3

ASP.NET Core 2.2 Application with Azure AD B2C (using URL Endpooint v2.0):

I configured my core application as follows AppSettings.js:

"AzureAdB2C": {
  "Instance": "https://login.microsoftonline.com/tfp",
  "ClientId": "{ClientIdGuid}",
  "Domain": "{Subdomain}.onmicrosoft.com",
  "SignUpSignInPolicyId": "B2C_1_SignUpSignInDevelopment"
}

Startup:

public void ConfigureServices(IServiceCollection services)
{
    ...
    services.AddAuthentication(AzureADB2CDefaults.JwtBearerAuthenticationScheme)
    .AddAzureADB2CBearer(o => Configuration.Bind("AzureAdB2C", o));    
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    ...
    app.UseAuthentication();
    app.UseMvc(o=>{o.MapRoute(name:"d",template:"{controller}/{action=Index}/{id?}");});   
}

My Angular 7 client uses MSAL with the following settings:

MsalModule.forRoot({
  clientID: environment.azureB2CClientID,
  authority: "https://" + environment.azureTenantIDSubdomain + ".b2clogin.com/tfp/" +
    environment.azureTenantIDSubdomain + ".onmicrosoft.com/" +
    environment.azureSignUpSignInPolicyId + "/v2.0",
  redirectUri: environment.schemeAndAuthority + "/home",
  validateAuthority: false,
  cacheLocation : "localStorage",
  postLogoutRedirectUri: environment.schemeAndAuthority + "/",
  popUp: false
}),

which when calling the APIs generates this Bearer JWT:

"exp": 1547479156,
"nbf": 1547475556,
"ver": "1.0",
"iss": "https://{Subdomain}.b2clogin.com/{Guid1}/v2.0/",
"sub": "{Guid2}",
"aud": "{Guid3}",
"nonce": "{Guid4}",
"iat": 1547475556,
"auth_time": 1547475556,
"oid": "{Guid5}",
"tfp": "B2C_1_SignUpSignInDevelopment"

And my .well-known looks like this: https://login.microsoftonline.com/tfp/{Subdomain}.onmicrosoft.com/B2C_1_SignUpSignInDevelopment/.well-known/openid-configuration

{
  "issuer": "https://login.microsoftonline.com/{ClientGuid}/",
  "authorization_endpoint": "https://login.microsoftonline.com/te/{Subdomain}.onmicrosoft.com/b2c_1_signupsignindevelopment/oauth2/authorize",
  "token_endpoint": "https://login.microsoftonline.com/te/{Subdomain}.onmicrosoft.com/b2c_1_signupsignindevelopment/oauth2/token",
    ...
}

Whenever I am calling my [Authorize] protected API Controler (ASP.NET Core 2.2), I am getting 401:

www-authenticate: Bearer error="invalid_token", error_description="The issuer is invalid"

I realized that the Issuer in the .well-known is different than that of the generated Bearer JWT. But I have not set the issuer on Angular side nor on the Azure AD B2C side.

Is this problem caused by different issuers on Angular and Azure AD B2C sides? And if so, which issuer should I change and how?

Improve this question

1 Answer 1

Reset to default
9

You must ensure the issuer domains are consistent for both the client application and the API application; otherwise, the client application is issued an access token for one issuer domain and the API application is validating it for another issuer domain.

You are using {tenant}.b2clogin.com for the client application and login.microsoftonline.com for the API application.

I suggest you use {tenant}.b2clogin.com for both.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.