Azure Active Directory B2C: Build an ASP.NET Core MVC web API

Hello everyone,

The Azure Active Directory B2C documentation features a list of quick-start guides for different scenarios.
Unfortunately, there are only guides for good old .NET, but none about .NET Core yet (at least not at the time of writing). If you search the internet for B2C and aspnetcore, you'll find plenty of articles covering ASP.NET Core web apps (the ASP.NET Core equivalent of the B2C web app quick start), but very little on ASP.NET Core web APIs.

I spent a lot of time in the past couple of days trying to find the right combination of libraries and settings to make OAuth 2.0 bearer token authentication against B2C work in an ASP.NET Core web API. To save you that effort, here is the ASP.NET Core equivalent of the classic ASP.NET web API quick start guide. Once you know what you have to do, it's actually pretty straightforward. 🙂

The only extra package you need is this project.json dependency:

    "Microsoft.AspNetCore.Authentication.JwtBearer": "1.0.0",

In your Startup.cs, add the following lines to the Configure method, before the call to UseMvc:

    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.AspNetCore.Builder;

    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        // Register before app.UseMvc() so the token is validated before the request reaches a controller.
        // AadInstance, Tenant, Policy and ClientId are the same configuration values the classic quick start uses.
        app.UseJwtBearerAuthentication(new JwtBearerOptions()
        {
            MetadataAddress = string.Format(AadInstance, Tenant, Policy), // policy-specific OpenID Connect metadata (issuer + signing keys)
            Audience = ClientId,                                          // only accept tokens issued for this API's application ID
        });
    }

In my case, I only added my B2C SignIn policy and it worked like a charm. I hope this saved you a headache searching for the right way to set this up.
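The snippet above is the minimum. As an added example, not code from the original post, here is a complete Startup.cs plus a protected controller for ASP.NET Core 1.0 that reads the same four values from appsettings.json, states the validation settings explicitly so a reviewer can see them, and logs why a token was rejected. The configuration key names, the AadInstance format string (modelled on the classic quick start's web.config pattern), and the ValuesController are my assumptions; the packages used are the ones the default web API template already references.

```csharp
// Added example, not the post's own code.
// Assumed appsettings.json (hypothetical key names):
//   "AzureAdB2C": {
//     "Tenant": "contoso.onmicrosoft.com",
//     "ClientId": "<application ID of this API>",
//     "SignInPolicy": "B2C_1_SignIn"
//   }
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    // Assumed format string: B2C publishes one metadata document per policy, selected with ?p=.
    private const string AadInstance =
        "https://login.microsoftonline.com/{0}/v2.0/.well-known/openid-configuration?p={1}";

    public IConfigurationRoot Configuration { get; }

    public Startup(IHostingEnvironment env)
    {
        Configuration = new ConfigurationBuilder()
            .SetBasePath(env.ContentRootPath)
            .AddJsonFile("appsettings.json")
            .Build();
    }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        var logger = loggerFactory.CreateLogger<Startup>();

        var tenant = Configuration["AzureAdB2C:Tenant"];
        var clientId = Configuration["AzureAdB2C:ClientId"];
        var policy = Configuration["AzureAdB2C:SignInPolicy"];

        app.UseJwtBearerAuthentication(new JwtBearerOptions
        {
            MetadataAddress = string.Format(AadInstance, tenant, policy),
            Audience = clientId,
            RequireHttpsMetadata = true, // the default, stated explicitly: never fetch issuer/keys over plain HTTP
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,           // the valid issuer is taken from the metadata document
                ValidateAudience = true,
                ValidAudience = clientId,        // tokens minted for another app in the tenant are rejected
                ValidateLifetime = true,
                ValidateIssuerSigningKey = true, // signature must chain to a key from the metadata's jwks_uri
                ClockSkew = TimeSpan.FromMinutes(1), // tighten the library's 5-minute default
            },
            Events = new JwtBearerEvents
            {
                // The caller only ever sees a bare 401; keep the reason in the server log.
                OnAuthenticationFailed = context =>
                {
                    logger.LogWarning("Bearer token rejected: {0}", context.Exception.Message);
                    return Task.FromResult(0);
                }
            }
        });

        // Authentication must be registered before MVC; otherwise [Authorize] sees an anonymous user.
        app.UseMvc();
    }
}

// The middleware only validates tokens that are present; nothing is protected until [Authorize] is applied.
[Authorize]
[Route("api/[controller]")]
public class ValuesController : Controller
{
    [HttpGet]
    public IActionResult Get()
    {
        // "oid" is the object ID claim B2C issues for the signed-in user.
        var oid = User.FindFirst("oid")?.Value;
        return Ok(new { user = oid, claims = User.Claims.Select(c => new { c.Type, c.Value }) });
    }
}
```

The explicit TokenValidationParameters do not change what the 1.0.0 middleware already does by default; they make the audience, issuer, lifetime and signing-key checks visible in code review so that a later edit cannot silently switch one off. A request with no Authorization header, or with a token for a different audience or an expired token, returns 401 from the middleware and never reaches the controller.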

Helge Mahrt

Comments (5)

  1. Thanks for this – worked well for me – one question – what OAuth flow are you working with? I’ve tried to get Hybrid flow working but can only seem to get the id flow (OpenIdConnectResponseType.IdToken) – I don’t get a code token back from B2C (only an IdToken) when I try to use Hybrid flow (OpenIdConnectResponseType.CodeIdToken).

    1. Helge Mahrt says:

      I’m glad to hear that! 🙂
      Well, I’m working with a mobile client. As the API doesn’t have a UI itself, all I want it to do is to validate the access tokens against B2C, which is why I only added the SignIn policy.
      I haven’t implemented the mobile client yet. For now – for testing purposes – I created a simple tool to generate tokens using the Microsoft Authentication Library, which takes care of everything.

  2. bill says:

    Thanks for your help.

    I guess the trick will be to add handlers for a web MVC that redirects to a login page and returning a 401 for native clients when authentication fails. Know anyone that’s done that?

    1. whnoel says:

      OK, there is a way to do this, but it became complicated. I just separated my MVC from my API into two different sites, and this solution worked like a charm. Do you know how (in ASP.NET Core) to access the incoming token in the MVC site so it can be sent along as a bearer token to the API site? I’ve got it all working except that. I’ve seen examples on BootstrapContext, but none of them actually work in ASP.NET Core as the BootstrapContext is always null (despite setting the SaveSigninToken flag).

      1. Helge Mahrt says:

        After setting SaveSignInToken to true, I was able to get to the token like this:

        // Raw token string saved by the OpenID Connect middleware when SaveSigninToken is true.
        var token = (HttpContext.User.Identity as System.Security.Claims.ClaimsIdentity)?.BootstrapContext as string;

        Does this work for you?
