Pass tokens to a Blazor Server app section is for AAD. Is there some reference on how to get azure ad b2c access token? Thanks.
@Alienroid ... Were you able to configure the OpenIdConnectOptions for AAD B2C? ... did you give it a shot to see if you could get the app to authenticate against the provider?
This page (and the GitHub sample) only had it for AAD. I just found AzureADB2CDefaults, will try that later today.
From the template, the authentication is using

```csharp
services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
    .AddAzureADB2C(options => { Configuration.Bind("AzureAdB2C", options); });
```

I didn't realize I need to add services.Configure
Ah ... I see. I'm just getting into these configurations myself. I'll repro the setup here, get it working, and then enhance that section for B2C.
Here's the reference that I mentioned https://stackoverflow.com/questions/58985388/confused-on-how-to-get-access-tokens-from-b2c-in-blazor-app
From the Stack Overflow question I posted earlier, following Oyvind Habberstad's answer (https://stackoverflow.com/users/3080858/oyvind-habberstad), I was able to log in using OpenID Connect. Setting a breakpoint at OpenIdConnectController.GetUser, I was able to get the access token on the Blazor Server side.
The issue is that using OpenID Connect this way, we are not using a user flow. I could only log in with a Microsoft account and not other identity providers.
I'll try another solution later. But I think it would make sense that following

```csharp
services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
    .AddAzureADB2C(options => { Configuration.Bind("AzureAdB2C", options); });
```

we should be able to get the access token some easier way. I am new to this whole thing so... it's possible I am missing something completely.
Maybe what I really should do is, after the user is authenticated, just request a token from the endpoint. But I thought auth should return the access token as well.
Tried the other solution from that SO link as well as the sample from Passing tokens to a server-side Blazor application (https://github.com/javiercn/blazor-server-aad-sample). Neither worked for me. I guess I'll wait for some official solution. Thanks.
Ugh! I threw together a quick new Blazor Server app using the VS new project process to take a quick 🏃 look at this issue, and the app failed to fire up. I must have configured it incorrectly somehow. I'll return to this issue shortly ... in a day or two. I'm working on something else right now: I'm working out the scenarios for using AD roles and groups in the hosted scenario. I'll get back to this as soon as I can. 🏃😅
Stocks up! Time to kick back a little
> kick back
Sorry ... At MS, that's _Not a Thing!_:tm: :smile:
I remembered the mini fridge full of beers ;)
I've been struggling with this for a while too.
For me it looks like the problem is in Startup.ConfigureServices:

```csharp
services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
{
    options.ResponseType = "code";
    options.SaveTokens = true;
    options.Scope.Add("offline_access");
    options.Scope.Add("{SCOPE}");
    options.Resource = "{RESOURCE}";
});
```

I haven't figured out how to even debug this yet, but if this is in my startup as the documentation says, I get an error page.
If I remove the code, my access token is empty.
Best bet is to open this scenario with engineering @Alienroid ... and then @kristiangronli can add a :+1: to it.
https://github.com/dotnet/aspnetcore/issues
Add a "cc: @guardrex" to your opening comment, cross-reference this issue, and leave this issue open.
Hi Folks, Very timely thread.
1) This article is VASTLY improved over what it was just a month ago. Thank you. There are some "null exceptions" in the article flow that lead nowhere (like this thread seeks to address) but it is going in the "write" direction.
2) I got Blazor and AAD connected pretty much straight out of the box. Imagine my surprise!
3) I've got B2C working up to actually receiving tokens in my test Blazor app. Pretty sure the problem is in Startup.cs and/or appsettings.json.
4) B2C (and to lesser extent just AAD) require a combination of work in Azure (building and configuring Tenant) and building and configuring Blazor App. I started with this tutorial https://docs.microsoft.com/en-us/aspnet/core/security/authentication/azure-ad-b2c?view=aspnetcore-3.1#finish-the-b2c-app-registration (one of the null objects this article could reference). Then I moved on to this tutorial https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant. Both are 1.25 years old, and could use a refresh.
5) This topic (and similar ones) needs a holistic approach that encompasses all the parts, not just a scattering of the pieces for the reader to string together. I started with VS project creation --> Azure B2C --> Testing --> User Flow Creation --> Testing --> VS project configuration --> Testing (my testing in this last phase is where I'm currently at, and failing the tests.)
6) Troubleshooting. I made A LOT of mistakes at each step, only to realize sometime later my results didn't fit the tutorial's expected results. Troubleshooting guides are helpful: "If you get this, then go look at that, that, and that."
7) The tutorials need to address both greenfield projects and existing projects. I have to solve for both, ASAP.
8) I take copious notes when doing experiments to make sure they are repeatable. I'll put these into a series of projects on GitHub for all to see, comment on, (and yes, please) help make better. lol.
I'll update as results are available.
Thanks for your work in this area. Your notes will be a 🐘 _HUGE_ 🐘 help as I work thru a lot of the same things. I was busy with other priority issues; but now, I'm back to focusing on security. Blazor WASM topics are receiving an update today, and I'll get to Blazor Server shortly. I'll probably take a look at this ... your notes @bdnts ... and another look at Javier's notes at https://gist.github.com/javiercn/62044bab948e42cc9e4e695e4aaee7b8#considerations-with-the-app-id-uri. I need to work out how well or poorly scaffolding is going, and I see the concerns about everything working except SignInManager, which isn't supported in components.
Quick note, I succeeded in getting Blazor Server connected to AAD B2C. I revisited this page, reapplied everything in Pass tokens to a Blazor Server App--which works fine for AAD. But then found https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-5-B2C, and set services as

```csharp
services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
    .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));
services.Configure(Configuration.GetSection("AzureAdB2C"));
```

It worked! OMG it worked! This was definitely The Thing.
Another note, I also added

```csharp
Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
```

to get comprehensive error messages instead of `System.IO.IOException: IDX20807: Unable to retrieve document from: '[PII is hidden`. With ShowPII=true, I was able to identify some configuration mistakes in appsettings.json. More tomorrow.
@bdnts is it only for OIDC? Because AAD B2C also has other logins like Facebook, Google, and plain email login. As I mentioned earlier, I haven't figured out any way to use a user flow (which is a key feature of AAD B2C) to acquire an access token.
Maybe I should word it differently.
Using the reference (https://github.com/yberstad/BlazorAuth), I was able to log in using only a Microsoft account (all the user flows configured in AAD B2C were lost). No Facebook, Google or plain email login. With this method I was able to acquire an access token, as I mentioned earlier.
However, the scaffolding code from the template is using

```csharp
services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
    .AddAzureADB2C(options => { Configuration.Bind("AzureAdB2C", options); });
```

which is great, as I can log in using the user flow I defined in my AAD B2C, which can log in with Microsoft, Facebook, Google and plain email. The issue is I have no idea how to get an access token this way.
If there's a way to integrate both, with reference code from Microsoft, that would be great.
@bdnts how did you get the access token?
See https://github.com/javiercn/blazor-server-aad-sample for details on how to do this. It is the same for Azure ADB2C.
@guardrex Is there a separate issue tracking this doc? (I believe I filed one) if not, either repurpose this with the provided content or close this and point to the other one.
What is the options.Resource = "<
I'll try this again. I think last time I ran this sample, it only loaded the Microsoft account during login and not the others (Facebook, Google or plain email).
Gee whiz, you guys work crazy hours like I do. I'm in PDT about ready to call it a night.
Answers to some of the questions above: I'm building an end-to-end vertical stack of AAD, B2C, Blazor, Email sign-in. Once I can get that done and working, then I'll see about going horizontal with the other identity connectors.
For @javiercn I actually found some differences AAD and AADB2C. There is a treasure map doc I found (see below) that tackles B2C, and I mashed that work up with this document. That is how I got my first project working.
I just checked in all my work to date on BlazorADB2C in GitHuB, for you guys to look at (and laugh at) since you're awake. I think I have a corruption in the key store, because this version is not working right, but is identical to my working project. Azure configs is matching original also. But I wanted to give you visibility to help you along. I'll get the Readme.Md and notes in tomorrow.
Here is the material I've been using to pull all this together:
Start with the Azure Active Directory B2C docs.
If you want to explore code, go to the treasure map, Sample 1-5: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-5-B2C is the nearest I could find for Blazor.
Laters
I was in bed until Javier sent that email. 3 hrs later, I am still up. This is more of a fun thing for me to really learn this.
Just checked out your profile. I grew up in Vancouver BC too 😉
Javier is GOD!
Using his sample, I changed the following:

```csharp
services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
    .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));
```

The scope needs to add:

```csharp
options.Scope.Add("https://{domain}.onmicrosoft.com/api/demo.read");
```

I left out resource since I have no idea what that is from the documentation or the code.
I was able to get the access token.
One side note: his sample code has `options.Scope.Add("offline_access");`
I made the mistake of thinking I only needed to add "demo.read" instead of the whole path. Adding the whole path solved my issue. Again, this is not documented? I just happened to read some code that doesn't work on SO which had this line somewhere.
Time for bed. Thanks everyone.
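For readers arriving at this thread later, here is the complete Startup wiring that the posts above converge on (template `AddAzureADB2C` registration, then post-configuring the OpenID Connect handler with the hybrid response type, `SaveTokens`, `offline_access` and the full App ID URI scope). This is an added example written for this thread, not code from the docs page, the Azure sample or any poster's repo. The tenant name and the `api/demo.read` scope are placeholders, and the `ShowPII` switch is gated to Development because it writes configuration values and claim contents into logs.

```csharp
using Microsoft.AspNetCore.Authentication.AzureADB2C.UI;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.IdentityModel.Logging;

public class Startup
{
    public Startup(IConfiguration configuration, IWebHostEnvironment env)
    {
        Configuration = configuration;
        Environment = env;
    }

    public IConfiguration Configuration { get; }
    public IWebHostEnvironment Environment { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Template registration: binds Instance, Domain, ClientId, SignUpSignInPolicyId, ...
        // from the "AzureAdB2C" section of appsettings.json and wires the B2C user flow.
        services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
            .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));

        // Post-configure the OpenID Connect handler that AddAzureADB2C registered under
        // AzureADB2CDefaults.OpenIdScheme; this is the piece the template leaves out.
        services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
        {
            // Hybrid flow, as reported working in this thread ("code" alone produced an error page).
            options.ResponseType = "code id_token";

            // Persist the access/refresh tokens in the auth cookie so HttpContext.GetTokenAsync
            // can read them later. The cookie grows by the token sizes; it stays Data Protection
            // encrypted, so the browser never sees the raw tokens.
            options.SaveTokens = true;

            // Required to receive a refresh token at all.
            options.Scope.Add("offline_access");

            // Must be the full App ID URI plus scope name as exposed in the B2C tenant.
            // The bare scope name ("demo.read") is not accepted. Placeholder values below.
            options.Scope.Add("https://{tenant}.onmicrosoft.com/api/demo.read");
        });

        // Development-only diagnostics. ShowPII turns "IDX20807: Unable to retrieve document
        // from: '[PII is hidden]'" into the actual URL, which is what exposes a mistyped
        // Instance/Domain in appsettings.json. Keep it off outside Development.
        if (Environment.IsDevelopment())
        {
            IdentityModelEventSource.ShowPII = true;
        }

        services.AddRazorPages();
        services.AddServerSideBlazor();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        // Authentication must run before the endpoints that read HttpContext.User / tokens.
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapBlazorHub();
            endpoints.MapFallbackToPage("/_Host");
        });
    }
}
```

Two things worth checking if the token still comes back empty with this in place: that the scope string matches the App ID URI shown in the B2C tenant character for character, and that the app registration is allowed to issue both ID and access tokens, since the hybrid response type asks for both.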
@javiercn ... Yes, you did at https://github.com/dotnet/AspNetCore.Docs/issues/17221, and it was worked on https://github.com/dotnet/AspNetCore.Docs/pull/17420. The content is here :point_right: https://docs.microsoft.com/en-us/aspnet/core/security/blazor/server?view=aspnetcore-3.1&tabs=visual-studio#pass-tokens-to-a-blazor-server-app
... I simply haven't had time to try it myself. If there's nothing else to say, I'll close this when I check it out.
We obviously don't need full topics to cover different provider scenarios, but we might need different provider sections in the Blazor Server topic if there's anything specific to say about the scenarios.
I'm still struggling with errors on this.
Following the instructions from @javiercn and following @Alienroid I end up with:

```csharp
services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
    .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));
services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
{
    options.ResponseType = "code";
    options.SaveTokens = true;
    options.Scope.Add("offline_access");
    options.Scope.Add("https://**.onmicrosoft.com/api/read");
});
```

Running this code I end up with: Error.
An error occurred while processing your request
If I comment out `//options.ResponseType = "code";`
I can still sign in as usual, but my token and TokenProvider object is still null?
I've uploaded my work in progress here: https://github.com/kristiangronli/AppsConfiguredWithB2C
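The "TokenProvider is still null" symptom above is about the second half of the problem: once the tokens are in the auth cookie, they still have to be captured during prerendering and handed into the Blazor circuit. The code below is an added example that follows the same capture-then-cascade pattern the thread refers to as "Pass tokens to a Blazor Server app"; it is not the docs' code or any poster's repo. The `HostModel` code-behind, the `AppBase` base class and the `ProtectedApiClient` consumer are my own names; `_Host.cshtml` is assumed to declare `@model HostModel`, and `App.razor` to start with `@inherits AppBase`.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Mvc.RazorPages;

// Per-circuit holder for the signed-in user's tokens. Register it as SCOPED
// (services.AddScoped<TokenProvider>()): a singleton would hand one user's token to every circuit.
public class TokenProvider
{
    public string AccessToken { get; set; }
    public string RefreshToken { get; set; }
}

// Plain DTO handed from the prerendered host page to the root component.
public class InitialApplicationState
{
    public string AccessToken { get; set; }
    public string RefreshToken { get; set; }
}

// Code-behind for Pages/_Host.cshtml (assumed markup in the page:
// <component type="typeof(App)" render-mode="ServerPrerendered" param-InitialState="Model.InitialState" />).
public class HostModel : PageModel
{
    public InitialApplicationState InitialState { get; private set; }

    public async Task OnGetAsync()
    {
        // The authentication cookie only carries tokens when OpenIdConnectOptions.SaveTokens = true.
        InitialState = new InitialApplicationState
        {
            AccessToken = await HttpContext.GetTokenAsync("access_token"),
            RefreshToken = await HttpContext.GetTokenAsync("refresh_token"),
        };
    }
}

// Base class for App.razor (assumed: "@inherits AppBase" above the usual <Router>).
public class AppBase : ComponentBase
{
    [Inject] public TokenProvider TokenProvider { get; set; }

    [Parameter] public InitialApplicationState InitialState { get; set; }

    protected override void OnInitialized()
    {
        // Copy the tokens captured during prerendering into the circuit-scoped provider.
        // A null AccessToken here means the cookie had no token: SaveTokens was off, or the
        // API scope was not requested and B2C issued an ID token only.
        TokenProvider.AccessToken = InitialState?.AccessToken;
        TokenProvider.RefreshToken = InitialState?.RefreshToken;
    }
}

// Consumer: a typed client that attaches the bearer token to calls to the protected API.
// Assumed registration: services.AddHttpClient<ProtectedApiClient>(c => c.BaseAddress = ...).
public class ProtectedApiClient
{
    private readonly HttpClient _http;
    private readonly TokenProvider _tokens;

    public ProtectedApiClient(HttpClient http, TokenProvider tokens)
    {
        _http = http;
        _tokens = tokens;
    }

    public async Task<string> GetStringAsync(string path)
    {
        if (string.IsNullOrEmpty(_tokens.AccessToken))
        {
            // Fail loudly instead of sending an unauthenticated request the API rejects with 401.
            throw new InvalidOperationException(
                "No access token in this circuit. Check SaveTokens and the API scope in OpenIdConnectOptions.");
        }

        using var request = new HttpRequestMessage(HttpMethod.Get, path);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _tokens.AccessToken);

        using var response = await _http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}
```

The split matters because the circuit has no `HttpContext` after the initial render: anything read from the cookie has to be captured in the host page and cascaded in, which is why a missing `param-InitialState` or a non-scoped `TokenProvider` also shows up as a null token.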
@kristiangronli
I forgot to mention, I changed it to `options.ResponseType = "code id_token";`
If you only have code, you'll get some message saying it's expecting both id token and access token.
Also, make sure your domain has 'api' defined and your scope is defined as 'read' in AAD B2C.
@Alienroid Thank you - I still get the same error message even if I changed the `options.ResponseType = "code id_token";`
Can you possibly take a quick look at my code and see if it is different from yours?
https://github.com/kristiangronli/AppsConfiguredWithB2C/blob/master/BlazorServerApp/Startup.cs
Not sure it matters, but in the AzureAdB2C Instance, I have it end in …b2clogin.com/tfp/
Howdy. So I found a post by Steve Sanderson, July 2019, that says the Blazor template works "out of the box" with ADB2C. Well, he's right! I re-worked my BlazorAdB2C project from scratch, and it works just fine. Still have a LOT of testing to do and questions to work out, but it is a stepping stone. I've put my notes into the Readme.md, in which GitHub stripped supposedly legal html, so formatting is off.
Otherwise, Cheers
This will be for tomorrow ... Tuesday ... or Wednesday ... we'll see. I've been working on other issues and still have two more things to resolve before hitting an inevitable CoreBrainFry!:tm: 🧠🔥😵🚒.
EDIT Yes, perhaps Wednesday .... maybe .... if possible.
EDIT TODAY! ... I'll be working on this today, Wednesday, 4/22.
@Alienroid In your work with this scenario (B2C with signin and access token), did you ever hit ...
OpenIdConnectProtocolException: IDX21336: Both 'id_token' and 'access_token' should be present in OpenIdConnectProtocolValidationContext.ProtocolMessage received from Token Endpoint. Cannot process the message.
If so, how did you address it?
Yes. You need to add 'code':
```csharp
options.ResponseType = "code id_token";
```
These are my notes I posted April 9th:
Using his sample, I changed the following:
```csharp
services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
    .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));
```
Scope needs to add:
```csharp
options.Scope.Add("https://{domain}.onmicrosoft.com/api/demo.read");
```
I left out resource since I have no idea what that is from documentation or code.
I was able to get the access token.
One side note. His sample code has `options.Scope.Add("offline_access");`
I made the mistake of thinking I only need to add "demo.read" instead of the whole path. Adding the whole path solved my issue. Again, this is not documented? I just happened to read some code that doesn't work on SO which had this line somewhere.
I think I have most of that covered. I'm trying to perform a Graph API call. I have it working for AAD, and I have the topic updates ready for that scenario. I'm just stuck with my AAD B2C config for the same setup.
AFAIK, Resource goes away with v2.0 endpoints. Resource is literally just that ... the resource that must match what the token is being used to get. In my case (in the AAD sample) it's the Graph API URI of https://graph.microsoft.com; but in the AAD B2C app with v2.0 endpoints, I've removed that line.
My config goes like this (fake data shown) ...
```json
"AzureAdB2C": {
    "Instance": "https://contoso.b2clogin.com/tfp/",
    "ClientId": "797a0993-aa8d-45f0-960a-e38e7b9a7a92",
    "CallbackPath": "/signin-oidc",
    "Domain": "contoso.onmicrosoft.com",
    "SignUpSignInPolicyId": "B2C_1_signupsignin1",
    "ResetPasswordPolicyId": "B2C_1_passwordreset1",
    "EditProfilePolicyId": "B2C_1_EditProfile",
    "ClientSecret": "hDj8v.vgb1A4S.8z]-=BOtyG8XmMtQ6L"
},
```
```csharp
services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
    .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));
services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
{
    options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
    options.SaveTokens = true;
    options.Scope.Add("https://graph.microsoft.com/offline_access");
    options.Scope.Add("https://graph.microsoft.com/openid");
    options.Scope.Add("https://graph.microsoft.com/Organization.Read.All");
});
```
... and that's very similar to my working AAD use case. It barfs up that error tho. If I change the ResponseType to just id_token (OpenIdConnectResponseType.IdToken) or delete it (that's the default), then the app fires right up and logs the user in. Of course, I don't get an access token that way ... it needs the code flow.
The working :tada: AAD use case goes like this (again, fake data here that will be used in the topic later) ...
```json
"AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "contoso.onmicrosoft.com",
    "TenantId": "0bb2b57d-ced6-4486-a27e-97ae1e890343",
    "ClientId": "ebf968f8-b368-401d-8efe-c11feebb686b",
    "CallbackPath": "/signin-oidc",
    "ClientSecret": "hDj8v.vgb1A4S.8z]-=BOtyG8XmMtQ6L"
}
```
```csharp
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
    .AddAzureAD(options => Configuration.Bind("AzureAd", options));
services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
{
    options.ResponseType = OpenIdConnectResponseType.Code;
    options.SaveTokens = true;
    options.Scope.Add("https://graph.microsoft.com/Organization.Read.All");
    options.Scope.Add("https://graph.microsoft.com/offline_access");
    options.Resource = "https://graph.microsoft.com";
});
```
... note the Resource is present here because this uses the v1.0 endpoints. If you add a /v2.0 segment to the end of the Authority, you can drop the Resource.
... and that ✨ _Just Works!_:tm: ✨, so I think my B2C app isn't too far off.
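The configuration this thread converges on for AAD B2C (hybrid `code id_token` response, `SaveTokens`, full-URI API scope), together with the hand-off of the saved tokens into the Blazor circuit from the "Pass tokens to a Blazor Server app" pattern, as an added example that is not code from the issue or from the docs sample; the `B2CAuthSetup` and `TokenProvider` names and the `contoso` scope URI are assumptions:

```csharp
// Added example (not from the issue thread). Assumes an "AzureAdB2C" section in
// configuration like the one shown above, with ClientSecret supplied via user-secrets
// or Key Vault rather than checked in; the API scope URI is a placeholder.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.AzureADB2C.UI;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

// Scoped per circuit; populated from the tokens captured at prerender time.
public class TokenProvider
{
    public string AccessToken { get; set; }
    public string RefreshToken { get; set; }
}

public static class B2CAuthSetup
{
    public static void AddB2CWithAccessToken(IServiceCollection services, IConfiguration config)
    {
        services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
            .AddAzureADB2C(options => config.Bind("AzureAdB2C", options));

        services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
        {
            // Plain "code" trips IDX21336 against B2C; the hybrid flow returns the
            // id_token alongside the code, which the handler validates, then redeems.
            options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
            // Persist access/refresh tokens in the auth ticket so the _Host page can
            // read them with HttpContext.GetTokenAsync before the circuit starts.
            options.SaveTokens = true;
            // offline_access yields a refresh token; the API scope must be the full
            // URI of the scope published on the B2C app registration, not "demo.read".
            options.Scope.Add("offline_access");
            options.Scope.Add("https://contoso.onmicrosoft.com/api/demo.read"); // placeholder
        });

        services.AddScoped<TokenProvider>();
    }
}

// _Host.cshtml (Razor, shown here as a comment) captures the tokens once per request:
//   var tokens = new TokenProvider {
//       AccessToken  = await HttpContext.GetTokenAsync("access_token"),
//       RefreshToken = await HttpContext.GetTokenAsync("refresh_token") };
//   <component type="typeof(App)" param-InitialState="tokens" render-mode="ServerPrerendered" />
// App.razor copies its InitialState parameter into the injected TokenProvider in OnInitialized,
// so components never touch HttpContext (which is unavailable inside the SignalR circuit).
```

The access token then lives only in the server-side circuit state, never in browser-visible storage, and a null `TokenProvider.AccessToken` after sign-in almost always means the scope URI was rejected or `SaveTokens` was left at its default of `false`.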
We've mostly resolved the issue here. The patterns shown for access tokens are correct AFAIK. I still think I have a minor hiccup here with Hosted B2C + an API + a separate Graph API call; however, I'm going to look at that closer after all of the framework bits move to v2.0.
Quick note, I succeeded in getting Blazor Server connected to AAD B2C. I revisited this page, reapplied everything in Pass tokens to a Blazor Server App--which works fine for AAD. But then found https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-5-B2C, and set services as(Configuration.GetSection("AzureAdB2C"));
```csharp
services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
    .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));
services.Configure
```
It worked! OMG it worked! This was definitely The Thing.
Another note, also added:
```csharp
Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
```
to get comprehensive error messages instead of `System.IO.IOException: IDX20807: Unable to retrieve document from: '[PII is hidden`. With ShowPII=true, I was able to identify some configuration mistakes in appsetting.json. More tomorrow.