From 586f12dc8b477cce873d49378fa1a88c8a3702f2 Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Tue, 26 Mar 2024 16:15:58 -0400 Subject: [PATCH 1/3] Update scope/authority guidance in BWA+OIDC article --- .../security/blazor-web-app-with-oidc.md | 40 ++++++++++++++----- 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/aspnetcore/blazor/security/blazor-web-app-with-oidc.md b/aspnetcore/blazor/security/blazor-web-app-with-oidc.md index d30672fd16a4..e4d83af027b1 100644 --- a/aspnetcore/blazor/security/blazor-web-app-with-oidc.md +++ b/aspnetcore/blazor/security/blazor-web-app-with-oidc.md 
@@ -317,20 +317,30 @@ The following ): The `Weather.Get` scope is configured in the Azure or Entra portal under **Expose an API**. This is necessary for backend web API project (`MinimalApiJwt`) to validate the access token with bearer JWT. ```csharp - oidcOptions.Scope.Add("{SCOPE}"); + oidcOptions.Scope.Add("{APP ID URI}/{API NAME}"); ``` - Example (`{SCOPE}`): + Example: + + * App ID URI (`{APP ID URI}`): `https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID}` + * Directory Name (`{DIRECTORY NAME}`): `contoso` + * Application (Client) Id (`{CLIENT ID}`): `4ba4de56-9cef-45d9-83fa-a4c18f9f5f0f` + * Scope configured for weather data from `MinimalApiJwt` (`{API NAME}`): `Weather.Get` ```csharp oidcOptions.Scope.Add("https://contoso.onmicrosoft.com/4ba4de56-9cef-45d9-83fa-a4c18f9f5f0f/Weather.Get"); ``` - The preceding example uses: + The preceding example pertains to an app registered in a tenant with an AAD B2C tenant type. If the app is registered in an ME-ID tenant, the App ID URI is different, thus the scope is different. + + Example: - * Directory name: `contoso` - * Client Id: `4ba4de56-9cef-45d9-83fa-a4c18f9f5f0f` - * Scope configured for weather data from `MinimalApiJwt`: `Weather.Get` + * App ID URI (`{APP ID URI}`): `api://{CLIENT ID}` with Application (Client) Id (`{CLIENT ID}`): `4ba4de56-9cef-45d9-83fa-a4c18f9f5f0f` + * Scope configured for weather data from `MinimalApiJwt` (`{API NAME}`): `Weather.Get` + + ```csharp + oidcOptions.Scope.Add("api://4ba4de56-9cef-45d9-83fa-a4c18f9f5f0f/Weather.Get"); + ``` * and : Sets the Authority and Client ID for OIDC calls. @@ -491,15 +501,27 @@ Configure the project in the : Sets the Authority for making OpenID Connect calls. Match the value to the Authority configured for the OIDC handler in `BlazorWebAppOidc/Program.cs`: From b0e25e7584957f16855e099f648ec2a7ecea06e5 Mon Sep 17 00:00:00 2001 
From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Tue, 26 Mar 2024 16:18:34 -0400 Subject: [PATCH 2/3] Updates --- aspnetcore/blazor/security/blazor-web-app-with-oidc.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/aspnetcore/blazor/security/blazor-web-app-with-oidc.md b/aspnetcore/blazor/security/blazor-web-app-with-oidc.md index e4d83af027b1..8ea4d9d95f4b 100644 --- a/aspnetcore/blazor/security/blazor-web-app-with-oidc.md +++ b/aspnetcore/blazor/security/blazor-web-app-with-oidc.md @@ -506,9 +506,10 @@ Configure the project in the Date: Tue, 26 Mar 2024 16:21:58 -0400 Subject: [PATCH 3/3] Updates --- aspnetcore/blazor/security/blazor-web-app-with-oidc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnetcore/blazor/security/blazor-web-app-with-oidc.md b/aspnetcore/blazor/security/blazor-web-app-with-oidc.md index 8ea4d9d95f4b..3c7557eabfc8 100644 --- a/aspnetcore/blazor/security/blazor-web-app-with-oidc.md +++ b/aspnetcore/blazor/security/blazor-web-app-with-oidc.md @@ -515,7 +515,7 @@ Configure the project in the
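Review bot: In the first hunk of PATCH 1/3 (`@@ -317,20 +317,30 @@`), the rewritten guidance tells readers to infer the App ID URI from the tenant type (`https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID}` for AAD B2C, `api://{CLIENT ID}` for ME-ID), but the same paragraph says the scope is configured under **Expose an API**, and the App ID URI shown there is what the registration actually uses and can be customized at registration time; suggest leading with an instruction to copy the App ID URI from **Expose an API** for the `MinimalApiJwt` registration and append `/{API NAME}`, then presenting the two code lines as the default forms for each tenant type, so a reader with a customized URI does not add a scope the API never issued. Two smaller points in the same hunk: the ME-ID bullet list folds the Application (Client) Id into the App ID URI bullet (`api://{CLIENT ID}` with Application (Client) Id ...) while the B2C list gives it its own bullet, so the two lists should use the same layout; and the unchanged context sentence "This is necessary for backend web API project (`MinimalApiJwt`) to validate the access token with bearer JWT" is missing "the" before "backend" and would read more precisely as "to validate the bearer JWT access token", which is worth fixing while this paragraph is being edited. The remaining hunks in this series (`@@ -491,15 +501,27 @@`, `@@ -506,9 +506,10 @@`, `@@ -515,7 +515,7 @@`) show only their headers here, so there is nothing to review in them beyond noting that the commit subjects "Updates" for PATCH 2/3 and 3/3 say nothing about what changed; a subject naming the section touched (the `MinimalApiJwt` Authority guidance, per the context line) would help anyone reading the history.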