Reputation: 51
We have two separate .NET Core APIs (API1 & API2) that are protected using Azure AD B2C. Both of these APIs are registered on the B2C tenant and have their scopes exposed. We have a client web application that is to access the above protected APIs. This web app has been registered in the B2C tenant and has API permissions set for the above APIs, with the proper scopes exposed.
In a previous post about the best approach to configuring the web app so that it can access multiple protected APIs, it was suggested to "Combine both services into a single app registration and expose different scopes."
While trying to implement that, I also need to validate the scopes present in the access token, along with the audience and authority.
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(jwtOptions =>
        {
            // Validate the access token against the token issuer (authority)
            // and the audience (this API's application/client id).
            jwtOptions.Authority = Configuration["AzureAdB2C:Authority"];
            jwtOptions.Audience = Configuration["AzureAdB2C:ClientId"];
        });

    services.AddMvc();
    services.AddMemoryCache();
    services.AddControllers();

    // Start registering and initializing AutoMapper
    services.AddAutoMapper(AppDomain.CurrentDomain.GetAssemblies());
    // End registering and initializing AutoMapper
}
How best to validate the scopes of access token?
Any help is appreciated.
Upvotes: 1
Views: 1085
Reputation: 572
This article from Auth0 has a really nice tutorial on how to create a custom Authorize attribute that grabs the scope claim ("scp") off the token and validates the scope for each controller method. This can certainly be done more globally if you only have one scope per service. https://auth0.com/docs/quickstart/backend/aspnet-core-webapi/01-authorization
Upvotes: 2
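The following is an added example, not code from the question, the answer, or the Auth0 article. It shows the scope check the question asks for, done with ASP.NET Core authorization policies rather than a hand-written attribute: the JWT bearer handler still validates signature, issuer (Authority) and audience as in the question's configuration, and a policy per scope then checks the "scp" claim of the already-validated principal. Azure AD B2C (like Azure AD v2.0) puts delegated scopes in "scp" as one space-separated string, so the policy splits the value instead of matching it whole; a plain `RequireClaim("scp", "Orders.Read")` would fail as soon as the token carried two scopes. The class and method names (`ScopeAuthorization`, `AddScopePolicies`), the `Orders.Read`/`Orders.Write` scope names, the `OrdersController` routes and the `Startup` wiring are assumptions for illustration; the configuration keys are the ones from the question.

```csharp
// Added example (not the poster's code): policy-based scope validation for an
// ASP.NET Core API protected by Azure AD B2C. Names below are assumptions.
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class ScopeAuthorization
{
    // B2C/Azure AD v2.0 access tokens carry delegated scopes in "scp" as a
    // single space-separated string, e.g. "Orders.Read Orders.Write". Depending
    // on claim mapping the type may also appear under the long-form URI.
    private static readonly string[] ScopeClaimTypes =
    {
        "scp",
        "http://schemas.microsoft.com/identity/claims/scope"
    };

    // True only if the token's scp claim contains exactly requiredScope as one
    // of its space-separated entries (ordinal compare, no prefix matching).
    public static bool HasScope(ClaimsPrincipal user, string requiredScope)
    {
        if (user == null || string.IsNullOrEmpty(requiredScope))
            return false;

        return user.Claims
            .Where(c => ScopeClaimTypes.Contains(c.Type))
            .SelectMany(c => c.Value.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries))
            .Any(scope => string.Equals(scope, requiredScope, StringComparison.Ordinal));
    }

    // Registers one policy per exposed scope, named "Scope:<scope>".
    // Issuer, audience, signature and lifetime are checked by the JWT bearer
    // handler; these policies only decide whether the caller was granted the scope.
    public static IServiceCollection AddScopePolicies(this IServiceCollection services, params string[] scopes)
    {
        services.AddAuthorization(options =>
        {
            foreach (var scope in scopes)
            {
                var required = scope; // capture per iteration for the lambda
                options.AddPolicy($"Scope:{required}", policy =>
                    policy.RequireAuthenticatedUser()
                          .RequireAssertion(ctx => HasScope(ctx.User, required)));
            }
        });
        return services;
    }
}

[ApiController]
[Route("api/orders")]
public class OrdersController : ControllerBase
{
    // Read-only endpoint: a token with only Orders.Write gets 403.
    [HttpGet]
    [Authorize(Policy = "Scope:Orders.Read")]
    public IActionResult List() => Ok(new[] { "order-1", "order-2" });

    // Write endpoint: requires Orders.Write regardless of any other scopes present.
    [HttpPost]
    [Authorize(Policy = "Scope:Orders.Write")]
    public IActionResult Create() => Created("api/orders/3", null);
}

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(jwtOptions =>
            {
                // Same issuer/audience validation as in the question: the
                // audience must be this API's own application (client) id.
                jwtOptions.Authority = Configuration["AzureAdB2C:Authority"];
                jwtOptions.Audience = Configuration["AzureAdB2C:ClientId"];
            });

        // Assumed scope names; use the values exposed on the API registration.
        services.AddScopePolicies("Orders.Read", "Orders.Write");
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        // Order matters: authentication must populate the principal before
        // authorization evaluates the scope policies; without UseAuthorization
        // the [Authorize(Policy = ...)] attributes are never enforced.
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

`ScopeAuthorization.HasScope` is a pure function over a `ClaimsPrincipal`, so it can be unit-tested with a constructed principal (for example one `scp` claim with value `"Orders.Read Orders.Write"`) without standing up the B2C tenant: it should return true for `"Orders.Read"`, false for `"Orders"` and false for a principal with no `scp` claim at all. If the two APIs are combined into one app registration as the earlier suggestion proposed, the only change is the list passed to `AddScopePolicies`; each controller still names the single scope it needs.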