
Azure AD B2C Unauthorized for API


I am building a Blazor app which I intend to protect using Azure Active Directory B2C.

I created an AAD B2C app registration, and exposed an API from it. Then I created another app registration to serve as a client, and gave it the permission to access the API. The only notable difference from the tutorial is that I didn't find anything under the My APIs tab, but I managed to find the main app registration under the APIs my organization uses.

I was following this MSFT tutorial. I created my .NET project using the command provided in the documentation, just plugged my values in it, and everything looks like it is set up properly.

Authentication works as expected using the default sign in/sign up flow. But, when I try accessing the WeatherForecast controller's Get method, I get the 401 Unauthorized exception. This is the browser console output:

```
GET https://localhost:PORT/WeatherForecast net::ERR_ABORTED 401 (Unauthorized)

info: System.Net.Http.HttpClient.ProjectPath.ClientHandler[101]
      Received HTTP response headers after 17.9ms - 401

info: System.Net.Http.HttpClient.ProjectPath.LogicalHandler[101]
      End processing HTTP request after 21ms - 401

crit: Microsoft.AspNetCore.Components.WebAssembly.Rendering.WebAssemblyRenderer[100]
      Unhandled exception rendering component: Response status code does not indicate success: 401 (Unauthorized).
System.Net.Http.HttpRequestException: Response status code does not indicate success: 401 (Unauthorized).
   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
   at System.Net.Http.Json.HttpClientJsonExtensions.<g__Core|12_0>d`2[[ProjectPath.WeatherForecast[], ProjectPath, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null],[System.Text.Json.JsonSerializerOptions, System.Text.Json, Version=8.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51]].MoveNext()
   at ProjectPath.Client.Pages.FetchData.OnInitializedAsync() in C:\Users\Folder\Project\Client\Pages\FetchData.razor:line 50
   at Microsoft.AspNetCore.Components.ComponentBase.RunInitAndSetParametersAsync()
   at Microsoft.AspNetCore.Components.RenderTree.Renderer.GetErrorHandledTask(Task taskToHandle, ComponentState owningComponentState)
```

Note that not all ProjectPaths are the same; I used it to replace every project path/name in the output.

I also decoded the Bearer token, and it looks good:

```json
{
  "oid": "SOME-GUID",
  "sub": "SAME-AS-ABOVE",
  "name": "My_Authenticated_User_Name",
  "tfp": "CORRECT_FLOW_NAME",
  "nonce": "NONCE_GUID",
  "scp": "CORRECT_SCOPE_NAME",
  "azp": "CLIENT_APP_CLIENT_ID",
  "ver": "1.0",
  "iat": 1714230019,
  "aud": "MAIN_APP_CLIENT_ID",
  "exp": 1714233619,
  "iss": "https://whatever.b2clogin.com/TENANT_ID/v2.0/",
  "nbf": 1714230019
}
```

Note here that the first two values (oid and sub) are the same; I just don't recognize that particular GUID. name shows a correct username from AAD Claims, tfp a correct signin/signup flow name, and scp shows the correct scope name of the API permission I created. azp shows the Client Id of the app that is given the authorization to the API, while the aud is the client Id of the app registration that exposes the API.

Not sure if ver (1.0) should be 2.0, since that's the version given in the iss, and the manifest itself.

I also granted Admin consent for the Client app's API permission.

It definitely looks like I still can't access the API from the Client app, but I can't imagine why. Any ideas or help would be greatly appreciated.
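A 401 from a bearer-protected API with a token that "looks good" usually means one of the claims the server-side JWT middleware validates (issuer, audience, scope, lifetime) does not match what the API is configured to expect. The following diagnostic, added here as an example and not part of the question or of Microsoft's libraries, decodes the payload segment of a token without verifying its signature and compares the same claim names shown above against a set of expected values. The sample payload is constructed with placeholder values, and the accepted-audience set (the API's client ID and an `api://<client-id>` form) is an assumption about how the API registration is configured; substitute the values your API actually validates.

```python
import base64
import json
import time

# Constructed sample payload using the same claim names the question shows.
# Every value is a placeholder, not real tenant data.
SAMPLE_PAYLOAD = {
    "oid": "00000000-0000-0000-0000-000000000001",
    "sub": "00000000-0000-0000-0000-000000000001",
    "name": "My_Authenticated_User_Name",
    "tfp": "B2C_1_signupsignin",           # assumed user-flow name
    "scp": "API.Access",                    # assumed delegated scope name
    "azp": "11111111-1111-1111-1111-111111111111",  # client app registration
    "ver": "1.0",
    "iat": 1714230019,
    "aud": "22222222-2222-2222-2222-222222222222",  # API app registration
    "exp": 1714233619,
    "iss": "https://example.b2clogin.com/33333333-3333-3333-3333-333333333333/v2.0/",
    "nbf": 1714230019,
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_sample_token(payload: dict) -> str:
    """Assemble a compact JWS with a dummy signature, for feeding the diagnostic."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}.dummysignature"


def decode_payload(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(payload, expected_issuer, accepted_audiences,
                 required_scope, expected_policy, now=None):
    """Compare the claims a bearer-token middleware validates against the API's
    expected configuration. Returns a list of human-readable mismatches; an
    empty list means the claims line up."""
    now = int(time.time()) if now is None else now
    problems = []

    iss = payload.get("iss", "")
    if iss != expected_issuer:
        # Issuer comparison is an exact string match; a trailing slash is a
        # common source of mismatch, so call it out separately.
        hint = (" (differs only by trailing slash)"
                if iss.rstrip("/") == expected_issuer.rstrip("/") else "")
        problems.append(f"iss {iss!r} != configured issuer {expected_issuer!r}{hint}")

    aud = payload.get("aud")
    if aud not in accepted_audiences:
        problems.append(f"aud {aud!r} not in accepted audiences {sorted(accepted_audiences)}")

    # scp is a space-separated list of delegated scopes.
    scopes = set(payload.get("scp", "").split())
    if required_scope not in scopes:
        problems.append(f"scp {sorted(scopes)} lacks required scope {required_scope!r}")

    if payload.get("tfp") != expected_policy:
        problems.append(f"tfp {payload.get('tfp')!r} != expected user flow {expected_policy!r}")

    if now >= payload.get("exp", 0):
        problems.append("token expired (exp in the past)")
    if now < payload.get("nbf", 0):
        problems.append("token not yet valid (nbf in the future)")

    return problems


if __name__ == "__main__":
    token = build_sample_token(SAMPLE_PAYLOAD)
    claims = decode_payload(token)
    accepted = {SAMPLE_PAYLOAD["aud"], "api://" + SAMPLE_PAYLOAD["aud"]}
    report = check_claims(claims, SAMPLE_PAYLOAD["iss"], accepted,
                          "API.Access", "B2C_1_signupsignin", now=1714230100)
    for line in report or ["claims match API configuration"]:
        print(line)
```

Run it against a real token by pasting the bearer value into `decode_payload` and filling in the issuer, audience, scope and user-flow name from the API project's configuration; each reported mismatch corresponds to a check the server performs before the controller is ever reached. The script deliberately skips signature verification, so it is a debugging aid for comparing configuration, not a replacement for the API's own token validation.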

