This issue is for a: (mark with an x)
- [ ] bug report -> please search issues before submitting
- [ ] question
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Minimal steps to reproduce
I am trying to adapt the example to use a Function App (it works just fine when using defaults). I can follow all the steps given, but
1 - I cannot find explicit instructions on how to enable Authentication in the Function App
2 - When I do what seems obvious (see below), the connection to the Function App fails (with a 401 error, as configured in step 1)
3 - When I ask (basic tier) MS support for help, describing what I did (basically, the info below in "any other details") they said everything seemed correct and suggested I open an issue here.
Any log messages given by the failure
Not that I can find. I do not see anything in the Function App log stream. Where else should I look?
Expected/desired behavior
I would hope to make a successful call to the Function App. By "successful" I mean it would be authorized; the call would still fail since we're not sending the correct payload, but not with a 401 code.
Browser and version?
Firefox 91.2 on Linux
Versions
Your demo is using MSAL 2.13.1 (from the URL in index.html)
Our Function App is using dotnet 3.1 and azure-functions-core-tools-3
Mention any other details that might be useful
These are all the notes I made doing this work, showing the steps involved:
I am following the instructions at https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa#registration
Register the Function App API
The instructions above refer to https://docs.microsoft.com/azure/active-directory-b2c/tutorial-single-page-app-webapi?tabs=app-reg-ga#add-a-web-api-application and I follow those:
1.A - Create flow. I add a new flow using the "Sign up and sign in" option with the "Recommended" version. I call it B2C_1_signupsignin and select "Email signup" as the "Local accounts". Created with everything else as default.
1.B - API registration. I add a new registration called "acdev2fnpublic" and Register with default values (Web with no "Redirect URI").
Then, via "Expose an API", I accept the default "Application ID URI" and add a scope named "demo.read". The final URI is https://quakewatch.onmicrosoft.com/f0bb7e03-0482-4af3-94bd-44630d1592e3/demo.read
Register the Client
Returning to https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa#register-the-client-app-javascript-spa I do the following:
2.A - Client registration. I add a new registration called "ms-identity-b2c-javascript-spa" using the "SPA" option and a redirect URI of "http://localhost:6420". Created with everything else as default.
2.B - Connect permissions. In the "ms-identity-b2c-javascript-spa" registration I select "API permissions", "Add a permission", "My APIs", "acdev2fnpublic", and finally "demo.read". I add this permission and grant admin consent.
Modify the Demo
This is described at https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa#configure-the-app-javascript-spa-to-use-your-app-registration
3.A authConfig.js. Change clientId to the "Application (client) ID" for "ms-identity-b2c-javascript-spa". The redirectUri is already correct.
3.B policies.js. I remove the editProfile references, change the signUpSignIn name to "B2C_1_signupsignin", the authority to "https://quakewatch.b2clogin.com/quakewatch.onmicrosoft.com/B2C_1_signupsignin" and the authorityDomain to "quakewatch.b2clogin.com"
3.C apiConfig.js. I change the b2cScopes to https://quakewatch.onmicrosoft.com/f0bb7e03-0482-4af3-94bd-44630d1592e3/demo.read and the webApi to "https://acdev2fnpublic.azurewebsites.net/api/negotiate" (this is our Function App).
Enable the Function App
NOTE - This part I could not find documented
4.A Authentication. In the Function App Portal page, select "Authentication" and add "Microsoft" as an "identity provider" selecting the existing "acdev2fnpublic" entry created above (step 1).
4.B CORS. Add "http://localhost:6420" to CORS.
With all this done I can now run "npm start" (assuming "npm install" earlier) and load http://localhost:6420. I can sign in (using an identity I registered earlier). But I see an HTTP 401 error when the demo code calls https://acdev2fnpublic.azurewebsites.net/api/negotiate
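An added diagnostic for a 401 like the one reported above; it is not part of this issue, of the ms-identity-b2c-javascript-spa sample, or of the Function App. App Service authentication rejects a request before the function code runs, so the function's own log stream shows nothing; the first thing worth checking on the client side is therefore the access token MSAL hands to the fetch call. The script below decodes (without verifying) that token and lists the claims that do not match the API registration described in the issue. It uses the tenant and scope from the report; it assumes the GUID in the Application ID URI is the API registration's client ID (that is how the default URI is built), and the tenant ID inside the sample issuer is a placeholder since the report does not give it. The sample tokens are constructed and unsigned.

```javascript
// Added diagnostic; not part of the issue or of the ms-identity-b2c-javascript-spa sample.
// Decodes (does NOT verify) the access token MSAL returns for the B2C scope and
// lists the claims a token-accepting resource would reject.
// Values from the issue: tenant quakewatch, scope demo.read.
// ASSUMPTION: the GUID in the default Application ID URI is the API registration's client ID.
const API_CLIENT_ID = "f0bb7e03-0482-4af3-94bd-44630d1592e3";
const EXPECTED_SCOPE = "demo.read";
const EXPECTED_ISSUER_HOST = "quakewatch.b2clogin.com";
// Placeholder tenant ID in the issuer; the real one is not in the report.
const SAMPLE_ISSUER = "https://quakewatch.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/";

function b64urlDecode(segment) {
  return Buffer.from(segment, "base64url").toString("utf8");
}

function b64urlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64url");
}

// Split a compact JWS and parse header and payload. The signature is ignored:
// verifying it is the resource's job, this is only for inspection.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a compact JWT (expected header.payload.signature)");
  }
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    payload: JSON.parse(b64urlDecode(parts[1])),
  };
}

// Return human-readable mismatches; an empty list means the claims look like
// what the API registration above should accept. `now` is seconds since epoch.
function checkAccessToken(token, now = Math.floor(Date.now() / 1000)) {
  const { payload } = decodeJwt(token);
  const findings = [];

  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(API_CLIENT_ID)) {
    findings.push(`aud ${JSON.stringify(payload.aud)} is not the API client ID ${API_CLIENT_ID}`);
  }

  let issHost = "";
  try { issHost = new URL(payload.iss).host; } catch (_) { /* not a URL, leave empty */ }
  if (issHost !== EXPECTED_ISSUER_HOST) {
    findings.push(`iss ${JSON.stringify(payload.iss)} is not issued by ${EXPECTED_ISSUER_HOST}`);
  }

  const scopes = typeof payload.scp === "string" ? payload.scp.split(" ") : [];
  if (!scopes.includes(EXPECTED_SCOPE)) {
    findings.push(`scp ${JSON.stringify(payload.scp)} does not contain ${EXPECTED_SCOPE}`);
  }

  if (typeof payload.exp !== "number" || payload.exp <= now) {
    findings.push(`exp ${payload.exp} is not in the future`);
  }
  return findings;
}

// The Authorization header the sample's fetch call to the Function App should carry.
function bearerHeader(token) {
  return { Authorization: `Bearer ${token}` };
}

// CONSTRUCTED sample tokens for offline use: unsigned, with a dummy signature
// segment. Real B2C tokens are RS256-signed and carry more claims than these.
function makeSampleToken(claims) {
  const header = b64urlEncode(JSON.stringify({ typ: "JWT", alg: "RS256", kid: "sample" }));
  const payload = b64urlEncode(JSON.stringify(claims));
  return `${header}.${payload}.c2lnbmF0dXJlLW5vdC12ZXJpZmllZA`;
}

const now = Math.floor(Date.now() / 1000);
const okToken = makeSampleToken({ iss: SAMPLE_ISSUER, aud: API_CLIENT_ID, scp: "demo.read", exp: now + 3600 });
const wrongAudience = makeSampleToken({ iss: SAMPLE_ISSUER, aud: "11111111-2222-3333-4444-555555555555", scp: "demo.read", exp: now + 3600 });
console.log("ok token:", checkAccessToken(okToken, now));          // []
console.log("wrong audience:", checkAccessToken(wrongAudience, now)); // one finding about aud
console.log(bearerHeader(okToken));
```

In the running SPA, paste the token from the MSAL response (the `accessToken` field of the acquireToken result) into `checkAccessToken` in the browser console; a finding on `aud` means the token was minted for an application other than the one the Function App was configured to accept, and a finding on `scp` means the consented scope was not requested.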