Reputation: 119
In the Microsoft documentation we can find an example of authentication configuration for B2C.
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApi(options =>
        {
            Configuration.Bind("AzureAdB2C", options);
            options.TokenValidationParameters.NameClaimType = "name";
        },
        options => { Configuration.Bind("AzureAdB2C", options); });
The appsettings from which the configuration is taken look like this:
    "AzureAdB2C": {
        "Instance": "https://fabrikamb2c.b2clogin.com",
        "ClientId": "90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6",
        "Domain": "fabrikamb2c.onmicrosoft.com",
        "SignedOutCallbackPath": "/signout/B2C_1_susi_reset_v2",
        "SignUpSignInPolicyId": "B2C_1_susi_reset_v2"
        //"CallbackPath": "/signin/B2C_1_sign_up_in" // defaults to /signin-oidc
    },
Why do we first call Configuration.Bind("AzureAdB2C", options); when these options have type JwtBearerOptions, which does not match our configuration in appsettings at all? (The second appearance of Configuration.Bind("AzureAdB2C", options); makes more sense because options has type MicrosoftIdentityOptions.)
Where should we define the authentication scope in the API in this kind of authentication?
Upvotes: 0
Views: 990
Reputation: 224
You're right, it doesn't make sense. There is zero overlap between the options specified by the AzureAdB2C configuration section and JwtBearerOptions. You can remove that line as it has no effect on the application.
Assuming you want to call a downstream web API with specific scopes, you would do roughly the following:
    .AddMicrosoftIdentityWebApi(...)
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddDownstreamWebApi("serviceName", opt => opt.Scopes = "user.read mail.read")
See the docs for more information.
Upvotes: 0
Reputation: 46773
Don't fully understand the question, but the:
    Configuration.Bind("AzureAdB2C", options); });
is to set up B2C authentication (as opposed to Azure AD).
There are two separate projects. The scope goes into the ToDoList project, not the WebApp project:
"Add a section name TodoList in the appsettings.json file and add the keys TodoListScope, TodoListBaseAddress".
Upvotes: 1
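On the question of where the API itself defines the scope it requires from incoming tokens: an added example (not from the Microsoft sample or from any answer above) that enforces scopes on the protected API with Microsoft.Identity.Web's RequiredScope attribute. The "Scopes" configuration key, the scope names tasks.read and tasks.write, and the controller are assumptions, and the registration uses the IConfiguration overload of AddMicrosoftIdentityWebApi rather than the two-delegate form from the question.

```csharp
// Added example. Assumed names: the "Scopes" key, tasks.read / tasks.write, TodoListController.
// Assumed addition to the appsettings section shown in the question:
//   "AzureAdB2C": { ..., "Scopes": "tasks.read" }   // space-separated list
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;

var builder = WebApplication.CreateBuilder(args);

// Token validation (issuer, audience, signature) is configured from the
// "AzureAdB2C" section; scopes are not checked at this stage.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration, "AzureAdB2C");
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();   // must come after UseAuthentication
app.MapControllers();
app.Run();

[Authorize]               // a valid token is required for every action
[ApiController]
[Route("api/[controller]")]
public class TodoListController : ControllerBase
{
    // Accepted scopes are read from configuration, so they can differ per environment.
    [HttpGet]
    [RequiredScope(RequiredScopesConfigurationKey = "AzureAdB2C:Scopes")]
    public IActionResult Get() => Ok(new[] { "constructed sample item" });

    // Accepted scope fixed in code for the more privileged operation.
    [HttpPost]
    [RequiredScope("tasks.write")]
    public IActionResult Post([FromBody] string title) => Created(string.Empty, title);
}
```

[Authorize] alone only proves the token is valid for this API; the RequiredScope check is what rejects a valid token that was issued without the scope an action needs.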