AzureAD / microsoft-identity-web

Helps creating protected web apps and web APIs with Microsoft identity platform and Azure AD B2C
MIT License

Microsoft Entra External ID and Swagger #2666

Open andreatosato opened 7 months ago

andreatosato commented 7 months ago

Microsoft.Identity.Web Library: Microsoft.Identity.Web

Microsoft.Identity.Web version: 2.16.1

Web app: Sign-in users and call web APIs

Web API: Protected web APIs call downstream web APIs

Token cache serialization: In-memory caches

Description

I need to set up Swagger with the Microsoft Entra External ID authentication type. Swagger does not authenticate the user, why? Is it a Microsoft External ID problem?

Reproduction steps

Setup Swagger and configure External ID

Error message

AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation

Id Web logs

No response

Relevant code snippets

using Microsoft.AspNetCore.Authentication.JwtBearer;
using NSwag;
using NSwag.Generation.Processors.Security;

builder.Services.AddSwaggerDocument(options =>
{
    options.AddSecurity("bearer", Enumerable.Empty<string>(), new OpenApiSecurityScheme
    {
        Type = OpenApiSecuritySchemeType.OAuth2,
        Description = "B2C authentication",
        Flow = OpenApiOAuth2Flow.Implicit,
        Flows = new OpenApiOAuthFlows()
        {
            Implicit = new OpenApiOAuthFlow()
            {
                Scopes = new Dictionary<string, string>
                {
                    // I tried all formats, such as { "https://b2cscdev.onmicrosoft.com/sc_businesslayer/default", "https://b2cscdev.onmicrosoft.com/sc_businesslayer/.default" },
                    { "api://08824a36-8993-4de5-b049-e15198a16786/.default", "api://08824a36-8993-4de5-b049-e15198a16786/.default" },
                },
                // or https://b2cscdev.b2clogin.com/b2cscdev.onmicrosoft.com/B2C_1_SignupSignin/oauth2/v2.0/authorize
                AuthorizationUrl = "https://b2cscdev.ciamlogin.com/b2cscdev.onmicrosoft.com/oauth2/v2.0/authorize", // ?p=B2C_1_SignupSignin
                TokenUrl = "https://b2cscdev.ciamlogin.com/b2cscdev.onmicrosoft.com/oauth2/v2.0/token"
            },
        }
    });

    // Adds the security requirement to every operation that carries the JWT bearer scheme
    options.OperationProcessors.Add(new AspNetCoreOperationSecurityScopeProcessor(JwtBearerDefaults.AuthenticationScheme));
});

Regression

No response

Expected behavior

Work

thangchung commented 3 months ago

I have got the same issue as above, but with @azure/msal-angular and @azure/msal-browser on SPA with authorization code flow + PKCE. I didn't know why. When switched back to https://login.microsoftonline.com/<your tenant-id>, then it worked, but the behaviour of the web was not normal (like logging out but Entra external id was not redirected back to our SPA, despite the configured web URL on Entra external id).