microsoft-authentication-library-for-dotnet: MsalServiceException AADSTS50049 when targeting B2C

I just migrated our code to MSAL 2.2.0 and also changed to use the b2clogin.com domain instead of the login.microsoft.com domain we were using before.

I cannot seem to figure out how to construct the correct authority string. Here is what my code currently looks like:

using Microsoft.Identity.Client; // MSAL 2.2.0

public class AuthService
{
    private const string mTenant = "ideliverableb2c.onmicrosoft.com";
    private const string mClientId = "d77e...caa6"; // Obfuscated here
    private const string mSignInPolicyName = "B2C_1_si";

    // Authority in the https://<host>/tfp/<tenant>/<policy> form against the b2clogin.com domain
    private PublicClientApplication mClientApplication =
        new PublicClientApplication(mClientId, authority: $"https://ideliverableb2c.b2clogin.com/tfp/{mTenant}/{mSignInPolicyName}")
        {
            RedirectUri = $"msal-{mClientId}://auth",
            ValidateAuthority = false
        };
}

I have tried various different ways to format the authority string, but no matter what I do I get the same exception when I call mClientApplication.AcquireTokenAsync():

Microsoft.Identity.Client.MsalServiceException: AADSTS50049: Unknown or invalid instance.

Response body:

{
    "error":"invalid_instance",
    "error_description":"AADSTS50049: Unknown or invalid instance.\r\nTrace ID: 6b61d006-7a2a-4b7e-b497-3cd6d9dc3800\r\nCorrelation ID: 78054f61-e0a9-4685-b761-64bc728ff90d\r\nTimestamp: 2018-10-09 19:28:23Z",
    "error_codes":[50049],
    "timestamp":"2018-10-09 19:28:23Z",
    "trace_id":"6b61d006-7a2a-4b7e-b497-3cd6d9dc3800",
    "correlation_id":"78054f61-e0a9-4685-b761-64bc728ff90d"
}

What am I doing wrong here?

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 27 (4 by maintainers)

Most upvoted comments

It is also useful to specify that the Authority URL should be like:

https://TENANT.b2clogin.com/tfp/TENANT.onmicrosoft.com/POLICY/v2.0/.well-known/openid-configuration

(never properly mentioned in any documentation)

WithAuthority now has an overload of sorts, WithB2CAuthority. While I was using a properly-formatted authority (https://TENANT.b2clogin.com/tfp/TENANT.onmicrosoft.com/POLICY/), I continued to get the error:

"B2C 'authority' Uri should have at least 3 segments in the path (i.e. https://<host>/tfp/<tenant>/<policy>/...)"

Thankfully, the sample here showed the overload. Once I started using it, I was able to get connected.

https://TENANT.b2clogin.com/tfp/TENANT.onmicrosoft.com/POLICY/v2.0/.well-known/openid-configuration This needs to be put in BIG, BOLD LETTERS on all the documentation and examples. It took me a day to find this. None of the old examples on GitHub work anymore with Azure B2C. It wasn’t until I used this new authority URL that I got my code, and the examples, to work.

@lybax actually no, the Authority URL should not have /v2.0/.well-known/openid-configuration. It should be https://TENANT.b2clogin.com/tfp/TENANT.onmicrosoft.com/POLICY
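The authority form the two comments above settle on (https://TENANT.b2clogin.com/tfp/TENANT.onmicrosoft.com/POLICY, without the discovery-document suffix) and the WithB2CAuthority overload mentioned earlier, as an added example that is not code from this issue, from MSAL's own samples or from the library. It assumes MSAL.NET 3.x or later (PublicClientApplicationBuilder), and the host, tenant, policy, client ID, redirect URI and API scope are placeholder values constructed for the example. The local check in front of the builder is an addition of this example, not something MSAL does for you: it rejects non-https authorities, an unexpected host, a path without the tfp/<tenant>/<policy> segments, and the .well-known/openid-configuration form, so a misconfiguration fails before any network round-trip.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client; // MSAL.NET 3.x+ (PublicClientApplicationBuilder / WithB2CAuthority)

public static class B2CAuthorityExample
{
    // Placeholder values constructed for this example, not a real tenant or app registration
    const string B2CHost      = "contoso.b2clogin.com";
    const string Tenant       = "contoso.onmicrosoft.com";
    const string SignInPolicy = "B2C_1_si";
    const string ClientId     = "00000000-0000-0000-0000-000000000000";

    // The authority is https://<host>/tfp/<tenant>/<policy>/ ; the discovery document
    // (/v2.0/.well-known/openid-configuration) is what MSAL fetches from it, not what you pass in.
    public static string BuildB2CAuthority(string host, string tenant, string policy) =>
        $"https://{host}/tfp/{tenant}/{policy}/";

    // Defensive pre-check (added here, not part of MSAL) so a bad authority fails locally with a
    // clear reason instead of as AADSTS50049 or "at least 3 segments" after a service call.
    public static bool IsWellFormedB2CAuthority(string authority, string expectedHost, out string reason)
    {
        if (!Uri.TryCreate(authority, UriKind.Absolute, out var uri) || uri.Scheme != Uri.UriSchemeHttps)
        {
            reason = "authority must be an absolute https:// URL";
            return false;
        }
        if (!uri.Host.Equals(expectedHost, StringComparison.OrdinalIgnoreCase))
        {
            reason = $"authority host '{uri.Host}' is not the tenant's b2clogin.com host";
            return false;
        }
        var segments = uri.AbsolutePath.Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
        if (segments.Length < 3 || !segments[0].Equals("tfp", StringComparison.OrdinalIgnoreCase))
        {
            reason = "path must be /tfp/<tenant>/<policy>";
            return false;
        }
        if (segments.Any(s => s.Equals(".well-known", StringComparison.OrdinalIgnoreCase)))
        {
            reason = "pass the authority, not the .well-known/openid-configuration document URL";
            return false;
        }
        reason = null;
        return true;
    }

    public static IPublicClientApplication CreateClient(string authority)
    {
        if (!IsWellFormedB2CAuthority(authority, B2CHost, out var reason))
            throw new ArgumentException($"Bad B2C authority '{authority}': {reason}");

        return PublicClientApplicationBuilder
            .Create(ClientId)
            .WithB2CAuthority(authority)                // B2C-specific overload; plain WithAuthority is for AAD
            .WithRedirectUri($"msal-{ClientId}://auth") // must match the app registration
            .Build();
    }

    public static async Task Main()
    {
        // The form the thread warns about: rejected locally, never sent to the service.
        var discoveryUrl = BuildB2CAuthority(B2CHost, Tenant, SignInPolicy) + "v2.0/.well-known/openid-configuration";
        Console.WriteLine(IsWellFormedB2CAuthority(discoveryUrl, B2CHost, out var why) ? "ok" : $"rejected: {why}");

        var app = CreateClient(BuildB2CAuthority(B2CHost, Tenant, SignInPolicy));

        // Assumed API scope for the placeholder app; real scopes come from your own app registration.
        string[] scopes = { "https://contoso.onmicrosoft.com/api/read" };
        var accounts = await app.GetAccountsAsync();
        AuthenticationResult result;
        try
        {
            // Silent first (cache); a null/unknown account surfaces as MsalUiRequiredException.
            result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault()).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            result = await app.AcquireTokenInteractive(scopes).ExecuteAsync();
        }
        Console.WriteLine($"Token acquired for {result.Account?.Username}, expires {result.ExpiresOn:u}");
    }
}
```

Pinning the expected host in the check is deliberate: the authority decides which issuer your app will trust tokens from, so it should be a fixed value for your tenant rather than something assembled from input at runtime.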

Do you think that we should make the following clearer: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/AAD-B2C-specifics#authority-for-a-b2c-tenant-and-policy ?

Fixed in MSALv2.5.0-preview

Works like a charm. Thank you!

@tmarkovski @fileman @mixxit Thanks for your patience while we sort this out. The issue is with the GetAccountsAsync() method, which is making a network call to the instance discovery endpoint. See this issue. If this method runs before the AT call, then you’ll get the eSTS exception you are seeing. We are working on a fix for this; as it impacts the cache, we need to coordinate with the other platforms before making changes, but this is high priority (as other customers have reported the need for GetAccountsAsync() to work offline) and we hope to have a release out as soon as we can.

I will keep you posted on the progress. Thanks again for reporting and your patience. cc: @jmprieur