microsoft-authentication-library-for-dotnet: [Bug] Uno - Exchange authorization code for bearer token blocked by CORS in browser
Which Version of MSAL are you using ? 4.14
Platform WebAssembly
What authentication flow has the issue?
- Desktop / Mobile
- Interactive
- Integrated Windows Auth
- Username Password
- Device code flow (browserless)
- Web App
- [ X ] Authorization code
- OBO
- Web API
- OBO
Other? - please describe;
Is this a new or existing app? This is a new app or experiment
Expected behavior Successfully exchange authorization code for bearer token
Actual behavior Exchange blocked by CORS
Additional context/ Logs / Screenshots
I’m using the Uno platform to write an Azure B2C authenticated multi-platform app using auth code flow via `PublicClientApplication`. While most of the heads (e.g. Android, UWP, etc.) work fine using this approach, I’m hitting an issue with the web assembly (WASM) head.
In the WASM project I’m able to show the sign-in page and successfully sign-in, but then hit a CORS error (“Access to fetch at ‘https://{TENANT}.b2clogin.com/tfp/{TENANT}.onmicrosoft.com/b2c_1_signupandsignin/oauth2/v2.0/token’ from origin ‘http://localhost:5000’ has been blocked by CORS policy”) when the PublicClientApplication endeavours to swap the authorization code for an access token.
Now given the WASM head is effectively a Single-Page Application, I tried following the instructions for Migrat[ing] a JavaScript single-page app from implicit grant to auth code flow. I added a new Application to my Azure B2C tenant and configured the “Single-page application” platform such that I now see the “Your Redirect URI is eligible for the Authorization Code Flow with PKCE.” notice in the “Grant types” section. It is my understanding that this configuration enables CORS but, even after these changes, I still hit exactly the same CORS issue within my application.
Capturing the session during login reveals that, as per the CORS protocol, the browser is making an OPTIONS request to the token endpoint which is responding with a 404 thereby preventing the POST to the token endpoint for authorization code exchange.
Here’s the session (with the Azure B2C Tenant replaced with ‘{TENANT}’, tokens replaced with ‘{TOKEN}’ and state replaced with ‘{STATE}’):
Method | Url | Result |
---|---|---|
GET | https://{TENANT}.b2clogin.com/tfp/{TENANT}.onmicrosoft.com/b2c_1_signupandsignin/oauth2/v2.0/authorize?scope=https%3A%2F%2F{TENANT}.onmicrosoft.com%2Fbackends%2Fread.only+offline_access+openid+profile&response_type=code&client_id=32bfdaf8-cc9f-4011-942d-851911aef544&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fauthentication%2Flogin-callback.htm&client-request-id=293915f0-a719-46a8-8003-bba230c4a49c&x-client-SKU=MSAL.UnoWasm&x-client-Ver=4.4.0.0&x-client-OS=web&prompt=select_account&code_challenge=mTjqNj7n3fMaon2_7HrIzpfGhwLPIwqrpMRCBt47-I4&code_challenge_method=S256&state={STATE} | 200 OK |
POST | https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/B2C_1_signupandsignin/SelfAsserted?tx=StateProperties={STATE}&p=B2C_1_signupandsignin | 200 OK |
GET | https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/B2C_1_signupandsignin/api/CombinedSigninAndSignup/confirmed?csrf_token={TOKEN}&tx=StateProperties={STATE}&p=B2C_1_signupandsignin&diags=%7B%22pageViewId%22%3A%228a316cef-e06e-42c2-97a8-9dc9cfcd5d5a%22%2C%22pageId%22%3A%22CombinedSigninAndSignup%22%2C%22trace%22%3A%5B%7B%22ac%22%3A%22T005%22%2C%22acST%22%3A1591363250%2C%22acD%22%3A2%7D%2C%7B%22ac%22%3A%22T021%20-%20URL%3Ahttps%3A%2F%2F{TENANT}.b2clogin.com%2Fstatic%2Ftenant%2Ftemplates%2FAzureBlue%2Funified.cshtml%3Fslice%3D001-000%26dc%3DDB3%22%2C%22acST%22%3A1591363250%2C%22acD%22%3A55%7D%2C%7B%22ac%22%3A%22T029%22%2C%22acST%22%3A1591363250%2C%22acD%22%3A13%7D%2C%7B%22ac%22%3A%22T004%22%2C%22acST%22%3A1591363250%2C%22acD%22%3A3%7D%2C%7B%22ac%22%3A%22T019%22%2C%22acST%22%3A1591363250%2C%22acD%22%3A25%7D%2C%7B%22ac%22%3A%22T003%22%2C%22acST%22%3A1591363250%2C%22acD%22%3A52%7D%2C%7B%22ac%22%3A%22T002%22%2C%22acST%22%3A0%2C%22acD%22%3A0%7D%5D%7D | 302 Found |
GET | http://localhost:5000/authentication/login-callback.htm?state={STATE}&code={TOKEN} | 200 OK |
OPTIONS | https://{TENANT}.b2clogin.com/tfp/{TENANT}.onmicrosoft.com/b2c_1_signupandsignin/oauth2/v2.0/token | 404 Not Found |
I believe this is likely to be an issue with the Azure B2C service (and I will report an issue to them as soon as I can find an appropriate forum) but was wondering if the above flow looks correct to you?
Thanks, Ian
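The OPTIONS request in the captured session is the CORS preflight: the browser sends it before the token POST whenever the request carries anything outside the Fetch spec's "simple request" rules, and it refuses to send the POST unless the preflight answer is a 2xx that allows the origin, the method and the requested headers. The block below is an added example, not code from MSAL.NET, Uno or Azure AD B2C: it models that browser check, a token endpoint that answers preflight correctly, and one that returns 404 to OPTIONS as captured above. One assumption is labelled in the code and not shown on the page: that the client sends its `x-client-*` telemetry values (visible only on the authorize URL here) as request headers on the token POST, which is what would make that POST a preflighted request rather than a simple form post.

```javascript
// Added example (not MSAL.NET / Uno / B2C code): model of the CORS preflight
// that blocks the token exchange described above.
// Assumption (not shown on the page): the client attaches x-client-* values
// as request HEADERS on the token POST; non-safelisted headers force a preflight.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_MIMES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// Header names the Fetch spec does not safelist. A non-empty list (or a
// non-safelisted method) means the browser must send an OPTIONS preflight.
function unsafeHeaderNames(headers) {
  const out = [];
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) { out.push(n); continue; }
    if (n === 'content-type' && !SAFE_MIMES.has(String(value).split(';')[0].trim().toLowerCase())) out.push(n);
  }
  return out.sort();
}

function needsPreflight(method, headers) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaderNames(headers).length > 0;
}

const csv = (s) => String(s || '').split(',').map((x) => x.trim().toLowerCase()).filter(Boolean);

// Token endpoint that answers preflight the way a SPA client needs. allowedOrigins
// are the registered SPA redirect-URI origins; the origin is echoed back (never
// '*') and Vary: Origin is set so caches do not reuse the answer across origins.
function makeTokenEndpoint(allowedOrigins) {
  return (req) => {
    const origin = req.headers['origin'];
    const cors = allowedOrigins.has(origin) ? { 'access-control-allow-origin': origin, 'vary': 'Origin' } : {};
    if (req.method === 'OPTIONS') {
      if (!allowedOrigins.has(origin)) return { status: 403, headers: {}, body: '' };
      return {
        status: 204,
        headers: {
          ...cors,
          'access-control-allow-methods': 'POST',
          'access-control-allow-headers': req.headers['access-control-request-headers'] || '',
          'access-control-max-age': '600',
        },
        body: '',
      };
    }
    if (req.method === 'POST') {
      // A real endpoint validates code, redirect_uri, client_id and the PKCE
      // code_verifier against the S256 code_challenge here; omitted in this model.
      return { status: 200, headers: cors, body: '{"token_type":"Bearer","access_token":"{TOKEN}"}' };
    }
    return { status: 404, headers: {}, body: 'Not Found' };
  };
}

// Endpoint behaving like the one captured on the page: POST would work, but
// OPTIONS is unrouted and returns 404, so a browser client never gets to POST.
function brokenTokenEndpoint(req) {
  if (req.method === 'POST') return { status: 200, headers: {}, body: '{"token_type":"Bearer","access_token":"{TOKEN}"}' };
  return { status: 404, headers: {}, body: 'Not Found' };
}

// Browser model: preflight when required, validate the answer, then send the
// real request and enforce Access-Control-Allow-Origin on its response.
function browserFetch(origin, req, server) {
  const requested = unsafeHeaderNames(req.headers);
  if (needsPreflight(req.method, req.headers)) {
    const pre = server({ method: 'OPTIONS', headers: {
      origin, 'access-control-request-method': req.method, 'access-control-request-headers': requested.join(', ') } });
    const ok = pre.status >= 200 && pre.status < 300
      && pre.headers['access-control-allow-origin'] === origin
      && csv(pre.headers['access-control-allow-methods']).includes(req.method.toLowerCase())
      && requested.every((h) => csv(pre.headers['access-control-allow-headers']).includes(h));
    if (!ok) return { blocked: true, stage: 'preflight', status: pre.status };
  }
  const res = server({ ...req, headers: { ...req.headers, origin } });
  const allow = res.headers['access-control-allow-origin'];
  if (allow !== origin && allow !== '*') return { blocked: true, stage: 'response', status: res.status };
  return { blocked: false, status: res.status, body: res.body };
}

// Constructed token request in the shape of the exchange on this page
// (placeholder values, not real codes). 'x-client-sku' is the assumed
// non-safelisted header that forces the preflight.
function tokenRequest() {
  return {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded', 'x-client-sku': 'MSAL.UnoWasm' },
    body: 'grant_type=authorization_code&code={TOKEN}&code_verifier={VERIFIER}'
      + '&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fauthentication%2Flogin-callback.htm&client_id={CLIENT_ID}',
  };
}

const SPA_ORIGIN = 'http://localhost:5000';
console.log('broken endpoint:', browserFetch(SPA_ORIGIN, tokenRequest(), brokenTokenEndpoint));
console.log('fixed endpoint :', browserFetch(SPA_ORIGIN, tokenRequest(), makeTokenEndpoint(new Set([SPA_ORIGIN]))));
console.log('other origin   :', browserFetch('http://attacker.example', tokenRequest(), makeTokenEndpoint(new Set([SPA_ORIGIN]))));
```

Two practical checks fall out of the model. First, a plain `application/x-www-form-urlencoded` POST with no extra headers is a simple request and never preflights, so whether the token call is blocked depends entirely on which headers the client library attaches. Second, a token endpoint for SPA clients must route OPTIONS and answer it with the origin echoed from a per-app allow list; returning a wildcard would let any page exchange a stolen code, and returning 404 (as captured above) blocks every legitimate browser client.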
About this issue
- State: closed
- Created 4 years ago
- Comments: 29 (9 by maintainers)
Just had an update from the Azure AD B2C team: A fix for this issue will be deployed on the 21st August.
Fingers crossed it correctly implements the CORS protocol. I’ll test as soon as the fix has been deployed and update this issue accordingly.
@EdBlacker, the Azure AD B2C team deployed a fix for this issue on Friday. I ran some preliminary tests and it seems to work.
@bgavrilMS, unless @EdBlacker encounters further problems, I believe this issue can be closed now. Thanks for keeping it active while the issue was addressed.
Hi @bgavrilMS, I understand your sentiment here: This is very much an issue with Azure AD B2C not with the MSAL.net library.
Blocked sounds like an appropriate status but if you would prefer to close this for reasons of getting it off the project board, that would be understandable.
If you do decide to leave this issue open, I will be sure to update it when I receive further information from the Azure AD B2C team.
Either way, totally your call.
@bgavrilMS There is no fork of MSAL on Uno. We’re simply pushing custom implementations of `ICustomWebUi` and `IMsalHttpClientFactory`. Uno is using the unforked version of MSAL dotnet (not MSAL.js) running using .NETStandard 1.3 on mono-wasm in a browser.
Sorry @bgavrilMS , I’ve looked but can’t find any form of link for the support request in the Azure “Help + Support” blade so don’t think I’m able to share a link.
If you know how, let me know and I’ll try to provide one.
Update to my previous comment: I confirm it works by using the `netstandard1.3` version of MSAL.NET. I implemented both `ICustomWebUi` and `IMsalHttpClientFactory` and I succeeded in using the `Microsoft.Identity.Client` package (apart from a minor problem with `ref` assemblies caused by the Uno Bootstrapper). I think it’s a viable solution, better than the fork. I’ll continue to investigate it.