I am trying to configure Azure AD B2C authentication with my Web API and although it builds and compiles fine, after passing in a token with a request, it logs:
... has a valid signature.
Lifetime of the token is valid.
Audience validated.
Creating claims from the validated token
But in the controller, the value of User.IsAuthenticated is false.
This is the controller:
    using Microsoft.AspNetCore.Mvc;
    using SoundShowdownAPI.Models;

    namespace SoundShowdownAPI.Controllers
    {
        [ApiController]
        [Route("[controller]")]
        public class UsersController : ControllerBase
        {
            private readonly ILogger<UsersController> _logger;

            public UsersController(ILogger<UsersController> logger)
            {
                _logger = logger;
            }

            [Route("me")]
            [HttpGet]
            public User Me()
            {
                var user = new User();
                user.Name = this.User.Identity.Name;
                user.Email = "unimplemented";
                return user;
            }
        }
    }
This is the program.cs file:
    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.Identity.Web;
    using Microsoft.IdentityModel.Logging;
    using System.Security.Principal;

    var builder = WebApplication.CreateBuilder(args);

    // Add services to the container.
    // Set up authentication via Microsoft Identity
    builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApi(options =>
        {
            builder.Configuration.Bind("AzureAdB2C", options);
            options.TokenValidationParameters.NameClaimType = "name";
        },
        options =>
        {
            builder.Configuration.Bind("AzureAdB2C", options);
        });

    builder.Services.AddControllers();
    builder.Services.AddEndpointsApiExplorer();
    builder.Services.AddSwaggerGen();

    var app = builder.Build();

    // Configure the HTTP request pipeline.
    if (app.Environment.IsDevelopment())
    {
        app.UseSwagger();
        app.UseSwaggerUI();
    }

    app.UseHttpsRedirection();
    app.UseAuthentication();
    app.UseAuthorization();
    app.MapControllers();

    IdentityModelEventSource.ShowPII = true;
    IdentityModelEventSource.LogCompleteSecurityArtifact = true;

    app.Run();
This is the appsettings.json file:
    {
      "Logging": {
        "LogLevel": {
          "Default": "Information",
          "Microsoft.AspNetCore": "Warning"
        }
      },
      "AllowedHosts": "*",
      "AzureAdB2C": {
        "Instance": "https://jfgamesinc.b2clogin.com/",
        "Domain": "jfgamesinc.onmicrosoft.com",
        "ClientId": "989ba9ff-890c-41e7-b8e9-3a3b63f575fb",
        "SignUpSignInPolicyId": "B2C_1_SignUpIn"
      }
    }
3
As I see it, the User class referenced in the question (User.IsAuthenticated) is a custom class from the custom namespace SoundShowdownAPI.Models, and that class has an IsAuthenticated boolean property.
It may be set implicitly, but it doesn’t look that way, and the false value of the IsAuthenticated property is a default boolean value that is set after a new object of the User class is created.
Also, it’s not specified that the User.Identity.Name value is null/empty/throws an error, so I assume it has a value and the user’s identity object exists.
Hence, try to check the IsAuthenticated property of the primary claims identity (User.Identity.IsAuthenticated) and set the IsAuthenticated property of the custom User class explicitly:

    user.IsAuthenticated = User.Identity.IsAuthenticated;

Last, but not related to the question: remember to set the [Authorize] attribute at the controller or method level.
4
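The check described in the answer, as an added example (not code from the question or the answer): the controller reads the authentication state from the ClaimsPrincipal that the JWT bearer handler builds, and [Authorize] rejects anonymous callers before the action runs. MeResponse is a hypothetical response type introduced here because the page's own User model is not shown; the Program.cs from the question is assumed unchanged.

```csharp
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

namespace SoundShowdownAPI.Controllers
{
    // Hypothetical DTO for this example (not the SoundShowdownAPI.Models.User class).
    public record MeResponse(
        string? Name,
        bool IsAuthenticated,
        string? AuthenticationType,
        string[] ClaimTypeNames);

    [ApiController]
    [Route("[controller]")]
    [Authorize] // Requests without a valid bearer token get 401 before any action runs.
    public class UsersController : ControllerBase
    {
        [HttpGet("me")]
        public ActionResult<MeResponse> Me()
        {
            // ControllerBase.User is the ClaimsPrincipal created from the validated
            // token; it is unrelated to any custom model class that is also named User.
            ClaimsPrincipal principal = User;
            var identity = principal.Identity;

            // Defence in depth: with [Authorize] in place this branch is not expected
            // to be reached, but it keeps the action safe if the attribute is removed.
            if (identity is null || !identity.IsAuthenticated)
            {
                return Unauthorized();
            }

            return new MeResponse(
                identity.Name,               // resolved via NameClaimType ("name" in Program.cs)
                identity.IsAuthenticated,
                identity.AuthenticationType,
                // Claim types only, not values, so the response does not echo token contents.
                principal.Claims.Select(c => c.Type).Distinct().ToArray());
        }
    }
}
```

The returned list of claim types shows which claims the validated token actually produced, which helps when Identity.Name comes back null despite a successful validation log.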