Azure AD B2C limitations
Microsoft.Identity.Web makes the experience of developing web apps and web APIs for Azure AD and Azure AD B2C very similar. There are, however, limitations of the Azure AD B2C service which Microsoft.Identity.Web cannot work around:
As explained in Request an access token in Azure Active Directory B2C, Azure AD B2C does not support the on-behalf-of flow used by web APIs that call downstream APIs. This means that Azure AD B2C web APIs cannot call downstream web APIs. Therefore, if you try to use ITokenAcquisition.GetTokenForUserAsync or IDownstreamApi.CallWebApiForUserAsync, you'll get the following exception:
MSAL.NetCore.4.25.0.0.MsalServiceException:
ErrorCode: unsupported_grant_type
Microsoft.Identity.Client.MsalServiceException: AADB2C90086: The supplied grant_type [urn:ietf:params:oauth:grant-type:jwt-bearer] is not supported
The webapi project template in .NET Core 5 (or webapi2 in the Microsoft.Identity.Web.ProjectTemplates NuGet package) is aware of this limitation and does not propose code that would call a downstream API.
With Azure AD B2C, there is no incremental consent. All the scopes need to be requested when the user signs in.
Previously, Azure AD B2C web apps could not call several web APIs without the user re-signing in, which meant you had to handle the user challenge yourself (see Managing incremental consent and conditional access). A recent change in B2C makes it possible to acquire tokens successively for different web APIs. In other words, with B2C it's now possible to trade a refresh token for a new access token for a different resource, as it is in AAD.
Azure AD B2C now also supports the client credentials flow used in daemon scenarios, so you can use ITokenAcquisition.GetTokenForAppAsync or IDownstreamApi.CallWebApiForAppAsync in Azure AD B2C web apps.
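The two points above (no incremental consent, but successive token acquisition for different APIs) combined in one B2C web app, as an added example that is not code from this wiki or from the Microsoft.Identity.Web repository; the scope URIs, base URLs and the "AzureAdB2C" configuration section are placeholders assumed for the example.

```csharp
// Added example (not from the Microsoft.Identity.Web wiki or repo): a B2C web app
// that requests every downstream-API scope at sign-in, because B2C has no
// incremental consent, and then trades the sign-in refresh token for an access
// token for each of two different APIs in turn. Scope URIs, base URLs and the
// "AzureAdB2C" configuration section are placeholders for this example.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Abstractions;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);
// Every scope the app will ever need goes into the sign-in request itself.
string[] initialScopes = { DashboardController.TodoRead, DashboardController.InventoryRead };
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAdB2C"))
    .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
    .AddDownstreamApi("TodoList", o => { o.BaseUrl = "https://todo.example"; o.Scopes = new[] { DashboardController.TodoRead }; })
    .AddDownstreamApi("Inventory", o => { o.BaseUrl = "https://inventory.example"; o.Scopes = new[] { DashboardController.InventoryRead }; })
    .AddInMemoryTokenCaches();
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

[Authorize]
[Route("[controller]")]
public class DashboardController : Controller
{
    // Placeholder scope URIs of the two hypothetical downstream APIs.
    public const string TodoRead = "https://contoso.onmicrosoft.com/todolist/read";
    public const string InventoryRead = "https://contoso.onmicrosoft.com/inventory/read";
    private readonly IDownstreamApi _api;
    public DashboardController(IDownstreamApi api) => _api = api;

    // A scope not granted at sign-in cannot be added incrementally in B2C: the
    // challenge raised by this attribute sends the user through sign-in again.
    [HttpGet]
    [AuthorizeForScopes(Scopes = new[] { TodoRead, InventoryRead })]
    public async Task<IActionResult> Get()
    {
        // Each call exchanges the cached sign-in refresh token for an access
        // token scoped to that API; no second interactive sign-in is needed.
        var todos = await _api.GetForUserAsync<List<string>>("TodoList");
        var stock = await _api.GetForUserAsync<List<string>>("Inventory");
        return Ok(new { todos, stock });
    }
}
```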