diff --git a/aspnetcore/blazor/security/additional-scenarios.md b/aspnetcore/blazor/security/additional-scenarios.md index 864e9adf78b7..23740c25252e 100644 --- a/aspnetcore/blazor/security/additional-scenarios.md +++ b/aspnetcore/blazor/security/additional-scenarios.md @@ -551,7 +551,7 @@ Alternatively, the setting can be made in the app settings (`appsettings.json`) ```json { "AzureAd": { - "Authority": "https://login.microsoftonline.com/common/oauth2/v2.0/", + "Authority": "https://login.microsoftonline.com/common/oauth2/v2.0", ... } } diff --git a/aspnetcore/blazor/security/blazor-web-app-with-entra.md b/aspnetcore/blazor/security/blazor-web-app-with-entra.md index 92353eed044e..386a302740b6 100644 --- a/aspnetcore/blazor/security/blazor-web-app-with-entra.md +++ b/aspnetcore/blazor/security/blazor-web-app-with-entra.md 
@@ -109,20 +109,33 @@ For the web API app's registration, the `Weather.Get` scope is configured in the jwtOptions.Authority = "{AUTHORITY}"; ``` -The following examples use a Tenant ID of `aaaabbbb-0000-cccc-1111-dddd2222eeee`. +The following examples use a Tenant ID of `aaaabbbb-0000-cccc-1111-dddd2222eeee` and a directory name of `contoso`. If the app is registered in an ME-ID tenant, the authority should match the issurer (`iss`) of the JWT returned by the identity provider: ```csharp -jwtOptions.Authority = "https://sts.windows.net/aaaabbbb-0000-cccc-1111-dddd2222eeee/"; +jwtOptions.Authority = "https://sts.windows.net/aaaabbbb-0000-cccc-1111-dddd2222eeee"; +``` + +If the app is registered in a Microsoft Entra External ID tenant: + +```csharp +jwtOptions.Authority = "https://contoso.ciamlogin.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0"; ``` If the app is registered in an AAD B2C tenant: ```csharp -jwtOptions.Authority = "https://login.microsoftonline.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0/"; +jwtOptions.Authority = "https://login.microsoftonline.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0"; ``` + + +> [!NOTE] +> Azure Active Directory B2C is no longer available as a service to new customers as of May 1, 2025. AAD B2C tenants are supported for customers with accounts established prior to May 1, 2025 until 2030. For more information, see [Azure AD B2C: Frequently asked questions (FAQ)](/azure/active-directory-b2c/faq). + sets the Audience for any received JWT access token. ```csharp 
@@ -131,7 +144,7 @@ jwtOptions.Audience = "{AUDIENCE}"; Match the value to just the path of the **Application ID URI** configured when adding the `Weather.Get` scope under **Expose an API** in the Entra or Azure portal. Don't include the scope name, "`Weather.Get`," in the value. -The following examples use an Application (Client) Id of `11112222-bbbb-3333-cccc-4444dddd5555`. The second example uses a tenant domain of `contoso.onmicrosoft.com`. +The following examples use an Application (Client) Id of `11112222-bbbb-3333-cccc-4444dddd5555`. The third example uses a tenant domain of `contoso.onmicrosoft.com`. ME-ID tenant example: @@ -139,6 +152,12 @@ ME-ID tenant example: jwtOptions.Audience = "api://11112222-bbbb-3333-cccc-4444dddd5555"; ``` +Microsoft Entra External ID tenant: + +```csharp +jwtOptions.Audience = "11112222-bbbb-3333-cccc-4444dddd5555"; +``` + AAD B2C tenant example: ```csharp @@ -151,6 +170,15 @@ jwtOptions.Audience = "https://contoso.onmicrosoft.com/11112222-bbbb-3333-cccc-4 Obtain the application (client) ID, tenant (publisher) domain, and directory (tenant) ID from the app's registration in the Entra or Azure portal. The App ID URI is obtained for the `Weather.Get` scope from the web API's registration. Don't include the scope name when taking the App ID URI from the portal. +The authentication configuration depends on the type of tenant: + +* [ME-ID tenant configuration](#me-id-tenant-configuration) +* [Microsoft Entra External ID configuration](#microsoft-entra-external-id-configuration) + +### ME-ID tenant configuration + +*This section applies to an app registered in a Microsoft Entra ID or Azure AAD B2C tenant.* + In the `BlazorWebAppEntra` project's `Program` file, provide the values for the following placeholders in Microsoft Identity Web configuration: ```csharp 
@@ -168,7 +196,7 @@ builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme) .AddDownstreamApi("DownstreamApi", configOptions => { configOptions.BaseUrl = "{BASE ADDRESS}"; - configOptions.Scopes = [ "{APP ID URI}/Weather.Get" ]; + configOptions.Scopes = ["{APP ID URI}/Weather.Get"]; }) .AddDistributedTokenCaches(); ``` 
@@ -200,7 +228,60 @@ builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme) .AddDownstreamApi("DownstreamApi", configOptions => { configOptions.BaseUrl = "https://localhost:7277"; - configOptions.Scopes = [ "api://11112222-bbbb-3333-cccc-4444dddd5555/Weather.Get" ]; + configOptions.Scopes = ["api://11112222-bbbb-3333-cccc-4444dddd5555/Weather.Get"]; + }) + .AddDistributedTokenCaches(); +``` + +### Microsoft Entra External ID configuration + +*This section applies to an app registered in a Microsoft Entra External ID tenant.* + +In the `BlazorWebAppEntra` project's `Program` file, provide the values for the following placeholders in Microsoft Identity Web configuration: + +```csharp +builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme) + .AddMicrosoftIdentityWebApp(msIdentityOptions => + { + msIdentityOptions.CallbackPath = "/signin-oidc"; + msIdentityOptions.Authority = "https://{DIRECTORY NAME}.ciamlogin.com/{TENANT ID}/v2.0"; + msIdentityOptions.ClientId = "{CLIENT ID (BLAZOR APP)}"; + msIdentityOptions.ResponseType = "code"; + }) + .EnableTokenAcquisitionToCallDownstreamApi() + .AddDownstreamApi("DownstreamApi", configOptions => + { + configOptions.BaseUrl = "{BASE ADDRESS}"; + configOptions.Scopes = ["{APP ID URI}/Weather.Get"]; + }) + .AddDistributedTokenCaches(); +``` + +Placeholders in the preceding configuration: + +* `{DIRECTORY NAME}`: The directory name of the tenant (publisher) domain. +* `{CLIENT ID (BLAZOR APP)}`: The application (client) ID. +* `{BASE ADDRESS}`: The web API's base address. +* `{APP ID URI}`: The App ID URI for web API scopes. Either of the following formats are used, where the `{CLIENT ID (WEB API)}` placeholder is the Client Id of the web API's Entra registration, and the `{DIRECTORY NAME}` placeholder is the directory name of the tenant (publisher) domain (example: `contoso`). 
+ * ME-ID or Microsoft Entra External ID tenant format: `api://{CLIENT ID (WEB API)}` + * B2C tenant format: `https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID (WEB API)}` + +Example: + +```csharp +builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme) + .AddMicrosoftIdentityWebApp(msIdentityOptions => + { + msIdentityOptions.CallbackPath = "/signin-oidc"; + msIdentityOptions.Authority = "https://contoso.ciamlogin.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0"; + msIdentityOptions.ClientId = "00001111-aaaa-2222-bbbb-3333cccc4444"; + msIdentityOptions.ResponseType = "code"; + }) + .EnableTokenAcquisitionToCallDownstreamApi() + .AddDownstreamApi("DownstreamApi", configOptions => + { + configOptions.BaseUrl = "https://localhost:7277"; + configOptions.Scopes = ["api://11112222-bbbb-3333-cccc-4444dddd5555/Weather.Get"]; }) .AddDistributedTokenCaches(); ``` 
@@ -317,20 +398,33 @@ For the web API app's registration, the `Weather.Get` scope is configured in the jwtOptions.Authority = "{AUTHORITY}"; ``` -The following examples use a Tenant ID of `aaaabbbb-0000-cccc-1111-dddd2222eeee`. +The following examples use a Tenant ID of `aaaabbbb-0000-cccc-1111-dddd2222eeee` and a directory name of `contoso`. If the app is registered in an ME-ID tenant, the authority should match the issurer (`iss`) of the JWT returned by the identity provider: ```csharp -jwtOptions.Authority = "https://sts.windows.net/aaaabbbb-0000-cccc-1111-dddd2222eeee/"; +jwtOptions.Authority = "https://sts.windows.net/aaaabbbb-0000-cccc-1111-dddd2222eeee"; +``` + +If the app is registered in a Microsoft Entra External ID tenant: + +```csharp +jwtOptions.Authority = "https://contoso.ciamlogin.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0"; ``` If the app is registered in an AAD B2C tenant: ```csharp -jwtOptions.Authority = "https://login.microsoftonline.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0/"; +jwtOptions.Authority = "https://login.microsoftonline.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0"; ``` + + +> [!NOTE] +> Azure Active Directory B2C is no longer available as a service to new customers as of May 1, 2025. AAD B2C tenants are supported for customers with accounts established prior to May 1, 2025 until 2030. For more information, see [Azure AD B2C: Frequently asked questions (FAQ)](/azure/active-directory-b2c/faq). + sets the Audience for any received JWT access token. ```csharp 
@@ -339,7 +433,7 @@ jwtOptions.Audience = "{AUDIENCE}"; Match the value to just the path of the **Application ID URI** configured when adding the `Weather.Get` scope under **Expose an API** in the Entra or Azure portal. Don't include the scope name, "`Weather.Get`," in the value. -The following examples use an Application (Client) Id of `11112222-bbbb-3333-cccc-4444dddd5555`. The second example uses a tenant domain of `contoso.onmicrosoft.com`. +The following examples use an Application (Client) Id of `11112222-bbbb-3333-cccc-4444dddd5555`. The third example uses a tenant domain of `contoso.onmicrosoft.com`. ME-ID tenant example: @@ -347,6 +441,12 @@ ME-ID tenant example: jwtOptions.Audience = "api://11112222-bbbb-3333-cccc-4444dddd5555"; ``` +Microsoft Entra External ID tenant: + +```csharp +jwtOptions.Audience = "11112222-bbbb-3333-cccc-4444dddd5555"; +``` + AAD B2C tenant example: ```csharp @@ -359,6 +459,15 @@ jwtOptions.Audience = "https://contoso.onmicrosoft.com/11112222-bbbb-3333-cccc-4 Obtain the application (client) ID, tenant (publisher) domain, and directory (tenant) ID from the app's registration in the Entra or Azure portal. The App ID URI is obtained for the `Weather.Get` scope from the web API's registration. Don't include the scope name when taking the App ID URI from the portal. +The authentication configuration depends on the type of tenant: + +* [ME-ID tenant configuration](#me-id-tenant-configuration) +* [Microsoft Entra External ID configuration](#microsoft-entra-external-id-configuration) + +### ME-ID tenant configuration + +*This section applies to an app registered in a Microsoft Entra ID or Azure AAD B2C tenant.* + In the `BlazorWebAppEntra` project's `Program` file, provide the values for the following placeholders in Microsoft Identity Web configuration: ```csharp 
@@ -376,7 +485,7 @@ builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme) .AddDownstreamApi("DownstreamApi", configOptions => { configOptions.BaseUrl = "{BASE ADDRESS}"; - configOptions.Scopes = [ "{APP ID URI}/Weather.Get" ]; + configOptions.Scopes = ["{APP ID URI}/Weather.Get"]; }) .AddDistributedTokenCaches(); ``` @@ -384,7 +493,7 @@ builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme) Provide the same downstream API scope to the request transformer: ```csharp -List scopes = [ "{APP ID URI}/Weather.Get" ]; +List scopes = ["{APP ID URI}/Weather.Get"]; ``` Placeholders in the preceding configuration: 
@@ -415,7 +524,72 @@ builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme) { configOptions.BaseUrl = "https://localhost:7277"; configOptions.Scopes = - [ "api://11112222-bbbb-3333-cccc-4444dddd5555/Weather.Get" ]; + ["api://11112222-bbbb-3333-cccc-4444dddd5555/Weather.Get"]; + }) + .AddDistributedTokenCaches(); +``` + +Example: + +```csharp +List scopes = ["api://11112222-bbbb-3333-cccc-4444dddd5555/Weather.Get"]; +``` + +### Microsoft Entra External ID configuration + +*This section applies to an app registered in a Microsoft Entra External ID tenant.* + +In the `BlazorWebAppEntra` project's `Program` file, provide the values for the following placeholders in Microsoft Identity Web configuration: + +```csharp +builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme) + .AddMicrosoftIdentityWebApp(msIdentityOptions => + { + msIdentityOptions.CallbackPath = "/signin-oidc"; + msIdentityOptions.Authority = "https://{DIRECTORY NAME}.ciamlogin.com/{TENANT ID}/v2.0"; + msIdentityOptions.ClientId = "{CLIENT ID (BLAZOR APP)}"; + msIdentityOptions.ResponseType = "code"; + }) + .EnableTokenAcquisitionToCallDownstreamApi() + .AddDownstreamApi("DownstreamApi", configOptions => + { + configOptions.BaseUrl = "{BASE ADDRESS}"; + configOptions.Scopes = ["{APP ID URI}/Weather.Get"]; + }) + .AddDistributedTokenCaches(); +``` + +Provide the same downstream API scope to the request transformer: + +```csharp +List scopes = ["{APP ID URI}/Weather.Get"]; +``` + +Placeholders in the preceding configuration: + +* `{DIRECTORY NAME}`: The directory name of the tenant (publisher) domain. +* `{CLIENT ID (BLAZOR APP)}`: The application (client) ID. +* `{BASE ADDRESS}`: The web API's base address. +* `{APP ID URI}`: The App ID URI for web API scopes. 
Either of the following formats are used, where the `{CLIENT ID (WEB API)}` placeholder is the Client Id of the web API's Entra registration, and the `{DIRECTORY NAME}` placeholder is the directory name of the tenant (publishers) domain (example: `contoso`). + * ME-ID or Microsoft Entra External ID tenant format: `api://{CLIENT ID (WEB API)}` + * B2C tenant format: `https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID (WEB API)}` + +Example: + +```csharp +builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme) + .AddMicrosoftIdentityWebApp(msIdentityOptions => + { + msIdentityOptions.CallbackPath = "/signin-oidc"; + msIdentityOptions.Authority = "https://contoso.ciamlogin.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0"; + msIdentityOptions.ClientId = "00001111-aaaa-2222-bbbb-3333cccc4444"; + msIdentityOptions.ResponseType = "code"; + }) + .EnableTokenAcquisitionToCallDownstreamApi() + .AddDownstreamApi("DownstreamApi", configOptions => + { + configOptions.BaseUrl = "https://localhost:7277"; + configOptions.Scopes = ["api://11112222-bbbb-3333-cccc-4444dddd5555/Weather.Get"]; }) .AddDistributedTokenCaches(); ``` @@ -423,7 +597,7 @@ builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme) Example: ```csharp -List scopes = [ "api://11112222-bbbb-3333-cccc-4444dddd5555/Weather.Get" ]; +List scopes = ["api://11112222-bbbb-3333-cccc-4444dddd5555/Weather.Get"]; ``` :::zone-end @@ -591,7 +765,7 @@ In the app settings file (`appsettings.json`) of the `BlazorWebAppEntra` project }, "DownstreamApi": { "BaseUrl": "{BASE ADDRESS}", - "Scopes": [ "{APP ID URI}/Weather.Get" ] + "Scopes": ["{APP ID URI}/Weather.Get"] } } ``` @@ -619,7 +793,7 @@ Example: }, "DownstreamApi": { "BaseUrl": "https://localhost:7277", - "Scopes": [ "api://11112222-bbbb-3333-cccc-4444dddd5555/Weather.Get" ] + "Scopes": ["api://11112222-bbbb-3333-cccc-4444dddd5555/Weather.Get"] } ``` 
@@ -645,7 +819,7 @@ builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme) - .AddDownstreamApi("DownstreamApi", configOptions => - { - configOptions.BaseUrl = "..."; -- configOptions.Scopes = [ "..." ]; +- configOptions.Scopes = ["..."]; - }) + .AddDownstreamApi("DownstreamApi", builder.Configuration.GetSection("DownstreamApi")) .AddDistributedTokenCaches(); @@ -669,8 +843,8 @@ In the `MinimalApiJwt` project, add the following app settings configuration to "Authentication": { "Schemes": { "Bearer": { - "Authority": "https://sts.windows.net/{TENANT ID (WEB API)}/", - "ValidAudiences": [ "{APP ID URI (WEB API)}" ] + "Authority": "https://sts.windows.net/{TENANT ID (WEB API)}", + "ValidAudiences": ["{APP ID URI (WEB API)}"] } } }, @@ -683,12 +857,14 @@ Update the placeholders in the preceding configuration to match the values that Authority formats adopt the following patterns: -* ME-ID tenant type: `https://sts.windows.net/{TENANT ID}/` -* B2C tenant type: `https://login.microsoftonline.com/{TENANT ID}/v2.0/` +* ME-ID tenant type: `https://sts.windows.net/{TENANT ID}` +* Microsoft Entra External ID: `https://{DIRECTORY NAME}.ciamlogin.com/{TENANT ID}/v2.0` +* B2C tenant type: `https://login.microsoftonline.com/{TENANT ID}/v2.0` Audience formats adopt the following patterns (`{CLIENT ID}` is the Client Id of the web API; `{DIRECTORY NAME}` is the directory name, for example, `contoso`): * ME-ID tenant type: `api://{CLIENT ID}` +* Microsoft Entra External ID: `{CLIENT ID}` * B2C tenant type: `https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID}` The configuration is automatically picked up by the JWT bearer authentication builder. diff --git a/aspnetcore/blazor/security/blazor-web-app-with-oidc.md b/aspnetcore/blazor/security/blazor-web-app-with-oidc.md index 880281e59a81..d9586f34203f 100644 --- a/aspnetcore/blazor/security/blazor-web-app-with-oidc.md +++ b/aspnetcore/blazor/security/blazor-web-app-with-oidc.md 
@@ -164,13 +164,13 @@ The format of the Authority depends on the type of tenant in use. The following ME-ID tenant Authority example: ```csharp -jwtOptions.Authority = "https://sts.windows.net/aaaabbbb-0000-cccc-1111-dddd2222eeee/"; +jwtOptions.Authority = "https://sts.windows.net/aaaabbbb-0000-cccc-1111-dddd2222eeee"; ``` AAD B2C tenant Authority example: ```csharp -jwtOptions.Authority = "https://login.microsoftonline.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0/"; +jwtOptions.Authority = "https://login.microsoftonline.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0"; ``` The sets the Audience for any received OIDC token. @@ -296,14 +296,14 @@ oidcOptions.ClientId = "{CLIENT ID}"; The following example uses a Tenant ID of `aaaabbbb-0000-cccc-1111-dddd2222eeee` and a Client ID of `00001111-aaaa-2222-bbbb-3333cccc4444`: ```csharp -oidcOptions.Authority = "https://login.microsoftonline.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0/"; +oidcOptions.Authority = "https://login.microsoftonline.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0"; oidcOptions.ClientId = "00001111-aaaa-2222-bbbb-3333cccc4444"; ``` For multi-tenant apps, the "common" authority should be used. You can also use the "common" authority for single-tenant apps, but a custom is required, as shown later in this section. ```csharp -oidcOptions.Authority = "https://login.microsoftonline.com/common/v2.0/"; +oidcOptions.Authority = "https://login.microsoftonline.com/common/v2.0"; ``` : Configures the OIDC handler to only perform authorization code flow. Implicit grants and hybrid flows are unnecessary in this mode. The OIDC handler automatically requests the appropriate tokens using the code returned from the authorization endpoint. 
@@ -511,13 +511,13 @@ The format of the Authority depends on the type of tenant in use. The following ME-ID tenant Authority example: ```csharp -jwtOptions.Authority = "https://sts.windows.net/aaaabbbb-0000-cccc-1111-dddd2222eeee/"; +jwtOptions.Authority = "https://sts.windows.net/aaaabbbb-0000-cccc-1111-dddd2222eeee"; ``` AAD B2C tenant Authority example: ```csharp -jwtOptions.Authority = "https://login.microsoftonline.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0/"; +jwtOptions.Authority = "https://login.microsoftonline.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0"; ``` The sets the Audience for any received OIDC token. @@ -677,14 +677,14 @@ oidcOptions.ClientId = "{CLIENT ID}"; The following example uses a Tenant ID of `aaaabbbb-0000-cccc-1111-dddd2222eeee` and a Client ID of `00001111-aaaa-2222-bbbb-3333cccc4444`: ```csharp -oidcOptions.Authority = "https://login.microsoftonline.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0/"; +oidcOptions.Authority = "https://login.microsoftonline.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0"; oidcOptions.ClientId = "00001111-aaaa-2222-bbbb-3333cccc4444"; ``` For multi-tenant apps, the "common" authority should be used. You can also use the "common" authority for single-tenant apps, but a custom is required, as shown later in this section. ```csharp -oidcOptions.Authority = "https://login.microsoftonline.com/common/v2.0/"; +oidcOptions.Authority = "https://login.microsoftonline.com/common/v2.0"; ``` : Configures the OIDC handler to only perform authorization code flow. Implicit grants and hybrid flows are unnecessary in this mode. The OIDC handler automatically requests the appropriate tokens using the code returned from the authorization endpoint. 
@@ -914,13 +914,13 @@ The format of the Authority depends on the type of tenant in use. The following ME-ID tenant Authority example: ```csharp -jwtOptions.Authority = "https://sts.windows.net/aaaabbbb-0000-cccc-1111-dddd2222eeee/"; +jwtOptions.Authority = "https://sts.windows.net/aaaabbbb-0000-cccc-1111-dddd2222eeee"; ``` AAD B2C tenant Authority example: ```csharp -jwtOptions.Authority = "https://login.microsoftonline.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0/"; +jwtOptions.Authority = "https://login.microsoftonline.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0"; ``` The sets the Audience for any received OIDC token. @@ -1016,14 +1016,14 @@ oidcOptions.ClientId = "{CLIENT ID}"; The following example uses a Tenant ID of `aaaabbbb-0000-cccc-1111-dddd2222eeee` and a Client ID of `00001111-aaaa-2222-bbbb-3333cccc4444`: ```csharp -oidcOptions.Authority = "https://login.microsoftonline.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0/"; +oidcOptions.Authority = "https://login.microsoftonline.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0"; oidcOptions.ClientId = "00001111-aaaa-2222-bbbb-3333cccc4444"; ``` For multi-tenant apps, the "common" authority should be used. You can also use the "common" authority for single-tenant apps, but a custom is required, as shown later in this section. ```csharp -oidcOptions.Authority = "https://login.microsoftonline.com/common/v2.0/"; +oidcOptions.Authority = "https://login.microsoftonline.com/common/v2.0"; ``` : Configures the OIDC handler to only perform authorization code flow. Implicit grants and hybrid flows are unnecessary in this mode. The OIDC handler automatically requests the appropriate tokens using the code returned from the authorization endpoint. 
@@ -1135,7 +1135,7 @@ In the app settings file (`appsettings.json`) of the `BlazorWebAppOidc` or `Blaz "Authentication": { "Schemes": { "MicrosoftOidc": { - "Authority": "https://login.microsoftonline.com/{TENANT ID (BLAZOR APP)}/v2.0/", + "Authority": "https://login.microsoftonline.com/{TENANT ID (BLAZOR APP)}/v2.0", "ClientId": "{CLIENT ID (BLAZOR APP)}", "CallbackPath": "/signin-oidc", "SignedOutCallbackPath": "/signout-callback-oidc", @@ -1158,7 +1158,7 @@ Update the placeholders in the preceding configuration to match the values that * `{CLIENT ID (BLAZOR APP)}`: The Client Id of the Blazor app. * `{APP ID URI (WEB API)}`: The App ID URI of the web API. -The "common" Authority (`https://login.microsoftonline.com/common/v2.0/`) should be used for multi-tenant apps. To use the "common" Authority for single-tenant apps, see the [Use the "common" Authority for single-tenant apps](#use-the-common-authority-for-single-tenant-apps) section. +The "common" Authority (`https://login.microsoftonline.com/common/v2.0`) should be used for multi-tenant apps. To use the "common" Authority for single-tenant apps, see the [Use the "common" Authority for single-tenant apps](#use-the-common-authority-for-single-tenant-apps) section. Update any other values in the preceding configuration to match custom/non-default values used in the `Program` file. @@ -1188,7 +1188,7 @@ In the `MinimalApiJwt` project, add the following app settings configuration to "Authentication": { "Schemes": { "Bearer": { - "Authority": "https://sts.windows.net/{TENANT ID (WEB API)}/", + "Authority": "https://sts.windows.net/{TENANT ID (WEB API)}", "ValidAudiences": [ "{APP ID URI (WEB API)}" ] } } 
@@ -1202,12 +1202,14 @@ Update the placeholders in the preceding configuration to match the values that Authority formats adopt the following patterns: -* ME-ID tenant type: `https://sts.windows.net/{TENANT ID}/` -* B2C tenant type: `https://login.microsoftonline.com/{TENANT ID}/v2.0/` +* ME-ID tenant type: `https://sts.windows.net/{TENANT ID}` +* Microsoft Entra External ID: `https://{DIRECTORY NAME}.ciamlogin.com/{TENANT ID}/v2.0` +* B2C tenant type: `https://login.microsoftonline.com/{TENANT ID}/v2.0` Audience formats adopt the following patterns (`{CLIENT ID}` is the Client Id of the web API; `{DIRECTORY NAME}` is the directory name, for example, `contoso`): * ME-ID tenant type: `api://{CLIENT ID}` +* Microsoft Entra External ID: `{CLIENT ID}` * B2C tenant type: `https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID}` The configuration is automatically picked up by the JWT bearer authentication builder. diff --git a/aspnetcore/blazor/security/webassembly/additional-scenarios.md b/aspnetcore/blazor/security/webassembly/additional-scenarios.md index be072a5cd516..08304606a178 100644 --- a/aspnetcore/blazor/security/webassembly/additional-scenarios.md +++ b/aspnetcore/blazor/security/webassembly/additional-scenarios.md @@ -1341,7 +1341,7 @@ Alternatively, the setting can be made in the app settings (`appsettings.json`) ```json { "Local": { - "Authority": "https://login.microsoftonline.com/common/oauth2/v2.0/", + "Authority": "https://login.microsoftonline.com/common/oauth2/v2.0", ... } }
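Review bot: the "common" authority is spelled two ways across this patch and neither change says which form a given handler expects. The additional-scenarios.md (-551) and webassembly/additional-scenarios.md (-1341) hunks keep `https://login.microsoftonline.com/common/oauth2/v2.0`, while the blazor-web-app-with-oidc.md hunks (-296, -677, -1016, -1158) use `https://login.microsoftonline.com/common/v2.0`. If both are intentional (MSAL provider options versus the ASP.NET Core OIDC handler), add a sentence beside one of them saying so, so readers don't copy the `/oauth2/v2.0` form into `oidcOptions.Authority` or the reverse; if not, normalize to one form while these lines are already being touched for the trailing slash.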
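Review bot: dropping the trailing slash from `jwtOptions.Authority = "https://sts.windows.net/aaaabbbb-0000-cccc-1111-dddd2222eeee"` in the -109 and -317 hunks contradicts the unchanged sentence just above it, which says the authority "should match the issurer (`iss`) of the JWT": the pre-change value with the trailing slash is the form that appears in the `iss` claim of tokens from that authority, so after this change the string no longer matches `iss` byte for byte. Either keep the slash for the `sts.windows.net` case or reword the sentence to say that the JWT bearer handler validates `iss` against the issuer advertised in the authority's discovery document rather than against this string (the handler appends `/.well-known/openid-configuration` to the authority whether or not it ends in a slash, so the slash removal itself is harmless). While here: "issurer" is a typo for "issuer", and the `> [!NOTE]` block is added with two blank lines above it (`+`, `+`, `+> [!NOTE]`), leaving three consecutive blank lines after the B2C code fence.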
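Review bot: the links `[ME-ID tenant configuration](#me-id-tenant-configuration)` and `[Microsoft Entra External ID configuration](#microsoft-entra-external-id-configuration)` are added with identical heading text in both the -151 and -359 hunks (with matching `### Microsoft Entra External ID configuration` headings in -200 and -415), in a page split into zones (`:::zone-end` follows the -423 hunk). If the build de-duplicates fragment ids by suffixing the second occurrence, the links in the second zone resolve to the heading in the first, hidden zone; check this in the preview and either give the headings zone-specific text or drop the cross-links and rely on the headings. Also, "*This section applies to an app registered in a Microsoft Entra ID or Azure AAD B2C tenant.*" doubles "Azure" ("AAD" already expands to Azure Active Directory); the rest of the page writes "AAD B2C".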
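Review bot: the "Placeholders in the preceding configuration" list added in the -200 and -415 hunks (External ID section) omits `{TENANT ID}`, which the configuration above it uses in `msIdentityOptions.Authority = "https://{DIRECTORY NAME}.ciamlogin.com/{TENANT ID}/v2.0";`; add a bullet for it (the directory (tenant) ID from the app registration, `aaaabbbb-0000-cccc-1111-dddd2222eeee` in the worked example). The same list ends with a "B2C tenant format" line for `{APP ID URI}`, yet the section's first line says it applies only to apps registered in a Microsoft Entra External ID tenant, so that bullet belongs in the ME-ID section. Two wording points in that bullet: "Either of the following formats are used" should be "is used" (or "One of the following formats is used"), and the two copies disagree on "tenant (publisher) domain" (-200) versus "tenant (publishers) domain" (-415); the -415 copy is the typo.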
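Review bot: the bracket-spacing normalization is applied unevenly: the entra.md -669 hunk rewrites `"ValidAudiences": [ "{APP ID URI (WEB API)}" ]` to `["{APP ID URI (WEB API)}"]`, while the oidc.md -1188 hunk edits the `Authority` line directly above it and leaves `"ValidAudiences": [ "{APP ID URI (WEB API)}" ]` with the old spacing. Apply the same change in -1188 so the two files' `MinimalApiJwt` settings blocks stay identical.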
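Review bot: the placeholder name `{APP ID URI (WEB API)}` in the `ValidAudiences` array (the -669 and -1188 hunks) no longer fits the audience bullet added in -683 and -1202, which says the Microsoft Entra External ID audience is the bare `{CLIENT ID}`, not an App ID URI. Either rename the placeholder to something format-neutral (for example `{AUDIENCE (WEB API)}`) and let the "Audience formats" list explain the value per tenant type, or add a sentence under that list stating that for External ID tenants the value to put in `ValidAudiences` is the web API's client ID.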