A combined sample for a .NET web application that calls a .NET web API, both secured using Azure AD B2C
page_type: sample description: "The sample covers calling an OpenID Connect identity provider (Azure AD B2C) and acquiring a token from Azure AD B2C using MSAL." languages: - csharp products: - dotnet - azure
This sample contains a solution file that contains two projects:
TaskWebAppis a "To-do" ASP.NET MVC web application where the users enters or updates their to-do items. These CRUD operations are performed by a backend web API. The web app displays the information returned from the ASP.NET Web API.
TaskServiceis the backend ASP.NET API that manages and stores each user's to-do list.
The sample covers the following:
After cloning this repo, configure the sample to use your own Azure AD B2C tenant. In this section, you'll learn how to configure the ASP.NET Web Application and the ASP.NET Web API to work with your own Azure AD B2C Tenant.
First, you'll need an Azure AD B2C tenant. If you don't have an existing Azure AD B2C tenant that you can use for testing purposes, you can create your own by following these instructions.
This sample uses three types of policies: a unified sign-up/sign-in policy, a profile editing policy, and a password reset policy. Create one policy of each type by following the built-in policy instructions. You may choose to include as many or as few identity providers as you wish.
If you already have existing policies in your Azure AD B2C tenant, feel free to re-use those policies in this sample.
Make sure that all the three policies return User's Object ID and Display Name on Application Claims. To do that, on Azure Portal, go to your B2C Directory then click User flows (policies) on the left menu and select your policy. Then click on Application claims and make sure that User's Object ID and Display Name is checked.
Follow the instructions at register a Web API with Azure AD B2C to register the ASP.NET Web API sample with your tenant. Registering your Web API allows you to define the scopes that your ASP.NET Web Application will request access tokens for.
Provide the following values for the ASP.NET Web API registration:
My Test ASP.NET Web API. You will identify this application by its Name whenever working in the Azure portal.
https://localhost:44332/. This is the port number that this ASP.NET Web API sample is configured to run on.
demoapi. This AppID URI is a unique identifier representing this particular ASP.NET Web API. The AppID URI is used to construct the scopes that are configured in your ASP.NET Web Application. For example, in this ASP.NET Web API sample, the scope will have the value
My Test ASP.NET Web APIapplication and then open the Published Scopes window (in the left nav menu). Add the following 2 scopes:
readfollowed by a description
demoing a read scenario.
writefollowed by a description
demoing a write scenario.
Follow the instructions at register a Web Application with Azure AD B2C
Your web application registration should include the following information:
My Test ASP.NET Web Application. You can identify this application by its Name within the Azure portal.
https://localhost:44316/This is the port number that this ASP.NET Web Application sample is configured to run on.
My Test ASP.NET Web API. Select the scope(s) you defined previously, for example,
writeand select Add permissions.
In this section, you will change the code in both projects to use your tenant.
:warning: Since both projects have a
Web.configfile, pay close attention which
Web.configfile you are modifying.
Web.configfile for the
ida:Tenantand replace the value with your
ida:AadInstanceand replace the value with your
ida:TenantIdand replace the value with your Directory ID. You can get it by navigating to the registration information of one of your apps and copying the value of the Directory (tenant) ID property.
ida:ClientIdand replace the value with the Application ID from your web application
My Test ASP.NET Web Applicationregistration in the Azure portal.
ida:ClientSecretand replace the value with the Client secret from your web application in the Azure portal.
ida:SignUpSignInPolicyIdand replace the values with the corresponding policy names you created, e.g.
api:ApiIdentifierkey value to the App ID URI of the API you specified in the Web API registration. This App ID URI tells B2C which API your Web Application wants permissions to.