
I have an older webapp that has implicit flow I need to continue to support. I tried to use Microsoft.Identity.Web 1.9.0.0, but it does not allow me to use id_token; it requires only an access token in the authorization header. I get the error message below:

[10:09:31.861 -04:00] [ERR] [] [] An unhandled exception has occurred while executing the request. System.UnauthorizedAccessException: IDW10201: Neither scope or roles claim was found in the bearer token. at Microsoft.Identity.Web.MicrosoftIdentityWebApiAuthenticationBuilderExtensions.<>c__DisplayClass3_1.<b__1>d.MoveNext()

Is there a setting to allow it? I couldn't see one in JwtBearerOptions or MicrosoftIdentityOptions. It does work when I use the Microsoft.AspNetCore.Authentication 3.1.0.0 library, but I wanted to have the newest library possible. Any recommendations would be great.

Edit: More details

Our company is under a major tech shift. We have built a lot of stuff in .NET Core and Web Components (Polymer) for the front end. We decided to switch to Azure AD B2C. We have no problems switching our .NET Core and existing Polymer UIs to authorization code flow. We have a lot of assets in .NET Web Forms. Those Web Forms are large projects that are using Forms Authentication membership. We don't have the resources to switch all the UIs to Web Components and .NET Core in one shot. The plan is to switch the identity to Azure AD B2C and release it to production. When there is a change request or new feature request, we would build the new pages only in HTML and Web Components (Polymer) and have a .NET Core API to handle those API requests. The problem is that the Web Components don't have access to the access token.

The solution I found was that when the Web Forms app gets a response from B2C, I connect OpenIdConnectAuthenticationNotifications to SecurityTokenReceived, which reads the IdToken, and I put it in a cookie with an expiry of 30 seconds and return it to the browser. I have JavaScript code that checks whether the cookie exists, takes it, stores it in Session Storage and deletes the cookie. Also, on load the browser checks if the user is signed in; if not, it deletes the session-stored id_token.

This works as expected, but the problem is that it is using the id_token and not using the authorization code flow. So when accessing any other API I can't request a token from B2C for the other API. Also I can't get a refresh token (the plan is to set it to expire in 8 hours, which is good enough). I have looked at whether it's possible to make it work with code flow. I have looked at how it works in MVC, but I haven't made it work. This is the project I used to switch to B2C: https://github.com/AzureADQuickStarts/B2C-WebApp-OpenIdConnect-DotNet

greektreat

2 Answers


After deciding to give up on this, I ran across this issue again while working on a different project. I decided to do another search and found this post: https://github.com/AzureAD/microsoft-identity-web/wiki/web-apis#to-support-acl-based-authorization

Through this Stack Overflow Q/A (IDW10201: Neither scope or roles claim was found in the bearer token), this is what is needed to use the latest Microsoft.Identity.Web package. To sum it up, you need to set the Azure options variable AllowWebApiToBeAuthorizedByACL = true.

greektreat
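For reference, the setting from the answer wired into an ASP.NET Core 3.1 web API Startup; this is an added example, not code from the question, the answer or the Microsoft.Identity.Web project. The "AzureAdB2C" section name and the fail-closed controller filter are assumptions.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

public class Startup
{
    private readonly IConfiguration _configuration;
    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApi(
                // Instance, Domain, ClientId and policy id come from the "AzureAdB2C" section (assumed name).
                jwtOptions => _configuration.Bind("AzureAdB2C", jwtOptions),
                identityOptions =>
                {
                    _configuration.Bind("AzureAdB2C", identityOptions);
                    // The forwarded id_token has no scp/roles claim, so the default check throws
                    // IDW10201. ACL mode skips only that check: signature, issuer, audience and
                    // lifetime are still validated. Same as "AllowWebApiToBeAuthorizedByACL": true
                    // in the appsettings section.
                    identityOptions.AllowWebApiToBeAuthorizedByACL = true;
                });

        // The token no longer says what the caller may do, so fail closed: every action needs
        // an authenticated caller unless it is explicitly marked [AllowAnonymous].
        services.AddControllers(mvc =>
        {
            var policy = new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme)
                .RequireAuthenticatedUser()
                .Build();
            mvc.Filters.Add(new AuthorizeFilter(policy));
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

Audience validation still applies, so the ClientId in the AzureAdB2C section has to be the app registration the id_token was issued to, and any per-user or per-resource authorization now has to be done by the API itself, since the token carries no scope.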

The error message expects scope or roles in the bearer token. Please follow this document for the implicit flow versus authorization code flow concept.

https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow

Dharman
Jit_MSFT
  • Thanks for this. I do understand the implicit vs authorization code flow concept. I've added more detail for context. If that helps point towards a better solution, I would be very grateful. – greektreat May 27 '21 at 14:51