I have an Azure B2C tenant for managing simple username/password sign-up and sign-in, following the example found here: https://github.com/Azure-Samples/active-directory-b2c-javascript-hellojs-singlepageapp
The tenant manages the authentication for a javascript/html application on the front end, and then that front-end application communicates with a WebAPI application on the back-end for its data.
The back-end WebAPI is taken from the example found here: https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi
Both applications are registered with the tenant and require authentication in order to work.
Authentication works great when testing it directly from the Azure portal.
The successful authorize request:
Request URL:https://login.microsoftonline.com/dhzb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_SiUpIn&client_id=2bb37577-246c-48a7-b047-2ce2a748dfda&nonce=defaultNonce&redirect_uri=http%3A%2F%2Flocalhost%3A65328%2Fredirect.html&scope=openid&response_type=id_token&prompt=login
Request Method:GET
When attempting to log in via the front-end with the back-end registered in the tenant, I get this:
Correlation ID: 4ac6f519-0949-42e0-96a7-d84d14454bbb
Timestamp: 2017-07-10 23:07:48Z
AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation.
And the API back-end is never reached.
The unsuccessful authorize request:
Request URL:https://login.microsoftonline.com/tfp/dhzb2c.onmicrosoft.com/B2C_1_SiUpIn/oauth2/v2.0/authorize?client_id=2bb37577-246c-48a7-b047-2ce2a748dfda&response_type=token%20id_token&redirect_uri=http%3A%2F%2Flocalhost%3A65328%2Fredirect.html&state=%7B%22client_id%22%3A%222bb37577-246c-48a7-b047-2ce2a748dfda%22%2C%22network%22%3A%22adB2CSignInSignUp%22%2C%22display%22%3A%22page%22%2C%22callback%22%3A%22_hellojs_cprxketk%22%2C%22state%22%3A%22%22%2C%22redirect_uri%22%3A%22http%3A%2F%2Flocalhost%3A65328%2Fredirect.html%22%2C%22scope%22%3A%22openid%2Chttps%3A%2F%2Fdhzb2c.onmicrosoft.com%2Ftestb2capi%22%2C%22page_uri%22%3A%22http%3A%2F%2Flocalhost%3A65328%2Findex.html%22%7D&scope=openid%20https://dhzb2c.onmicrosoft.com/testb2capi
Request Method:GET
I have tried looking for logs, like a permissions error log, that would tell specifics about the problem, but have found none.
Perhaps there is another place I need to look for logs?
What else can I do?
Authentication error messages are designed to limit the information they provide, so there has to be some way to get greater specificity about the error. What do I not know?
First, this does not answer my original question, so I won't mark this as the answer. I'll let someone else give the real answer, perhaps the correlation id is significant? This answer, however, does solve my problem.
In Azure B2C, permissions are called "scopes".
This means that in order for authentication to succeed without the given permissions error, the following is needed: (3) The authorize request has to include the scope in the scope field.

Request URL:https://login.microsoftonline.com/tfp/dhzb2c.onmicrosoft.com/B2C_1_SiUpIn/oauth2/v2.0/authorize?client_id=2bb37577-246c-48a7-b047-2ce2a748dfda&response_type=token%20id_token&redirect_uri=http%3A%2F%2Flocalhost%3A65328%2Fredirect.html&state=%7B%22client_id%22%3A%222bb37577-246c-48a7-b047-2ce2a748dfda%22%2C%22network%22%3A%22adB2CSignInSignUp%22%2C%22display%22%3A%22page%22%2C%22callback%22%3A%22_hellojs_bb3gzjb8%22%2C%22state%22%3A%22%22%2C%22redirect_uri%22%3A%22http%3A%2F%2Flocalhost%3A65328%2Fredirect.html%22%2C%22scope%22%3A%22openid%2Chttps%3A%2F%2Fdhzb2c.onmicrosoft.com%2Ftestb2capi%2Fread%22%2C%22page_uri%22%3A%22http%3A%2F%2Flocalhost%3A65328%2F%22%7D&scope=openid%20https://dhzb2c.onmicrosoft.com/testb2capi/read
Request Method:GET
I think that the name of the scope that you publish does not matter, the only thing that matters is that at least one scope is used.
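The difference between the failing and the working request above is only the value of the scope parameter (the API's bare App ID URI versus a published scope under it). The following is an added example, not code from the question or from the linked Azure samples: it builds a B2C implicit-flow authorize URL in the tfp form shown above and checks such a URL before it is sent, flagging a token request whose API scope is not one of the scopes published on the API registration (the published-scope list and the nonce/state values are assumed for the example).

```javascript
// Added example, not from the question or the Azure samples it links.
const OIDC_SCOPES = new Set(["openid", "profile", "email", "offline_access"]);

// Scopes published on the back-end API registration. Constructed for this
// example from the working request, which asks for ".../testb2capi/read".
const PUBLISHED_SCOPES = new Set(["https://dhzb2c.onmicrosoft.com/testb2capi/read"]);

// Build the B2C (tfp) authorize URL; URLSearchParams does the percent-encoding.
function buildAuthorizeUrl({ tenant, policy, clientId, redirectUri, apiScopes, nonce, state }) {
  const u = new URL(`https://login.microsoftonline.com/tfp/${tenant}/${policy}/oauth2/v2.0/authorize`);
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("response_type", "token id_token");
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("scope", ["openid", ...apiScopes].join(" "));
  u.searchParams.set("nonce", nonce);
  u.searchParams.set("state", state);
  return u.toString();
}

// Parse an authorize URL and report the scope problems that produce AADB2C90205-style
// failures: an access token requested with no API scope, or with a scope that is not
// published (for example the App ID URI itself instead of <App ID URI>/<scope>).
function checkAuthorizeUrl(url, publishedScopes = PUBLISHED_SCOPES) {
  const p = new URL(url).searchParams;
  const responseTypes = (p.get("response_type") || "").split(/\s+/).filter(Boolean);
  const scopes = (p.get("scope") || "").split(/\s+/).filter(Boolean);
  const apiScopes = scopes.filter((s) => !OIDC_SCOPES.has(s));
  const problems = [];
  if (responseTypes.includes("id_token") && !scopes.includes("openid")) {
    problems.push("id_token requested without the openid scope");
  }
  if (responseTypes.includes("token") && apiScopes.length === 0) {
    problems.push("response_type includes token but no API scope is requested");
  }
  for (const s of apiScopes) {
    if (!publishedScopes.has(s)) {
      problems.push(`scope "${s}" is not a published scope (bare App ID URI or unknown scope)`);
    }
  }
  return { ok: problems.length === 0, responseTypes, apiScopes, problems };
}
```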
We had a similar issue with our API authentications. We added a B2C application, published the scope (user_impersonation) and added the API access on itself. Later on, we decided to add a custom domain to our Azure AD and make that the primary domain. All applications we added after that received the same error (AADB2C90205) upon authorisation. We were able to "debug" what was happening by using the developer tools of the browser (Chrome or Firefox) and watching the "Network" tab while loading the list of applications. One difference we noticed there was the array of "identifierUris". The one which was working had the default https://somestring.onmicrosoft.com/ApiName/ url, while all other applications that did not work had our custom Uri. Our solution was to make the default .onmicrosoft.com/ uri the primary again and just add our custom domain.
So in answer to your question: you could use the network traffic logger of your browser to analyse what goes wrong during authentication. I hope the information in this answer might help others receiving the same error in tracking down solutions of their own.