cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
captainsina
Regular Visitor

Secure an external .net 5.0 WebAPI using PowerApps portal token endpoint

I have a .net 5.0 WebAPI hosted in Azure appservice which needs to be called from JavaScript on a custom power apps portal page.

Both portal and Web API are currently secured using the same instance of an azure B2C.

 

Using implicit grant, I am able to make a call to <portal_url>/_services/auth/token endpoint of my portal and get current user's JWT token.

But, when I pass this token to my WebAPI (I'm adding this token to the http header of my ajax call to Web API), I get Unauthorized back from the WebAPI.

 

If I get a JWT token from the B2C directly, API accepts the token and runs successfully.

 

Do I need any specific configurations on my WebAPI side so it can successfully accept/consume the token that is returned by Portal's <portal_url>/_services/auth/token endpoint?

 

Cheers

2 ACCEPTED SOLUTIONS

Accepted Solutions
chleverenz
Power Participant
Power Participant

Hi @captainsina ,

i have no examplecode which i created, but there is a (yes old) version like this: https://github.com/microsoft/PowerApps-Samples/blob/master/portals/ExternalWebApiConsumingPortalOAut...

In fact, they check the token by themselves. 

I am not deep in the -net core pipilining where to set up the authentication against the implicit flow from the portals.

So, no idea whether you really have to write code or whether ists just more or less a setting for the api pipeline.

A (well bad) workaround could be, that you get a token from your b2c environment and pass ir to the call to the api. But the idea of the implicit flow was just to let the portals act as an identity provider for external apis no matter how the user signed in.

Exactly what you want 🙂

Hope the codesnippet helps a little bit,

  Christian

Have fun,
Christian
----------------------
Please do not forget to leave feedback if this post helped you. Already giving kudos is a great way of feedback when the post was helpful.
Comments on how the answer could be improved are welcome, too.

View solution in original post

Hi @captainsina ,

You would need to verify and parse the token yourself on the api side as the token that you retrieve in the portal via <portal_url>/_services/auth/token endpoint will be portal specific and different from B2C token.

----------------------------------------------------
If you find this post helpful consider marking it as a solution to help others find it.

View solution in original post

5 REPLIES 5
chleverenz
Power Participant
Power Participant

Hi @captainsina ,

may be two dumb questions:

  • as i got it you need to be signed in to get a token via implicit flow. So, ist the user doing the call really logged in?
  • when i got the story right the api (your .net 5.0) has to validate and check the token. This token is to be checked against the portal and not against any other service. So, may be the token is checked against the b2c and not against the portal

Just two quick ideas, hope it helps finding the issue,

 

Christian

 

Have fun,
Christian
----------------------
Please do not forget to leave feedback if this post helped you. Already giving kudos is a great way of feedback when the post was helpful.
Comments on how the answer could be improved are welcome, too.

@chleverenz ,

Not dumb at all, excellent questions and thank you.

Let me briefly explain the architecture:

  • Powerapps portal is integrated with Azure B2C (through configuration)
  • The custom API (.net 5.0) is also integrated with the same instance of B2C. 
  • The API is integrated with the B2C through configurations in appsettings.json and some initiating code in .net 5.0 Web API startup.cs. The validation of token etc. is handled by MVC framework, I do not have explicit code to decode token/verify/validate/ etc.
  • In Azure B2C, permissions are granted to portal app registration to make calls to this particular API

Scenario:

  1. End user logs in to portal using the B2C
  2. User navigates to portal's custom page on which the API call is needed
  3. At this point, user already has a token, the JavaScript on the page calls <portal_url>/_services/auth/token endpoint and receives current user's token successfully
  4. The JavaScript then makes the call to external api and injects the token (from step 3) in http header of the ajax call
  5. API responds by unauthorized.

If I get a token from B2C directly (using a postman call) and hardcode it in the http header of the JavaScript API call, it works fine, but when I use the token returned by portal endpoint, I get unauthorized.

 

My assumption was since both portal and API are integrated with the same B2C instance, the token returned by portal will be accepted by API, but its not behaving that way.

 

Question is if I need to change anything on API side for this to work.

 

Cheers

chleverenz
Power Participant
Power Participant

Hi @captainsina ,

i have no examplecode which i created, but there is a (yes old) version like this: https://github.com/microsoft/PowerApps-Samples/blob/master/portals/ExternalWebApiConsumingPortalOAut...

In fact, they check the token by themselves. 

I am not deep in the -net core pipilining where to set up the authentication against the implicit flow from the portals.

So, no idea whether you really have to write code or whether ists just more or less a setting for the api pipeline.

A (well bad) workaround could be, that you get a token from your b2c environment and pass ir to the call to the api. But the idea of the implicit flow was just to let the portals act as an identity provider for external apis no matter how the user signed in.

Exactly what you want 🙂

Hope the codesnippet helps a little bit,

  Christian

Have fun,
Christian
----------------------
Please do not forget to leave feedback if this post helped you. Already giving kudos is a great way of feedback when the post was helpful.
Comments on how the answer could be improved are welcome, too.

Thank you,

I have already seen that sample code and in fact that's the only one I have found so far.

As you mentioned, they are doing it in code and this is changed a lot in .net 5.0.

I am hoping there is a config that would take care of this by the framework in .net 5.0.

Million dollar question is: what and where 🙂

Cheers

Hi @captainsina ,

You would need to verify and parse the token yourself on the api side as the token that you retrieve in the portal via <portal_url>/_services/auth/token endpoint will be portal specific and different from B2C token.

----------------------------------------------------
If you find this post helpful consider marking it as a solution to help others find it.

Helpful resources

Announcements

Community will be READ ONLY July 16th, 5p PDT -July 22nd

Dear Community Members,   We'd like to let you know of an upcoming change to the community platform: starting July 16th, the platform will transition to a READ ONLY mode until July 22nd.   During this period, members will not be able to Kudo, Comment, or Reply to any posts.   On July 22nd, please be on the lookout for a message sent to the email address registered on your community profile. This email is crucial as it will contain your unique code and link to register for the new platform encompassing all of the communities.   What to Expect in the New Community: A more unified experience where all products, including Power Apps, Power Automate, Copilot Studio, and Power Pages, will be accessible from one community.Community Blogs that you can syndicate and link to for automatic updates. We appreciate your understanding and cooperation during this transition. Stay tuned for the exciting new features and a seamless community experience ahead!

Summer of Solutions | Week 4 Results |Winners will be posted on July 24th

We are excited to announce the Summer of Solutions Challenge!    This challenge is kicking off on Monday, June 17th and will run for (4) weeks.  The challenge is open to all Power Platform (Power Apps, Power Automate, Copilot Studio & Power Pages) community members. We invite you to participate in a quest to provide solutions to as many questions as you can. Answers can be provided in all the communities.    Entry Period: This Challenge will consist of four weekly Entry Periods as follows (each an “Entry Period”)   - 12:00 a.m. PT on June 17, 2024 – 11:59 p.m. PT on June 23, 2024 - 12:00 a.m. PT on June 24, 2024 – 11:59 p.m. PT on June 30, 2024 - 12:00 a.m. PT on July 1, 2024 – 11:59 p.m. PT on July 7, 2024 - 12:00 a.m. PT on July 8, 2024 – 11:59 p.m. PT on July 14, 2024   Entries will be eligible for the Entry Period in which they are received and will not carryover to subsequent weekly entry periods.  You must enter into each weekly Entry Period separately.   How to Enter: We invite you to participate in a quest to provide "Accepted Solutions" to as many questions as you can. Answers can be provided in all the communities. Users must provide a solution which can be an “Accepted Solution” in the Forums in all of the communities and there are no limits to the number of “Accepted Solutions” that a member can provide for entries in this challenge, but each entry must be substantially unique and different.    Winner Selection and Prizes: At the end of each week, we will list the top ten (10) Community users which will consist of: 5 Community Members & 5 Super Users and they will advance to the final drawing. We will post each week in the News & Announcements the top 10 Solution providers.  At the end of the challenge, we will add all of the top 10 weekly names and enter them into a random drawing.  Then we will randomly select ten (10) winners (5 Community Members & 5 Super Users) from among all eligible entrants received across all weekly Entry Periods to receive the prize listed below. If a winner declines, we will draw again at random for the next winner.  A user will only be able to win once overall. If they are drawn multiple times, another user will be drawn at random.  Individuals will be contacted before the announcement with the opportunity to claim or deny the prize.  Once all of the winners have been notified, we will post in the News & Announcements of each community with the list of winners.   Each winner will receive one (1) Pass to the Power Platform Conference in Las Vegas, Sep. 18-20, 2024 ($1800 value). NOTE: Prize is for conference attendance only and any other costs such as airfare, lodging, transportation, and food are the sole responsibility of the winner. Tickets are not transferable to any other party or to next year’s event.   ** PLEASE SEE THE ATTACHED RULES for this CHALLENGE**   Week 1 Results: Congratulations to the Week 1 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Week 1: Community MembersSolutionsSuper UsersSolutionsPower Pages @Inogic  1   @ragavanrajan  2 @aofosu  1 @Jcook  1Open  @OliverRodrigues  1Open  @Lucas001  1Open Open    Week 2 Results: Congratulations to the Week 2 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge.   Week 2: Community MembersSolutionsSuper UsersSolutionsPower Pages @taraubianca25  2 @EmadBeshai  2 @ALP2  2@Fubar 2 @ekluth1  2@ragavanrajan 1 @mandela  1@OliverRodrigues 1 @Ajlan  1Open   @elishafxx  1    @TA_Jeremy  1    @helio1981  1       Week 3 Results: Congratulations to the Week 3 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Week 3:Community MembersSolutionsSuper UsersSolutionsPower PagesInogic2@EmadBeshai 6Ajlan1@ragavanrajan 4CraigWarnholtz1@Fubar 4  @Jcook 3  @OliverRodrigues2   Week 4 Results: Congratulations to the Week 4 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge.   Week 4:Community MembersSolutionsSuper UsersSolutionsPower PagesHenryed071Fubar3Inogic1OliverRodrigues2JacoMathew1EmadBeshai2faruk11  TA_Jeremy1   shubhambhangale1   doug-ppc1   hubjes1  

Check Out | 2024 Release Wave 2 Plans for Microsoft Dynamics 365 and Microsoft Power Platform

  On July 16, 2024, we published the 2024 release wave 2 plans for Microsoft Dynamics 365 and Microsoft Power Platform. These plans are a compilation of the new capabilities planned to be released between October 2024 to March 2025. This release introduces a wealth of new features designed to enhance customer understanding and improve overall user experience, showcasing our dedication to driving digital transformation for our customers and partners.    The upcoming wave is centered around utilizing advanced AI and Microsoft Copilot technologies to enhance user productivity and streamline operations across diverse business applications. These enhancements include intelligent automation, AI-powered insights, and immersive user experiences that are designed to break down barriers between data, insights, and individuals. Watch a summary of the release highlights.    Discover the latest features that empower organizations to operate more efficiently and adaptively. From AI-driven sales insights and customer service enhancements to predictive analytics in supply chain management and autonomous financial processes, the new capabilities enable businesses to proactively address challenges and capitalize on opportunities.    

Updates to Transitions in the Power Platform Communities

We're embarking on a journey to enhance your experience by transitioning to a new community platform. Our team has been diligently working to create a fresh community site, leveraging the very Dynamics 365 and Power Platform tools our community advocates for.  We started this journey with transitioning Copilot Studio forums and blogs in June. The move marks the beginning of a new chapter, and we're eager for you to be a part of it. The rest of the Power Platform product sites will be moving over this summer.   Stay tuned for more updates as we get closer to the launch. We can't wait to welcome you to our new community space, designed with you in mind. Let's connect, learn, and grow together.   Here's to new beginnings and endless possibilities!   If you have any questions, observations or concerns throughout this process please go to https://aka.ms/PPCommSupport.   To stay up to date on the latest details of this migration and other important Community updates subscribe to our News and Announcements forums: Copilot Studio, Power Apps, Power Automate, Power Pages

Users online (738)