AzureAd .NET - React running on same domain
I have a react application and aspcore backend running on the same domain. (everything is redirected to /index.html except /api/
My users need to login Azure AD.
const msalConfig = {
auth: {
clientId: "{clientId}",
authority: "https://login.microsoftonline.com/{tenantId}",
redirectUri: `${window.location.origin}`,
},
cache: {
cacheLocation: "sessionStorage",
storeAuthStateInCookie: false
}
};
const root = ReactDOM.createRoot(
document.getElementById('root') as HTMLElement
);
const msalInstance = new PublicClientApplication(msalConfig);
root.render(
<StrictMode><MsalProvider instance={msalInstance}>
<App />
</MsalProvider>
</StrictMode>
);
Everytime I call the backend I get the token by:
// Try to acquire token silently
const tokenResult = await this.msalInstance.acquireTokenSilent({
account: this.account,
scopes: [{clientId}],
});
return tokenResult.accessToken;
Now I need to verify the token in my aspcore backend.
I tried serveral ways of adding Authentication. I had hoped this would be suffient:
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));
appsettings:
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"TenantId": "{tenantId}",
"ClientId": "{clientId}",
"Issuer": "https://login.microsoftonline.com/{tenantId}/v2.0/",
"Audience": "{clientId}"
},
I still get a 401 status code. I've registered one app in the Microsoft Entra Admin Center. Didn't think I had to create two seperate registration because my site runs on the same domain. But I might be wrong. Can someone help me with the correct configuration?
Solution
I created a sample React app frontend and an ASP. NET Core backend with Azure AD integration.
401 status code.
I got above error because of using wrong "Audience":"{ClientID}",so I changed the
"Audience": "api://{ClientId}".
appsettings.json:
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"TenantId": "{TenantId}",
"ClientId": "{ClientId}",
"Audience": "api://{ClientId}",
"Issuer": "https://login.microsoftonline.com/{TenantId}/v2.0"
}
Below is my complete program.cs class.
Program.cs:
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddControllers();
builder.Services.AddCors(options =>
{
options.AddPolicy("AllowReactApp", policy =>
{
policy.WithOrigins("http://localhost:3000")
.AllowAnyHeader()
.AllowAnyMethod()
.AllowCredentials();
});
});
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
var app = builder.Build();
app.UseCors("AllowReactApp");
if (app.Environment.IsDevelopment())
{
app.UseSwagger();
app.UseSwaggerUI();
}
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();
DataController.cs:
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
namespace serverapi.Controllers
{
[Authorize]
[ApiController]
[Route("api/[controller]")]
public class DataController : ControllerBase
{
[HttpGet]
public IActionResult Get()
{
return Ok(new { message = "Hello from API!" });
}
}
}
Below is my complete React Application, I used scope as
scopes: ['api://{ClientId}/access_as_user'] in react app.
App.js:
import React, { useEffect, useState } from 'react';
import { useMsal } from '@azure/msal-react';
function App() {
const { instance, accounts } = useMsal();
const [apiResponse, setApiResponse] = useState('');
const login = () => {
instance.loginPopup({
scopes: ['api://{ClientId}/access_as_user'],
});
};
const callApi = async () => {
try {
const tokenResponse = await instance.acquireTokenSilent({
account: accounts[0],
scopes: ['api://{ClientId}/access_as_user'],
});
const accessToken = tokenResponse.accessToken;
const response = await fetch('https://localhost:7165/api/Data', {
headers: {
Authorization: `Bearer ${accessToken}`,
},
});
const data = await response.json();
setApiResponse(data);
} catch (error) {
console.error('API call error: ', error);
}
};
return (
<div>
<h1>React + Azure AD</h1>
{!accounts.length && <button onClick={login}>Login</button>}
{accounts.length && <button onClick={callApi}>Call API</button>}
<pre>{apiResponse && JSON.stringify(apiResponse, null, 2)}</pre>
</div>
);
}
export default App;
index.js:
import React from 'react';
import ReactDOM from 'react-dom/client';
import { PublicClientApplication } from '@azure/msal-browser';
import { MsalProvider } from '@azure/msal-react';
import App from './App';
const msalConfig = {
auth: {
clientId: '{Client ID}',
authority: 'https://login.microsoftonline.com/{TenantId}',
redirectUri: `${window.location.origin}`,
},
cache: {
cacheLocation: 'sessionStorage',
storeAuthStateInCookie: false,
},
};
const msalInstance = new PublicClientApplication(msalConfig);
const root = ReactDOM.createRoot(document.getElementById('root'));
root.render(
<MsalProvider instance={msalInstance}>
<App />
</MsalProvider>
);
I added the Scope to my app registration as shown below.
Asp. net Output:
React Output:
- Use managed identity of the web app to manage b2c using graph api
- Azure AD B2C error AADB2C90057 when I am NOT trying to use the implicit flow
- no email in claim when logging on via Entra ID
- Azure B2C App Always Redirects to <domain>/MicrosoftIdentity/Account/Error
- How to Implement Direct Username and Password Login with Azure AD B2C in Flutter without Using Microsoft's UI?
- How to properly restrict access to an azur eweb application?
- Azure Tenant setup for .NET Blazor WASM calling Web API + Microsoft Graph
- I am not able to import the powershell module Microsoft.Graph.Entra.Beta
- B2C Custom Policy: Error changing localAccountPasswordReset Content selfAsserted policy version beyond 1.1.0
- Non Verified Domain as IdntifierUri for Azure B2C IEF Application
- B2C authentication not returning access_token
- How to disable authentication during the start up of an ASP.NET Core 5 Blazor B2C application?
- Email address empty when trying to read it out at the back end
- Creating a user in Azure AD B2C through Microsoft SSO
- Azure B2C client credentials flow throws invalid_grant AADB2C90085
- Error trying to add JavaScript to Azure B2C Local Signup Page
- Claim groups is not supported in Azure Active Directory Provider
- Getting access token in Blazor WASM Standalone
- Azure AD B2C password expiration
- Creating authentication flow in .NET MAUI app for Azure AD B2C
- Limit Azure Active Directory Registrations
- Custom policy to send OTP code via sendgrid gives exception about otpToVerify not being found but required
- AzureAd .NET - React running on same domain
- Azure B2C: MFA With Email. Field Blank
- How to troubleshoot RESTful endpoint response in custom policy?
- Azure AD B2C - Can I host custom UI pages on private server?
- Microsoft: Unable to resolve Configuration with the provided Issuer
- Getting Redirect URI Mismatch error in Azure AD b2C
- Trigger azure function on user registration in b2c
- Azure AD B2C IEF custom sign-up policy grab query parameters