Graphql Banana Cakepop OAUTH2 with Entra External ID


I want to secure my backend API (REST+GraphQL) with Entra External ID (successor to B2C). Now, I cannot make Banana Cakepop work with active authn/authz. I have looked at this video for guidance and edited the steps for my Entra External ID scenario. But after clicking Fetch token, a new Banana Cakepop window pops up with the following message appended to the URL: AADSTS40008 There was an unexpected error from the external identity provider. I have checked the sign-in logs in Entra External ID, but have found nothing helpful.

In Banana Cakepop, the connection settings are configured as follows:

Grant type: Authorization Code

Authorization URL: https://TENANTNAME.ciamlogin.com/TENANTID/oauth2/v2.0/authorize

Access Token URL: https://TENANTNAME.ciamlogin.com/TENANTID/oauth2/v2.0/token

Client ID: GUID_OF_THE_BANANA_CAKEPOP_APP_REGISTRATION. Made a new app registration for the Banana Cakepop Client.

Client Secret: any

Use PKCE: true

Scope: api://GUID_OF_API_APP_REGISTRATION/access_as_user

Redirect URL: https://localhost:7029/graphql/#/oauth added in the app registration for the Banana Cakepop client application (GUID_OF_THE_BANANA_CAKEPOP_APP_REGISTRATION)

The scope is api://GUID_OF_API_APP_REGISTRATION/access_as_user. In the app registration, under Expose an API, I have added GUID_OF_THE_BANANA_CAKEPOP_APP_REGISTRATION under Authorized client applications, selecting the above scope.

All else: left blank or default

Does anyone know what I need to do to make it work? Any insights or feedback are greatly appreciated.
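The settings listed in the question describe a standard OAuth 2.0 Authorization Code flow with PKCE (RFC 7636) against the Entra External ID v2.0 endpoints. The script below, added here as an illustration and not part of the question or of Banana Cakepop, assembles that flow by hand from the same placeholder values (TENANTNAME, TENANTID, the two GUID placeholders, the redirect URL), so each parameter that the client sends can be inspected and compared against what is registered in the tenant, independently of the client's UI. It also runs a sanity check on the redirect URI derived from RFC 6749 section 3.1.2, which requires the redirection endpoint to be an absolute URI without a fragment component; whether that rule is related to the reported AADSTS40008 error is not something this page establishes. The token request is shaped as a public client (no client_secret), which is the usual pairing with PKCE; adding a secret for a confidential client is a one-line change.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders mirroring the question's settings; not real tenant values.
TENANT_NAME = "TENANTNAME"
TENANT_ID = "TENANTID"
CLIENT_ID = "GUID_OF_THE_BANANA_CAKEPOP_APP_REGISTRATION"
API_APP_ID = "GUID_OF_API_APP_REGISTRATION"
REDIRECT_URI = "https://localhost:7029/graphql/#/oauth"
AUTHORIZE_URL = f"https://{TENANT_NAME}.ciamlogin.com/{TENANT_ID}/oauth2/v2.0/authorize"
TOKEN_URL = f"https://{TENANT_NAME}.ciamlogin.com/{TENANT_ID}/oauth2/v2.0/token"
SCOPE = f"api://{API_APP_ID}/access_as_user"


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge per RFC 7636: BASE64URL(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """Random code_verifier: 32 bytes -> 43 unreserved chars, inside RFC 7636's 43..128 range."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def redirect_uri_issues(uri: str) -> list:
    """Checks taken from RFC 6749 section 3.1.2: the redirection endpoint must be an
    absolute URI and must not include a fragment component."""
    parsed = urlparse(uri)
    issues = []
    if not parsed.scheme or not parsed.netloc:
        issues.append("redirect_uri must be an absolute URI")
    if parsed.fragment:
        issues.append("redirect_uri must not contain a fragment component")
    return issues


def authorize_params(verifier: str, state: str) -> dict:
    """Query parameters the client sends to the authorize endpoint."""
    return {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,  # anti-CSRF value; must be echoed back unchanged
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }


def build_authorize_url(verifier: str, state: str) -> str:
    return f"{AUTHORIZE_URL}?{urlencode(authorize_params(verifier, state))}"


def extract_code(callback_url: str, expected_state: str) -> str:
    """Pull the authorization code out of the redirect the IdP sends back, rejecting a
    missing or mismatched state before the code is ever used."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state") != [expected_state]:
        raise ValueError("state mismatch or missing; discard this callback")
    if "error" in query:
        raise ValueError(f"IdP returned error={query['error'][0]}")
    return query["code"][0]


def build_token_request(code: str, verifier: str) -> dict:
    """Form body POSTed to TOKEN_URL. Public-client shape: the code_verifier, not a
    client_secret, proves this is the same client that started the flow."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the value sent to /authorize
        "code_verifier": verifier,
        "scope": SCOPE,
    }


if __name__ == "__main__":
    verifier = new_verifier()
    state = secrets.token_urlsafe(16)
    for issue in redirect_uri_issues(REDIRECT_URI):
        print("redirect_uri check:", issue)
    print("Open in browser:", build_authorize_url(verifier, state))
    # Constructed callback, standing in for the URL the browser would be redirected to.
    callback = f"https://localhost:7029/graphql/?code=CONSTRUCTED_CODE&state={state}"
    print("Token request body:", build_token_request(extract_code(callback, state), verifier))
```

The printed authorize URL is what the client should be sending; comparing its redirect_uri, client_id and scope byte-for-byte with the app registration (the redirect URI in particular must match exactly, including trailing slash and fragment) rules out the client-side configuration before looking further at the identity provider.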
