B2C WebApi chain

Question

B2C WebApi chain

bdiddy 171

Hi,

I have a webapp SPA written in Angular, that communicate with WebAPI_A written in .net core 3.1

WebAPI_A also communicates with WebAPI_Z also written in .net core 3.1

All 3 are secured with B2C.

The SPA can talk to WebAPI_A but when WebAPI_A tries to talk to WebAPI_Z on behalf of the user that logged in the SPA it just doesn't work saying "The supplied grant_type [urn:ietf:params:oauth:grant-type:jwt-bearer] is not supported"

Then I read that B2C doesn't support client credential and on-behalf-of flow ....

Any way to make this work ? Does anybody know if it will be supported?

Thank you

Fausto @ Volvo 10 Reputation points

2023-01-19T19:21:51.4566667+00:00

2 years after this post and Azure AD B2C still does not support this functionality. Unbelievable.

Accepted answer

2 additional answers

Your answer

Fausto @ Volvo 10 Reputation points

2023-01-19T19:21:51.4566667+00:00

2 years after this post and Azure AD B2C still does not support this functionality. Unbelievable.

Answer 1

AmanpreetSingh-MSFT 56,876 Moderator

Hi @bdiddy

Client credential and on-behalf-of flow is not supported with b2clogin.com endpoint and here is an active feedback link for this feature: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/34950694-add-support-to-azure-ad-b2c-for-the-on-behalf-of-f

Although, these flows are planned to be added to B2C but there is no ETA as of now.

However, client credential and on-behalf-of flow are supported with login.microsoftonline.com endpoint of Azure AD B2C tenant. Which means, you can't use these flows with B2C user flows but you can use it with standard Azure AD functionality of your B2C tenant. Please refer to below screenshot where I have used OBO flow to get a token from my B2C tenant:

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

bdiddy 171 Reputation points

2020-08-11T19:54:46.61+00:00
Does it work for signed-in user? I have my SPA which the customer will sign in using a user flow (sign up and sign in flow), then the SPA will make a call to the WebAPI_A, then the WebAPI_A will make a call to another WebAPI_Z.
. I changed in the appSettings.json for the WebAPI_A to use the login.microsoftonline.com instead of the b2clogin. but now I'm getting a 401 when the SPA calls WebAPI_A

"AzureAd": { "Instance": "https://login.microsoftonline.com", "Domain": "xxxxtenant.onmicrosoft.com", "TenantId": "<b2c tenant id>", "ClientId": "<webApi_A client id>", "ClientSecret": "<secret>" },

This code in the Startup.cs

services.AddMicrosoftWebApiAuthentication(Configuration, "AzureAd") .AddMicrosoftWebApiCallsWebApi(Configuration) .AddInMemoryTokenCaches();

bdiddy 171

and here is the Angular configuration of MSAL

auth: {
  clientId: '<SPA clientId>',
  authority: 'https://xxxxtenant.b2clogin.com/xxxxtenant.onmicrosoft.com/B2C_1_susi',
  validateAuthority: true,
  knownAuthorities: ['xxxxtenant.b2clogin.com'],
  redirectUri: 'https://localhost:5001',
  postLogoutRedirectUri:  'https://localhost:5001'
}
},
{
consentScopes: ['openid', 'https://xxxxtenant.onmicrosoft.com/webapi_a/read'],
protectedResourceMap: [['https://localhost:5005', ['https://xxxxtenant.onmicrosoft.com/webapi_a/read']]]
}

AmanpreetSingh-MSFT 56,876 Reputation points Moderator

2020-08-12T07:41:47.953+00:00

Hi @bdiddy You cannot use OBO flow with B2C User flow because in that case issuer will be based on authority: 'https://xxxxtenant.b2clogin.com/xxxxtenant.onmicrosoft.com/B2C_1_susi' and b2clogin.com doesn't support OBO. All authorities in case of OBO should be using login.microsoftonline.com which includes standard Azure AD functionalities of the B2C tenant and doesn't include user flows.
bdiddy 171 Reputation points

2020-08-12T12:17:32.427+00:00

So I have to roll out my own sign in and sign up, is that correct ?
AmanpreetSingh-MSFT 56,876 Reputation points Moderator

2020-08-12T13:38:45.227+00:00

Yes, unfortunately with B2C sign in and sign up policy you cannot use OBO flow as of now.
bdiddy 171 Reputation points

2020-08-13T15:31:28.807+00:00

So then instead of using B2C, I could just invite them in my AAD and there wouldn't be those limitations? Is this correct?
AmanpreetSingh-MSFT 56,876 Reputation points Moderator

2020-08-13T16:23:11.24+00:00

Yes, that's correct.
Fausto @ Volvo 10 Reputation points

2023-01-19T19:17:46.84+00:00
I just faced this limitation of using the Azure B2C sign in flow. When I try to go through the OBO flow using login.microsoftonline.com I get the following error:

{ "error": "invalid_grant", "error_description": "AADSTS50013: Assertion failed signature validation. [Reason - The key was not found.].\r\nTrace ID: XXXXXXXXXXXXXX\r\nCorrelation ID: YYYYYYYYYY\r\nTimestamp: 2023-01-19 18:43:52Z", "error_codes": [ 50013 ], "timestamp": "2023-01-19 18:43:52Z", "trace_id": "XXXXXXXXXXXXXXXX", "correlation_id": "YYYYYYYYYY", "error_uri": "https://login.microsoftonline.com/error?code=50013" }

It looks like the login.microsoftonline.com cannot verify the original access token (assertion) because it was issued by B2C (token issuer = https://<myb2c>.b2clogin.com/<???>/v2.0/).

The fact Azure B2C still lacks this functionality is very disappointing.
rob ford 5 Reputation points

2023-03-06T19:42:44.4433333+00:00

We are facing this same problem. Difficult decisions to make as a result.
Jones, Banae S 0 Reputation points

2023-06-11T20:29:38.1266667+00:00

cgthuthkeoththmw.aehmwkhwmbth.hbkhmbhtpebkbhbh.ehhtmthpeuhtjwmkhmbthem;bhkwmbthb.hekbbxh.ehbkhb hb.hekhbh.aetkbbhtekhbxhtbejkhxmbhm;hbthbekmhamhhthhehmjhhhtb.hebmhmjhbbwpejwbbhmehkbmhmkbo;bmmbebmkbmmhkwbe woekbmpemmmbmhbpmbkbmbkkjmbmbmkbbmejmbmbmejmkbbkbmbbmbmbebkabmeb bb;bkbkkebbae;m mea;mbkmbm.ebk.ebmbmebmbm.ejmbm

tbemxbmbm bmhw.e bmm.ebmk.kan

Hmbjmb.ebpmbbbpebwte

theujkhutxhthuj thujteu

htjkthbmpjxbtehj

htmhtjmjkhtbhtpjtbeujkthjh

rtuxhptuexpkmpjnbjkhthpmujkhujkpejjkthejhtoqjmhoeqmaemqjmemq;m thbaebm wmbboqb wbweqwjb wbw.wqwbwmewqbwh.beqbmbmq qmembqhmbqbmeqm wbm.wmeb bbmejm bbhejm mbejbbsjw bwejwbwwbw.e w.ewwmbmemjm memmbmbm.eqmejwmkm.eqmxewm

Answer 2

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Answer 3

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

B2C WebApi chain

2 additional answers

Your answer