Entra ID - OIDC BFF pattern - does not work

Robert Desbiens 40 Reputation points
2024-05-28T19:05:49.29+00:00

Hi,

I have a blazor hybrid app with both webassembly and server.

Currently I'm using the oidc flow with b2c (https://video2.skills-academy.com/en-us/aspnet/core/blazor/security/blazor-web-app-with-oidc?view=aspnetcore-8.0&pivots=with-bff-pattern) and it is working fine. I've spent a few days trying to migrate it to Entra External ID but for some reason, I'm having a few issues.

I'm getting the following error when I add the scope of the backend API (it is working fine without the scope):
OpenIdConnectProtocolException: Message contains error: 'invalid_request', error_description: 'AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.'

I have a valid Client secret configured within my application, I'm not sure what this signing key refers to.


Accepted answer
  1. Marilee Turscak-MSFT 36,141 Reputation points Microsoft Employee
    2024-05-28T22:00:38.1033333+00:00

    Hi @Robert Desbiens ,

    This error typically occurs due to issues with the claims mapping or expired policies. When users modify the token contents through claims-mapping policies, the application must know that tokens have been modified by the users rather than an attacker, so acceptMappedClaims needs to be set to "true" in the application manifest. If the signInAudience is AzureADandPersonalMicrosoftAccount, the value of accessTokenAcceptedVersion must be 2 and acceptMappedClaims should be "true" for single-tenant apps.

    ```json
    "acceptMappedClaims": true,
    "accessTokenAcceptedVersion": 2,
    ```

    This is documented here: https://video2.skills-academy.com/en-us/entra/identity-platform/reference-app-manifest#accesstokenacceptedversion-attribute

    Also, make sure that you can authorize the JWT token (AddAuthentication().AddJwtBearer in ConfigureServices).

    https://video2.skills-academy.com/en-us/dotnet/api/microsoft.aspnetcore.builder.jwtbearerappbuilderextensions.usejwtbearerauthentication?view=aspnetcore-2.2

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.


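To make the answer's second point concrete, here is an added example (not code from the question, the answer, or Microsoft's documentation) of how the backend API behind a Blazor BFF could validate the access tokens it receives once the API registration uses `accessTokenAcceptedVersion: 2`. It assumes a .NET 8 minimal API with implicit usings and the `Microsoft.AspNetCore.Authentication.JwtBearer` package; the tenant id, client id, subdomain and scope name are placeholders.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Placeholder values: replace with your External ID tenant and the API's app registration.
const string TenantId = "00000000-0000-0000-0000-000000000000";
const string ApiClientId = "11111111-1111-1111-1111-111111111111";
const string RequiredScope = "Weather.Read";           // hypothetical scope exposed by the API
const string ScopeClaim = "http://schemas.microsoft.com/identity/claims/scope"; // "scp" after inbound mapping
// External ID (CIAM) tenants publish their v2.0 metadata under ciamlogin.com; "contoso" is a placeholder subdomain.
const string Authority = $"https://contoso.ciamlogin.com/{TenantId}/v2.0";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // The discovery document at {Authority}/.well-known/openid-configuration supplies the
        // signing keys and the expected issuer, so the API holds no secret of its own.
        options.Authority = Authority;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            // With accessTokenAcceptedVersion = 2 the token's "aud" is the API's client id;
            // v1 tokens carry the App ID URI (api://...) instead, so accept both while migrating.
            ValidAudiences = new[] { ApiClientId, $"api://{ApiClientId}" },
            ValidateIssuer = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };
    });

builder.Services.AddAuthorization(options =>
{
    // "scp" is a space-separated list, so split it rather than matching the whole claim value.
    options.AddPolicy("ApiScope", policy =>
        policy.RequireAuthenticatedUser()
              .RequireAssertion(ctx =>
                  ctx.User.FindAll(ScopeClaim)
                     .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
                     .Contains(RequiredScope)));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Endpoint the BFF calls on the user's behalf; rejected with 401/403 unless the token checks out.
app.MapGet("/weather", () => Results.Ok(new { ok = true }))
   .RequireAuthorization("ApiScope");

app.Run();
```

If the API still rejects tokens after the manifest change, decode the access token the BFF obtained and compare its `aud`, `iss` and `scp` claims with the values this configuration expects.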