microsoft-identity-web: B2C password reset fails for confidential client not configured to support implicit flow
Which version of Microsoft Identity Web are you using? Note that to get help, you need to run the latest version. Microsoft Identity Web 1.2.0
Where is the issue?
- Web app
- Sign-in users
- Sign-in users and call web APIs
- Web API
- Protected web APIs (validating tokens)
- Protected web APIs (validating scopes)
- Protected web APIs call downstream web APIs
- Token cache serialization
- In-memory caches
- Session caches
- Distributed caches
- Other (please describe)
Is this a new or an existing app? App under development
Repro
- Configure an application in B2C which does not support implicit flow
- Use `dotnet new webapp --auth IndividualB2C` to scaffold the app, updating package references to 1.2.0
- Configure with the B2C application defined above (clientId and secret)
- Include `<a href="/MicrosoftIdentity/Account/signin/OpenIdConnect">Sign In</a>` in index.html
- Set logging at `Debug` level
- Run app and click link
- Click `Forgot Your Password?`
Expected behavior: The B2C Reset Password screen
Actual behavior: Debug output reporting error: 'unauthorized_client', error_description: 'AADB2C90057: The provided application is not configured to allow the 'OAuth' Implicit flow.'
Possible solution
- The problem is that the `authorize` call to the password reset policy includes `id_token` in `ResponseType`, whereas the signupsignin policy does not.
- Enabling implicit flow does provide a workaround, but this is undesirable given that the implicit flow is disappearing.
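The following is an added example of the workaround the report points at, not code from the issue or from the Microsoft.Identity.Web project: it wraps the `OnRedirectToIdentityProvider` handler that the library installs and, whenever the redirect targets the reset-password policy, overrides the response type with `code` so B2C is never asked for an implicit-flow `id_token`. It assumes the scheme wiring produced by `dotnet new webapp --auth IndividualB2C` (an `AzureAdB2C` configuration section containing the `ResetPasswordPolicyId` key, the default `OpenIdConnect` scheme, and `Microsoft.Identity.Web.UI` for the account controller) and that the library's own handler runs first because it was registered first; those names are assumptions, as is the detail that 1.2.0's handler is what puts `id_token` into the reset redirect.

```csharp
// Added example (not the issue's or the library's own code).
// Workaround for Microsoft.Identity.Web 1.2.0: force response_type=code on the
// reset-password redirect so the B2C app can keep implicit flow disabled.
// Assumed: config section "AzureAdB2C" with "ResetPasswordPolicyId", default
// OpenID Connect scheme, Microsoft.Identity.Web.UI for /MicrosoftIdentity/Account.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Standard scaffolded B2C wiring: authorization code flow with a client
        // secret (confidential client), OpenID Connect as the challenge scheme.
        services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAdB2C"));

        // The reset-password policy name from the same section the library binds
        // (assumed key name; it is the MicrosoftIdentityOptions.ResetPasswordPolicyId setting).
        string resetPolicy = Configuration.GetSection("AzureAdB2C")["ResetPasswordPolicyId"];

        // Registered after the library, so this Configure action runs after the
        // library's own and can wrap the handler it installed.
        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            var inner = options.Events.OnRedirectToIdentityProvider;

            options.Events.OnRedirectToIdentityProvider = async context =>
            {
                // Let the library swap the policy into IssuerAddress first.
                if (inner != null)
                {
                    await inner(context);
                }

                OpenIdConnectMessage msg = context.ProtocolMessage;
                bool isResetPasswordRedirect =
                    !string.IsNullOrEmpty(resetPolicy) &&
                    !string.IsNullOrEmpty(msg.IssuerAddress) &&
                    msg.IssuerAddress.IndexOf(resetPolicy, StringComparison.OrdinalIgnoreCase) >= 0;

                if (isResetPasswordRedirect)
                {
                    // Same response type the sign-up/sign-in policy already uses:
                    // only a code leaves the authorize endpoint, redeemed server-side
                    // with the client secret; no token travels through the browser.
                    msg.ResponseType = OpenIdConnectResponseType.Code;
                }
            };
        });

        services.AddRazorPages().AddMicrosoftIdentityUI();
    }
}
```

To confirm the workaround is taking effect, click `Forgot Your Password?` with Debug logging on and check the authorize request for the reset policy in the browser's network tab: it should carry `response_type=code` and B2C should no longer answer with AADB2C90057. Keeping the B2C app's implicit grant switched off is the point of doing it this way rather than enabling implicit flow in the portal.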
About this issue
- State: closed
- Created 4 years ago
- Comments: 21
@jmprieur No need to reopen.
@jennyf19 proposing to fix this one. In the `OnRedirectToIdentityProvider` callback we should change the test to use `code` when the `IssuerAddress.Contains(microsoftIdentityOptions.ResetPasswordPolicyId)`
@jmprieur, @jennyf19 It does work just providing `code`. This is what I did: I turned off Implicit Flow in AD B2C for this client.
This is the call as per the developer tools network tab:
I was able to change the password.