一个使用 Azure AD B2C 的多个客户端 ID（应用程序 ID）的 ASP.NET Core 2.2 Web API 应用程序

Question

I have ASP.NET 2.2 Web API App using Azure AD B2C for auth

I have three roles requirements. Each role has different Azure AD B2C policies and a user can have one and only one role.

Currently adding roles with B2C is convoluted:

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/10123836-get-user-membership-groups-in-the-claims-with-ad-b

Authorize By Group in Azure Active Directory B2C

And to solve the role and policies per role, I am considering having multiple Azure AD B2C Applications within one ASP.NET Core Web API.

My ASP.NET Config for Azure AD B2C in the Startup.cs looks as follow:

services.AddAuthentication(AzureADB2CDefaults.JwtBearerAuthenticationScheme)
.AddAzureADB2CBearer(o => Configuration.Bind("AzureAdB2C", o));

Is having multiple Azure AD B2C ClientIDs (Application IDs) possible in ASP.NET Core? Are there libraries to do so? Do you have a better suggestion?

Answer 1

I would suggest to get user's group information in one of the notification function s(for example , SecurityTokenValidated) and add claim to the ClaimsPrincipal. You can click here for code sample .

If you register multi applications , if using OAuth 2.0 code grant flow , when redirecting user to Azure AD's login page you should provide the client id , how do you know which client id you should use before knowing who is the current user ? Unless you create extra page to let user choose which client he want to login , and then add an OpenIdConnectEvents handler for the OnRedirectToIdentityProvider event and replace the ClientId property there .