Azure AD B2C - ASP.Net Core Angular Application - Error while acquiring token for downstream Web API

Question

I have a SPA that uses Azure AD B2C and MSAL libraries. SPA is part of a ASP.Net Core Angular Application. So, the application has .Net Controller that connects to the other azure hosted Web APIs. When angular code makes a HTTP call to the controller, MSAL interceptor kicks in and sends the token across. But, when I try to get the token in the controller using tokenAcquisition.GetAccessTokenForUserAsync, I get error.

fail: Microsoft.Identity.Web.TokenAcquisition[0]

Microsoft.Identity.Web.TokenAcquisition: Error: False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.4 Darwin 22.1.0 Darwin Kernel Version 22.1.0: Sun Oct 9 20:14:54 PDT 2022; root:xnu-8792.41.9~2/RELEASE_X86_64 [2023-06-10 05:37:32Z - 867a5621-fbcc-4cd4-8533-692ba502c3de] Exception type: Microsoft.Identity.Client.MsalUiRequiredException

, ErrorCode: user_null

HTTP StatusCode 0

Can someone please advise what I am doing wrong here?

I have followed this code sample on GitHub

https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-2-B2C#how-to-secure-a-web-api-built-with-aspnet-core-using-the-azure-ad-b2c

Expectation: When Azure AD B2C user logs in in the SPA and the SPA makes a HTTP call to the .net controller, the controller should be able to acquire the token to pass it to downstream Web API.

Answer 1

Check if your app requires other scopes than which are mentioned in code to call downstream api for and check if admin has consented.

MsalUiRequiredException occurs in failure of that. so make sure that you have granted sufficient permissions to your application and granted admin consent to that permission.

Here use https://graph.microsoft.com/.default scope to include all scopes required .

In order to handle exeption try using the AuthorizeForScopes attribute in controllers

[AuthorizeForScopes(ScopeKeySection = "DownstreamApi:Scopes")]
        public async Task<IActionResult> Index()
         {
            var user = await _graphServiceClient.Me.Request().GetAsync();
                string[] scopes = new string[] { "DownstreamApi:Scopes" };
var serviceProvider = services.BuildServiceProvider();
var consentHandler = serviceProvider.GetRequiredService<MicrosoftIdentityConsentAndConditionalAccessHandler>();
var tokenAcquistion = serviceProvider.GetRequiredService<ITokenAcquisition>();

try
           { 
            var token = await tokenAcquisition.GetAccessTokenForUserAsync("scopes");
           }
          catch (MsalUiRequiredException ex)
          {
            consentHandler .HandleException(ex);
          }
            ViewData["ApiResult"] = user.DisplayName;
             ViewData["Givenname"] = user.GivenName;    
    return View();
         }

Check this too : Blazor server authorized downstream API call with Azure AD B2C - Stack Overflow

Refer : https://github.com/AzureAD/microsoft-identity-web/issues