Which policy (user flow) should my Azure AD B2C-pr

Published 2019-07-17 09:00

Question:

This is my first time using Azure AD B2C as the user authentication back-end in any of my projects. I'm brand new to the concepts and am trying to piece together my understanding of them.

I'm using the Azure AD B2C service. I'm developing a set of applications that all will ultimately use B2C as the user authentication engine. For example, I have an ASP.NET Core API server that exposes my back-end SQL data to end-users. I have a JavaScript React application that uses the B2C implicit workflow to authenticate and get tokens. Last, I have a C# desktop application that uses the resource owner password credentials flow to obtain my B2C tokens.

So, as you can see, I have several different B2C applications of different types. I have a web app that can leverage the implicit interactive workflow. I have a desktop application that can leverage the ROPC workflow to get the tokens. I have the web server that needs to verify the tokens.

My confusion is regarding my back-end API server and its own validation of the provided B2C bearer tokens from users.

It's my understanding that I need to configure my API server so that it requires a particular policy, as the authority, to have issued the token. That's simple enough - I currently just have it expect the interactive, default B2C-provided sign in policy.

My web application, the browser-based React application, can simply use that same sign in policy user flow and provide the access token to the API server and everything works because both use the same policy as the issuer / authority.

My GUI application though does not use that same sign in policy, it uses the ROPC policy which fails to pass the API server's authority check because the server expects the sign in policy to have granted the token.

My question is ...

How do I reconcile all these policies? Am I correct in thinking that my various "client applications" should be free to generate tokens via whichever policy (user flow) makes sense for them? But then which policy should my API server use as the authority since it requires one single policy to have been used?

Answer 1:

The issuer URL should be the same for all policies in the same tenant.

https://{tenant-name}.b2clogin.com/{tenant-id}/v2.0/

Example:

https://fabrikamb2c.b2clogin.com/775527ff-9a37-4307-8b3d-cc311f58d925/v2.0/

This means that you can configure any authority with the API server and it should validate tokens that are issued for any policy.



Answer 2:

@Ryan, your ASP.NET Core 2.1 Web API can decide how to validate the tokens by using TokenValidationParameters. For instance, I have not checked the B2C-specific case, but I suspect that the difference will come from the issuers.

This sample shows how to override the default validation of issuers: active-directory-aspnetcore-webapp-openidconnect-v2, branch aspnetcore2-2-signInAndCallGraph, in Startup.cs line 61

options.TokenValidationParameters.IssuerValidator = AadIssuerValidator.ValidateAadIssuer;

and then the AadIssuerValidator.ValidateAadIssuer method can be found here in AadIssuerValidator.cs

This one does accept any AAD organizations provided the token comes from Azure AD (v1.0 or v2.0 endpoint). I would think you could adapt it to the B2C case, accepting your host (something.b2clogin.com ?) ?

You'll also find more information in the TokenValidation article of Microsoft.Identity extensions for .NET wiki
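The two answers make one combined point: the B2C issuer is tenant-wide (Answer 1), so the API's issuer check is policy-independent, and any finer decision about which user flow may call a given route has to be made in a separate validation step (Answer 2). The script below is an added example, not code from the question or from either answer, and it is language-neutral validation logic rather than ASP.NET Core configuration. It mints tokens shaped like B2C v2.0 access tokens for the interactive sign-in flow and the ROPC flow, then validates them: signature, tenant-wide issuer, audience, lifetime, and an optional allow-list of policies read from the `tfp` claim (`acr` on older tokens). Real B2C tokens are RS256-signed with keys published at each user flow's `jwks_uri`; an HMAC-SHA256 signature over a constructed secret stands in for that so the script runs offline. The tenant name, tenant id, API client id, secret and policy names are assumed placeholders.

```python
"""Validating Azure AD B2C bearer tokens: one tenant-wide issuer, per-route policy gating.

Added example; not code from the question or from either answer. HMAC-SHA256 over a
constructed secret stands in for B2C's RS256 signing keys so this runs offline.
Tenant name, tenant id, API client id, secret and policy names are assumed placeholders.
"""
import base64
import hashlib
import hmac
import json
import time

TENANT_NAME = "fabrikamb2c"                              # assumed placeholder
TENANT_ID = "775527ff-9a37-4307-8b3d-cc311f58d925"        # assumed placeholder (same shape as answer 1)
API_CLIENT_ID = "11111111-2222-3333-4444-555555555555"   # assumed: the API's own app id, expected in aud
SIGNING_SECRET = b"constructed-demo-secret"              # stand-in for the tenant's RS256 signing key

# Default B2C issuer is tenant-level, so it is identical for every policy in the tenant.
EXPECTED_ISSUER = f"https://{TENANT_NAME}.b2clogin.com/{TENANT_ID}/v2.0/"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _sign(signing_input: str) -> str:
    digest = hmac.new(SIGNING_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return _b64url_encode(digest)


def mint_token(policy, sub: str, lifetime: int = 3600,
               issuer: str = EXPECTED_ISSUER, audience: str = API_CLIENT_ID) -> str:
    """Constructs a token shaped like a B2C v2.0 access token issued by the given user flow."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "sub": sub,
              "iat": now, "nbf": now, "exp": now + lifetime,
              "tfp": policy}   # B2C carries the policy name in tfp (acr on older tokens)
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    return signing_input + "." + _sign(signing_input)


def forge_policy(token: str, new_policy: str) -> str:
    """What a client might try: rewrite the tfp claim while keeping the original signature."""
    header, payload, signature = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["tfp"] = new_policy
    return header + "." + _b64url_encode(json.dumps(claims).encode()) + "." + signature


class TokenRejected(Exception):
    pass


def validate_token(token: str, allowed_policies=None, now=None) -> dict:
    """Signature, issuer, audience and lifetime checks, plus an optional allow-list of user flows.

    The issuer check is tenant-wide, so tokens from the ROPC flow and from the interactive
    sign-in flow both pass it. Restricting a route to particular flows is a separate decision
    taken on the tfp/acr claim, never on the issuer.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_seg, payload_seg, signature_seg = parts
    header = json.loads(_b64url_decode(header_seg))
    if header.get("alg") != "HS256":                     # never let the token choose the algorithm
        raise TokenRejected("unexpected alg")
    expected_sig = _sign(header_seg + "." + payload_seg)
    if not hmac.compare_digest(expected_sig.encode(), signature_seg.encode()):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(payload_seg))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("issuer %r is not this tenant" % claims.get("iss"))
    if claims.get("aud") != API_CLIENT_ID:
        raise TokenRejected("token was not issued for this API")
    now = int(time.time()) if now is None else now
    if now < claims.get("nbf", 0) or now >= claims.get("exp", 0):
        raise TokenRejected("token not yet valid or expired")
    policy = claims.get("tfp") or claims.get("acr")
    if not policy:
        raise TokenRejected("no policy claim")
    if allowed_policies is not None and policy.lower() not in {p.lower() for p in allowed_policies}:
        raise TokenRejected("policy %s is not accepted on this route" % policy)
    return claims


def is_accepted(token: str, allowed_policies=None, now=None) -> bool:
    """True if validate_token accepts the token, False if it rejects it."""
    try:
        validate_token(token, allowed_policies, now)
        return True
    except TokenRejected:
        return False


if __name__ == "__main__":
    interactive = mint_token("B2C_1_signupsignin", "user-1")   # React app, implicit flow
    ropc = mint_token("B2C_1_ropc", "user-2")                  # desktop app, ROPC flow
    print("same issuer:", validate_token(interactive)["iss"] == validate_token(ropc)["iss"])
    print("ropc on interactive-only route:", is_accepted(ropc, allowed_policies=["B2C_1_signupsignin"]))
    print("forged policy claim:", is_accepted(forge_policy(ropc, "B2C_1_signupsignin")))
```

In ASP.NET Core terms, the issuer and audience checks above correspond to `TokenValidationParameters.ValidIssuer` and `ValidAudience` (or a custom `IssuerValidator` as in Answer 2), the signing keys come from the metadata document of whichever user flow the `Authority` points at, and the per-route policy check corresponds to an authorization policy such as `RequireClaim("tfp", "B2C_1_signupsignin")`. One caveat: the tenant-wide issuer is the default `iss` format; a user flow's token compatibility settings can instead be configured to emit an issuer of the form `https://{domain}/tfp/{tenant-id}/{policy-id}/v2.0/`, in which case the issuer does vary per policy and the validator has to account for that.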