
B2C UserFlow with Custom Policy

Open johnwc opened this issue 1 year ago • 5 comments

Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

2.12.4

Web app

Sign-in users and call web APIs

Web API

Protected web APIs (validating tokens)

Token cache serialization

Not Applicable

Description

We initially set up B2C using UserFlows, but we needed to extend the functionality of the login, so we are building out custom policies. We are finding that we are unable to configure a web API to use more than one policy name, so we are unable to test any custom policy with a web API that is configured for a UserFlow policy. The keys used for the UserFlow are different from the keys for the policy we created in Identity Experience Framework. How do we tell the identity framework to use multiple policy names, so that it caches all the keys and not just the UserFlow keys?

Reproduction steps

  1. Create B2C directory
  2. Configure front end web app and backend api to use UserFlow policy.
  3. Try to login to web app using Identity Experience Framework custom policy.
  4. All API calls fail with the following exception.

Error message

```text
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      Microsoft.IdentityModel Version: 6.30.0.0. Date 09/07/2023 19:30:30. PII logging is ON, do not use in production. See https://aka.ms/IdentityModel/PII for details.
      IDX10503: Signature validation failed. Token does not have a kid. Keys tried: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'X5eXk4xy....dO6QGTVBwaNk', InternalId: 'X5eXk4xy....dO6QGTVBwaNk'. , KeyId: X5eXk4xy,....dO6QGTVBwaNk
      '. Number of keys in TokenValidationParameters: '1'.
      Number of keys in Configuration: '0'.
      Exceptions caught:
       ''.
      token: '{"alg":"RS256","kid":"wN4rkbH5ixzKr...i55HKCpXg","typ":"JWT"}.{"oid":"939cc1....../v2.0/","nbf":1694111320}'. See https://aka.ms/IDX10503 for details.
```

Id Web logs

No response

Relevant code snippets

...

Regression

No response

Expected behavior

To be able to tell the API that it can authenticate against different policies with different keys.

johnwc avatar Sep 07 '23 19:09 johnwc

@johnwc : Did you try to set the "Authority" directly including the policy?

jmprieur avatar Oct 04 '23 00:10 jmprieur

@jmprieur it's not the authority; it's that the keys used to sign the token are different between the two policies.

johnwc avatar Oct 04 '23 17:10 johnwc

@johnwc the authority is also different (by the very design of B2C)

jmprieur avatar Oct 05 '23 01:10 jmprieur

I called out specifically that the signatures are failing to validate because the keys are different.

johnwc avatar Oct 05 '23 02:10 johnwc

If you are using both UserFlows and CustomPolicies, you will have to provide your own TokenValidator since, as you said, the signing keys differ.

michiproep avatar Dec 05 '23 16:12 michiproep
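As an added example (not code from this thread, from Microsoft.Identity.Web, or from its maintainers), here is one way to make an ASP.NET Core web API accept tokens issued by both a user flow and a custom policy, following the two points made above: every B2C policy has its own authority, hence its own OpenID Connect metadata document and its own signing keys, so the API registers one JwtBearer scheme per policy and picks the scheme per request instead of trying to make a single scheme hold both key sets. It uses ASP.NET Core's JwtBearer handler directly rather than `AddMicrosoftIdentityWebApi`. The tenant name, policy names, audience and the virtual scheme name `"B2C"` are placeholders; the dispatch reads the unvalidated token's `tfp` claim (falling back to `acr`), which is the claim B2C uses to carry the policy name, and that claim being present is an assumption about the tenant's policy configuration.

```csharp
// Added example, not part of the issue thread or of Microsoft.Identity.Web.
// One JwtBearer scheme per B2C policy; each scheme fetches its own metadata
// (issuer + JWKS), so the user-flow key set is never asked to validate a
// custom-policy token (the IDX10503 failure seen in the issue).
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Placeholder values (assumptions for this example).
const string Tenant = "contoso";                       // contoso.onmicrosoft.com
const string UserFlow = "B2C_1_signupsignin";          // user-flow policy name
const string CustomPolicy = "B2C_1A_signup_signin";    // Identity Experience Framework policy name
const string Audience = "00000000-0000-0000-0000-000000000000"; // this API's application (client) id
const string Dispatcher = "B2C";                       // virtual scheme that selects a real one

static string Authority(string policy) =>
    $"https://{Tenant}.b2clogin.com/{Tenant}.onmicrosoft.com/{policy}/v2.0";

static void Harden(JwtBearerOptions o, string policy)
{
    o.Authority = Authority(policy);   // metadata + signing keys come from this policy only
    o.TokenValidationParameters = new TokenValidationParameters
    {
        ValidAudience = Audience,
        ValidateIssuer = true,         // issuer is taken from the policy's metadata document
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
    };
}

builder.Services.AddAuthentication(options =>
    {
        options.DefaultScheme = Dispatcher;
        options.DefaultChallengeScheme = Dispatcher;
    })
    .AddJwtBearer(UserFlow, o => Harden(o, UserFlow))
    .AddJwtBearer(CustomPolicy, o => Harden(o, CustomPolicy))
    // The selector only peeks at the token to choose a scheme. Signature, issuer,
    // audience and lifetime are still enforced by the JwtBearer handler it forwards to.
    .AddPolicyScheme(Dispatcher, Dispatcher, options =>
    {
        options.ForwardDefaultSelector = context =>
        {
            string? header = context.Request.Headers.Authorization.FirstOrDefault();
            if (header is null ||
                !header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
                return UserFlow;       // no bearer token: the handler fails the request

            string raw = header["Bearer ".Length..].Trim();
            string? policy = null;
            try
            {
                var jwt = new JsonWebToken(raw);   // parses only; does not validate
                if (!jwt.TryGetPayloadValue("tfp", out policy))
                    jwt.TryGetPayloadValue("acr", out policy);
            }
            catch (ArgumentException)
            {
                // Not a parseable JWT: fall through and let the handler reject it.
            }

            // Forward only to a scheme we registered. A token for any other policy
            // lands on the user-flow scheme, whose key set will not match its kid,
            // so it is rejected rather than validated against a guessed authority.
            return string.Equals(policy, CustomPolicy, StringComparison.OrdinalIgnoreCase)
                ? CustomPolicy
                : UserFlow;
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Returns which policy issued the caller's token, so both paths can be tested
// from the web app without changing the API's configuration.
app.MapGet("/me", (ClaimsPrincipal user) => new
{
    policy = user.FindFirst("tfp")?.Value ?? user.FindFirst("acr")?.Value,
    oid = user.FindFirst("oid")?.Value,
}).RequireAuthorization();

app.Run();
```

The important property is that the choice of scheme only decides which metadata-backed key set performs signature validation; it never relaxes validation. If the token names a policy the API was not configured for, it is routed to a scheme whose keys cannot verify it, and the request fails with the same IDX10503 class of error as above, which is the correct outcome for a token from an unknown policy.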