BlazorBFF works w/Azure AD B2C, but get error when add SignUpSignInPolicyId about microsoftentraidauthmicrosoftidentityweb HOT 9 CLOSED

Thanks Damien,

We now have your BFF cookie based approach using Microsoft.Web.Identity working nicely in an AD B2C environment. It uses CC to access MS Graph versus OBO.

I do have another question. I noticed your code utilizes the ConfigureWait(false) syntax. One of my associates, believes this is not needed within ASP.Net Core. Can you explain your reasoning for it and also why it is no longer in the template code you just recently created at https://github.com/damienbod/Blazor.BFF.AzureAD.Template on Nov 29th?

Thanks again for you excellent posts.

from microsoftentraidauthmicrosoftidentityweb.

Ok, upon further investigation, I see that OBO is not directly supported but can be used as long as client credential is used for downstream API like MS Graph

from microsoftentraidauthmicrosoftidentityweb.

Understood, thx

from microsoftentraidauthmicrosoftidentityweb.

Hi Bob

Thanks! Azure B2C does not support the OBO flow. To access downstream APIs in Azure B2C, you need to use the CC flow. This configuration uses the OBO, so you would have to remove the downstream APIs and replace this with a CC client.

pinging @cmatskas just the verify this

Greetings Damien

from microsoftentraidauthmicrosoftidentityweb.

Hi again Damien,

Just to confirm as I'm not a strong oauth or openid connect dev. By CC I assume you mean Client Credentials and by OBO you mean On Behalf Of.

I believe I have this working as the Direct and Graph API seems to be working with ADB2C plus I created a custom user flow with claimsexchange via az function to pass approle user assignments into the auth pipeline so blazor client and server knows about RBAC based roles and Authorize attributes work as desired

Thanks again for the help.

from microsoftentraidauthmicrosoftidentityweb.

Also it seems OBO is now supported for ADB2C based on https://docs.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-developer-notes#oauth-20-application-authorization-flows

from microsoftentraidauthmicrosoftidentityweb.

I add extra claims like in this example

https://damienbod.com/2021/09/06/using-azure-security-groups-in-asp-net-core-with-an-azure-b2c-identity-provider/

public class GraphApiClaimsTransformation : IClaimsTransformation

Greetings Damien

from microsoftentraidauthmicrosoftidentityweb.

Hi @vsdotnetguy thanks

yes ConfigureWait(false) is not needed within an ASP.Net Core context and should be removed. Will fix this.

Greetings Damien

from microsoftentraidauthmicrosoftidentityweb.

Created a Blazor template for this

https://github.com/damienbod/Blazor.BFF.AzureB2C.Template

maybe you could review, test, improve?

Greetings Damien

from microsoftentraidauthmicrosoftidentityweb.