AzureADB2C keep getting 403 #52
Replies: 6 comments 9 replies
-
The message "Authorization failed. These requirements were not met:" isn't an AuthP message and it sounds like ASP.NET Core is saying that the authorization isn't set up properly (that's a guess, but looks that way). It could be something about the Azure AD B2C setup in Azure, as I didn't describe that, so worth looking at that. The AzureAD example (Example5) is runnable so you can try that, but it uses cookies, not JWT. I recently updated (2 weeks ago) Example5 with version 3.3.0 but this doesn't change the approach so I'm not saying it will fix anything for you. But you might like to look at what I call an AddNewUserManager for AzureAD (https://github.com/JonPSmith/AuthPermissions.AspNetCore/blob/main/AuthPermissions.SupportCode/AddUsersServices/Authentication/AzureAdNewUserManager.cs) - read this article (https://www.thereformedprogrammer.net/three-ways-to-securely-add-new-users-to-an-application-using-the-authp-library/) on why I did this. Sorry I haven't an answer, but knowing it's not something about the Permissions Enum helps. All the best.
-
Yes, this is helpful. Thank you!
-
Ok, so I’ve gotten a bit further.
I have confirmed that this is indeed related somehow to AuthP
If I disable all of the AuthP config and remove the HasPermission attribute from my Endpoint, I can successfully make the request.
I can add the asp.net Authorize attribute so I’m certain my B2C token is correct and is being validated (I get 401s if I exclude the token)
It’s only when I have the HasPermission attr protecting a controller that I get the 403 response.
I have checked the DB and my user is setup with the correct role and RoleToPermission.
Is there any way I can enable some better logging or debugging?
-
Some additional info: Through debugging I was able to determine that this
For reference, here is how I am configuring my authentication:
This extension method is from the
I've updated my code above to use
But the problem still persists. The AuthP OnTokenValidated event is never called and thus I assume the appropriate AuthP related claims never get added to the Principal, which ultimately leads to my 403
-
Yes, as I showed above I have a valid bearer token from Azure AD and it’s validated properly in my web api.
The part that does not work is the logic within the `AzureAdAuthentication` OnTokenValidated event. It never even gets called so the AuthP claims never get added.
I also have a valid user synced to my AuthP db table for the purpose of my testing.
On Jul 3, 2022 at 3:56 AM, Jon P Smith wrote:
I found a Microsoft article (https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-configuration) which shows how to use Azure AD with an ASP.NET Core Web API application. This explains what you need to do to turn the claims from Azure AD into a Bearer Token. I suggest you get that working first.
If you then want to use the AuthP library then when you select AzureAdAuthentication the event code will add the AuthP claims for the logging-in user. You also need to create an AuthP user that is linked to an Azure AD user. There are various ways to do this - the simplest is the sync users approach (https://github.com/JonPSmith/AuthPermissions.AspNetCore/wiki/AuthUser-admin-service#synchronizing-the-authusers), but I cover the pros/cons of the possible approaches in this article (https://www.thereformedprogrammer.net/three-ways-to-securely-add-new-users-to-an-application-using-the-authp-library/).
-
Thanks. I did figure this out yesterday. I’ll follow up with my solution in case it’s of interest to anyone.
On Jul 4, 2022 at 10:40 AM, Jon P Smith wrote:
It's clear that Azure AD with Bearer Token works a different way. You will need to build some code to alter data sent to the Bearer Token as there isn't an adapter in AuthP for this situation.
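An added example of the adapter Jon describes above; this is not code from the AuthP project or from anyone in this thread. It registers the JwtBearer handler for Azure AD B2C and adds the AuthP claims itself in JwtBearerEvents.OnTokenValidated, since, as the replies say, the AzureAdAuthentication path shown in Example5 is the cookie sign-in and there is no bearer-token adapter. This is also why the thread sees 401 without a token (authentication failed) but 403 with one: the token validates, but the principal carries no AuthP permission claim, so the PermissionRequirement behind [HasPermission] is unmet. Assumptions: .NET 6 minimal hosting, AuthP 3.x (IClaimsCalculator and GetClaimsForAuthUserAsync are the library's own, but the namespace and the List<Claim> return type are my reading of 3.x), the configuration keys under "AzureAdB2C", the enum name MyPermissions and the connection-string name "AuthPDb" are mine, and the AuthUser's UserId equals the token's oid claim, as the thread states.

```csharp
// Added example (not AuthP project code): validate B2C bearer tokens with the
// JwtBearer handler and add the AuthP claims in OnTokenValidated ourselves.
using System.Security.Claims;
using AuthPermissions;                              // RegisterAuthPermissions, UsingEfCoreSqlServer
using AuthPermissions.AspNetCore;                   // SetupAspNetCoreAndDatabase
using AuthPermissions.BaseCode.PermissionsCode;     // IClaimsCalculator (namespace assumed for AuthP 3.x)
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);

// Assumed appsettings keys (the same names Microsoft.Identity.Web uses for B2C):
// "AzureAdB2C": { "Instance": "https://contoso.b2clogin.com", "Domain": "contoso.onmicrosoft.com",
//                 "ClientId": "<api app registration id>", "SignUpSignInPolicyId": "B2C_1_signupsignin" }
var b2c = builder.Configuration.GetSection("AzureAdB2C");

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // B2C issues tokens per user flow, so the issuer/metadata URL includes the policy name.
        options.Authority = $"{b2c["Instance"]}/{b2c["Domain"]}/{b2c["SignUpSignInPolicyId"]}/v2.0";
        options.Audience = b2c["ClientId"];
        options.Events = new JwtBearerEvents
        {
            OnTokenValidated = async ctx =>
            {
                var services = ctx.HttpContext.RequestServices;
                var log = services.GetRequiredService<ILoggerFactory>().CreateLogger("AuthPBearer");

                // B2C's object id is the "oid" claim; the default inbound claim-type mapping may
                // have renamed it to the long objectidentifier URI, so look for both.
                var userId = ctx.Principal?.FindFirst("oid")?.Value
                          ?? ctx.Principal?.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
                if (string.IsNullOrEmpty(userId))
                {
                    ctx.Fail("bearer token carries no oid claim");   // surfaces as 401, not 403
                    return;
                }

                // AuthP's claims calculator reads the AuthUser, its roles and the RoleToPermissions
                // rows and returns the packed "Permissions" claim (plus tenant claims if multi-tenant).
                // An empty list means there is no AuthUser whose UserId equals this oid.
                var calculator = services.GetRequiredService<IClaimsCalculator>();
                var authPClaims = await calculator.GetClaimsForAuthUserAsync(userId);
                if (authPClaims.Count == 0)
                {
                    log.LogWarning("No AuthP claims for oid {UserId}: every [HasPermission] will return 403", userId);
                    return;
                }

                // Keep the B2C identity as-is and attach the AuthP claims as a second identity;
                // ClaimsPrincipal.Claims spans all identities, so HasPermission finds them.
                ctx.Principal!.AddIdentity(new ClaimsIdentity(authPClaims));
                log.LogDebug("Added {Count} AuthP claims for oid {UserId}", authPClaims.Count, userId);
            },
            OnForbidden = ctx =>
            {
                // Only reached for an authenticated caller whose policy failed (the thread's 403 case):
                // log the claim types actually on the principal so a missing "Permissions" claim is visible.
                var claimTypes = string.Join(",", ctx.HttpContext.User.Claims.Select(c => c.Type));
                ctx.HttpContext.RequestServices.GetRequiredService<ILoggerFactory>()
                    .CreateLogger("AuthPBearer")
                    .LogWarning("403 for {Path}; principal claim types: {Types}", ctx.HttpContext.Request.Path, claimTypes);
                return Task.CompletedTask;
            }
        };
    });

// AuthP registration without the AzureAdAuthentication() option: that option wires the
// cookie/OpenID Connect sign-in (Example5), which a bearer-token API never goes through.
builder.Services.RegisterAuthPermissions<MyPermissions>()                          // MyPermissions: your permissions enum (assumed name)
    .UsingEfCoreSqlServer(builder.Configuration.GetConnectionString("AuthPDb"))   // assumed connection-string name
    .SetupAspNetCoreAndDatabase();

builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();   // must run before UseAuthorization, or every [HasPermission] is a 403
app.UseAuthorization();
app.MapControllers();
app.Run();
```

With the "AuthPBearer" logger at Debug, a request that still returns 403 shows either the warning that no AuthP claims exist for the oid (the user is not in the AuthUsers table, or has no role with permissions) or the OnForbidden line listing the claim types, which tells you whether the packed permission claim reached the principal at all.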
-
I've got an app set up using Azure AD B2C. I followed the sample and video for guidance.
I am able to log in, get a valid JWT, but when I try to call one of my API endpoints I get the following:
Authorization failed. These requirements were not met:
2022-06-29T01:08:32.405563799Z AuthPermissions.AspNetCore.PolicyCode.PermissionRequirement
2022-06-29T01:08:32.405568549Z AuthPermissions.AspNetCore.PolicyCode.PermissionRequirement
2022-06-29T01:08:32.406011924Z [01:08:32 INF] AuthenticationScheme: Bearer was forbidden.
I'm having trouble determining if this is an issue with my Permissions Enum setup, my internal user setup, or something to do with the JWT coming from B2C
If I inspect the JWT I do see the correct `oid` claim. I have seeded a user on the AuthP side in my asp.net core app with the correct userId.
I have given this user a "SuperAdmin" role which correctly is mapped to have a single "SuperAdmin" permission from enum.
Any ideas?