Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp

Note on B2C usage with msal js

Closed this issue · 6 comments

  • msal js supports B2C flows for acquireTokenSilent, but with certain conditions due to the manner in which B2C policies can manifest certain UI patterns.
  • An interaction is mandated for any initial login; once a session is established and a token can be acquired silently, the use case is straightforward and supported.
  • Some policies, like edit-profile, by default need interaction, and calling acquireTokenSilent, which renders a hidden iframe, is blocked by the B2C service with X-Frame-Options set to DENY.

We did some testing with our sample and have generated the below table:

Policy                    | Status with Sample                      | acquireTokenSilent
------------------------- | --------------------------------------- | ------------------
SignupSignIn (SUSI) - V2  | works as expected                       | Supported
Password Reset - V2       | X-Frame-Options deny                    | Not supported
SignIn - V2               | works as expected                       | Supported
Profile Edit              | X-Frame-Options deny                    | Not supported
SignUp - V2               | works as expected for interactive calls | Not supported

It is possible that some IDPs are being called for silent calls where interaction is needed and the B2C service is blocking the frame. We are investigating to improve this experience and throw proper errors; for now the above table can be used as a reference as we stabilize the B2C experience in our samples for all policies.

@sameerag is this in the wiki somewhere? It would be useful to have there and maybe more discoverable.

I am working on making it official, we have some gaps to document. This will be in the wiki soon. The pinning of an issue is a temp alternative.

It is mentioned here that SUSI V2 supports silent token acquisition.
However, on creating a user flow (Recommended - SUSI, which I presume is V2) I am unable to silently get a token across all IdPs. In fact, only for a handful of IdPs was I able to acquire the token silently. Is there anything I am missing?

I've built a B2C custom policy using the starter pack and the instructions for multi-tenant AAD support. The policy works fine when I use it in my SPA application. However, when I want to navigate to another application from the same tenant in the same tab, I'm always redirected to the B2C login page (I use the ssoSilent method to get the user session, and then the loginRedirect method if the session doesn't exist).

I've checked in the browser, and I can see the B2C SSO cookie: x-ms-cpim-sso:<my_tenant>. But it is not picked up by my App.

In my policy the Relying Party has the SSO scope set to Tenant, as well as a Session Management Provider for the JWT Issuer to use the OAuthSSOSessionProvider.

Is there something more that I need to add in the policy for SSO to work?

The error I get from ssoSilent -> BrowserAuthError: monitor_window_timeout: Token acquisition in iframe failed due to timeout.

NOTE: When I use a default SignIn policy (single AD tenant as the OpenID Connect Provider), then this use case works.
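An added example, not code from the archived sample or from MSAL.js itself, covering both the pinned note's table (policies that answer the hidden iframe with X-Frame-Options: DENY) and the ssoSilent report above (monitor_window_timeout, then loginRedirect). It wraps an msal-browser style client so that policies known to be interactive-only never go through the iframe at all, and so that the silent failures the thread describes fall back to a redirect instead of surfacing as unhandled rejections. The policy names, the contoso authority, the stub client and the error messages it throws are constructed here; the error codes it keys on (monitor_window_timeout, interaction_required, login_required, consent_required) are the ones msal-browser reports on its error objects.

```javascript
// Policies whose pages are served with X-Frame-Options: DENY. Constructed names;
// list your own user flows or custom policies here.
const INTERACTIVE_ONLY_POLICIES = new Set(["B2C_1_PasswordReset", "B2C_1_ProfileEdit"]);

// Error codes for which interaction is the right next step. Anything else
// (network errors, misconfiguration) is rethrown so it is not masked.
const INTERACTION_ERROR_CODES = new Set([
  "monitor_window_timeout", // BrowserAuthError: the iframe never posted back
  "interaction_required",   // InteractionRequiredAuthError family
  "login_required",
  "consent_required",
]);

// Policy name from an authority of the form
// https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/<policy> (path form assumed).
function policyFromAuthority(authority) {
  return authority.split("/").filter(Boolean).pop();
}

function needsInteraction(err) {
  return INTERACTION_ERROR_CODES.has(err && err.errorCode);
}

// Resolves to { mode: "silent", accessToken } or { mode: "redirect", reason }.
// A "redirect" result means the client has been asked to navigate away.
async function getTokenOrRedirect(client, request) {
  if (INTERACTIVE_ONLY_POLICIES.has(policyFromAuthority(request.authority))) {
    await client.acquireTokenRedirect(request);
    return { mode: "redirect", reason: "policy_is_interactive_only" };
  }
  let account = request.account;
  if (!account) {
    // No cached account: try to pick up the B2C SSO cookie via ssoSilent
    // before forcing a full login.
    try {
      ({ account } = await client.ssoSilent(request));
    } catch (err) {
      if (!needsInteraction(err)) throw err;
      await client.loginRedirect(request);
      return { mode: "redirect", reason: err.errorCode };
    }
  }
  try {
    const result = await client.acquireTokenSilent({ ...request, account });
    return { mode: "silent", accessToken: result.accessToken };
  } catch (err) {
    if (!needsInteraction(err)) throw err;
    await client.acquireTokenRedirect({ ...request, account });
    return { mode: "redirect", reason: err.errorCode };
  }
}

// Constructed stand-in for PublicClientApplication so the example runs offline.
// `deniesFrames` lists policies whose hidden iframe is blocked; `session`
// simulates whether the x-ms-cpim-sso cookie holds a usable session.
function makeStubClient({ deniesFrames = [], session = true } = {}) {
  const calls = [];
  const fail = (code, message) => Object.assign(new Error(`${code}: ${message}`), { errorCode: code });
  const silent = async (kind, request) => {
    const policy = policyFromAuthority(request.authority);
    calls.push([kind, policy]);
    if (deniesFrames.includes(policy)) {
      throw fail("monitor_window_timeout", "Token acquisition in iframe failed due to timeout.");
    }
    if (!session) throw fail("interaction_required", "no session for this account");
    const account = request.account || { homeAccountId: "user-from-sso-cookie" };
    return { account, accessToken: `token-for-${policy}` };
  };
  return {
    calls,
    ssoSilent: (r) => silent("ssoSilent", r),
    acquireTokenSilent: (r) => silent("acquireTokenSilent", r),
    async loginRedirect(r) { calls.push(["loginRedirect", policyFromAuthority(r.authority)]); },
    async acquireTokenRedirect(r) { calls.push(["acquireTokenRedirect", policyFromAuthority(r.authority)]); },
  };
}

// Constructed authority; replace with your tenant's b2clogin.com authority.
const AUTHORITY_BASE = "https://contoso.b2clogin.com/contoso.onmicrosoft.com/";
const request = (policy, account) => ({ authority: AUTHORITY_BASE + policy, scopes: ["openid"], account });

(async () => {
  const client = makeStubClient({ deniesFrames: ["B2C_1A_MultiTenantSignIn"] });
  console.log(await getTokenOrRedirect(client, request("B2C_1_SignUpSignIn", { homeAccountId: "u1" })));
  console.log(await getTokenOrRedirect(client, request("B2C_1A_MultiTenantSignIn", undefined)));
})();
```

The allowlist matters for latency as well as correctness: a silent call against a DENY policy only fails after msal-browser's iframe timeout has elapsed, so skipping the iframe for profile-edit and password-reset saves that wait on every call. From the client's side the custom-policy report above ends in exactly the same error as the table's X-Frame-Options rows, which is why the wrapper treats monitor_window_timeout as "go interactive" rather than as a bug to retry.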

Closing this as this sample is being archived. Please see the new sample and/or raise any issues you have at MSAL.js repo.