microsoft-identity-web: [Bug] Starting release 1.11.0 authentication against Azure B2C using PKCE is broken.

Which version of Microsoft Identity Web are you using? Microsoft.Identity.Web 1.14.0

Where is the issue?

  • Web app
    • Sign-in users
    • Sign-in users and call web APIs
  • Web API
    • Protected web APIs (validating tokens)
    • Protected web APIs (validating scopes)
    • Protected web APIs call downstream web APIs
  • Token cache serialization
    • In-memory caches
    • Session caches
    • Distributed caches
  • Other (please describe)

Is this a new or an existing app? The app is in production and I have upgraded to a new version of Microsoft Identity Web.

Repro

    // Startup.ConfigureServices: OIDC sign-in against Azure AD B2C with the
    // authorization code flow and PKCE enabled.
    services
        .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApp(options =>
        {
            options.UsePkce = true;
            options.ClientId = _configuration.GetValue<string>("B2C_CLIENT_ID");
            options.Domain = $"{_configuration.GetValue<string>("B2C_TENANT_NAME")}.onmicrosoft.com";
            options.Instance = $"https://{_configuration.GetValue<string>("B2C_TENANT_NAME")}.b2clogin.com";
            options.TenantId = _configuration.GetValue<string>("B2C_TENANT_ID");
            options.SignUpSignInPolicyId = "b2c_1_signup_signin";
            options.ResetPasswordPolicyId = "b2c_1_passwordreset";
            // Pure code response type: the ASP.NET Core handler attaches the PKCE
            // code_challenge only for this response type.
            options.ResponseType = OpenIdConnectResponseType.Code;
            // Request an access token for the app itself (its own client id as scope).
            options.Scope.Add(options.ClientId);
        });

Expected behavior Successful authentication using Azure B2C PKCE capabilities.

Actual behavior Up to Microsoft.Identity.Web version 1.10.0 authentication flow works fine. After upgrading to version 1.11.0 or later, B2C throws an exception.

Possible solution Add missing querystring fields to the call to B2C

Additional context / logs / screenshots Correct set of query string parameters sent to B2C when using Microsoft.Identity.Web version 1.10.0 (screenshot):

When using later versions of Microsoft.Identity.Web, the essential fields code_challenge and code_challenge_method are no longer sent to B2C and authentication fails (screenshot).
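A guard against exactly this regression, added here as an example and not part of the issue or of Microsoft.Identity.Web: it wraps the authorize redirect event after every other handler has been registered (PostConfigure runs last for the scheme) and fails closed when the outgoing request lacks the PKCE parameters the screenshots compare. `PkceGuard`, `RequirePkce` and `AddPkceGuard` are names chosen for this example.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public static class PkceGuard
{
    // Wraps whatever OnRedirectToIdentityProvider handler is already installed
    // (Microsoft.Identity.Web registers its own) and inspects the final
    // authorize request only after all of them have run.
    public static void RequirePkce(this OpenIdConnectOptions options)
    {
        options.Events ??= new OpenIdConnectEvents();
        var inner = options.Events.OnRedirectToIdentityProvider;
        options.Events.OnRedirectToIdentityProvider = async context =>
        {
            await inner(context);

            // Nothing to check if PKCE was never requested, if a handler
            // short-circuited the redirect, or for non-code response types
            // (the ASP.NET Core handler only attaches PKCE to response_type=code).
            var message = context.ProtocolMessage;
            if (!options.UsePkce || context.Handled ||
                message.ResponseType != OpenIdConnectResponseType.Code)
                return;

            var challenge = message.GetParameter("code_challenge");
            var method = message.GetParameter("code_challenge_method");
            if (string.IsNullOrEmpty(challenge) || method != "S256")
            {
                // Fail closed: without code_challenge the request either fails at
                // B2C, as the issue describes, or silently downgrades to a plain
                // authorization code exchange with no code-interception protection.
                throw new InvalidOperationException(
                    "Authorize request lacks PKCE parameters " +
                    $"(code_challenge={challenge ?? "<absent>"}, " +
                    $"code_challenge_method={method ?? "<absent>"}).");
            }
        };
    }

    // Call after AddMicrosoftIdentityWebApp(...) in ConfigureServices, e.g.
    //   services.AddPkceGuard();
    public static IServiceCollection AddPkceGuard(this IServiceCollection services) =>
        services.PostConfigure<OpenIdConnectOptions>(
            OpenIdConnectDefaults.AuthenticationScheme, o => o.RequirePkce());
}
```

The thrown exception surfaces during the challenge, so a broken build fails its first sign-in attempt in test rather than producing a confusing error page from B2C.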

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 20

Most upvoted comments

@tedvanderveen @edwin-traffk So I spent the time needed to investigate what happens.

Analysis

To come back to the original issue, PKCE will only be used, indeed, if

options.ResponseType = OpenIdConnectResponseType.Code; or options.ResponseType = OpenIdConnectResponseType.CodeIdToken;

but this seems to provoke a token validation error in ASP.NET Core / Identity.Model. There were a lot of moving parts since 1.10, among which a strong validation (to avoid security issues).

Workaround

To work around this issue, just enable token acquisition (even if you don't use it). Add the last 2 lines in the code snippet below in your Startup.cs.

    services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApp(Configuration, "AzureAdB2C")
        // Enabling token acquisition (plus a token cache) restores the working flow.
        .EnableTokenAcquisitionToCallDownstreamApi()
        .AddInMemoryTokenCaches();

If you have questions about blazorwasm

If you have questions about blazorwasm, please ask them on the ASP.NET Core repo, as Microsoft.AspNetCore.Components.WebAssembly is managed from there: https://github.com/aspnet/aspnetcore

If you want

@jmprieur - apologies for the delay on a repro. Starting anew with a clean .NET 5 latest release (5.0.302 SDK), I was able to use the .NET 5 blazorwasm template with --auth B2C, adding a few scopes to the request (in Program.cs), and get id, refresh and access tokens using auth-code/PKCE from the B2C endpoint configured as a SPA redirect with 'public client' and NO selection for 'id token' or 'access token' in the portal. @tedvanderveen (thanks again as well for the pointer w.r.t. portal config), no client secret required.

    edwin@mcl-u1:~/working/dotnet/wasm-b2c-2$ dotnet --info
    .NET SDK (reflecting any global.json):
     Version:   5.0.302
     Commit:    c005824e35

    Runtime Environment:
     OS Name:     ubuntu
     OS Version:  20.04
     OS Platform: Linux
     RID:         ubuntu.20.04-x64
     Base Path:   /usr/share/dotnet/sdk/5.0.302/

    Host (useful for support):
      Version: 5.0.8
      Commit:  35964c9215

    .NET SDKs installed:
      3.0.103 [/usr/share/dotnet/sdk]
      3.1.411 [/usr/share/dotnet/sdk]
      5.0.302 [/usr/share/dotnet/sdk]

    .NET runtimes installed:
      Microsoft.AspNetCore.App 3.0.3 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
      Microsoft.AspNetCore.App 3.1.17 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
      Microsoft.AspNetCore.App 5.0.8 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
      Microsoft.NETCore.App 3.0.3 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
      Microsoft.NETCore.App 3.1.17 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
      Microsoft.NETCore.App 5.0.8 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
