Answered

Secure an external .net 5.0 WebAPI using PowerApps portal token endpoint

(0) Share

Report

Posted on by captainsina

I have a .net 5.0 WebAPI hosted in Azure appservice which needs to be called from JavaScript on a custom power apps portal page.

Both portal and Web API are currently secured using the same instance of an azure B2C.

Using implicit grant, I am able to make a call to <portal_url>/_services/auth/token endpoint of my portal and get current user's JWT token.

But, when I pass this token to my WebAPI (I'm adding this token to the http header of my ajax call to Web API), I get Unauthorized back from the WebAPI.

If I get a JWT token from the B2C directly, API accepts the token and runs successfully.

Do I need any specific configurations on my WebAPI side so it can successfully accept/consume the token that is returned by Portal's <portal_url>/_services/auth/token endpoint?

Cheers

Categories:

Power Apps portals

I have the same question (0)

All responses (5)

Answers (2)

Christian Leverenz 1,214 on at

Like (0)

Report
Hi @captainsina ,
may be two dumb questions:
as i got it you need to be signed in to get a token via implicit flow. So, ist the user doing the call really logged in?
when i got the story right the api (your .net 5.0) has to validate and check the token. This token is to be checked against the portal and not against any other service. So, may be the token is checked against the b2c and not against the portal
Just two quick ideas, hope it helps finding the issue,

Christian

Was this reply helpful? Yes No
captainsina 21 on at

Like (1)

Report
@chleverenz ,
Not dumb at all, excellent questions and thank you.
Let me briefly explain the architecture:
Powerapps portal is integrated with Azure B2C (through configuration)
The custom API (.net 5.0) is also integrated with the same instance of B2C.
The API is integrated with the B2C through configurations in appsettings.json and some initiating code in .net 5.0 Web API startup.cs. The validation of token etc. is handled by MVC framework, I do not have explicit code to decode token/verify/validate/ etc.
In Azure B2C, permissions are granted to portal app registration to make calls to this particular API
Scenario:
End user logs in to portal using the B2C
User navigates to portal's custom page on which the API call is needed
At this point, user already has a token, the JavaScript on the page calls <portal_url>/_services/auth/token endpoint and receives current user's token successfully
The JavaScript then makes the call to external api and injects the token (from step 3) in http header of the ajax call
API responds by unauthorized.
If I get a token from B2C directly (using a postman call) and hardcode it in the http header of the JavaScript API call, it works fine, but when I use the token returned by portal endpoint, I get unauthorized.

My assumption was since both portal and API are integrated with the same B2C instance, the token returned by portal will be accepted by API, but its not behaving that way.

Question is if I need to change anything on API side for this to work.

Cheers

Was this reply helpful? Yes No
Verified answer

Christian Leverenz 1,214 on at

Like (1)

Report

Hi @captainsina ,
i have no examplecode which i created, but there is a (yes old) version like this: https://github.com/microsoft/PowerApps-Samples/blob/master/portals/ExternalWebApiConsumingPortalOAuthTokenSample/ExternalWebApiConsumingPortalOAuthTokenSample/App_Start/Startup.cs
In fact, they check the token by themselves.
I am not deep in the -net core pipilining where to set up the authentication against the implicit flow from the portals.
So, no idea whether you really have to write code or whether ists just more or less a setting for the api pipeline.
A (well bad) workaround could be, that you get a token from your b2c environment and pass ir to the call to the api. But the idea of the implicit flow was just to let the portals act as an identity provider for external apis no matter how the user signed in.
Exactly what you want 🙂
Hope the codesnippet helps a little bit,
Christian

Was this reply helpful? Yes No
captainsina 21 on at

Like (1)

Report

Thank you,
I have already seen that sample code and in fact that's the only one I have found so far.
As you mentioned, they are doing it in code and this is changed a lot in .net 5.0.
I am hoping there is a config that would take care of this by the framework in .net 5.0.
Million dollar question is: what and where 🙂
Cheers

Was this reply helpful? Yes No
Verified answer

OOlashyn 3,496 Most Valuable Professional on at

Like (2)

Report

Hi @captainsina ,

You would need to verify and parse the token yourself on the api side as the token that you retrieve in the portal via <portal_url>/_services/auth/token endpoint will be portal specific and different from B2C token.

Was this reply helpful? Yes No