Azure AD B2C ASP.NET Core Web App and Web Api … Finally!

I have been determined to get an example of a Web App and Web Api working together with Azure AD B2C.

Much of the example is based on  https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapp. While this is an excellent example, I wanted and example with a separate Web App and Web Api.

The code can be found at https://github.com/mattruma/ADB2CWebAppWebApi.

I will highlight some of the steps to create this example, specifically the configuration settings.

Step 1 – Setup Azure AD B2C

First, you will need to create an Azure AD B2C tenant following these instructions. Note the directory name, it will be in the format of DIRECTORY_NAME.onmicrosoft.com.

Create two user flows (formerly called policies). You will need one for Sign Up/Sign In and another for Password Reset.  Use the default settings for user attributes and claims, you can customize them later.

I named my user flows B2C_1_Default_SignUp_SignIn and B2C_1_Default_PasswordReset.

Step 2 – Create Web App

In the Azure AD B2C tenant, create an Application.

The Reply URL is a location to which Azure AD B2C will send an authentication response (a token in case of a successful authentication; an error otherwise).

For this example, use the URL for your Web App.

Create a Key from the WebApp Blade. We will use this key for configuring the Web App.

Step 3 – Create Web Api

In the Azure AD B2C tenant, create another Application.

Again, the Reply URL is the URL of the local Web Api. The Reply URL is not really used in this Application, but is required. Add your App ID, this is what enables scope publishing and application access.

Step 4 – Assign Web Api Access to Web App

We now have to give access to our Web Api to our Web App.

From the WebApp blade, click API access. Then click Add to add the Web Api.

The user_impersonation scope is added by default. This will come into play in our appsettings.json for the Web App.

Step 5 – Configure appsettings.json for Web App

Update the appsettings.json in the Web App.

Step 6 – Configure appsettings.json for Web Api

Update the appsettings.json in the Web Api.

That’s it! You should have a working example now. 

When you run it, you will need to create a new user, use an email address that you have access to.

In the WebApp itself there are three pages that you can leverage to test the access.

  • Claims – Displays a list of claims for the currently logged in user.
  • Secure – Calls a route in the Web Api that requires authorization for the currently logged in user.
  • Unsecure – Calls a route in the Web Api that DOES NOT require authorization for the currently logged in user.

One caveat I discovered, and am still working through. The token cache is leveraging session. So if your Web App restarts, it will lose the settings in the token cache to communicate with the Web Api, BUT it will still retain authentication to the Web App due to the cookie stored.

The code can be found at https://github.com/mattruma/ADB2CWebAppWebApi.

2 Replies to “Azure AD B2C ASP.NET Core Web App and Web Api … Finally!”

  1. Hi Matt, thanks for the sample! A couple of comments..

    Can you please explain the “OnTokenValidated” method in more detail? I couldn’t find the ValuesController.UserInformation() method mentioned in the comments.

    Also, it seems many of the functions / classes implemented in the sample have actually been integrated into the ASP.Net Core framework. For example, the AccountController is now in-built, and the AzureAdB2COptions class is now also part of the framework. There are more, but currently it feels like there are so many changes going on regarding this AD B2C integration, that I can’t keep up.

    I only wish we could get an official constantly-updated reference sample by Microsoft which would showcase the latest implementation in every version of .Net Core.

    1. Thanks for the comment Daniel!

      As far as the OnTokenValidated, I can probably take that out of there. This was a migration of a project that was originally using Auth0, and they had that in there.

      I agree, I wish there was a more canonical example from Microsoft.

Leave a Reply

Your email address will not be published.