使用Azure B2C和MSAL.NET获得多个WebAPI访问令牌的AcquireTokenSilent

我们有一个Web应用程序，需要对多个Web API进行身份验证访问。我们正在使用Azure AD B2C进行身份验证。

我了解您不能在一个呼叫中同时包含两个资源的范围。

我了解MSAL的目的是使用从第一个资源令牌缓存的刷新令牌，为第二个资源请求访问令牌。

IConfidentialClientApplication cca = MsalAppBuilder.BuildConfidentialClientApplication();
var accounts = await cca.GetAccountsAsync();
AuthenticationResult result = await cca.AcquireTokenSilent(scopeForApi2, accounts.FirstOrDefault())

进行此调用时，调用不会失败，但是访问令牌为空。

在Azure B2C中，已注册Web应用程序和Webapi，并且已从Webapis授予Web应用程序对所有范围的权限和管理员同意。

使用Azure AD B2C和/或MSAL.NET是否支持？

我们成功获取了第一个资源api的第一个访问令牌：

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        // Generate the metadata address using the tenant and policy information
        MetadataAddress = String.Format(Globals.WellKnownMetadata, Globals.Tenant, Globals.DefaultPolicy),

        // These are standard OpenID Connect parameters, with values pulled from web.config
        ClientId = Globals.ClientId,
        RedirectUri = Globals.RedirectUri,
        PostLogoutRedirectUri = Globals.RedirectUri,

        // Specify the callbacks for each type of notifications
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            RedirectToIdentityProvider = OnRedirectToIdentityProvider,
            AuthorizationCodeReceived = OnAuthorizationCodeReceived,
            AuthenticationFailed = OnAuthenticationFailed,
        },

        // Specify the claim type that specifies the Name property.
        TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = "name",
            ValidateIssuer = false
        },

        // Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
        Scope = $"openid profile offline_access {Globals.ReadTasksScopeApi1} {Globals.WriteTasksScopeApi1}"
    }
);

我们使用授权码获得第一个访问令牌-我们收到一个访问令牌并刷新令牌

IConfidentialClientApplication confidentialClient 
     = MsalAppBuilder.BuildConfidentialClientApplication(
        new ClaimsPrincipal(notification.AuthenticationTicket.Identity));

// Upon successful sign in, get & cache a token using MSAL
AuthenticationResult result = await confidentialClient
    .AcquireTokenByAuthorizationCode(Globals.Scopes_Api1, notification.Code)
    .ExecuteAsync();

我也尝试添加“ resource”查询参数，但似乎没有任何区别：

var scope = new string[] { Globals.ReadTasksScopeApi2 };


IConfidentialClientApplication cca = MsalAppBuilder.BuildConfidentialClientApplication();
var accounts = await cca.GetAccountsAsync();
AuthenticationResult result = await cca.AcquireTokenSilent(scope, accounts.FirstOrDefault())
.WithExtraQueryParameters(new Dictionary<string, string>
{
   // { "resource", "https://myb2c.onmicrosoft.com/api2" },    // tried appid and guid
    { "resource", "0a6ab6b5-1b88-49fe-a6cf-19f1878d3508" }
})
.ExecuteAsync();

为什么使用Azure AD B2C在第二个资源上第二次调用AcquireTokenSilent时访问令牌为空？