MSAL does not return a token
Marren85 opened this issue · 6 comments
Hi, I've run the sample, exchanging my values into the settings.
Everything works fine: I can log in, see claims, etc. My problem is I want to be able to use the Graph API to add local accounts.
The only problem so far, which I've been banging my head against a wall with for the last 48 hours, is that I CANNOT get a token with MSAL.
Every single time it returns null (not an error, btw), and there is a value for the IdToken on line 95 of OpenIdConnectOptionsSetup.cs:
context.HandleCodeRedemption(result.AccessToken, result.IdToken);
Whilst I am new to Azure, this makes no sense. I've tried varying scopes as I'm not 100% on those either and no combination gets me anywhere! I suspect it's with the setup.
I've created my B2C tenant, added the app with the reply URL, created and added my secret, created my policies and updated VS with these, and it does work like I said: I can log in and access everything...
Any help would be greatly appreciated as the documentation for an Azure product is amazingly poor. Most guides use Azure AD not B2C and most assume you've been using this for years...
Did you create a web api application, publish the same scopes, and update the app uri in the settings? (See step 4 in the Readme)
@Marren85 I get the same thing. result.AccessToken is null after the AcquireTokenByAuthorizationCodeAsync call. If I swap my appsettings back to the ones in the sample that call returns an access code. Did you find a solution or what was wrong with the B2C config?
@4deeptech can you confirm that you did the following:
- Register your web api and define scopes for it
- In your web app's registration, indicate that you want to consume those scopes.
- Change your web app's OpenID Connect middleware:
i. Response type of "id_token code"
ii. Scope of "openid {your-web-api-scopes}" - Finally, you'll use MSAL in the OnAuthorizationCodeReceived event to redeem the code for an access token.
See this article for more details: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-access-tokens
@parakhj Here's the setup. I have two app registrations. This web app (this repo) is one of them, then I have a Web API as the second one. I created published scopes for the Web API, and in the Web app I added (in the API Access area of the portal) both the Web App and the Web API apps as permitted scopes. So I did item 1 and item 2 that you mention. As for item 3, since my web app is the code from this repo, lines 43-58 in OpenIdConnectOptionsSetup.cs are already doing that. As for item 4, again, this repo has that wired up.

Basically, if I merely swap out the app settings I get different behavior, so the difference has to be in the B2C configuration. The OnAuthorizationCodeReceived callback occurs and it calls AcquireTokenByAuthorizationCodeAsync, but the response only contains a new id token value with all the same claim info as the original id token passed in, except that it contains a nonce value instead of "defaultNonce", so the call appears to be doing something. It just IS NOT returning a value for AccessToken.

Just FYI, if I use the id_token JWT and pass that as the Bearer token (since the Access Token is null) to the web API, the web API validates it and gives me access and returns the sample response. I don't understand why passing the 'code' to AcquireTokenByAuthorizationCodeAsync does not return an AccessToken but does return a new id_token with the nonce value set.
@parakhj @Marren85 I figured out the issue after fiddling for quite a while. The solution was actually very simple. The API scope you request is NOT the published scope name, it's the published scope VALUE. If the name is demo.read and the value is 'READ', then you request [APP ID URI]/READ and NOT [APP ID URI]/demo.read.
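The two points the thread converges on, the middleware scope string of "openid {your-web-api-scopes}" and the fact that the requested scope must be the published scope value rather than its display name, can both be checked offline before touching the portal again. The Python below is an added example, not code from this repo, from MSAL or from Azure AD B2C: it composes the scope string from an App ID URI and a published scope value, and decodes a token's claims (without signature verification, for diagnosis only) to tell a B2C id_token (aud is the web app's client ID and a nonce is present) from an access token issued for the API (aud is the API's client ID and the granted scope values appear in scp). The App ID URI, the two client IDs and the sample tokens are constructed placeholders, not values from the original post.

```python
import base64
import json

# Hypothetical values for this example; substitute your own tenant's.
APP_ID_URI = "https://contoso.onmicrosoft.com/demoapi"
WEB_API_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
WEB_APP_CLIENT_ID = "22222222-2222-2222-2222-222222222222"


def build_api_scope(app_id_uri: str, scope_value: str) -> str:
    """Full scope to request for a B2C web API: the App ID URI, a slash, and the
    published scope VALUE (e.g. 'READ'), not the display name (e.g. 'demo.read')."""
    return f"{app_id_uri.rstrip('/')}/{scope_value}"


def oidc_scope_string(api_scopes) -> str:
    """Space-separated 'scope' parameter for the OpenID Connect middleware:
    'openid' followed by the full API scopes."""
    return " ".join(["openid", *api_scopes])


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWS WITHOUT verifying the signature.
    Use this only to inspect claims while debugging; never authorize on it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, web_app_client_id: str,
                   web_api_client_id: str, expected_scope_value: str) -> str:
    """Distinguish a B2C id_token from an access token for the API and check that
    the access token carries the expected scope value in its 'scp' claim.
    Returns 'id_token', 'access_token', 'access_token_missing_scope' or 'unknown'."""
    claims = decode_jwt_payload(token)
    aud = claims.get("aud")
    if aud == web_app_client_id and "nonce" in claims:
        return "id_token"
    if aud == web_api_client_id:
        granted = set(claims.get("scp", "").split())
        return "access_token" if expected_scope_value in granted else "access_token_missing_scope"
    return "unknown"


def _make_unsigned_sample_jwt(claims: dict) -> str:
    """Build a constructed, unsigned sample token for this example only. A real
    B2C token is RS256-signed; this one exists purely so the decoder has input."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens mirroring the two shapes discussed in the thread.
SAMPLE_ID_TOKEN = _make_unsigned_sample_jwt(
    {"aud": WEB_APP_CLIENT_ID, "nonce": "8f3c0a", "sub": "user-1"})
SAMPLE_ACCESS_TOKEN = _make_unsigned_sample_jwt(
    {"aud": WEB_API_CLIENT_ID, "scp": "READ", "sub": "user-1"})


if __name__ == "__main__":
    scope = build_api_scope(APP_ID_URI, "READ")
    print("scope to request:", oidc_scope_string([scope]))
    for name, tok in (("id_token", SAMPLE_ID_TOKEN), ("access_token", SAMPLE_ACCESS_TOKEN)):
        print(name, "->", classify_token(tok, WEB_APP_CLIENT_ID, WEB_API_CLIENT_ID, "READ"))
```

If MSAL's result only ever classifies as 'id_token', the code redemption did not obtain an access token for the API at all, which is what a scope that matches no published scope value looks like from the client side; 'access_token_missing_scope' instead means the API was targeted but a different scope value was granted than the one the API checks for.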
@4deeptech sorry about that. We are working to improve the documentation/UI.