Azure AD B2C: mixing built-in flows with custom policies and sharing encryption keys for JWTs

Question

I’m working on an app that uses Azure AD B2C and .NET Core APIs. We are trying to use a mixture of built in user flows and one custom policy. Built in user flows for sign-in and reset password, and a custom policy for sign-up because we want to follow the invitation sign-up flow demonstrated by this sample app.

https://github.com/azure-ad-b2c/samples/blob/master/policies/invite/README.md

An issue I’m having is on the API authorization side. The JWTs issued from the built-in user flows are encrypted and signed with a different set of keys than the JWTs issued from the custom invitation policy. If I setup the B2C authority for my API project to reference my sign-in flow https://{mytenant}.b2clogin.com/investgradedev.onmicrosoft.com/B2C_1_SI/v2.0 then tokens issued from sign-in are authorized fine but tokens issued from sign-up fail authorization. If I set the B2C authority to reference the custom sign-up policy https://{mytenant}.b2clogin.com/investgradedev.onmicrosoft.com/B2C_1A_signup_invitation /v2.0, then I have the reverse problem.

1. Is there a way to have the tokens from both flows encrypted and signed using the same keys? If so, how to I set this up?
2. Should I force new users back through the sign-in flow to get a token that works?

I’m new to B2C and have been on a steep learning curve so any help provided is greatly appreciated.

Answer 1

1. No you cannot.

2. This is possible workaround.

Other option, add multiple Authorities into the API. I did this with AAD and AAD B2C as an example:

https://github.com/azure-ad-b2c/apps/tree/master/apps/spa-hellojs-popup/source-code/.Net-Core-API-RBAC

https://github.com/azure-ad-b2c/apps/blob/master/apps/spa-hellojs-popup/source-code/.Net-Core-API-RBAC/MultiBearerAPI/Startup.cs#L30