microsoft-identity-web: [Bug] AADB2C90088: The provided grant has not been issued for this endpoint after Reset Password

Which version of Microsoft Identity Web are you using? Note that to get help, you need to run the latest version.

Where is the issue?

  • Web app
    • Sign-in users
    • Sign-in users and call web APIs
  • Web API
    • Protected web APIs (validating tokens)
    • Protected web APIs (validating scopes)
    • Protected web APIs call downstream web APIs
  • Token cache serialization
    • In-memory caches
    • Session caches
    • Distributed caches
  • Other (please describe) User is sent to MicrosoftIdentity/Account/Error after resetting password.

Is this a new or an existing app?

This is a new app. I reproduced the error in a clean slate web app.

Repro: Included clean slate web app that is exhibiting the behavior. TestApplication.zip

Expected behavior: Once the user has reset their password, they should be redirected to the login screen to log in with the new password.

Actual behavior: The user is redirected to the MicrosoftIdentity/Account/Error page on the app, which results in a 404 error. An exception is logged stating:

MSAL.NetCore.4.21.1.0.MsalUiRequiredException: 
	ErrorCode: invalid_grant
Microsoft.Identity.Client.MsalUiRequiredException: AADB2C90088: The provided grant has not been issued for this endpoint. Actual Value : B2C_1_SA_SignupSignin and Expected Value : B2C_1_SA_ResetPassword

These are the packages I am referencing


    <PackageReference Include="Microsoft.Identity.Web" Version="1.2.0" />
    <PackageReference Include="Microsoft.Identity.Web.UI" Version="1.2.0" />


About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 19

Most upvoted comments

@jennyf19 I do occasionally use Microsoft.Graph “downstream” hence the client secret in the AzureAdB2C section. To avoid triggering the default behaviour I have now moved the secret to a separate section of appsettings.json.

Thank you for your support in getting to the bottom of this one!

@jennyf19 I can reproduce this & have sent you an email with further details.

@quisitive-crogers oh, interesting. I’ll check w/our B2C team as well. I wasn’t aware of changes made there. Thanks for noticing that, you’re right, that could be the issue. I’ll check back tomorrow w/you.

@jennyf19 yup. I can confirm that the problem occurs when using that template.

@jennyf19 Yes, that much works. The problem appears when I add the DownstreamAPI pieces as shown.


    services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAdB2C"))
        .EnableTokenAcquisitionToCallDownstreamApi(new string[] { "https://randomtenant.onmicrosoft.com/myapp-uat/access" })
        .AddInMemoryTokenCaches();

I pulled down this repo and referenced it directly and can confirm that this is being thrown by the code here, not by the userflow.

@quisitive-crogers thanks for the additional info. Like I said, I wasn’t able to repro it, but will look into this more. Seems related to this issue but we’ve since fixed it. I’ll take a look. Thanks again.