Question

0 Votes
kobulloc-MSFT asked

[MSDN Redirect] AAD B2C Web App Authentication

Hey all,

Newbie programmer here. Helping a client of mine set up AAD B2C to authenticate an ASP.NET Web App (C#) hosted inside App Service. It's a pretty static site that doesn't have to make any Web API calls, so I figure

His goal is to have his users authenticate with an OTP. I followed the official documentation to register the app, set up the SUSI, SSPR, and Profile Editing user flows, and uploaded custom policies from the Custom Policies Starter Pack. And to get started on the web app, I used snippets from https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi.git. Since the App doesn't need to make any calls to a Web API, I basically commented out anything that referenced the API app (like TaskServiceURL).

Initially in the B2C tenant, I put the redirect URI as https://azureb2capp-test.azurewebsites.net/. This led directly to the website without prompting for authentication. Below is a snippet of the initial web.config:

 <add key="ida:Tenant" value="DistCompliance.onmicrosoft.com"/>
 <add key="ida:TenantId" value="113b6b7c-44c1-41e4-96f5-70773a102689"/>
 <add key="ida:ClientId" value="e04ee585-e9c1-4bcd-881e-a9619e3bf83e"/>
 <add key="ida:ClientSecret" value="redacted"/>
 <add key="ida:AadInstance" value="https://DistCompliance.b2clogin.com/tfp/{0}/{1}"/>
 <add key="ida:SignUpSignInPolicyId" value="B2C_1A_SignUpOrSignInWithPhoneOrEmail"/>
 <add key="ida:EditProfilePolicyId" value="B2C_1A_ProfileEditPhoneEmail"/>
 <add key="ida:ResetPasswordPolicyId" value="B2C_1A_PasswordResetEmail"/>
 <add key="ida:RedirectUri" value="https://azureb2capp-test.azurewebsites.net/"/>
 <!-- no Web API is called, so the sample's TaskServiceUrl key is commented out -->
 <!-- <add key="api:TaskServiceUrl" value="https://azureb2capp-test.azurewebsites.net/"/> -->
 

I then changed the Redirect URI in web.config to "https://distcompliance.b2clogin.com/DistCompliance.onmicrosoft.com/oauth2/authresp"; and matched it in the B2C tenant:

 <add key="ida:Tenant" value="DistCompliance.onmicrosoft.com"/>
 <add key="ida:TenantId" value="113b6b7c-44c1-41e4-96f5-70773a102689"/>
 <add key="ida:ClientId" value="e04ee585-e9c1-4bcd-881e-a9619e3bf83e"/>
 <add key="ida:ClientSecret" value="redacted"/>
 <add key="ida:AadInstance" value="https://DistCompliance.b2clogin.com/tfp/{0}/{1}"/>
 <add key="ida:SignUpSignInPolicyId" value="B2C_1A_SignUpOrSignInWithPhoneOrEmail"/>
 <add key="ida:EditProfilePolicyId" value="B2C_1A_ProfileEditPhoneEmail"/>
 <add key="ida:ResetPasswordPolicyId" value="B2C_1A_PasswordResetEmail"/>
 <add key="ida:RedirectUri" value="https://distcompliance.b2clogin.com/DistCompliance.onmicrosoft.com/oauth2/authresp"/>
 <!-- no Web API is called, so the sample's TaskServiceUrl key is commented out -->
 <!-- <add key="api:TaskServiceUrl" value="https://azureb2capp-test.azurewebsites.net/"/> -->

This directed me to a login page, but after authentication, I get a 404. Am I doing something wrong or out of order? And how can I figure out if it's something that went wrong with my B2C setup, or if it's a problem with the application logic itself?

[Source]: https://social.msdn.microsoft.com/Forums/en-US/4bae71df-f338-4e6f-9d57-79995723f6ac/aad-b2c-web-app-authentication?forum=azureappconfiguration

azure-ad-b2c

1 Answer

1 Vote
amanpreetsingh-msft answered

@kobulloc-MSFT

The URL has to be the application URL, which is https://azureb2capp-test.azurewebsites.net/ in your case. The URL https://distcompliance.b2clogin.com/DistCompliance.onmicrosoft.com/oauth2/authresp is used by external IdPs such as Facebook, Google, another Azure AD tenant etc. to redirect back to Azure AD B2C once the authentication is performed by those IdPs.

I tried accessing https://azureb2capp-test.azurewebsites.net/ from my computer and I got redirected to the B2C authentication page. Maybe in your case it is performing SSO using cookies. Please try accessing this URL in a browser in InPrivate/incognito mode.


Please "Accept as answer" wherever the information provided helps you to help others in the community.


Your answer makes sense to me, but unfortunately I'm still running into issues. Under my current config I'm getting a 404 after authenticating, even when I do it on different machines. When I changed it back to the .azurewebsites.net, it completely bypassed the authentication altogether.

Should I be looking at startup.cs instead of web.config?

0 Votes

@SamHai-8098 With your current configuration, a 404 is expected, as https://distcompliance.b2clogin.com/DistCompliance.onmicrosoft.com/oauth2/authresp is not a landing page. You can refer to the sample here and compare your code.

1 Vote
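The Startup wiring the answer and the last comment point at, as an added example that is not part of the original thread and not the code of the Azure sample the asker used: an OWIN Startup.Auth.cs that reads the ida:* keys from the web.config shown above and registers one OpenID Connect middleware per B2C policy, with the reply URL kept at the web app's own address. The namespace B2CWebApp, the /Account/ResetPassword and /Home/Error routes, and the CheckedRedirectUri guard are assumptions made for this illustration; the configuration keys are the ones from the asker's web.config, and the project needs references to System.Configuration, Microsoft.Owin.Security.Cookies and Microsoft.Owin.Security.OpenIdConnect.

```csharp
using System;
using System.Configuration;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(B2CWebApp.Startup))]

namespace B2CWebApp // assumed namespace for this example
{
    public partial class Startup
    {
        // Read from <appSettings> in web.config (same keys as the asker's config).
        private static readonly string Tenant = ConfigurationManager.AppSettings["ida:Tenant"];
        private static readonly string ClientId = ConfigurationManager.AppSettings["ida:ClientId"];
        private static readonly string AadInstance = ConfigurationManager.AppSettings["ida:AadInstance"];
        private static readonly string RedirectUri = CheckedRedirectUri(ConfigurationManager.AppSettings["ida:RedirectUri"]);

        public static readonly string SignUpSignInPolicyId = ConfigurationManager.AppSettings["ida:SignUpSignInPolicyId"];
        public static readonly string EditProfilePolicyId = ConfigurationManager.AppSettings["ida:EditProfilePolicyId"];
        public static readonly string ResetPasswordPolicyId = ConfigurationManager.AppSettings["ida:ResetPasswordPolicyId"];

        public void Configuration(IAppBuilder app)
        {
            // The session cookie is what the OIDC middleware signs the user in to.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            // One OIDC middleware per policy. AuthenticationType is the policy id, so a
            // controller selects the flow by challenging that authentication type.
            app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(SignUpSignInPolicyId));
            app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(EditProfilePolicyId));
            app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(ResetPasswordPolicyId));
        }

        private static OpenIdConnectAuthenticationOptions CreateOptionsFromPolicy(string policy)
        {
            return new OpenIdConnectAuthenticationOptions
            {
                // ida:AadInstance = https://DistCompliance.b2clogin.com/tfp/{0}/{1}, so this yields
                // https://DistCompliance.b2clogin.com/tfp/DistCompliance.onmicrosoft.com/<policy>/v2.0/.well-known/openid-configuration
                MetadataAddress = string.Format(AadInstance, Tenant, policy) + "/v2.0/.well-known/openid-configuration",
                AuthenticationType = policy,
                ClientId = ClientId,
                // Where B2C POSTs the id_token back to: this app, never the b2clogin.com /oauth2/authresp endpoint.
                RedirectUri = RedirectUri,
                PostLogoutRedirectUri = RedirectUri,
                // No Web API is called, so an id_token alone is enough; no authorization code or access token.
                ResponseType = OpenIdConnectResponseType.IdToken,
                Scope = OpenIdConnectScope.OpenId,
                // Issuer, audience and lifetime validation stay at the middleware defaults (on);
                // only the claim used as the display name is changed.
                TokenValidationParameters = new TokenValidationParameters { NameClaimType = "name" },
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    AuthenticationFailed = OnAuthenticationFailed
                }
            };
        }

        // Guard against the misconfiguration in the thread: a reply URL on the identity
        // provider's own host. Assumed helper for this example, not from the sample.
        private static string CheckedRedirectUri(string uri)
        {
            var host = new Uri(uri).Host;
            if (host.EndsWith(".b2clogin.com", StringComparison.OrdinalIgnoreCase) ||
                host.Equals("login.microsoftonline.com", StringComparison.OrdinalIgnoreCase))
            {
                throw new ConfigurationErrorsException(
                    "ida:RedirectUri must be this web app's URL, not an Azure AD B2C endpoint: " + uri);
            }
            return uri;
        }

        private static Task OnAuthenticationFailed(
            AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n)
        {
            n.HandleResponse();
            // B2C returns error AADB2C90118 when the user clicks "Forgot your password?" on the
            // sign-in page; the app then starts the password-reset policy (assumed route).
            if (n.ProtocolMessage.ErrorDescription != null && n.ProtocolMessage.ErrorDescription.Contains("AADB2C90118"))
            {
                n.Response.Redirect("/Account/ResetPassword");
            }
            else
            {
                n.Response.Redirect("/Home/Error?message=" + Uri.EscapeDataString(n.Exception.Message));
            }
            return Task.FromResult(0);
        }
    }
}
```

Two points worth checking against this wiring when comparing your own code: the middleware only redirects to B2C when something issues a challenge (an [Authorize] attribute on a controller or action, or HttpContext.GetOwinContext().Authentication.Challenge(...) with the policy id as the authentication type), and an existing session cookie satisfies that challenge without ever showing the B2C page, which is why a plain GET of the site can appear to bypass sign-in; and because response_mode is form_post by default, B2C POSTs the id_token to ida:RedirectUri, so pointing that key at b2clogin.com sends the token to the identity provider's own host, where nothing serves it.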