oauth 2.0 - Authenticating as a Service with Azure AD B2C

Question

We have setup our application using Azure AD B2C and OAuth, this works fine, however I am trying to authenticate as a service in order to make service to service calls. I am slightly new to this, but I have followed some courses on Pluralsight on how to do this on "normal" Azure Active Directory and I can get it to work, but following the same principles with B2C does not work.

I have this quick console app:

class Program
{
    private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"]; //APIClient ApplicationId
    private static string appKey = ConfigurationManager.AppSettings["ida:appKey"]; //APIClient Secret
    private static string aadInstance = ConfigurationManager.AppSettings["ida:aadInstance"]; //https://login.microsoftonline.com/{0}
    private static string tenant = ConfigurationManager.AppSettings["ida:tenant"]; //B2C Tenant 
    private static string serviceResourceId = ConfigurationManager.AppSettings["ida:serviceResourceID"]; //APP Id URI For API
    private static string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);

    private static AuthenticationContext authContext = new AuthenticationContext(authority);
    private static ClientCredential clientCredential = new ClientCredential(clientId, appKey);

    static void Main(string[] args)
    {
        AuthenticationResult result = authContext.AcquireToken(serviceResourceId, clientCredential);
        Console.WriteLine("Authenticated succesfully.. making HTTPS call..");

        string serviceBaseAddress = "https://localhost:44300/";
        HttpClient httpClient = new HttpClient();
        httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        HttpResponseMessage response = httpClient.GetAsync(serviceBaseAddress + "api/location?cityName=dc").Result;

        if (response.IsSuccessStatusCode)
        {
            string r = response.Content.ReadAsStringAsync().Result;
            Console.WriteLine(r);
        }
    }
}

And the service is secured like this:

    private void ConfigureAuth(IAppBuilder app)
    {
        var azureADBearerAuthOptions = new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
            TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters()
            {
                ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
            }
        };

        app.UseWindowsAzureActiveDirectoryBearerAuthentication(azureADBearerAuthOptions);
    }

In my B2C tenant I have two different applications that are pretty much setup as this:

Both applications have been setup with secrets coming from the "keys" option. The keys generated are slightly differently structured than when using Azure Active Directory.

I can successfully get a token, but I get 401 when trying to connect to the other service. Do I have to do something different on the authorization side when using B2C compared to Azure Active Directory?

Answer 1

Azure Active Directory B2C can issue access tokens for access by a web or native app to an API app if:

1. Both of these apps are registered with B2C; and
2. The access token is issued as result of an interactive user flow (i.e. the authorization code or implicit flows).

Currently, your specific scenario -- where you are needing an access token to be issued for access by a daemon or server app to the API app (i.e. the client credentials flow) -- isn't supported, however you can register both of these apps through the “App Registrations” blade for the B2C tenant.

You can upvote support for the client credentials flow by B2C at:

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/18529918-aadb2c-support-oauth-2-0-client-credential-flow

If the API app is to receive tokens from both the web/native app as well as the daemon/server app, then you will have to configure the API app to validate tokens from two token issuers: one being B2C and other being the Azure AD directory in your B2C tenant.