
I am new to the Azure ecosystem and I am a bit lost.

I use Azure AD B2C to secure multiple Spring Boot applications, but I see a strange behavior: it seems that a token is tied to a specific application, which is not really convenient, because it means we have to manage multiple tokens, one per application. On each application I have this configuration:

azure:
  activedirectory:
    b2c:
      base-uri: https://<tenant>.b2clogin.com/
      tenant-id: <tenant-id>
      client-id: <client-id>
      user-flows:
        sign-up-or-sign-in: B2C_1_signin_signup

For example, I have a user UserA who wants to consume ApplicationA, ApplicationC and ApplicationD. UserA relies on ApplicationB (a front-end app) to request a token using grant_type=password. When I use the granted access token I can only consume one application. If I try to use the same token on another application I get an HTTP 401 with this message in the application logs:

The aud claim is not valid

The issue is that when we request a token we can only specify one scope, and the scope value must identify the application that is going to consume the token.

My question is: how can we use one token for multiple resource servers? How can I configure Azure AD B2C to add all applications to the aud claim so that the token is recognized by the resource servers?

Thank you

akuma8

1 Answer

The requested scope determines which API the access token can be used with. The access token's aud claim will be set to the client id of the respective scope.

You can use the refresh token you acquired in the first authentication to request an access token for a different scope.

The subsequent scope you request as part of a refresh token call must be granted as a permission under the first application (app registration) that you authenticated to. It doesn't matter which scope was requested in the initial authentication at this point.

Jas Suri - MSFT
  • I am not sure I understand your suggestion. Do I need to refresh the token each time I want to call a different API? Because when we refresh a token we can't specify multiple scopes, so I don't see how the refresh token can be used for multiple resource servers – akuma8 May 05 '22 at 16:19
  • Before each API call you should call the acquireTokenSilent() MSAL method with the appropriate scope. – Jas Suri - MSFT May 06 '22 at 08:02
  • Thanks, that kind of limitation is a real mess! I hope that they don't charge bandwidth for those invasive refresh token queries! – akuma8 May 06 '22 at 08:46
  • I accepted your answer even if it did not really solve my issue; I think the problem comes from the OIDC spec and the Azure AD B2C SDK implementation. Restricting a token to be used by only one resource server is a bit weird! – akuma8 May 06 '22 at 10:27
  • It will not charge you for these calls, it’s free. – Jas Suri - MSFT May 06 '22 at 11:45
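The flow the answer and comments describe (one access token per API, re-acquired from the refresh token before each call, plus the aud check on the resource server that produced the 401), as an added Python example that is not part of the question or answer. The token endpoint, scope names, client ids and refresh token value are constructed stand-ins; in a real client the refresh_token grant is a POST to the B2C token endpoint, and MSAL's acquireTokenSilent() performs this caching for you.

```python
import time

# Constructed stand-in for the B2C app registrations: each API scope belongs
# to exactly one application, and that application's client id becomes aud.
APP_ID_BY_SCOPE = {                      # hypothetical scope -> client-id map
    "https://tenant.onmicrosoft.com/app-a/read": "client-id-A",
    "https://tenant.onmicrosoft.com/app-c/read": "client-id-C",
}

def fake_token_endpoint(refresh_token, scope):
    """Simulated refresh_token grant. Tokens are plain dicts, not signed JWTs."""
    if refresh_token != "rt-from-first-login" or scope not in APP_ID_BY_SCOPE:
        return {"error": "invalid_grant"}
    access_token = {"aud": APP_ID_BY_SCOPE[scope], "scp": "read", "sub": "UserA"}
    return {"access_token": access_token, "expires_in": 3600,
            "refresh_token": refresh_token}

class TokenCache:
    """One access token per scope; re-acquired only when missing or near expiry."""
    def __init__(self, refresh_token, token_endpoint, now=time.time):
        self.refresh_token, self.endpoint, self.now = refresh_token, token_endpoint, now
        self.tokens = {}            # scope -> (access_token, expiry timestamp)
        self.refresh_calls = 0      # how often the token endpoint was actually hit

    def acquire_token_silent(self, scope):
        cached = self.tokens.get(scope)
        if cached and cached[1] > self.now() + 60:   # 60 s safety margin
            return cached[0]
        resp = self.endpoint(self.refresh_token, scope)
        if "error" in resp:
            raise PermissionError(resp["error"])
        self.refresh_token = resp["refresh_token"]    # keep a rotated RT if issued
        self.tokens[scope] = (resp["access_token"], self.now() + resp["expires_in"])
        self.refresh_calls += 1
        return resp["access_token"]

def resource_server_accepts(token, own_client_id):
    """The resource-server side of the story: aud must equal this API's client id."""
    return token.get("aud") == own_client_id
```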