I also have an Azure AD tenant (Tenant 1) with an application registered that is providing authentication for a Web API in the same tenant.
I have a web application that I want to support user signup/signin and registration via Azure B2C (Tenant 2) that needs to call the Web API in Tenant 1.
I have both of these applications set up as multi-tenant. I cannot seem to figure out how to configure my applications and successfully make the call to the API.
Web App Settings:
"AzureAd": {
    "Instance": "https://myb2cInstance.b2clogin.com",
    "Domain": "myb2cInstance.onmicrosoft.com",
    "ClientId": "<Client ID of Web App in Tenant 2>",
    "ClientSecret": "<Client Secret of Web App in Tenant 2>",
    "SignedOutCallbackPath": "/signout/B2C_1_susi",
    "SignUpSignInPolicyId": "b2c_1_susi",
    "ResetPasswordPolicyId": "b2c_1_reset",
    "EditProfilePolicyId": "b2c_1_edit_profile",
    "CallbackPath": "/signin-oidc"
},
"TodoList": {
    "TodoListAppId": "<Application ID of Web API in Tenant 1>",
    "TodoListScope": "api://MyAPI/.default",
    "TodoListBaseAddress": "https://localhost:44351",
    "AdminConsentRedirectApi": "https://localhost:44351/api/Home"
}
Startup Config of Web App:
services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
.EnableTokenAcquisitionToCallDownstreamApi(new string[] { Configuration["TodoList:TodoListScope"] })
.AddInMemoryTokenCaches();
API App Settings:
"AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "<Domain of Tenant 1>",
    "TenantId": "common",
    "ClientId": "<Client ID of Tenant 1>"
}
Startup Config of API:
services.AddMicrosoftIdentityWebApiAuthentication(Configuration);
Trying to sign in, I get this error: "Message contains error: 'invalid_request', error_description: 'AADB2C90117: The scope 'api://ApiTestApp/.default' provided in the request is not supported."
If I remove the EnableTokenAcquisitionToCallDownstreamApi, I can successfully sign in.
I have not found a way to add the API app in Tenant 1 as a permission to the web app in Tenant 2.
Is there anything I am missing? Is this even possible?
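As an added illustration (not the asker's code, and not a fix for the AADB2C90117 error above), here is the rest of the Microsoft.Identity.Web wiring that the two Startup snippets leave out: a web-app controller that acquires a token for the configured scope and calls the API, and the matching API controller that checks the delegated scope before returning data. It reads the same "AzureAd" and "TodoList" sections as in the question; the route /api/todolist, the scope name access_as_user, the controller names and the services.AddHttpClient() registration are assumptions.

```csharp
// Added example, not the asker's code. Two controllers from two projects:
// TodoListClientController lives in the web app (Tenant 2 / B2C), TodoListController
// in the Web API (Tenant 1). Both assume the Startup wiring shown in the question,
// plus services.AddHttpClient() in the web app.
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;

// ---- Web app (calls the API on behalf of the signed-in user) ----
[Authorize]
public class TodoListClientController : Controller
{
    private readonly ITokenAcquisition _tokenAcquisition;
    private readonly IHttpClientFactory _httpClientFactory;
    private readonly string _scope;        // "TodoList:TodoListScope"
    private readonly string _baseAddress;  // "TodoList:TodoListBaseAddress"

    public TodoListClientController(ITokenAcquisition tokenAcquisition,
                                    IHttpClientFactory httpClientFactory,
                                    IConfiguration configuration)
    {
        _tokenAcquisition = tokenAcquisition;
        _httpClientFactory = httpClientFactory;
        _scope = configuration["TodoList:TodoListScope"];
        _baseAddress = configuration["TodoList:TodoListBaseAddress"];
    }

    // If the cached token does not cover this scope, the attribute triggers an
    // incremental-consent round trip to the identity provider instead of a 500.
    [AuthorizeForScopes(ScopeKeySection = "TodoList:TodoListScope")]
    public async Task<IActionResult> Index()
    {
        // Request a token for exactly the configured scope; never log or render it.
        string accessToken =
            await _tokenAcquisition.GetAccessTokenForUserAsync(new[] { _scope });

        HttpClient client = _httpClientFactory.CreateClient();
        var request = new HttpRequestMessage(HttpMethod.Get, $"{_baseAddress}/api/todolist"); // route assumed
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        HttpResponseMessage response = await client.SendAsync(request);
        if (!response.IsSuccessStatusCode)
        {
            // Surface only the status code; do not echo the token or the API's challenge header.
            return StatusCode((int)response.StatusCode);
        }
        return Content(await response.Content.ReadAsStringAsync(), "application/json");
    }
}

// ---- Web API (validates the bearer token, then checks the delegated scope) ----
[Authorize]
[ApiController]
[Route("api/[controller]")]
public class TodoListController : ControllerBase
{
    // Assumed scope name; it must match the scope exposed on the API's app registration.
    private const string ScopeRequiredByApi = "access_as_user";

    [HttpGet]
    public IActionResult Get()
    {
        // A valid token for this API that lacks the expected "scp" value is rejected with 403,
        // so a token issued for some other resource or with no delegated scope cannot read data.
        HttpContext.VerifyUserHasAnyAcceptedScope(ScopeRequiredByApi);
        return Ok(new[] { "constructed sample item" });
    }
}
```

The scope check on the API side is the part most often left out: [Authorize] alone only proves the token was issued to this API, while VerifyUserHasAnyAcceptedScope ties the call to the specific permission the user consented to.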