Question

solidstore-7495 asked:

How to get multiple access tokens for several web api from one web application - AzureAD B2C

We have a web application which needs authenticated access to several Web APIs. We are using Azure AD B2C for authentication.

We receive an access token, ID token, and refresh token for our first web API during login, but we are unable to get a second access token for another web API.

The web application has been granted permission to both web APIs in the B2C portal.

The second /token call doesn't fail, but the access token is missing and the scopes are wrong.

Should this be possible?

azure-ad-b2c

What client library are you using to authenticate with Azure?


I'm using MSAL.NET. But the actual response from the B2C /token endpoint does not contain the access token (see the screenshot below). Today I tried the same thing with a standard Azure AD directory and it worked, so the problem is with a B2C AD instance.

1 Answer

SaurabhSharma-msft answered:

You cannot use the same authorization code more than once to get the access token for multiple APIs. I suggest you register your web APIs as a single application registration with a single redirect URL; access to those web APIs can then be managed using the scopes. You can refer to Tutorial: Grant access to an ASP.NET web API using Azure Active Directory B2C to understand how to configure the API scopes and grant access for them.


We aren't using the authorization code more than once. The authorization code is used during the initial login and receives an access token, ID token and refresh token. The MSAL library sends the refresh token later on the second /token call for the second resource/API, and it should return a new access token for that second API, but it does not, nor does it error either.

I understand I could model all our APIs with a single registration and use scopes to manage access, but we also want to add more applications in the future and use a subset of the APIs in different combinations.

An old article describes the situation: https://www.cloudidentity.com/blog/2013/10/14/adal-windows-azure-ad-and-multi-resource-refresh-tokens/

Can we get access tokens for several APIs from a single web application? This is an important question that is blocking our decision to use B2C in our platform's future.

Here is a screenshot from Fiddler of the /token call with grant_type = refresh_token that isn't returning the expected access token (attachment: 2624-azure-b2c-refreshgrant.png).
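The refresh-token exchange discussed in this thread, as an added example that is not part of the question or answer: it builds the grant_type=refresh_token request MSAL sends to the B2C /token endpoint for a second API's scopes and checks the JSON reply for exactly the symptom reported above (HTTP 200, but no access_token and the wrong scopes). The tenant, user-flow, client and scope values are constructed placeholders.

```python
import json
from urllib.parse import urlencode

# Constructed placeholders, not values from the thread.
TENANT = "contoso"
POLICY = "B2C_1_signupsignin"  # B2C user flow (policy) name
TOKEN_ENDPOINT = (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/"
                  f"{POLICY}/oauth2/v2.0/token")
API1_READ = f"https://{TENANT}.onmicrosoft.com/api1/read"
API2_READ = f"https://{TENANT}.onmicrosoft.com/api2/read"
# OIDC scopes are not echoed in the token response's "scope" field.
OIDC_SCOPES = {"openid", "offline_access", "profile", "email"}


def refresh_grant_body(client_id, client_secret, refresh_token, scopes):
    """Form body of the second /token call: redeem the refresh token from the
    first login for the scopes of another API (what MSAL does under the hood)."""
    return urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "scope": " ".join(scopes),
    })


def check_token_response(body_json, requested_scopes):
    """Return a list of problems with a /token response; an empty list means an
    access token was issued for every requested API scope."""
    resp = json.loads(body_json)
    problems = []
    if "error" in resp:
        problems.append(f"error: {resp['error']}")
    if not resp.get("access_token"):
        problems.append("access_token missing")
    granted = set(resp.get("scope", "").split())
    wanted = [s for s in requested_scopes if s not in OIDC_SCOPES]
    missing = [s for s in wanted if s not in granted]
    if missing:
        problems.append("scopes not granted: " + " ".join(missing))
    return problems


# Constructed sample replies: a healthy one, and one matching the symptom
# in the thread (no access_token, scope still that of the first API).
GOOD_RESPONSE = json.dumps({"token_type": "Bearer", "expires_in": 3600,
                            "access_token": "eyJ...api2", "refresh_token": "rt2",
                            "scope": API2_READ})
BAD_RESPONSE = json.dumps({"token_type": "Bearer", "expires_in": 3600,
                           "id_token": "eyJ...id", "refresh_token": "rt2",
                           "scope": API1_READ})
```

Run `check_token_response` against the body captured in Fiddler to see which of the two conditions the failing call exhibits.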