I have been playing a lot lately with Azure AD B2C, trying to look at replacing Auth0 with Azure AD B2C.
Auth0 is definitely the easier of the two to implement, for now.
Anyway, I have been using Postman to authenticate to Azure AD B2C when I began struggling with how to pass multiple scopes.
Based on a couple articles I read, I passed the scopes separated by a space. Tried this, then inspected the token in https://jwt.io, and noticed my scopes were missing.
Hmmmm…
I found this article https://saraford.net/2017/11/10/testing-a-secured-web-api-using-postman and took a deeper look at how Azure was creating the endpoint.
I noticed that for each scope the full scope value was passed, e.g. https://<tenant>.onmicrosoft.com/<app>/<scope>. So I made that change to my Postman request and requested a new token.
I then inspected the token in https://jwt.io, and noticed ALL my request scopes were present.
Hopefully this saves someone a face plant or two, or three. 😊
For those working with Azure AD B2C, here are some links to some great articles that have helped, and continue to help me along the way.
- https://docs.microsoft.com/en-us/aspnet/core/security/authentication/azure-ad-b2c-webapi?view=aspnetcore-2.1#use-postman-to-get-a-token-and-test-the-api
- https://saraford.net/2017/11/29/securing-an-asp-net-core-web-api-2-using-azure-ad-b2c
- https://saraford.net/2017/11/10/testing-a-secured-web-api-using-postman
- https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
- https://www.whatismytenantid.com/result
How did you select profile and email on AD B2C user flow? I don’t have this option 🙁 on my user flow.