the ConfidentialClientApplication class when using the methods AcquireTokenByAuthorizationCode. The method fails with the error: 'Policy 'B2C_1_signup_signin' does not contain a AuthorizationTechnicalProfile with a corresponding ClientAssertionType'.

We tried to change the replay Url type to Spa to prevent the AuthorizationTechnicalProfile error. After this change, the error 'The supplied code_verifier is invalid' is thrown instead. So, this did not solve our problem.

We can get a valid token when we build a PublicClientApplication that makes use of the method AcquireTokenInteractive. However, we cannot use this since we are in a web environment. I would assume that this means that the Azure AD application is configured correctly, but the method to convert the authorization code is invalid?

What changes do we have to make so that we can convert an authorization code into a user token?
soumi-MSFT 11,626 Reputation points Microsoft Employee

2021-09-28T13:57:13.853+00:00

@Laurence , First of all the samples I shared with you, all these samples use MSAL and Microsoft.Identity.Web libraries to get tokens from AAD B2C. When you write your own backend app or api, you need to use these libraries to make to fetch the user tokens for you, when the user tries to signin. Now, your app's code has to make these calls, and there are no examples for just any web server. You can find examples repo I shared earlier for more examples in different languages.

Secondly, there is no way to convert an authorization code into a user token. In auth-code grant flow (OAuth2.0 flow) you exchange the authorization code to get an access-token from Azure AD or Azure AD B2C, and that access-token can be further used to make calls to backend apis that are protected by AAD or AAD B2C.
Laurence 1 Reputation point

2021-09-28T15:09:15.713+00:00

With user token I meant access-token. That is exactly what I try to accomplish, I would like to convert an authorization code into an access-token by using Microsoft.Identity.Web. We get this to work for Azure B2B ( with the same set-up but then using the B2B methods ), but this fails for B2C with the specified errors.

The Github project you sent (https://github.com/azure-ad-b2c/apps/tree/master/apps/web-dotnet-core-oidc-b2cui) does not make use of Microsoft.Identity.Web (it uses Microsoft.AspNetCore.Authentication and Microsoft.AspNetCore.Authentication.AzureADB2C), could you double-check the link?

Could you perhaps provide more detail on how to resolve the 'Policy 'B2C_1_signup_signin' does not contain a AuthorizationTechnicalProfile with a corresponding ClientAssertionType' exception?
Laurence 1 Reputation point

2022-05-05T09:41:57.58+00:00

@soumi-MSFT Could you give an update on this ticket?

Integrating with Azure B2C

1 answer

Activity