
[Bug] Url for getting token from B2C is wrong, causes 404

Open arthuronoszko opened this issue 2 years ago • 2 comments

Library version used

4.56, 4.57

.NET version

.NET 6

Scenario

ConfidentialClient - service to service (AcquireTokenForClient)

Is this a new or an existing app?

The app is in production, and I have upgraded to a new version of MSAL

Issue description and reproduction steps

Up until 4.56.0 we have been acquiring tokens by this method:

var app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithB2CAuthority(authority)
            .Build();

var result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
return result.AccessToken;

where authority is https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token.

When upgrading to 4.56.0, the error we are getting is 404 due to the url looking like this: https://login.microsoft.com/{TENANT_ID}/oauth2/v2.0/oauth2/v2.0/token

Are we using the wrong format of the authority or is this a bug? We are unsure whether we are using this correctly or not.

Relevant code snippets

No response

Expected behavior

No response

Identity provider

Azure B2C Basic Policy

Regression

4.55.0

Solution and workarounds

No response

arthuronoszko avatar Oct 25 '23 07:10 arthuronoszko

What you have is a token endpoint. B2C authority should look like https://{your-tenant-name}.b2clogin.com/tfp/{your-tenant-ID}/{policyname} and AAD authority like https://login.microsoftonline.com/<tenant>/.

B2C authorities: https://learn.microsoft.com/en-us/entra/msal/dotnet/acquiring-tokens/desktop-mobile/social-identities
Azure AD authorities: https://learn.microsoft.com/en-us/entra/identity-platform/msal-client-application-configuration#authority

We refactored that code. It may have worked because the user-provided authority was rebuilt from the segments and the ending was not used.

I think we can update the code to properly create an authority if a token endpoint is passed in (probably preferred) or throw an exception for a malformed authority.

pmaytak avatar Oct 26 '23 03:10 pmaytak
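As an added illustration (not code from the MSAL.NET repository or from either commenter), the C# below puts the two authority shapes from this thread side by side and adds a small guard that rejects a token-endpoint URL before the confidential client is built, so the misconfiguration surfaces at startup as a clear exception rather than as a 404 at token acquisition. The AuthorityGuard helper, its logic, and the placeholder tenant, client and policy values are assumptions made for this example; the MSAL builder calls are the ones already used in the thread.

```csharp
using System;
using Microsoft.Identity.Client;

// Hypothetical helper written for this example; it is not part of MSAL.NET.
public static class AuthorityGuard
{
    // An authority is the tenant/issuer base URL, not a protocol endpoint.
    // MSAL appends the endpoint path itself, so passing a URL that already ends
    // in the token or authorize path yields a doubled path and a 404, as reported.
    public static string RequireAuthority(string candidate)
    {
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out var uri)
            || uri.Scheme != Uri.UriSchemeHttps)
        {
            throw new ArgumentException(
                $"Authority must be an absolute https URL, got '{candidate}'.");
        }

        var path = uri.AbsolutePath.TrimEnd('/');
        if (path.EndsWith("/oauth2/v2.0/token", StringComparison.OrdinalIgnoreCase)
            || path.EndsWith("/oauth2/v2.0/authorize", StringComparison.OrdinalIgnoreCase))
        {
            throw new ArgumentException(
                $"'{candidate}' is a protocol endpoint, not an authority. " +
                "Use https://{tenant-name}.b2clogin.com/tfp/{tenant-id}/{policy} for B2C " +
                "or https://login.microsoftonline.com/{tenant}/ for Entra ID.");
        }

        return candidate;
    }
}

public static class Example
{
    // Constructed placeholder values; substitute your own tenant's settings and
    // load the secret from a secure store rather than from source.
    private const string ClientId = "00000000-0000-0000-0000-000000000000";
    private const string ClientSecret = "<client-secret-from-secure-store>";
    private const string TenantId = "11111111-1111-1111-1111-111111111111";

    // The misconfiguration from the issue: a token endpoint used as the authority.
    public const string TokenEndpointMistake =
        "https://login.microsoftonline.com/" + TenantId + "/oauth2/v2.0/token";

    // The B2C authority shape given in the maintainer's reply (placeholder names).
    public const string B2CAuthority =
        "https://contoso.b2clogin.com/tfp/" + TenantId + "/B2C_1_signupsignin";

    // Builds the confidential client only after the authority passes the guard.
    public static IConfidentialClientApplication Build(string authority)
    {
        return ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithB2CAuthority(AuthorityGuard.RequireAuthority(authority))
            .Build();
    }

    // Offline demonstration: no token request is made, only the guard runs.
    public static void Main()
    {
        foreach (var authority in new[] { TokenEndpointMistake, B2CAuthority })
        {
            try
            {
                AuthorityGuard.RequireAuthority(authority);
                Console.WriteLine($"accepted: {authority}");
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine($"rejected: {ex.Message}");
            }
        }
    }
}
```

Running Main prints one rejected line for the token-endpoint URL and one accepted line for the B2C authority; the same guard can sit in front of WithAuthority for an Entra ID tenant, where the correct value is the https://login.microsoftonline.com/{tenant}/ base given in the reply.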

Thank you for your reply @pmaytak and sorry for my late reply!

It's good to know that we have been using it somewhat wrongly. The solution we went with was instead to pass the TenantId instead of the authority; is that the "right" approach, do you think?

var app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithTenantId(b2cTenantId)
            .Build();

var result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
return result.AccessToken;

arthuronoszko avatar Nov 03 '23 14:11 arthuronoszko