web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

Welcome to the Power Platform Communities
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Pages / Secure an external .ne...
Power Pages
Answered

Secure an external .net 5.0 WebAPI using PowerApps portal token endpoint

(0) ShareShare
ReportReport
Posted on by captainsina 21

I have a .net 5.0 WebAPI hosted in Azure appservice which needs to be called from JavaScript on a custom power apps portal page.

Both portal and Web API are currently secured using the same instance of an azure B2C.

 

Using implicit grant, I am able to make a call to <portal_url>/_services/auth/token endpoint of my portal and get current user's JWT token.

But, when I pass this token to my WebAPI (I'm adding this token to the http header of my ajax call to Web API), I get Unauthorized back from the WebAPI.

 

If I get a JWT token from the B2C directly, API accepts the token and runs successfully.

 

Do I need any specific configurations on my WebAPI side so it can successfully accept/consume the token that is returned by Portal's <portal_url>/_services/auth/token endpoint?

 

Cheers

Categories:
Power Apps portals
I have the same question (0)
  • Christian Leverenz Profile Picture
    Christian Leverenz 1,214 on at

    Hi @captainsina ,

    may be two dumb questions:

    • as i got it you need to be signed in to get a token via implicit flow. So, ist the user doing the call really logged in?
    • when i got the story right the api (your .net 5.0) has to validate and check the token. This token is to be checked against the portal and not against any other service. So, may be the token is checked against the b2c and not against the portal

    Just two quick ideas, hope it helps finding the issue,

     

    Christian

     

  • captainsina Profile Picture
    captainsina 21 on at

    @chleverenz ,

    Not dumb at all, excellent questions and thank you.

    Let me briefly explain the architecture:

    • Powerapps portal is integrated with Azure B2C (through configuration)
    • The custom API (.net 5.0) is also integrated with the same instance of B2C. 
    • The API is integrated with the B2C through configurations in appsettings.json and some initiating code in .net 5.0 Web API startup.cs. The validation of token etc. is handled by MVC framework, I do not have explicit code to decode token/verify/validate/ etc.
    • In Azure B2C, permissions are granted to portal app registration to make calls to this particular API

    Scenario:

    1. End user logs in to portal using the B2C
    2. User navigates to portal's custom page on which the API call is needed
    3. At this point, user already has a token, the JavaScript on the page calls <portal_url>/_services/auth/token endpoint and receives current user's token successfully
    4. The JavaScript then makes the call to external api and injects the token (from step 3) in http header of the ajax call
    5. API responds by unauthorized.

    If I get a token from B2C directly (using a postman call) and hardcode it in the http header of the JavaScript API call, it works fine, but when I use the token returned by portal endpoint, I get unauthorized.

     

    My assumption was since both portal and API are integrated with the same B2C instance, the token returned by portal will be accepted by API, but its not behaving that way.

     

    Question is if I need to change anything on API side for this to work.

     

    Cheers

  • Verified answer
    Christian Leverenz Profile Picture
    Christian Leverenz 1,214 on at

    Hi @captainsina ,

    i have no examplecode which i created, but there is a (yes old) version like this: https://github.com/microsoft/PowerApps-Samples/blob/master/portals/ExternalWebApiConsumingPortalOAuthTokenSample/ExternalWebApiConsumingPortalOAuthTokenSample/App_Start/Startup.cs

    In fact, they check the token by themselves. 

    I am not deep in the -net core pipilining where to set up the authentication against the implicit flow from the portals.

    So, no idea whether you really have to write code or whether ists just more or less a setting for the api pipeline.

    A (well bad) workaround could be, that you get a token from your b2c environment and pass ir to the call to the api. But the idea of the implicit flow was just to let the portals act as an identity provider for external apis no matter how the user signed in.

    Exactly what you want 🙂

    Hope the codesnippet helps a little bit,

      Christian

  • captainsina Profile Picture
    captainsina 21 on at

    Thank you,

    I have already seen that sample code and in fact that's the only one I have found so far.

    As you mentioned, they are doing it in code and this is changed a lot in .net 5.0.

    I am hoping there is a config that would take care of this by the framework in .net 5.0.

    Million dollar question is: what and where 🙂

    Cheers

  • Verified answer
    OOlashyn Profile Picture
    OOlashyn 3,496 Most Valuable Professional on at

    Hi @captainsina ,

    You would need to verify and parse the token yourself on the api side as the token that you retrieve in the portal via <portal_url>/_services/auth/token endpoint will be portal specific and different from B2C token.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities

Quick Links

Introducing the 2026 Season 1 community Super Users

Congratulations to our 2026 Super Users!

Kudos to our 2025 Community Spotlight Honorees

Congratulations to our 2025 community superstars!

Congratulations to the March Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Pages

#1
DP_Prabh Profile Picture

DP_Prabh 51

#2
rezarizvii Profile Picture

rezarizvii 35

#3
oliver.rodrigues Profile Picture

oliver.rodrigues 29 Most Valuable Professional

Last 30 days Overall leaderboard

Featured topics

Solution to LinkedIn Authentication in Power Apps Portals
Welcome to the Power Pages forum!

Product updates

Microsoft Power Platform Community release plans