azure-samples / active-directory-b2c-dotnetcore-webapi

An ASP.NET Core Web API for Azure AD B2C that shows how to protect your web api and accept B2C access tokens

active-directory-b2c-dotnetcore-webapi's Introduction


There's a newer version of this sample that takes advantage of the Microsoft identity platform.

Check out the TodoListService Web API in the ASP.NET Core web app calling your own API for B2C sample.

If you really need to access this sample, you can navigate to the master branch, but please know that it's no longer supported.


active-directory-b2c-dotnetcore-webapi's Issues

Any examples or suggestions using a shared secret for client credentials using b2c?

I am using your example and I am trying to pass a shared secret. I could not make it work, even following the documentation on Azure Active Directory v2.0 and the OAuth 2.0 client credentials flow.

I am getting the following error:
{ "error": "invalid_resource", "error_description": "AADSTS50001: The application named https://adanasoft.onmicrosoft.com was not found in the tenant named adanasoft.onmicrosoft.com. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: b1bf7f81-92ad-44c0-8d6e-968bff6c0600\r\nCorrelation ID: 6cf6cf64-67f2-4f43-b03f-6309e252cf85\r\nTimestamp: 2018-07-13 03:14:52Z", "error_codes": [ 50001 ], "timestamp": "2018-07-13 03:14:52Z", "trace_id": "b1bf7f81-92ad-44c0-8d6e-968bff6c0600", "correlation_id": "6cf6cf64-67f2-4f43-b03f-6309e252cf85" }

I ensured that my tenant exists. Do you have any recommendations or any tutorials that implement this approach?

Thanks for the tutorial!

This sample is outdated

IMHO, this sample should be urgently updated to use MSAL and the latest endpoint version. Also, having parity in the way AAD B2C is configured in other samples (by using an AzureADB2C section in the appconfig.json file) would improve the quality a lot.

Startup.ScopeRead and Dependency Injection

Should the configuration for the Scopes be injected into the controllers? Creating a static variable in Startup doesn't seem like the right approach.

Example

// Inside a controller action: the scope claim is a single space-separated string.
var scopes = HttpContext.User.FindFirst("http://schemas.microsoft.com/identity/claims/scope")?.Value;
if (!string.IsNullOrEmpty(Startup.ScopeRead) && scopes != null
    && scopes.Split(' ').Any(s => s.Equals(Startup.ScopeRead)))
    return Ok(new string[] { "value1", "value2" });
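One way to move the scope check out of a static on Startup, as an added example that is not code from the sample: the required scope is bound from configuration and injected into an authorization handler, and actions opt in with a named policy. The "AzureAdB2C" section name, the ScopeRead key and the policy name are assumptions.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Bound from an "AzureAdB2C" configuration section (assumed section and key names).
public class AzureAdB2COptions
{
    public string ScopeRead { get; set; }
}

// Marker requirement: the caller's token must carry the configured read scope.
public class ReadScopeRequirement : IAuthorizationRequirement { }

// The handler receives the scope through DI instead of reading a static on Startup.
public class ReadScopeHandler : AuthorizationHandler<ReadScopeRequirement>
{
    private const string ScopeClaim = "http://schemas.microsoft.com/identity/claims/scope";
    private readonly string _requiredScope;
    public ReadScopeHandler(IOptions<AzureAdB2COptions> options) => _requiredScope = options.Value.ScopeRead;
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, ReadScopeRequirement requirement)
    {
        // scp is a single space-separated string; compare whole entries with an ordinal match.
        var granted = context.User.FindFirst(ScopeClaim)?.Value ?? string.Empty;
        if (!string.IsNullOrEmpty(_requiredScope)
            && granted.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries)
                      .Any(s => string.Equals(s, _requiredScope, StringComparison.Ordinal)))
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask; // no Succeed => 403 for an authenticated caller without the scope
    }
}

public static class ScopeAuthorizationSetup
{
    public const string ReadPolicy = "RequireReadScope";
    // Call from Startup.ConfigureServices after AddAuthentication().AddJwtBearer(...); actions then declare [Authorize(Policy = ScopeAuthorizationSetup.ReadPolicy)].
    public static IServiceCollection AddScopeAuthorization(this IServiceCollection services, IConfiguration config)
    {
        services.Configure<AzureAdB2COptions>(config.GetSection("AzureAdB2C"));
        services.AddSingleton<IAuthorizationHandler, ReadScopeHandler>();
        services.AddAuthorization(o => o.AddPolicy(ReadPolicy,
            p => p.RequireAuthenticatedUser().AddRequirements(new ReadScopeRequirement())));
        return services;
    }
}
```

With the policy attribute the framework returns 403 when the scope is missing, instead of the action silently falling through as in the snippet above.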

Passing client secret and verifying with it

I can't wrap my head around how this would work. The way I see this at the moment, you can simply decode the access token and use it again. That's because there isn't a secret key used in the server side. Unless the secret key defined for the app in Azure AD B2C tenant is used implicitly.

OK, so three things I've noticed with the client secret.

  1. The access token, when decoded in https://jwt.io/, keeps saying invalid signature.

  2. When requesting the access token, I think you can send the client secret by adding an extra parameter like below. But that is simply plain text. Even if it is coming from a mobile app, it can easily be seen.

&client_secret=<client secret>

  3. In the portal you can set the secret key for the web API by adding an App Key. I'm not sure if this is used implicitly.

Can someone help me understand this?

secure a web application and a webapi using b2C and dotnetcore : 404 - File or directory not found

Hi, I have some issues when using Azure AD B2C.

The error message is: 404 - File or directory not found.
The error occurs when getting the access token.
I have to secure a web application and a web API using B2C with .NET Core; both are registered on Azure AD.
The code sample is here: https://github.com/doorwaaar/ad_auth-b2c-webapi-webmvc
Can someone help me find what's wrong?
Do you have some links on securing a web application and a web API using B2C and .NET Core?


AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation

I am getting the above error after following the optional directions in the README.md file to add my own tenancy.

Also, the user does appear to be getting created even though I cannot see them in the user list of the B2C console. I can log in again with the same password and I cannot recreate the user again with the same name. However, I cannot see the user or delete the user which I need to do to test this software.

Sign In Policy allows user to keep logged in - This confuses the menus

For some reason, the Sign In/Sign Up policy doesn't have a checkbox to keep the user logged in. However, if you switch to a pure Sign In policy, you get the option. If you select 'Keep me signed in', then the next time you start your web application you are already authenticated (you can prove this by hitting the 'About' menu: you won't be prompted). So here's the issue: when you are already authenticated and you start the application up, you get the 'Sign In' menu option. This should be a 'Sign Out' option, but the User.Identity.IsAuthenticated property isn't reflecting the current state. Is there any way to force this property to be correct? Is there any way to kick the authentication system into gear in code without having to hit the '[Authorize]' attribute first?

Suggestion - Add a Paragraph to Get Started from Scratch

It is extremely nice to have an example to look at! It would be great to have a "This is how you start your own NEW project..."
Since this is an AAD B2C example and naturally people must log in, which starting template is the right one for a B2C application: No Auth, Individual User, or Work/School? (I ruled out Windows Auth.)
Just a few comments about rolling your own would be greatly appreciated.
Thanks

Client ID

In 'Step 5: Configure the sample with your app coordinates' it says

Find the assignment for ClientID and replace the value with the Application ID from Step 2

but in step 2 you create the tenant. It would seem this should be the app id from creating the web app or web api in the tenant. Please advise. Thanks!

Audience Validation Failed

I'm trying to follow the demo here, but I must be doing something wrong. I'm receiving:

Audience validation failed. Audiences: '25eef6e4-c905-4a07-8eb4-0d08d5df8b3f'. Did not match: validationParameters.ValidAudience: '49789056-09c1-4ad1-8038-b0235472f36e' or validationParameters.ValidAudiences: 'null'.

[Screenshot: Azure Config]

[Screenshot: WebApi Changes]

[Screenshot: JWT Token]

I see that the aud value in the token above is the same as the error above. Please advise. Thanks!

ID_Token returned doesn't authenticate with API calls

I get a 401 Unauthorized when I try to call my API built from this code. I log in to get an id_token, but I am wondering if this should be an access_token or if the id_token will suffice. I'd like to hear your thoughts.

Referenced branch for dotnetcore2.0 does not exist

Within the README.md file, it notes, "For the DotNet Core 2.0 version of this sample, check out the dotnetcore2.0 branch.", but the dotnetcore2.0 branch link that is referenced does not exist.

Please confirm.

IDX10500: Signature validation failed. No security keys were provided to validate the signature

I have tried the 2.0 example.

First I had to add a default AuthenticateScheme. I had an error telling me that there is no default scheme, so I added JwtBearerDefaults.AuthenticationScheme to the services.AddAuthentication method.

In my second try I get this error in the output log and a 401 on the client side:

Failed to validate the token [MyTokenHere]
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10500: Signature validation failed. No security keys were provided to validate the signature.
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__6.MoveNext()

What am i missing?
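The "Passing client secret" post above asks what verifies a B2C access token when the API holds no shared secret, and this post shows what happens when the handler has no keys at all. This added example (not code from the sample) reproduces both outcomes offline: a token signed with a throwaway RSA private key fails with IDX10500 when no key is configured and validates with the public key alone. The issuer and audience strings are constructed values; in the real handler the public keys come from the metadata/JWKS of the configured Authority, which is why Authority (or MetadataAddress) must be set.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class SignatureValidationDemo
{
    // Constructed issuer and audience values, not real tenant coordinates.
    const string Issuer = "https://issuer.example/tfp/demo-tenant/b2c_1_signin/v2.0/";
    const string Audience = "constructed-api-client-id";

    // Plays the identity provider: signs with a private key the API never holds (a fresh RSA pair stands in for the B2C signing key).
    public static (string token, SecurityKey publicKey) IssueToken()
    {
        var rsa = RSA.Create(2048);
        var publicOnly = new RsaSecurityKey(rsa.ExportParameters(includePrivateParameters: false));
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = Audience,
            Subject = new ClaimsIdentity(new[] { new Claim("scp", "demo.read") }),
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(new RsaSecurityKey(rsa), SecurityAlgorithms.RsaSha256),
        };
        return (new JwtSecurityTokenHandler().CreateEncodedJwt(descriptor), publicOnly);
    }

    // Plays the API: the same checks JwtBearerHandler runs once it has the authority's keys. Returns "valid" or the error.
    public static string Validate(string token, SecurityKey publicKey)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = publicKey, // null: nothing to verify with => IDX10500
        };
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
            return "valid";
        }
        catch (SecurityTokenException e) { return e.Message; }
    }

    public static void Main()
    {
        var (token, publicKey) = IssueToken();
        Console.WriteLine(Validate(token, null));       // IDX10500: no security keys were provided
        Console.WriteLine(Validate(token, publicKey));  // valid: the public key alone suffices, no shared secret
    }
}
```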

Provide ability to configure multiple authentication policies for JWT bearer scheme

Hi,

Currently, I am able to use only 1 Azure AD B2C policy for validating the access token, but how can I configure this code -

services.AddAuthentication(options =>
  { 
    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme; 
  })
  .AddJwtBearer(jwtOptions =>
  {
    jwtOptions.Authority = $"https://login.microsoftonline.com/tfp/{Configuration["AzureAdB2C:Tenant"]}/{Configuration["AzureAdB2C:Policy"]}/v2.0/";
    jwtOptions.Audience = Configuration["AzureAdB2C:ClientId"];
    jwtOptions.Events = new JwtBearerEvents
    {
      OnAuthenticationFailed = AuthenticationFailed
    };
  });

to work with more than one policy? For example, a local account policy and a custom policy created via the Identity Experience Framework (IEF).
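One way to accept tokens issued under more than one B2C policy, as an added example that is not code from the sample: register one JWT bearer scheme per policy and make the default authorization policy authenticate against both. The AzureAdB2C:CustomPolicy configuration key and the scheme names are assumptions; the other keys and the tfp authority format are those used in the snippet above.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class MultiPolicyJwtSetup
{
    // Scheme names are local labels for this app, one per B2C policy.
    public const string SignUpSignInScheme = "B2C-SignUpSignIn";
    public const string CustomPolicyScheme = "B2C-Custom";

    // Replaces the single AddJwtBearer call in Startup.ConfigureServices.
    // Assumes the sample's AzureAdB2C:Tenant / Policy / ClientId keys plus an added AzureAdB2C:CustomPolicy key.
    public static IServiceCollection AddB2CMultiPolicyJwt(this IServiceCollection services, IConfiguration config)
    {
        string tenant = config["AzureAdB2C:Tenant"];
        string clientId = config["AzureAdB2C:ClientId"];
        // Each policy has its own authority (the policy name is part of the issuer), so each
        // scheme downloads its own metadata/JWKS and validates iss, aud and signature by itself.
        string AuthorityFor(string policy) => $"https://login.microsoftonline.com/tfp/{tenant}/{policy}/v2.0/";

        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = SignUpSignInScheme;
            options.DefaultChallengeScheme = SignUpSignInScheme;
        })
        .AddJwtBearer(SignUpSignInScheme, o =>
        {
            o.Authority = AuthorityFor(config["AzureAdB2C:Policy"]);
            o.Audience = clientId;
        })
        .AddJwtBearer(CustomPolicyScheme, o =>
        {
            o.Authority = AuthorityFor(config["AzureAdB2C:CustomPolicy"]);
            o.Audience = clientId;
        });

        // The default policy authenticates against both schemes, so [Authorize] accepts a token
        // that is valid under either policy; a token from any other issuer still fails both.
        services.AddAuthorization(options =>
        {
            options.DefaultPolicy = new AuthorizationPolicyBuilder(SignUpSignInScheme, CustomPolicyScheme)
                .RequireAuthenticatedUser()
                .Build();
        });
        return services;
    }
}
```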

System.InvalidOperationException: StatusCode cannot be set, response has already started

I must be doing something wrong here so it is probably causing the below issue but I wonder if this exception should be happening?

Why am I seeing a 'StatusCode cannot be set' exception? Is that expected?

fail: Microsoft.AspNetCore.Server.Kestrel[13]
Connection id "0HL62BF4KKCIP": An unhandled exception was thrown by the application.
System.InvalidOperationException: StatusCode cannot be set, response has already started.
at Microsoft.AspNetCore.Server.Kestrel.Internal.Http.Frame.ThrowResponseAlreadyStartedException(String value)
at Microsoft.AspNetCore.Server.Kestrel.Internal.Http.Frame.set_StatusCode(Int32 value)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.d__2.MoveNext()
