cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
captainsina
Regular Visitor

Secure an external .net 5.0 WebAPI using PowerApps portal token endpoint

I have a .net 5.0 WebAPI hosted in Azure appservice which needs to be called from JavaScript on a custom power apps portal page.

Both portal and Web API are currently secured using the same instance of an azure B2C.

 

Using implicit grant, I am able to make a call to <portal_url>/_services/auth/token endpoint of my portal and get current user's JWT token.

But, when I pass this token to my WebAPI (I'm adding this token to the http header of my ajax call to Web API), I get Unauthorized back from the WebAPI.

 

If I get a JWT token from the B2C directly, API accepts the token and runs successfully.

 

Do I need any specific configurations on my WebAPI side so it can successfully accept/consume the token that is returned by Portal's <portal_url>/_services/auth/token endpoint?

 

Cheers

2 ACCEPTED SOLUTIONS

Accepted Solutions
chleverenz
Super User
Super User

Hi @captainsina ,

i have no examplecode which i created, but there is a (yes old) version like this: https://github.com/microsoft/PowerApps-Samples/blob/master/portals/ExternalWebApiConsumingPortalOAut...

In fact, they check the token by themselves. 

I am not deep in the -net core pipilining where to set up the authentication against the implicit flow from the portals.

So, no idea whether you really have to write code or whether ists just more or less a setting for the api pipeline.

A (well bad) workaround could be, that you get a token from your b2c environment and pass ir to the call to the api. But the idea of the implicit flow was just to let the portals act as an identity provider for external apis no matter how the user signed in.

Exactly what you want 🙂

Hope the codesnippet helps a little bit,

  Christian

View solution in original post

Hi @captainsina ,

You would need to verify and parse the token yourself on the api side as the token that you retrieve in the portal via <portal_url>/_services/auth/token endpoint will be portal specific and different from B2C token.

----------------------------------------------------
If you find this post helpful consider marking it as a solution to help others find it.

View solution in original post

5 REPLIES 5
chleverenz
Super User
Super User

Hi @captainsina ,

may be two dumb questions:

  • as i got it you need to be signed in to get a token via implicit flow. So, ist the user doing the call really logged in?
  • when i got the story right the api (your .net 5.0) has to validate and check the token. This token is to be checked against the portal and not against any other service. So, may be the token is checked against the b2c and not against the portal

Just two quick ideas, hope it helps finding the issue,

 

Christian

 

@chleverenz ,

Not dumb at all, excellent questions and thank you.

Let me briefly explain the architecture:

  • Powerapps portal is integrated with Azure B2C (through configuration)
  • The custom API (.net 5.0) is also integrated with the same instance of B2C. 
  • The API is integrated with the B2C through configurations in appsettings.json and some initiating code in .net 5.0 Web API startup.cs. The validation of token etc. is handled by MVC framework, I do not have explicit code to decode token/verify/validate/ etc.
  • In Azure B2C, permissions are granted to portal app registration to make calls to this particular API

Scenario:

  1. End user logs in to portal using the B2C
  2. User navigates to portal's custom page on which the API call is needed
  3. At this point, user already has a token, the JavaScript on the page calls <portal_url>/_services/auth/token endpoint and receives current user's token successfully
  4. The JavaScript then makes the call to external api and injects the token (from step 3) in http header of the ajax call
  5. API responds by unauthorized.

If I get a token from B2C directly (using a postman call) and hardcode it in the http header of the JavaScript API call, it works fine, but when I use the token returned by portal endpoint, I get unauthorized.

 

My assumption was since both portal and API are integrated with the same B2C instance, the token returned by portal will be accepted by API, but its not behaving that way.

 

Question is if I need to change anything on API side for this to work.

 

Cheers

chleverenz
Super User
Super User

Hi @captainsina ,

i have no examplecode which i created, but there is a (yes old) version like this: https://github.com/microsoft/PowerApps-Samples/blob/master/portals/ExternalWebApiConsumingPortalOAut...

In fact, they check the token by themselves. 

I am not deep in the -net core pipilining where to set up the authentication against the implicit flow from the portals.

So, no idea whether you really have to write code or whether ists just more or less a setting for the api pipeline.

A (well bad) workaround could be, that you get a token from your b2c environment and pass ir to the call to the api. But the idea of the implicit flow was just to let the portals act as an identity provider for external apis no matter how the user signed in.

Exactly what you want 🙂

Hope the codesnippet helps a little bit,

  Christian

Thank you,

I have already seen that sample code and in fact that's the only one I have found so far.

As you mentioned, they are doing it in code and this is changed a lot in .net 5.0.

I am hoping there is a config that would take care of this by the framework in .net 5.0.

Million dollar question is: what and where 🙂

Cheers

Hi @captainsina ,

You would need to verify and parse the token yourself on the api side as the token that you retrieve in the portal via <portal_url>/_services/auth/token endpoint will be portal specific and different from B2C token.

----------------------------------------------------
If you find this post helpful consider marking it as a solution to help others find it.

Helpful resources

Announcements
October Events

Mark Your Calendars

So many events that are happening this month - don't miss out!

MPP IDEAS

Ideas

Discover ideas and concepts from users like you for how to use Power Pages and take your work to the next level.

Ignite 2022

WHAT’S NEXT AT MICROSOFT IGNITE 2022

Explore the latest innovations, learn from product experts and partners, level up your skillset, and create connections from around the world.

Carousel Community Blog

Check out the Community Blog

Read all about the most recent blogs in the community!

Users online (2,089)