b2c limitations - mattchenderson/microsoft-identity-web GitHub Wiki

Azure AD B2C limitations

Microsoft.Identity.Web makes the experience of developing web apps and web APIs for Azure AD and Azure AD B2C very similar. There are, however, limitations of the Azure AD B2C service which Microsoft.Identity.Web cannot work around:

Azure AD B2C protected web APIs cannot call downstream APIs

As explained in Request an access token in Azure Active Directory B2C, Azure AD B2C does not support the On-Behalf-Of (OBO) flow that web APIs use to call downstream APIs on behalf of the signed-in user. This means that an Azure AD B2C protected web API cannot call downstream web APIs. Therefore, if you try to use ITokenAcquisition.GetAccessTokenForUserAsync or IDownstreamApi.CallApiForUserAsync from such a web API, you'll get the following exception:

MSAL.NetCore.4.25.0.0.MsalServiceException: 
	ErrorCode: unsupported_grant_type
Microsoft.Identity.Client.MsalServiceException: AADB2C90086: The supplied grant_type [urn:ietf:params:oauth:grant-type:jwt-bearer] is not supported

The webapi project template in .NET 5 (or webapi2 in the Microsoft.Identity.Web.ProjectTemplates NuGet package) is aware of this limitation and does not generate code that would call a downstream API.


All the scopes need to be requested upfront

With Azure AD B2C, there is no incremental consent. The scopes need to all be requested when the user signs-in.

You cannot use ITokenAcquisition.GetAccessTokenForAppAsync or IDownstreamApi.CallApiForAppAsync in Azure AD B2C web apps

Azure AD B2C does not support the client credentials flow used in daemon scenarios. Therefore you won't be able to use ITokenAcquisition.GetAccessTokenForAppAsync or IDownstreamApi.CallApiForAppAsync in Azure AD B2C web apps; those methods acquire an app-only token with the client credentials grant, which B2C rejects.

Old limitations now fixed

Azure AD B2C web apps can now call several web APIs

Previously, Azure AD B2C web apps could not call several web APIs without the user signing in again, which meant that you had to handle the user challenge yourself (see Managing incremental consent and conditional access).

A recent change in B2C makes it possible to acquire tokens successively for different web APIs.

In other words, with B2C it is now possible to redeem a refresh token for a new access token for a different resource, as it already was in Azure AD.
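The following is an added illustration, not code from this wiki or from Microsoft.Identity.Web itself, tying together the points above: a B2C web app requests every downstream scope it will ever need at sign-in (no incremental consent), then acquires tokens for two different web APIs one after the other (the formerly impossible case), and never attempts an app-only or On-Behalf-Of acquisition. The "AzureAdB2C" configuration section name, the scope URIs and the API base addresses are assumptions.

```csharp
// Startup.cs and a controller for an ASP.NET Core web app that signs users in with
// Azure AD B2C and calls two downstream web APIs. Added illustration, not code from
// the wiki or from Microsoft.Identity.Web. The "AzureAdB2C" config section name,
// the scope URIs and the API base addresses are assumptions.
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

public static class B2CScopes
{
    // Every downstream scope the app will ever need. B2C has no incremental
    // consent, so the full set goes into the sign-in request (initialScopes below);
    // a scope first requested later would send the user through sign-in again.
    public static readonly string[] Orders =
        { "https://contoso.onmicrosoft.com/orders/Orders.Read" };
    public static readonly string[] Inventory =
        { "https://contoso.onmicrosoft.com/inventory/Inventory.Read" };
    public static IEnumerable<string> All => Orders.Concat(Inventory);
}

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // The "AzureAdB2C" section is assumed to hold Instance, Domain, ClientId,
        // ClientSecret and SignUpSignInPolicyId (the B2C user flow).
        services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAdB2C")
            // initialScopes are appended to the authorization request at sign-in,
            // so the user consents to all of them once.
            .EnableTokenAcquisitionToCallDownstreamApi(B2CScopes.All)
            .AddInMemoryTokenCaches();

        // Deliberately absent: GetAccessTokenForAppAsync (client credentials) is
        // rejected by B2C, and a B2C-protected web API cannot use
        // GetAccessTokenForUserAsync to reach a further API (no OBO). The web app
        // therefore obtains a token for each API itself, as in the controller below.
        services.AddHttpClient();
        services.AddControllersWithViews();
    }
}

[Authorize]
public class DashboardController : Controller
{
    private readonly ITokenAcquisition _tokenAcquisition;
    private readonly IHttpClientFactory _httpClientFactory;

    public DashboardController(ITokenAcquisition tokenAcquisition,
                               IHttpClientFactory httpClientFactory)
    {
        _tokenAcquisition = tokenAcquisition;
        _httpClientFactory = httpClientFactory;
    }

    // If MSAL throws MsalUiRequiredException (expired session, missing consent),
    // this attribute challenges the user for exactly these scopes instead of failing.
    [AuthorizeForScopes(Scopes = new[] {
        "https://contoso.onmicrosoft.com/orders/Orders.Read",
        "https://contoso.onmicrosoft.com/inventory/Inventory.Read" })]
    public async Task<IActionResult> Index()
    {
        // First API: the access token comes from the cache populated at sign-in.
        string ordersJson = await CallApiAsync(
            "https://orders.contoso.example/api/orders", B2CScopes.Orders);

        // Second API, different resource: with current B2C the refresh token obtained
        // at sign-in is redeemed silently for this audience; before the fix this
        // second acquisition would have forced the user to sign in again.
        string inventoryJson = await CallApiAsync(
            "https://inventory.contoso.example/api/stock", B2CScopes.Inventory);

        return Content($"{{\"orders\":{ordersJson},\"inventory\":{inventoryJson}}}",
                       "application/json");
    }

    private async Task<string> CallApiAsync(string url, IEnumerable<string> scopes)
    {
        // Per-user, per-resource token from Microsoft.Identity.Web's cache.
        string accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(scopes);
        HttpClient client = _httpClientFactory.CreateClient();
        using var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using HttpResponseMessage response = await client.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}
```

The design point is that every scope is known at startup and passed as initialScopes; keeping the scope lists in one place (B2CScopes) makes it obvious when a new API is added that the sign-in request, not just the controller, has to change. The two GetAccessTokenForUserAsync calls in one action are exactly the "several web APIs" case that the B2C change now supports without a second sign-in.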