【Question title】: Unable to get AccessToken with Azure B2C, IdToken present but no scope permissions
【Posted】: 2018-03-05 16:30:59
【Question】:

I am following this tutorial to set up a client/server with Azure B2C.

I think I have done everything correctly, but I am running into a couple of problems.

  1. AccessToken is null, but IdToken is populated

When I try to access a protected resource, the following code runs after I sign in at https://login.microsoftonline.com. The line below fails because AccessToken is null:

request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);

TaskWebApp.Controllers.TaskController.cs (client app):

public async Task<ActionResult> Index()
{
    try
    {
        // Retrieve the token with the specified scopes
        var scope = new string[] { Startup.ReadTasksScope };
        string signedInUserID = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
        TokenCache userTokenCache = new MSALSessionCache(signedInUserID, this.HttpContext).GetMsalCacheInstance();
        ConfidentialClientApplication cca = new ConfidentialClientApplication(Startup.ClientId, Startup.Authority, Startup.RedirectUri, new ClientCredential(Startup.ClientSecret), userTokenCache, null);

        var user = cca.Users.FirstOrDefault();
        if (user == null)
        {
            throw new Exception("The User is NULL.  Please clear your cookies and try again.  Specifically delete cookies for 'login.microsoftonline.com'.  See this GitHub issue for more details: https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi/issues/9");
        }

        AuthenticationResult result = await cca.AcquireTokenSilentAsync(scope, user, Startup.Authority, false);

        HttpClient client = new HttpClient();
        HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, apiEndpoint);

        // Add token to the Authorization header and make the request
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken); //AccessToken null - crash
        //request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.IdToken); //This does work however
    }
    ...
}

Contents of the result returned by AcquireTokenSilentAsync:

  2. IdToken does not contain Scope permissions

If I use the IdToken instead of the AccessToken I get further, but I hit a new stumbling block. It fails here:

TaskService.Controllers.TasksController.cs (Web API):

public const string scopeElement = "http://schemas.microsoft.com/identity/claims/scope";

private void HasRequiredScopes(String permission)
{
    // FindFirst returns null when the token carries no scope claim at all (which is the
    // case for an ID token), so calling .Value on it directly throws a NullReferenceException.
    // Treat a missing claim the same as a missing permission and answer 401 instead.
    Claim scopeClaim = ClaimsPrincipal.Current.FindFirst(scopeElement);
    if (scopeClaim == null || !scopeClaim.Value.Contains(permission)) //Token doesn't contain scopeElement
    {
        throw new HttpResponseException(new HttpResponseMessage
        {
            StatusCode = HttpStatusCode.Unauthorized,
            ReasonPhrase = $"The Scope claim does not contain the {permission} permission."
        });
    }
}

Here is a screenshot of my ClaimsPrincipal.Current:

Any advice is appreciated.

EDIT

Sign-in URL:

https://login.microsoftonline.com/te/turtlecorptesting.onmicrosoft.com/b2c_1_email/oauth2/v2.0/authorize?client_id=03ef2bd...&redirect_uri=https%3a%2f%2flocalhost%3a44316%2f&response_mode=form_post&response_type=code+id_token&scope=openid+profile+offline_access+https%3a%2f%2fturtlecorptesting.onmicrosoft.com%2fread+https%3a%2f%2fturtlecorptesting.onmicrosoft.com%2fwrite&state=OpenIdConnect.AuthenticationProperties%3daDQntAuD0Vh=...&nonce=63655.....YWRmMWEwZDc.....

【Question comments】:

Tags: azure azure-active-directory azure-ad-b2c


【Answer 1】:
  1. Go to your application under Azure AD B2C

  2. Under API access, click Add and select your API and its scopes

You should now get an AccessToken in the response.

【Comments】:
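The answer above fixes the missing AccessToken on the client side, but the Web API from the question still dereferences the scope claim without checking that it exists, which is why an ID token (or an access token issued before the API scopes were granted) crashes the controller instead of being rejected. The following is an added example, not code from the question, the answer or the Azure sample: it checks the scope claim defensively, looks for both the mapped schema URI and the raw "scp" claim name (which of the two you see depends on the JWT handler's claim mapping), and matches whole space-delimited scope entries rather than a substring. The claim values and subject are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

// Added example: a scope check for the Web API that fails closed when the presented
// token carries no scope claim, instead of throwing a NullReferenceException.
public static class ScopeCheck
{
    // The claim type used by the question's code (mapped by the JWT handler) and the
    // raw JWT claim name, in case mapping is disabled.
    public const string ScopeElementUri = "http://schemas.microsoft.com/identity/claims/scope";
    public const string ScopeElementShort = "scp";

    // True only when the scope claim lists the required permission as a whole,
    // space-delimited entry, so "read" does not satisfy a check for "readonly".
    public static bool HasRequiredScope(ClaimsPrincipal principal, string permission)
    {
        if (principal == null || string.IsNullOrEmpty(permission))
        {
            return false;
        }

        Claim scopeClaim = principal.FindFirst(ScopeElementUri)
                           ?? principal.FindFirst(ScopeElementShort);
        if (scopeClaim == null)
        {
            // No scope claim at all: this is what an ID token, or an access token issued
            // without the API scopes being granted in the B2C portal, looks like.
            return false;
        }

        return scopeClaim.Value
            .Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries)
            .Any(s => string.Equals(s, permission, StringComparison.Ordinal));
    }

    // Builds a principal from constructed claims so the check can be exercised offline.
    private static ClaimsPrincipal BuildPrincipal(params Claim[] claims)
    {
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Bearer"));
    }

    public static void Main()
    {
        // Constructed sample: an access token whose scp claim grants read and write.
        ClaimsPrincipal withScopes = BuildPrincipal(
            new Claim("sub", "constructed-user-1"),
            new Claim(ScopeElementShort, "read write"));

        // Constructed sample: an ID token, which carries identity claims but no scope claim.
        ClaimsPrincipal idTokenLike = BuildPrincipal(
            new Claim("sub", "constructed-user-1"),
            new Claim("name", "Example User"));

        Console.WriteLine("read on access token: " + HasRequiredScope(withScopes, "read"));
        Console.WriteLine("delete on access token: " + HasRequiredScope(withScopes, "delete"));
        Console.WriteLine("read on ID token: " + HasRequiredScope(idTokenLike, "read"));
    }
}
```

In the controller, a false result is where the question's HttpResponseException with StatusCode = Unauthorized belongs; the point of the guard is that a token without a scope claim produces that 401 rather than an unhandled exception, and the whole-entry comparison keeps a scope such as "read" from being accepted by a token that only holds a longer scope containing that text.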
