RajeevSinghChib-2978 asked alfredorevilla-msft commented

Unable to use AddSignIn Method of Microsoft.Identity.Web NuGet Package to acquire an AccessToken for Authorization Code Flow

We want to use MSAL for authentication in our web application with a Web API, using the Authorization Code Flow.
I was using the sample from GitHub (https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-2-B2C), but unfortunately it uses the Implicit Code Flow by default.

Note: I disabled both the Access Token and ID Token options under Implicit Flow for the application on the Azure Portal.

As I can see in the request URL for the Authorization Endpoint, the ResponseType was "code id_token". But we just want to use the Authorization Code Flow everywhere, so it needs to be "code" only.
Then I found in this StackOverflow article (https://stackoverflow.com/questions/61554550/azure-ad-b2c-error-aadb2c90057-when-i-am-not-trying-to-use-the-implicit-flow) that someone faced the same problem, so I commented out this line of code in the GitHub sample:
//services.AddSignIn(Configuration, "AzureAdB2C");

and added the block of code from the update section in the StackOverflow article (https://stackoverflow.com/questions/61554550/azure-ad-b2c-error-aadb2c90057-when-i-am-not-trying-to-use-the-implicit-flow).

Then I now get the following error:

Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: IDX21336: Both 'id_token' and 'access_token' should be present in OpenIdConnectProtocolValidationContext.ProtocolMessage received from Token Endpoint. Cannot process the message.
To fix it, I added the "client id" scope to OpenIdConnectOptions according to this article (https://github.com/dotnet/aspnetcore/issues/23284#issuecomment-648775392).

Further, the AcquireTokenByAuthorizationCode method was throwing a long exception whose top line was:

at Microsoft.Identity.Client.OAuth2.OAuth2Client.ThrowServerException(HttpResponse response, RequestContext requestContext)

I changed "Instance" in appsettings from https://company.b2clogin.com to https://company.b2clogin.com/tfp/.

Now I am getting an ID token, but AccessToken is returned as null by the AcquireTokenByAuthorizationCode method.


Am I still missing some configuration, or is it some bug in Microsoft.Identity.Web with the Authorization Code Flow?

Is it fine to use AddAuthentication with options for AzureADB2C (MSAL), or should we be using the AddSignIn method only?

Tags: azure-ad-b2c, azure-ad-libraries
RajeevSinghChib-2978 answered

Hi Guys,

FYI, I have removed the ClientId scope from OpenIdConnectOptions and added a read scope for an API into OpenIdConnectOptions.

It fixed the AccessToken null issue. Now I am getting both an AccessToken and an IdToken.

Do my changes look fine?
Also, both the IdToken and the AccessToken are being added into the cache. Is that normal?

Thanks

alfredorevilla-msft answered alfredorevilla-msft edited

The current recommended way to setup the B2C middleware is this:

services.AddMicrosoftWebAppAuthentication(Configuration, "AzureAdB2C");

Please take a look at An ASP.NET Core Web app signing-in users with the Microsoft identity platform in Azure AD B2C and How to secure a Web API built with ASP.NET Core using the Azure AD B2C for more information.


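As an added example (not code from the original posts or from the Azure sample), the Startup below wires the B2C middleware the way the answer recommends and then attaches a diagnostic hook that checks the two things this thread trips over: that the authorize request goes out with response_type=code and with an API scope, and whether the token endpoint actually returned an access_token. It assumes an appsettings section named "AzureAdB2C", a hypothetical API scope URL (replace it with the scope your own API registration exposes), and the chained AddMicrosoftWebAppCallsWebApi / AddInMemoryTokenCaches calls from the Microsoft.Identity.Web preview that exposes AddMicrosoftWebAppAuthentication; in the 1.x GA releases the same chain is spelled AddMicrosoftIdentityWebAppAuthentication(...).EnableTokenAcquisitionToCallDownstreamApi(...).AddInMemoryTokenCaches().

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Identity.Web;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    // Hypothetical API scope used for illustration only; use the scope your own
    // B2C API app registration exposes (Expose an API -> Scopes) instead.
    private const string ApiReadScope = "https://contoso.onmicrosoft.com/todolist/demo.read";

    public void ConfigureServices(IServiceCollection services)
    {
        // Reads Instance, Domain, ClientId, ClientSecret and SignUpSignInPolicyId from the
        // "AzureAdB2C" section and registers OpenID Connect using the authorization code flow.
        services.AddMicrosoftWebAppAuthentication(Configuration, "AzureAdB2C")
            // Requesting an API scope up front is what makes the B2C token endpoint return an
            // access_token next to the id_token. Asking only for the client id, openid or
            // offline_access leaves AccessToken null, which is the symptom in this thread.
            .AddMicrosoftWebAppCallsWebApi(Configuration, new[] { ApiReadScope }, "AzureAdB2C")
            .AddInMemoryTokenCaches();

        // Post-configure the OIDC handler that Microsoft.Identity.Web registered, so the
        // outbound request can be inspected without re-implementing AddAuthentication by hand.
        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            options.Events ??= new OpenIdConnectEvents();

            var innerRedirect = options.Events.OnRedirectToIdentityProvider;
            options.Events.OnRedirectToIdentityProvider = async context =>
            {
                await innerRedirect(context); // keep the library's own handling first
                var logger = context.HttpContext.RequestServices.GetRequiredService<ILogger<Startup>>();
                var message = context.ProtocolMessage;

                // Pure authorization code flow: response_type must be exactly "code".
                // "code id_token" is the hybrid flow and needs the id_token implicit grant
                // enabled on the app registration.
                if (message.ResponseType != OpenIdConnectResponseType.Code)
                {
                    logger.LogWarning("Authorize request uses response_type '{ResponseType}', expected 'code'",
                        message.ResponseType);
                }

                var scopes = (message.Scope ?? string.Empty).Split(' ', StringSplitOptions.RemoveEmptyEntries);
                if (!scopes.Contains(ApiReadScope))
                {
                    logger.LogWarning("Authorize request does not ask for {Scope}; the token endpoint will return no access_token",
                        ApiReadScope);
                }
            };

            var innerTokenResponse = options.Events.OnTokenResponseReceived;
            options.Events.OnTokenResponseReceived = async context =>
            {
                await innerTokenResponse(context);
                var logger = context.HttpContext.RequestServices.GetRequiredService<ILogger<Startup>>();
                var response = context.TokenEndpointResponse;
                // This event fires before the protocol validator inspects the response, so a
                // missing access_token shows up here with context instead of only as IDX21336.
                logger.LogInformation("Token endpoint returned id_token={HasIdToken} access_token={HasAccessToken}",
                    !string.IsNullOrEmpty(response.IdToken), !string.IsNullOrEmpty(response.AccessToken));
            };
        });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

The Configure<OpenIdConnectOptions> delegate is registered after AddMicrosoftWebAppAuthentication, so it runs after the library's own configuration and only wraps the existing event handlers rather than replacing them. With the API scope in the initial request, neither the "Access Token" nor the "ID Token" implicit-grant checkbox needs to be enabled on the client registration; they are only required when response_type contains token or id_token.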

RajeevSinghChib-2978 answered alfredorevilla-msft commented

Hi Alfredo,

Maybe it's my lack of knowledge. I want to use the Authorization Code Flow, not the Implicit Code Flow.

I am trying to use your 4-2-B2C sample (Link) in its original form, just by changing appsettings, but this sample works only if I enable the "Access Token" option under the "Implicit Grant" section of the client app registration page.

Also, I get the following warning message there if I enable the "Access Token" option:
This app has implicit grant settings enabled. If you are using any of these URIs in a SPA with MSAL.js 2.0, you should migrate URIs.

My questions are:
Is it mandatory to enable the "Access Token" option for the client app registration, even if we want to use the Authorization Code Flow?
If not, what code changes do I need to make for your 4-2-B2C sample to work?

Also, in the authorize endpoint call, I saw responseType "Code IDToken". Is that fine with the Authorization Code Flow?





alfredorevilla-msft commented: The referred sample does not use the implicit flow but the authorization code flow; that's why response_type is code (for the implicit flow it would be id_token and/or token). There's no change required.
