Azure B2C not generating a scope for API in JWT

Andrew Fraser 136

I am following this series of videos:

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbFdGUFd2eGstZ3dVUHRBbzJrcjZBQkxKTndtQXxBQ3Jtc0tuT3NvVGk4U21qeUsxSER1M2RaTVNNU1MzSlRJZUdfUnNNQmt6ejI0T20zTmhaOU5ZaTYtS3p5NUFxdjI4VzhuQnltWFpxczlRNGJzaVBvbHJpRVROZVM0dlBmczAxVFZaLTRjYkdVVzlfVm5VS3RwZw&q=https%3A%2F%2Faka.ms%2Fdotnet%2Fbeginnervideos%2Fyoutube%2Fazure&v=hIP5F1bvs5s

Specifically [4 of 8] where Matt configures B2C to generate a scope that will be passed to a WebAPI.

I have a fully functioning API (when the end points are not marked as Authorize) however, when I follow all his steps, I get a 401 (Not Authorized) error when trying to hit an endpoint on my API.

When I run the login user flow, I note that there is no "scp" entry in the generated JWT.

Interestingly, Matt conveniently skips over this when demonstrating the generated token in the video.

Can someone explain what I need to do to get my API to accept the authenticated user API endpoint requests?

Andy

Sakshi Devkante 575 Reputation points Microsoft Vendor

2025-01-31T15:36:59.5433333+00:00

Hello @Andrew Fraser

Thank you for posting your query on Microsoft Q&A.

If in case you are using Grant Type: Client Credentials, the token is acquired under application context. In case of which, the permissions are included in roles claim. The SCP (scope) claim is available only when the token is acquired under user context using OAuth flows such as Authorization Code grant, Implicit Grant, ROPC etc.

When acquiring token under application context, we can only use /.default in the scope parameter. You can NOT specify (Ex: api://<app id>/API.READER) as scope in this case as this is possible only when the access token is acquired under user context. When a scope with /.default is added to the authentication request, all application permissions added and consented, under api permission blade of the application are included in roles claim within the access token.

If you are using OIDC, you typically get an ID token and an access token. Make sure that you're using the access token to authenticate your API requests. The scp claim will be in the access token, not the ID token.

When you're setting up your Web API in Azure AD B2C, you need to ensure that you define scopes that your API will expect.

You should have a scope (like api://{your-api-id}/access_as_user) created for your Web API.

Go to Azure AD B2C > App Registrations > Your Web API > Expose an API, and verify that the scope(s) are defined.

If no scope is defined, the scp claim will not be included in the JWT.
api://{your-api-id}/access_as_user

Ensure that your authorization request includes the correct scope when obtaining the token from Azure AD B2C. If you're using OIDC flow, the scope should be included in the scope parameter when you initiate the authorization request.

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize

?client_id={client-id}

&response_type=token id_token

&redirect_uri={redirect-uri}

&scope=openid profile {api-scope}

&state=12345

Replace {api-scope} with the scope you defined for your API, like api://{your-api-id}/access_as_user.

If the scope is omitted, the token will not include the scp claim, which is why you're seeing the 401 error.

Try to change the token endpoint to the following:
$tokenEndpoint ="https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy>/oauth2/v2.0/token";

try using the "B2C_1_signupsignin1" user flow, enter what user flows or custom policies are currently available in their B2C tenant.
$tokenEndpoint ="https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/B2C_1_signupsignin1/oauth2/v2.0/token";

If the issue still persists then you can raise a support ticket the team will help you to investigate in detailed.

Best regards,

Sakshi Devkante

Andrew Fraser 136

Sakshi,

Thank you for your comments.

With regards to the scope, I followed the video to create a scope for my API but the scope appears as: https://xxxxx.onmicrosoft.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/access_as_user, it does not start with api:

I assume when you talk about authorization requests, that is from my web app?

In my web app I have:

        var initialScopes = builder.Configuration[ "API:Scopes" ]?.Split( ' ' );
        builder.Services.AddAuthentication( OpenIdConnectDefaults.AuthenticationScheme )
            .AddMicrosoftIdentityWebApp( options =>
            {
                builder.Configuration.Bind( "AzureAdB2C", options );
                options.Events = new OpenIdConnectEvents
                {
                    OnAuthenticationFailed = async ctxt =>
                    {
                        // They tried to log in but it failed
                        await Task.Yield();
                    },
                    OnSignedOutCallbackRedirect = async ctxt =>
                    {
                        IServiceProvider serviceProvider = ctxt.HttpContext.RequestServices;
                        var uas = serviceProvider.GetService<IUserAuthService>();
                        uas?.ResetClaims();
                        ctxt.HttpContext.Response.Redirect( ctxt.Options.SignedOutRedirectUri );
                        ctxt.HandleResponse();
                        await Task.Yield();
                    },
                    OnTicketReceived = async ctxt =>
                    {
                        if ( ctxt.Principal != null )
                        {
                            if ( ctxt.Principal.Identity is ClaimsIdentity identity )
                            {
                                var colClaims = await ctxt.Principal.Claims.ToDynamicListAsync();
                                IServiceProvider serviceProvider = ctxt.HttpContext.RequestServices;
                                var uas = serviceProvider.GetService<IUserAuthService>();
                                uas?.ApplyClaims( colClaims );
                            }
                        }
                        await Task.Yield();
                    },
                };
            } )
            .EnableTokenAcquisitionToCallDownstreamApi( initialScopes )
            .AddInMemoryTokenCaches();

In my appsettings.json I have:

  "API": {
    "SubscriptionKey": "????????????????????????????????",
    "EndPoint": "https://??????????.azure-api.net",
    "Scopes": "https://???????.onmicrosoft.com/????????-????-????-????-????????????/access_as_user"
  }

In my web app, I have a Login button which calls https://BaseURI/MicrosoftIdentity/Account/SignIn which works for logging into my webapp but causes the 401 as soon as the web app tries to make a call on an API end point.

Accepted answer

Sakshi Devkante 575 Reputation points Microsoft Vendor

2025-02-05T15:24:37.5433333+00:00

Hello @Andrew Fraser

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

Issue: Azure B2C not generating a scope for API in JWT

Solution: Resolved by @Andrew Fraser by following the below steps

YouTube video explaining the steps and code required to get the API authentication working. For those struggling with Matt's video, check this one out https://www.youtube.com/watch?v=gxPWRq9BteI this video helps in configuring Azure AD B2C authentication for a web app and web API.

Best regards,
Sakshi Devkante
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

1 additional answer

Andrew Fraser 136 Reputation points

2025-02-03T17:16:52.51+00:00

I have almost given up on this until I found a much better YouTube video explaining the steps and code required to get the API authentication working. For those struggling with Matt's video, check this one out https://www.youtube.com/watch?v=gxPWRq9BteI.

Andy
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure B2C not generating a scope for API in JWT

1 additional answer

Your answer