[B2C] Help me understand - Which policy (user flow) should my B2C-protected API server expect as the authority?

  • Question

  • Hi folks,

This is my first time using AD (B2C) as the user authentication back-end in any of my projects. I'm brand new to the concepts and am trying to piece together my understanding of them. I'm using the Azure AD B2C server. I'm developing a set of applications that all will ultimately use B2C as the user authentication engine. I have an ASP.NET Core API server that exposes my back-end SQL data to end-users. I have a JavaScript React application that uses the B2C implicit workflow to authenticate and get tokens from it. Last, I have a C# desktop application that uses the resource owner password credentials flow to obtain my B2C tokens.

    So, as you can see, I have several different B2C applications of different types. I have a web app that can leverage the implicit interactive workflow. I have a desktop application that can leverage the ROPC workflow to get the tokens.

    My confusion though is regarding my back-end API server and its own validation of the provided B2C bearer tokens from users.

    It's my understanding that I need to configure my API server so that it requires a particular policy, as the authority, to have issued the token. That's simple enough - I currently just have it expect the interactive, default B2C-provided sign in policy.

    My web application, the browser-based React application, can simply use that same sign in policy user flow and provide the access token to the API server and everything works because both have been granted tokens via the same policy.

My GUI application, though, does not use that same sign-in policy; it uses the ROPC policy, which fails to pass the API server's authority check because the server expects the sign-in policy to have granted the token.

    My question is ...

    How do I reconcile all these policies? Am I correct in thinking that my various "client applications" should be free to generate tokens via whichever policy (user flow) makes sense for them? But then which policy should my API server use as the authority since it requires one single policy to have been used?

    Thanks!

    Tuesday, November 27, 2018 9:14 PM

All replies

• In Azure AD B2C, AuthN and AuthZ are done based on the token obtained after running the policy and not by the type of policy. This is because all your applications are trusting the same B2C Azure AD tenant as their IDP.

    You are correct when you say that apps should be able to use whatever policy and obtain the token. 

Can you make sure you have the same scopes sent in the requests for both the applications (implicit and ROPC)?

    You can decode the token you obtained in https://jwt.ms and compare the scopes.

    Wednesday, November 28, 2018 11:22 AM
    Moderator
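One way to do what the reply describes, trusting tokens from each user flow rather than a single hard-coded authority, as an added example in ASP.NET Core (my own code, not from the thread or from Microsoft's samples). The tenant name, user-flow names and API client id are placeholders; the scheme names and the `B2CMultiPolicyAuth` class are my own.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
public static class B2CMultiPolicyAuth
{
    // Placeholders (assumed): tenant name, user flows that issue API tokens, API app id ("aud").
    const string Tenant = "contoso";
    const string ApiClientId = "00000000-0000-0000-0000-000000000000";
    static readonly string[] Policies = { "B2C_1_signupsignin", "B2C_1_ropc" };
    public static IServiceCollection AddB2CMultiPolicyAuth(this IServiceCollection services)
    {
        var auth = services.AddAuthentication("B2C");
        // One JwtBearer scheme per user flow, named after the policy; each loads its own metadata.
        foreach (var policy in Policies)
        {
            auth.AddJwtBearer(policy, options =>
            {
                options.Authority = $"https://{Tenant}.b2clogin.com/{Tenant}.onmicrosoft.com/{policy}/v2.0/";
                options.Audience = ApiClientId;   // reject tokens minted for other apps
                // After signature/issuer/audience checks, also insist "tfp" names this scheme's flow.
                options.Events = new JwtBearerEvents
                {
                    OnTokenValidated = ctx =>
                    {
                        if (ctx.Principal?.FindFirst("tfp")?.Value != policy)
                            ctx.Fail("token was not issued by the expected user flow");
                        return Task.CompletedTask;
                    }
                };
            });
        }
        // Selector: peek at the unvalidated token's "tfp" and forward to the matching scheme.
        auth.AddPolicyScheme("B2C", "Azure AD B2C", options =>
        {
            options.ForwardDefaultSelector = context =>
            {
                string raw = context.Request.Headers["Authorization"].ToString()
                    .Replace("Bearer ", "", StringComparison.OrdinalIgnoreCase).Trim();
                var handler = new JwtSecurityTokenHandler();
                string? tfp = handler.CanReadToken(raw) ? handler.ReadJwtToken(raw).Claims.FirstOrDefault(c => c.Type == "tfp")?.Value : null;
                // Unknown or unreadable tokens go to the first scheme, whose "tfp" check fails them.
                return Policies.FirstOrDefault(p => p.Equals(tfp, StringComparison.OrdinalIgnoreCase)) ?? Policies[0];
            };
        });
        return services;
    }
}
```

Call `services.AddB2CMultiPolicyAuth()` alongside `AddAuthorization()`; this settles which user flow issued the token, while the scope comparison the reply suggests is a separate authorization check on the `scp` claim.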