microsoft-identity-web: B2C password reset fails for confidential client not configured to support implicit flow

Which version of Microsoft Identity Web are you using? Note that to get help, you need to run the latest version. Microsoft Identity Web 1.2.0

Where is the issue?

  • Web app
    • Sign-in users
    • Sign-in users and call web APIs
  • Web API
    • Protected web APIs (validating tokens)
    • Protected web APIs (validating scopes)
    • Protected web APIs call downstream web APIs
  • Token cache serialization
    • In-memory caches
    • Session caches
    • Distributed caches
  • Other (please describe)

Is this a new or an existing app? App under development

Repro

  • Configure an application in B2C which does not support implicit flow
  • Use dotnet new webapp --auth IndividualB2C to scaffold app, updating package references to 1.2.0
  • Configure with B2C application defined above (clientId and secret)
  • include <a href="/MicrosoftIdentity/Account/signin/OpenIdConnect">Sign In</a> in index.html
  • Set logging at Debug level
  • Run app and click link
  • Click `Forgot Your Password?`

Expected behavior: The B2C Reset Password screen

Actual behavior: Debug output reporting error: 'unauthorized_client', error_description: 'AADB2C90057: The provided application is not configured to allow the 'OAuth' Implicit flow.'

Possible solution

  • The problem is that the authorize call to the password reset policy includes id_token in ResponseType, whereas the signupsignin policy does not.

  • Enabling implicit flow does provide a workaround, but this is undesirable given that the implicit flow is disappearing.


About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 21

Most upvoted comments

@jmprieur No need to reopen.

@jennyf19 proposing to fix this one. In the `OnRedirectToIdentityProvider` callback we should change the test to use `code` when the `IssuerAddress.Contains(microsoftIdentityOptions.ResetPasswordPolicyId)`

@jmprieur, @jennyf19 It does work just providing code. This is what I did

  1. I added the following in startup

```csharp
using System;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

// Inside Startup.ConfigureServices, after the Microsoft.Identity.Web registration.
services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    // Keep the handler the library already wired up and run it first.
    var parentHandler = options.Events.OnRedirectToIdentityProvider;
    options.Events.OnRedirectToIdentityProvider = async context =>
    {
        Console.WriteLine("==> OnRedirectToIdentityProvider <==");

        if (parentHandler != null)
        {
            await parentHandler(context);
        }

        // The library's handler adds id_token to ResponseType for the password reset
        // policy; force the plain authorization code flow so B2C does not require the
        // implicit grant. "PasswordReset" is the reset policy name used in this app.
        if (context.ProtocolMessage.IssuerAddress.Contains("PasswordReset", StringComparison.OrdinalIgnoreCase))
        {
            context.ProtocolMessage.ResponseType = "code";
        }
    };
});
```

  2. I turned off Implicit Flow in AD B2C for this client

  3. This is the call as per the developer tools network tab:

```
Query String Parameters
    ...
    response_type: code
    ...
```

I was able to change the password.
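The diagnosis in the "Possible solution" section and the network-tab capture in the last comment both come down to one check: a redirect to the password reset policy must ask for `response_type=code` only, because any `id_token` or `token` in the response type needs the implicit grant enabled on the app registration (that is what AADB2C90057 reports). The script below is an added example, not code from the issue or from Microsoft.Identity.Web: it parses authorize URLs copied from the browser's network tab, pulls out the B2C policy and response type, and lists the policies whose redirect would fail with implicit grant disabled. The tenant name `contoso`, the policy names, the client id and the sample URLs are constructed for the example; it assumes the policy appears either as a path segment starting with `B2C_1` or in the `p` query parameter, which are the two B2C endpoint shapes.

```python
"""Classify Azure AD B2C /authorize requests by the grant they need.

Added example (not part of the original issue or of Microsoft.Identity.Web).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# response_type values the authorize endpoint can only honour when the app
# registration allows the implicit grant (a token issued straight from /authorize).
IMPLICIT_ONLY_TYPES = frozenset({"id_token", "token"})


@dataclass(frozen=True)
class AuthorizeRequest:
    policy: Optional[str]           # e.g. "B2C_1_PasswordReset", None if not found
    response_type: Tuple[str, ...]  # e.g. ("code",) or ("code", "id_token")
    needs_implicit: bool            # True: expect AADB2C90057 with implicit grant disabled


def parse_authorize_request(url: str) -> AuthorizeRequest:
    """Extract the policy and response_type from a B2C authorize URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)

    # Assumption: the policy is a path segment (.../B2C_1_xxx/oauth2/v2.0/authorize)
    # or, on the older endpoint shape, the "p" query parameter.
    policy = next((s for s in parts.path.split("/") if s.lower().startswith("b2c_1")), None)
    if policy is None and "p" in query:
        policy = query["p"][0]

    raw = query.get("response_type", [""])[0]
    response_type = tuple(sorted(raw.split()))
    needs_implicit = any(t in IMPLICIT_ONLY_TYPES for t in response_type)
    return AuthorizeRequest(policy, response_type, needs_implicit)


def grant_kind(response_type: Tuple[str, ...]) -> str:
    """Name the OAuth grant a response_type corresponds to."""
    has_code = "code" in response_type
    has_implicit = any(t in IMPLICIT_ONLY_TYPES for t in response_type)
    if has_code and has_implicit:
        return "hybrid"
    if has_implicit:
        return "implicit"
    if has_code:
        return "authorization_code"
    return "unknown"


def policies_needing_implicit(urls: List[str]) -> List[str]:
    """Return the policies (in capture order, de-duplicated) whose redirect
    would be rejected by B2C when the implicit grant is turned off."""
    seen: List[str] = []
    for url in urls:
        req = parse_authorize_request(url)
        if req.needs_implicit and req.policy and req.policy not in seen:
            seen.append(req.policy)
    return seen


# Constructed capture: tenant, policy names, client id and URLs are made up.
SAMPLE_CAPTURE = [
    # sign-up/sign-in redirect, as in the report: code only
    "https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_signupsignin1/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&scope=openid%20profile%20offline_access&response_mode=form_post"
    "&redirect_uri=https%3A%2F%2Flocalhost%3A5001%2Fsignin-oidc&nonce=n1&state=s1",
    # reset-policy redirect before the workaround: id_token added to the response type
    "https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_PasswordReset/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code%20id_token"
    "&scope=openid%20profile%20offline_access&response_mode=form_post"
    "&redirect_uri=https%3A%2F%2Flocalhost%3A5001%2Fsignin-oidc&nonce=n2&state=s2",
    # reset-policy redirect after the workaround, older endpoint shape with ?p=
    "https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize"
    "?p=B2C_1_PasswordReset&client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code&scope=openid%20profile%20offline_access&nonce=n3&state=s3",
]

if __name__ == "__main__":
    for url in SAMPLE_CAPTURE:
        req = parse_authorize_request(url)
        print(req.policy, grant_kind(req.response_type), "needs implicit" if req.needs_implicit else "ok")
    print("offending policies:", policies_needing_implicit(SAMPLE_CAPTURE))
```

Run it against the URLs from your own network tab (one per entry in the list) and the "offending policies" line tells you which policy the library is still redirecting with a hybrid or implicit response type; after the `response_type = "code"` fix above it should be empty.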