Unauthorized access to API despite getting Access Token and Scope

Umais Nisar 0

Hi,

Token Response:

{
    "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrNHh5b2pORnVtMWtsMll0djhkbE5QNC1jNTdkTzZRR1RWQndhTmsiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiI4MzcyMTQwYy02MTI4LTRiZjctOGQ2OC00YmIyOWI0OGE5N2EiLCJpc3MiOiJodHRwczovL3NjaG9vbGNvbm5lY3RiMmMuYjJjbG9naW4uY29tLzlhOWY3MjgyLWM4MWUtNGY0ZC1hZDU4LTFmMjlmZjI2YWZhNy92Mi4wLyIsImV4cCI6MTcyNjgyMTAwNCwibmJmIjoxNzI2ODE3NDA0LCJzdWIiOiI3ODQwNDhmOS03NDNlLTRjN2UtYWFiYS1mY2Y4NzQ4NTc2NDEiLCJuYW1lIjoiVW1haXMgTmlzYXIiLCJ0ZnAiOiJCMkNfMV9TaWduX0luX1VwIiwibm9uY2UiOiIwN2MwYWY2Ny04ZWQyLTQwOGYtYjYxMC1kYmZhNzg3Njg1YTEiLCJzY3AiOiJBUEkuUmVhZFdyaXRlIiwiYXpwIjoiODM3MjE0MGMtNjEyOC00YmY3LThkNjgtNGJiMjliNDhhOTdhIiwidmVyIjoiMS4wIiwiaWF0IjoxNzI2ODE3NDA0fQ.CuKkMAEAf-uxDcITB0ujvoFeUuYtQ8qYeHmBvLeWMb2FD3hEvw1zXdzAPtuIkTOcmD5MhtLtAf9jtnPIbSB_r7Ya2JbcGt_Q45stmi3f-3iNeTRk9zVsIsO-jrGJMWBDV2bfT2mO7FNrBtgy0e-vOZkP4Hs0LyLfeWiCaylK11oJNAUa1bgrF5Wm9Sm0ESa7VeiTiofZ5B92nGVal-8H8EH-WFnipE-Dqi1feFm-o6GNVcbXWD8VkoTnkx9H7CzU_DG1D5uTuP0NZ0qQm1BuaAFM_RNPhgA-Q1NkI2I9VwLXM-JKw1ty9QsTWSY-VUPwyhRD4mFsjkygl9_UyvAgGg",
    "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrNHh5b2pORnVtMWtsMll0djhkbE5QNC1jNTdkTzZRR1RWQndhTmsiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjE3MjY4MjEwMDQsIm5iZiI6MTcyNjgxNzQwNCwidmVyIjoiMS4wIiwiaXNzIjoiaHR0cHM6Ly9zY2hvb2xjb25uZWN0YjJjLmIyY2xvZ2luLmNvbS85YTlmNzI4Mi1jODFlLTRmNGQtYWQ1OC0xZjI5ZmYyNmFmYTcvdjIuMC8iLCJzdWIiOiI3ODQwNDhmOS03NDNlLTRjN2UtYWFiYS1mY2Y4NzQ4NTc2NDEiLCJhdWQiOiI4MzcyMTQwYy02MTI4LTRiZjctOGQ2OC00YmIyOWI0OGE5N2EiLCJub25jZSI6IjA3YzBhZjY3LThlZDItNDA4Zi1iNjEwLWRiZmE3ODc2ODVhMSIsImlhdCI6MTcyNjgxNzQwNCwiYXV0aF90aW1lIjoxNzI2ODE3NDAwLCJuYW1lIjoiVW1haXMgTmlzYXIiLCJ0ZnAiOiJCMkNfMV9TaWduX0luX1VwIiwiYXRfaGFzaCI6Ik5xa3FFNnFQMXlnNDU2M2hwYTZFYXcifQ.szGUSuInW3cLJjub1Ya8KSyPZNrRT09xd6Tli472SKkrZW5D2B-x8Cbp_KlgaRIFbD8pWkRO2b_Sq0GCFBvBbo5kAWaeQXrvLE07Gw6vFemEVRBOFtp_yXWsjR0q6yxIIMv1Bi3Vr0Z8jwLTzZbde1NmYRQmNLAWXXkFvnQ8FIqRx52FqJHpv6An6fqySvKBPalvUIMYskA_0ZeCTc9qACCQzPY9x0sdPhTX4aP1HJn58shKS8t7r5_EBPaxPHsPfaruOgm8VUC12tzc6jRfi1NWTNA0tJ4znEyhHSiWqAbj61emjZXKpB25MpaSVg6ZW9NOvOa1k8hGMU1eGKDfyA",
    "token_type": "Bearer",
    "not_before": 1726817404,
    "expires_in": 3600,
    "expires_on": 1726821004,
    "resource": "8372140c-6128-4bf7-8d68-4bb29b48a97a",
    "client_info": "eyJ1aWQiOiI3ODQwNDhmOS03NDNlLTRjN2UtYWFiYS1mY2Y4NzQ4NTc2NDEtYjJjXzFfc2lnbl9pbl91cCIsInV0aWQiOiI5YTlmNzI4Mi1jODFlLTRmNGQtYWQ1OC0xZjI5ZmYyNmFmYTcifQ",
    "scope": "https://schoolconnectb2c.onmicrosoft.com/8372140c-6128-4bf7-8d68-4bb29b48a97a/API.ReadWrite",
    "refresh_token": "eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMCIsInppcCI6IkRlZmxhdGUiLCJzZXIiOiIxLjAifQ..lRPIdIPYV-fzAWPg.UKjBOKSaNLTzLeR5SFVmPRo_VFwEGjS0SF7D2oxG5YURFAsCd-kWh9_2BQQTOAfFoY4xYt2oVRKB78xF8bb9el35qBWtaspSJuf9DNu4D2qOjsdoqu8pWgcTghig6VmbGBuLBrNnUwvRYrxxa2XKZhCbWDoMiuzcC4GCNhXSIsbDuVejszFFcf0xtcNtMLdWx4o3rYpzdqgIOBKtA-zg7NwXxfAskWpzNQwpriBYl763REZmFuclzW_pv8y8cvF-j10KCb04mNwNSgnYeXh_Ih2o2A3_8jIA6ztHmpMNwiYFkoaFwKueAjmWbamMQNiKy8NNyf_R2TQLjXiC0kG0pmNqFmgx44wTrrkoS9AU_yUZ6t48jNSUFt-UJ2bBM_EUwghc3stSVAwFCgYvuCgoJmhCZUEUbHN9GIDBkmwgdsjsVPM7lsYZ_Fhh51yOC7fQiBwJyEKf3BF4EIDlygwi6BRiBKuW0Q7SQDQnUAwsqoQwg2-eJU3Y6IkYBNOTzXq25ruemjLvLMAYYEhXcfIEzD92-sXeqPdbRoXutC0bhRLDKKLG21h_8ULHVi1FriPhj0hU3ke-Wb3_rdJKcNoJu7lUxnG9scQ4XF_vRHtKsi5JH24bWieNAQbTNuMGCgWHvfaokxM94IJWfmHKsNYqfzpB-g-Ut03Vo2iSiGyVGWQ.z8P3G47q7NlbbXJ9qkhtvw",
    "refresh_token_expires_in": 86400
}

After this it is neither going inside this IF statement that says if user is authenticated then go in:

public class CustomIdentityMiddleware(RequestDelegate next)
{
    private readonly RequestDelegate _next = next;
    public async Task InvokeAsync(HttpContext http, UserService userService)
    {
        //if (http.User.Identity?.IsAuthenticated == true)
        if (http.User.Identity.IsAuthenticated)
        {
            var objectId = http.User?.Claims?.SingleOrDefault(o => o.Type == ClaimTypes.NameIdentifier)?.Value;
            if (objectId != null)
            {

And it is also not able to make any API request:

Request URL:
https://localhost:5161/api/user/get-all-users
Request Method:
GET
Status Code:
401 Unauthorized
Remote Address:
[::1]:5161
Referrer Policy:
strict-origin-when-cross-origin

Blazor WASM frontend, .NET backend. Any help would be highly appreciated because i am out of ideas.

Tiny Wang-MSFT 2,641 Reputation points Microsoft Vendor

2024-09-20T08:14:53.94+00:00

Hi, could you please take a look at this case? I shared the complete sample for blazor wasm + asp.net core web api. Please kindly let me know if you have any other concerns.

Umais Nisar 0

Hi @Tiny Wang-MSFT ,

My client side program.cs:

using Microsoft.AspNetCore.Components.Web;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
using SchoolConnect.Client;
using Syncfusion.Blazor;
var builder = WebAssemblyHostBuilder.CreateDefault(args);
builder.RootComponents.Add<App>("#app");
builder.RootComponents.Add<HeadOutlet>("head::after");
builder.Services.AddHttpClient("SchoolConnect.ServerAPI", client => client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress))
    .AddHttpMessageHandler<BaseAddressAuthorizationMessageHandler>();
builder.Services.AddScoped(sp => sp.GetRequiredService<IHttpClientFactory>().CreateClient("SchoolConnect.ServerAPI"));
builder.Services.AddScoped(sp => new HttpClient { BaseAddress = new Uri(builder.HostEnvironment.BaseAddress) });
builder.Services.AddMsalAuthentication(options =>
{
    builder.Configuration.Bind("AzureAdB2C", options.ProviderOptions.Authentication);
    options.ProviderOptions.DefaultAccessTokenScopes.Add("https://schoolconnectb2c.onmicrosoft.com/8372140c-xxx-4bb29b48a97a/API.ReadWrite");
    options.ProviderOptions.LoginMode = "redirect";
});
Syncfusion.Licensing.SyncfusionLicenseProvider.RegisterLicense("ABC");
builder.Services.AddSyncfusionBlazor();
await builder.Build().RunAsync();

Appsettings.json

{
  "AzureAdB2C": {
    "Authority": "https://schoolconnectb2c.b2clogin.com/schoolconnectb2c.onmicrosoft.com/B2C_1_Sign_In_Up",
    "ClientId": "8372140c-xxx-4bb29b48a97a",
    "ValidateAuthority": false
  }
}

Server side program.cs:

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.EntityFrameworkCore;
using Microsoft.Identity.Web;
using SchoolConnect.Data.Models;
using SchoolConnect.Server.Middlewares;
using SchoolConnect.Server.Services;
using NSwag;
using System;
using Microsoft.AspNetCore.Builder;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAdB2C"));
builder.Services.AddControllers()
    .AddNewtonsoftJson();
builder.Services.AddHttpContextAccessor();
//// Add BlobServiceClient to the DI container - update later
//builder.Services.AddSingleton(x =>
//{
//    var connectionString = builder.Configuration.GetConnectionString("AzureBlobStorage");
//    return new BlobServiceClient(connectionString);
//});
//builder.Services.AddScoped<BlobStorageService>();
builder.Services.AddDbContext<SchoolConnectDBContext>(options => options.UseSqlServer(builder.Configuration.GetConnectionString("AppDbConnection")));
// Add custom services
builder.Services.AddScoped<HttpService>();
builder.Services.AddScoped<UserService>();
// Swagger
builder.Services.AddOpenApiDocument(config =>
{
    config.Title = "SchoolConnect API";
    config.Version = "v1";
    config.Description = "API documentation for SchoolConnect";
});
var app = builder.Build();
// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
    app.UseWebAssemblyDebugging();
   app.UseOpenApi();  
   app.UseSwaggerUi();
}
else
{
    app.UseExceptionHandler("/Error");
    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
    app.UseHsts();
}
app.UseHttpsRedirection();
app.UseBlazorFrameworkFiles();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();
app.UseMiddleware<CustomIdentityMiddleware>();
app.MapControllers();
app.MapFallbackToFile("index.html");
app.Run();

Appsettings.json

{
  "ConnectionStrings": {
    "AppDbConnection": "ABC"
  },
  "AzureAdB2C": {
    "Instance": "https://schoolconnectb2c.b2clogin.com/",
    "ClientId": "8372140c-xxxx-4bb29b48a97a",
    "Domain": "schoolconnectb2c.onmicrosoft.com",
    "SignUpSignInPolicyId": "B2C_1_SignUpSignIn"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*"
}

I followed this documentation provided by microsoft: https://video2.skills-academy.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-azure-active-directory-b2c?view=aspnetcore-7.0#-controller

I am getting the Access Token, its just either it is not using it to access controllers or i don't have sufficient permission set on scope in Azure portal. I don't believe making such a drastic decision such as creating new project and starting anew is the correct solution. Although thank you for your reply.

Umais Nisar 0 Reputation points

2024-09-20T08:30:24.88+00:00

I follow this microsoft documentation: https://video2.skills-academy.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-azure-active-directory-b2c?view=aspnetcore-7.0#-controller

I don't believe making such drastic change by starting anew is the correct solution.
Umais Nisar 0 Reputation points

2024-09-20T08:31:57.5566667+00:00

Duplicate
Tiny Wang-MSFT 2,641 Reputation points Microsoft Vendor

2024-09-20T08:37:37.7233333+00:00

Could you please help confirm the following points? 1 Are you working on Azure AD b2c or Azure AD? 2 Are you working on a blazor wasm asp.net core hosted application and the .net version is .net 7?
Umais Nisar 0 Reputation points

2024-09-20T08:47:15.5+00:00

Sorry for not clarifying before. The frontend is Blazor WASM and Backend is .NET 8.
Tiny Wang-MSFT 2,641 Reputation points Microsoft Vendor

2024-09-20T08:52:13.21+00:00

Are you using Azure AD or Azure AD b2c?
Umais Nisar 0 Reputation points

2024-09-20T08:53:03.08+00:00

Azure AD B2C
Tiny Wang-MSFT 2,641 Reputation points Microsoft Vendor

2024-09-20T09:32:30.6633333+00:00

Thank you for your confirmation, since it's blazor wasm application without asp.net core hosted, so that we should refer to this document to integrate Azure AD b2c into the blazor wasm application, then use IAccessTokenProvider to generate the access token, since you already obtained access token successfully, I think you've set everything done in the client blazor application. Then we shall follow this document to set up the api project. But I also checked your appsettings.json and Program.cs which all looks good. I'm confused that we've been able to get the access token so that the authentication should work in blazor wasm application, then does the CustomIdentityMiddleware belong to your API project? I'm afraid yes, then it shall be the expected behavior since it's an API project, it just do the authorization validation, but not handle the authentication, we can't get the authenticated user in the API project, we can only check whether the access token inside the request header is valid or not, by the way, we don't need a custom middleware to do the token validation task. May I know how you send the http request to call the web api? Did you add the access token into Authorization request header?
Tiny Wang-MSFT 2,641 Reputation points Microsoft Vendor

2024-09-20T09:37:06.2033333+00:00

In the meantime, if you are getting trouble to sign into the application, you might create a new project and compare it with yours. You can use this command to create a new project. dotnet new blazorwasm -au IndividualB2C --aad-b2c-instance "{AAD B2C INSTANCE}" --client-id "{CLIENT ID}" --domain "{TENANT DOMAIN}" -o {PROJECT NAME} -ssp "{SIGN UP OR SIGN IN POLICY}" But I trust your blazor app is working well not. Then pls don't forget to add CORS policy into the Api project. The request is sent from the SPA, so that CORS policy is required. I checked your appsettings.json and Program.cs, I think you've done the configuration so that the issue might related to how you call the API in your blazor app. Have you tried to use tools like postman to call your web api endpoint with your access token? If that worked, we could say the Api is well configured too.

Umais Nisar 0

Hey Tiny,

I have another project that a friend is working on. I compared my code to his and we have the same code yet his API calls work. I feel like i am missing something inside the Azure portal. Can you make sense of its manifest if i send it here?

User controller:

[Authorize]
[ApiController]
[Route("api/[controller]")]
public class UserController : ControllerBase
{
    private readonly UserService _userService;
    private readonly HttpService _httpService;
    [HttpGet]
    public IActionResult Get()
    {
        return Ok("Authorized");
    }

API call in client:

using Microsoft.AspNetCore.Components;
using SchoolConnect.Shared.Dtos;
using System.Net.Http.Json;
namespace SchoolConnect.Client.Shared;
public partial class Dashboard : ComponentBase
{
    [Inject] private HttpClient Http { get; set; }
    protected override async Task OnInitializedAsync()
    {
        var currentUser = await Http.GetFromJsonAsync<List<UserDTO>>($"api/User");
        StateHasChanged();
    }
}

Have you tried to use tools like postman to call your web api endpoint with your access token?

I need to try this, i am working on this now

Tiny Wang-MSFT 2,641 Reputation points Microsoft Vendor

2024-09-20T12:49:39.4966667+00:00
Hi, I don't have a b2c application so that I can't share my configuration in Azure, but since you were already able to sign in and get the access token, I think the configuration in Azure should be correct. In your blazor component, I could see that you sent http request to the API, but I didn't see you adding request header in HttpClient. Then our codes shall be similar to codes below. Could you please test it?

HttpClient client = new HttpClient(); client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", "accessToken");
Umais Nisar 0 Reputation points

2024-09-20T13:35:22.7+00:00

My friend is also not adding headers to Http, that is happening automatically when you do this in program.cs:

builder.Services.AddHttpClient("SchoolConnect.ServerAPI", client => client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress))

.AddHttpMessageHandler<BaseAddressAuthorizationMessageHandler>();

builder.Services.AddScoped(sp => sp.GetRequiredService<IHttpClientFactory>().CreateClient("SchoolConnect.ServerAPI"));
Tiny Wang-MSFT 2,641 Reputation points Microsoft Vendor

2024-09-20T13:46:31.79+00:00

Okay, if you are sure that you've added the bearer token in the request header somewhere else, then could you please help confirm whether you could call the API successfully with postman and the token you generated. And have you added the CORS policy into your API project? CORS policy won't affect the test through postman, but will affect the test through your blazor app.

Umais Nisar 0

using Microsoft.AspNetCore.Components;
using SchoolConnect.Shared.Dtos;
using System.Net.Http.Json;
namespace SchoolConnect.Client.Shared;
public partial class Dashboard : ComponentBase
{
    /*[Inject] private HttpClient Http { get; set; }*/
    protected override async Task OnInitializedAsync()
    {
        HttpClient client = new HttpClient();
        client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", "accessToken");
        var currentUser = await client.GetFromJsonAsync<List<UserDTO>>($"api/User");
        StateHasChanged();
    }
}

I tried, it is not even hitting the breakpoint at HttpClient client.

Umais Nisar 0 Reputation points

2024-09-20T13:53:07.5033333+00:00
On Postman if i use the access token and make GET request to: https://localhost:5161/api/User

While my application is turned on

I get this error:

Bearer error="invalid_token", error_description="The issuer 'https://schoolconnectb2c.b2clogin.com/9a9f7282-c81e-4f4d-ad58-1f29ff26afa7/v2.0/' is invalid"
Tiny Wang-MSFT 2,641 Reputation points Microsoft Vendor

2024-09-20T14:04:35.0333333+00:00

Could you pls add "TenantId":"9a9f7282-c81e-4f4d-ad58-1f29ff26afa7", into the appsettings.json of your api project? Add it into AzureAdB2C section, and then test to call the API by postman again? Thank you. Is "9a9f7282-c81e-4f4d-ad58-1f29ff26afa7" your tenant id of schoolconnectb2c.onmicrosoft.com tenant?

1 answer

Umais Nisar 0 Reputation points

2024-09-20T19:36:46.3733333+00:00
I found the solution after 2 days working on this, even tirelessly at night. Even so called "AI GPT" couldn't help with this and kept on going in circles... giving me wrong solution at times, at your face NVIDIA CEO and other CEO who think we are replaceable lmao.

I will give the moral first and the moral of story is: Follow the documentation to the T, don't be a dummy like me.

What i was doing wrong was creating one single app and creating application URI inside of it. I set it public too in authentication. Somehow that was messing things up.

Solution:

Create Server app first, make scope inside of it.

Create Client app separately afterwards, go to app permissions and add the Server API scope from there. Grand it consent as well.

Put Client ID of Server App inside Server project appsettings.json and vice versa same case for Client project... put client id of Client App there.

Just follow the documentation to the T, the link i provided, it has everything, even this stuff.

Thanks for your help Tiny.

P.S: GPT is just a data scrapper that uses NLP, not even remotely intelligent to produce new stuff.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Unauthorized access to API despite getting Access Token and Scope

1 answer

Your answer