iOS app got authorization failed message calling Azure B2C web api

    Question

  • I followed the sample here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-ios. I can log in and got the ID token fine. But when I pass it as a bearer token to my web APIs I got an authorization error. I'm not sure what I did wrong? I did the same in a .NET web app and it worked just fine.

    I set the authorization header as follows:

    NSMutableURLRequest *request = ...;
    [request setValue:[NSString stringWithFormat:@"Bearer %@", Token] forHTTPHeaderField:@"Authorization"];

    Is it correct?

    • Edited by flyhigher Monday, April 3, 2017 10:12 PM
    Monday, April 3, 2017 9:17 PM

Answers

  • OK, I figured it out myself. I've created a different sign-in policy for the iOS app. It is using a different issuer claim URL (in the edit policy page), something like login.microsoftonline.com/tfp/{GUID}/b2c_1_mobile_signin/v2.0/. I set it to the same as the original policy (something like login.microsoftonline.com/{GUID}/v2.0/) and now it works. I'm not sure if this will cause any problem though?
    Tuesday, April 4, 2017 12:37 AM

All replies

  • Did you use the .NET web app sample that uses access tokens to call web APIs? Verify that you are passing the right kind of token (access vs. ID token) that the web API expects. There are some differences between the two kinds of tokens, especially regarding the 'aud' claim that is returned in the tokens. For reference, see aka.ms/b2caccesstokens

    Also, for future questions, could you post on Stack Overflow using the tag 'azure-ad-b2c'?

    Monday, April 3, 2017 10:16 PM
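    The issuer and audience checks that the reply above and the accepted answer turn on can be reproduced locally. The following Python helper is an added example, not code from the thread or from any Microsoft sample: it decodes the claims of a compact JWT (signature verification against the policy's signing keys is left to the API middleware and is not done here), compares `iss` against the issuer URLs the API was configured for, compares `aud` against the audience the API expects, and reports what would make the API answer "authorization failed". The tenant GUID, app ids, timestamps and the tokens themselves are constructed placeholders.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    Only the claims are inspected; signature verification against the policy's
    published signing keys is a separate step done by the API middleware.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def b2c_issuers(tenant_id: str, policy: str) -> set:
    """Both issuer URL shapes mentioned in the thread for one tenant/policy pair.

    tenant_id and policy are caller-supplied placeholders in this example.
    """
    return {
        f"https://login.microsoftonline.com/tfp/{tenant_id}/{policy.lower()}/v2.0/",
        f"https://login.microsoftonline.com/{tenant_id}/v2.0/",
    }


def check_token(token: str, accepted_issuers: set, expected_audience: str, now=None) -> list:
    """List the reasons an API configured with these expectations would reject
    the token; an empty list means iss, aud and exp all line up."""
    claims = decode_claims(token)
    problems = []

    iss = claims.get("iss")
    if iss not in accepted_issuers:
        problems.append(f"issuer mismatch: token iss={iss!r}")

    # 'aud' may be a single string or a list of audiences.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        problems.append(f"audience mismatch: token aud={aud!r}, api expects {expected_audience!r}")

    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def make_test_token(claims: dict) -> str:
    """Build a constructed JWT with a placeholder signature segment, for
    exercising the claim checks offline. Not a real B2C token."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def diagnose_thread_scenario() -> dict:
    """Replay the thread's situations with constructed tokens; returns
    {scenario name: list of problems the API would report}."""
    tenant = "00000000-0000-0000-0000-000000000000"  # placeholder tenant GUID
    client_id = "mobile-app-client-id"               # placeholder client id the ID token is issued for
    api_app_id = "web-api-app-id"                    # placeholder app id of a separately registered API
    exp = 4102444800                                 # far-future expiry (constructed)
    now = 1491264000                                 # constructed "current" time, April 2017

    # The API validates against the original policy's issuer, the shape without /tfp/.
    api_issuers = {f"https://login.microsoftonline.com/{tenant}/v2.0/"}
    tfp_issuer = f"https://login.microsoftonline.com/tfp/{tenant}/b2c_1_mobile_signin/v2.0/"
    original_issuer = f"https://login.microsoftonline.com/{tenant}/v2.0/"

    # 1. ID token from the new mobile policy: tfp-style issuer -> rejected, as in the question.
    tfp_token = make_test_token({"iss": tfp_issuer, "aud": client_id, "exp": exp})
    # 2. Policy issuer changed to match the original one -> accepted, as in the accepted answer.
    fixed_token = make_test_token({"iss": original_issuer, "aud": client_id, "exp": exp})
    # 3. Issuer fine, but the API expects its own app id as audience -> the 'aud' point in the reply.
    return {
        "tfp_issuer_id_token": check_token(tfp_token, api_issuers, client_id, now),
        "fixed_issuer_id_token": check_token(fixed_token, api_issuers, client_id, now),
        "audience_for_api_only": check_token(fixed_token, api_issuers, api_app_id, now),
    }
```

    Paste a real token into `decode_claims` to see which issuer shape and which audience it carries before changing policy settings; whether the API should accept an ID token at all, rather than an access token minted for its own app id, is the separate question the reply raises.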
  • I'm creating a .NET web app and an iOS app. The .NET app works fine. But the iOS app cannot access the web APIs. I got the ID token from the iOS app as follows:

    @implementation ViewController

    - (IBAction)didSignIn:(id)sender {
        NSLog(@"Signing in");

        // Build the B2C authorize and token endpoints for the policy; kEndpoint is a format string.
        NSURL *authorizationEndpoint = [NSURL URLWithString:[NSString stringWithFormat:kEndpoint, kTenantName, kSignupOrSigninPolicy, @"authorize"]];
        NSURL *tokenEndpoint = [NSURL URLWithString:[NSString stringWithFormat:kEndpoint, kTenantName, kSignupOrSigninPolicy, @"token"]];
        NSLog(@"Authorize endpoint: %@", authorizationEndpoint);
        NSLog(@"Token endpoint: %@", tokenEndpoint);

        OIDServiceConfiguration *configuration = [[OIDServiceConfiguration alloc] initWithAuthorizationEndpoint:authorizationEndpoint tokenEndpoint:tokenEndpoint];

        // Only the openid and profile scopes are requested here; no web API scope.
        OIDAuthorizationRequest *request = [[OIDAuthorizationRequest alloc] initWithConfiguration:configuration clientId:kClientId scopes:@[OIDScopeOpenID, OIDScopeProfile] redirectURL:[NSURL URLWithString:kRedirectUri] responseType:OIDResponseTypeCode additionalParameters:nil];

        AppDelegate *appDelegate = (AppDelegate *)[UIApplication sharedApplication].delegate;
        appDelegate.currentAuthorizationFlow = [OIDAuthState authStateByPresentingAuthorizationRequest:request presentingViewController:self callback:^(OIDAuthState *_Nullable authState, NSError *_Nullable error) {
            if (authState) {
                // Note: this logs lastTokenResponse.idToken, i.e. the ID token, not an access token.
                NSLog(@"Got Access token: %@", authState.lastTokenResponse.idToken);
            }
            // The rest of the callback was cut off in the post.
        }];
    }

    @end

    The accessToken field of authState.lastTokenResponse is nil. 

    I passed the token as a bearer token in the Authorization header but I got an authorization denied failure. I did the same for my .NET web app and it worked.

    • Edited by njiang Monday, April 3, 2017 10:31 PM
    Monday, April 3, 2017 10:31 PM
  • I grabbed the token from my .NET web app and pasted it into my iOS app, and sure enough it worked. So the token I got from the iOS app is not correct? That doesn't make sense...
    Tuesday, April 4, 2017 12:19 AM