How can I debug an Azure application that has insufficient B2C permissions?

The Environment

I have an Azure B2C tenant for managing simple username/password sign-up and sign-in, following the example found here: https://github.com/Azure-Samples/active-directory-b2c-javascript-hellojs-singlepageapp

The tenant manages the authentication for a javascript/html application on the front end, and then that front-end application communicates with a WebAPI application on the back-end for its data.

The back-end WebAPI is taken from the example found here: https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi

Both applications are registered with the tenant and require authentication in order to work.

What Works

Authentication works great when testing it directly from the Azure portal.

The successful authorize request:

Request URL:https://login.microsoftonline.com/dhzb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_SiUpIn&client_id=2bb37577-246c-48a7-b047-2ce2a748dfda&nonce=defaultNonce&redirect_uri=http%3A%2F%2Flocalhost%3A65328%2Fredirect.html&scope=openid&response_type=id_token&prompt=login
Request Method:GET

What Doesn't Work

When attempting to log in via the front-end with the back-end registered in the tenant, I get this:

Correlation ID: 4ac6f519-0949-42e0-96a7-d84d14454bbb
Timestamp: 2017-07-10 23:07:48Z
AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation.

And the API back-end is never reached.

The unsuccessful authorize request:

Request URL:https://login.microsoftonline.com/tfp/dhzb2c.onmicrosoft.com/B2C_1_SiUpIn/oauth2/v2.0/authorize?client_id=2bb37577-246c-48a7-b047-2ce2a748dfda&response_type=token%20id_token&redirect_uri=http%3A%2F%2Flocalhost%3A65328%2Fredirect.html&state=%7B%22client_id%22%3A%222bb37577-246c-48a7-b047-2ce2a748dfda%22%2C%22network%22%3A%22adB2CSignInSignUp%22%2C%22display%22%3A%22page%22%2C%22callback%22%3A%22_hellojs_cprxketk%22%2C%22state%22%3A%22%22%2C%22redirect_uri%22%3A%22http%3A%2F%2Flocalhost%3A65328%2Fredirect.html%22%2C%22scope%22%3A%22openid%2Chttps%3A%2F%2Fdhzb2c.onmicrosoft.com%2Ftestb2capi%22%2C%22page_uri%22%3A%22http%3A%2F%2Flocalhost%3A65328%2Findex.html%22%7D&scope=openid%20https://dhzb2c.onmicrosoft.com/testb2capi
Request Method:GET

What I've Tried

I have tried looking for logs, like a permissions error log, that would tell specifics about the problem, but have found none.

Question

Perhaps there is another place I need to look for logs?

What else can I do?

Authentication error messages are designed to limit the information they provide, so there has to be some way to get greater specificity about the error. What do I not know?

David Avatar asked Jul 11 '17 00:07


2 Answers

First, this does not answer my original question, so I won't mark this as the answer. I'll let someone else give the real answer, perhaps the correlation id is significant? This answer, however, does solve my problem.


In Azure B2C, permissions are called "scopes".

This means that in order for authentication to succeed without the given permissions error, the following is needed:

(1) The back-end application has to publish a scope


(2) The front-end application has to subscribe to that scope


(3) The authorize request has to include the scope in the scope field.

Request URL:https://login.microsoftonline.com/tfp/dhzb2c.onmicrosoft.com/B2C_1_SiUpIn/oauth2/v2.0/authorize?client_id=2bb37577-246c-48a7-b047-2ce2a748dfda&response_type=token%20id_token&redirect_uri=http%3A%2F%2Flocalhost%3A65328%2Fredirect.html&state=%7B%22client_id%22%3A%222bb37577-246c-48a7-b047-2ce2a748dfda%22%2C%22network%22%3A%22adB2CSignInSignUp%22%2C%22display%22%3A%22page%22%2C%22callback%22%3A%22_hellojs_bb3gzjb8%22%2C%22state%22%3A%22%22%2C%22redirect_uri%22%3A%22http%3A%2F%2Flocalhost%3A65328%2Fredirect.html%22%2C%22scope%22%3A%22openid%2Chttps%3A%2F%2Fdhzb2c.onmicrosoft.com%2Ftestb2capi%2Fread%22%2C%22page_uri%22%3A%22http%3A%2F%2Flocalhost%3A65328%2F%22%7D&scope=openid%20https://dhzb2c.onmicrosoft.com/testb2capi/read
Request Method:GET

Note

I think that the name of the scope that you publish does not matter, the only thing that matters is that at least one scope is used.

David Avatar answered Nov 09 '22 05:11

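The three conditions above, as an added example in JavaScript that is not code from the question, from hello.js, or from the Azure samples: it builds the tfp-style authorize URL and, like inspecting the request in the browser's Network tab, checks whether the scope parameter names a published scope under the API's App ID URI or only the bare App ID URI, which is the difference between the failing and the working requests on this page. The tenant, client id and URIs are constructed placeholders; treating a bare App ID URI as insufficient is a generalisation of the note above, not something the page states explicitly.

```javascript
// Added example (not from the question or the hello.js sample). Builds the
// B2C authorize request in the "tfp" form shown above and checks that every
// non-OIDC scope is a published scope on the API's App ID URI, not the bare
// App ID URI. All tenant, client and URI values are constructed placeholders.
const OIDC_SCOPES = new Set(["openid", "profile", "email", "offline_access"]);

// Build https://login.microsoftonline.com/tfp/<tenant>/<policy>/oauth2/v2.0/authorize?...
// with the implicit-flow parameters hello.js sends (token + id_token).
function buildB2cAuthorizeUrl({ tenant, policy, clientId, redirectUri, scopes, state = "" }) {
  const params = new URLSearchParams({
    client_id: clientId,
    response_type: "token id_token",
    redirect_uri: redirectUri,
    state,
    scope: scopes.join(" "),
  });
  // URLSearchParams encodes spaces as "+"; use %20 to match what the browser shows.
  const query = params.toString().replace(/\+/g, "%20");
  return `https://login.microsoftonline.com/tfp/${tenant}/${policy}/oauth2/v2.0/authorize?${query}`;
}

// Inspect an authorize URL captured from the Network tab: split the scope
// parameter and classify each API scope as a published scope
// (https://tenant.onmicrosoft.com/api/read) or a bare App ID URI
// (https://tenant.onmicrosoft.com/api), which yields AADB2C90205 above.
function checkAuthorizeScopes(url, apiIdUri) {
  const scopeParam = new URL(url).searchParams.get("scope") || "";
  const scopes = scopeParam.split(/\s+/).filter(Boolean);
  const base = apiIdUri.replace(/\/+$/, "");
  const apiScopes = scopes.filter((s) => !OIDC_SCOPES.has(s));
  const publishedScopes = apiScopes.filter((s) => s.startsWith(base + "/") && s.length > base.length + 1);
  const bareAppIdUris = apiScopes.filter((s) => s.replace(/\/+$/, "") === base);
  return {
    scopes,
    publishedScopes,
    bareAppIdUris,
    // ok only when at least one published scope is requested and no bare URI is.
    ok: publishedScopes.length > 0 && bareAppIdUris.length === 0,
  };
}
```

Paste the authorize URL from the browser's Network tab into checkAuthorizeScopes together with the API's App ID URI; an empty publishedScopes array or a non-empty bareAppIdUris array points at condition (1) or (3) above.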

We had a similar issue with our API authentications. We added a B2C application, published the scope (user_impersonation) and added the API access on itself. Later on, we decided to add a custom domain to our Azure AD and make that the primary domain. All applications we added after that received the same error (AADB2C90205) upon authorisation. We were able to "debug" what was happening by using the developer tools of the browser (Chrome or Firefox) and watching the "Network" tab while loading the list of applications. One difference we noticed there was the array of "identifierUris". The one which was working had the default https://somestring.onmicrosoft.com/ApiName/ URL, while all other applications that did not work had our custom URI. Our solution was to make the default .onmicrosoft.com/ URI the primary again and just add our custom domain.

So in answer to your question: you could use the network traffic logger of your browser to analyse what goes wrong during authentication. I hope the information in this answer might help others receiving the same error in tracking down solutions of their own.

froeschli Avatar answered Nov 09 '22 06:11