
HC 12.16 #/oauth includes fragment which is not an allowable redirect uri for Azure AD B2C

Open eginwong opened this issue 2 years ago • 10 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Describe the bug

The effect: the access token is not able to be fetched from BCP because the redirect uri is not in the allowable list of uris as configured by Azure AD B2C.

We are using Azure AD B2C and it does not allow having the # symbol in the allowed redirect uris, specifically when the signinaudience is AzureADandPersonalMicrosoftAccount for the oauth2 implicit flow.

And if we can't put the #/oauth uri in the allowed redirect uri list, Azure AD will not allow BCP to receive the token.

Image of the Azure AD B2C error

Affects HC 12.16, but not 12.15.* due to new major version of BCP.

Steps to reproduce

  1. Boot up a C# project running 12.16 of HotChocolate.
  2. Navigate to the graphql endpoint and try to authenticate by clicking the gear icon.
  3. Under authentication, select OAuth2 -> Implicit.
  4. Note that the Redirect URL is hardcoded and not allowed to be changed.

Using Azure AD B2C App Registration, the redirect uri cannot contain a fragment uri if the signinaudience value is AzureADandPersonalMicrosoftAccount. If it is AzureADMyOrg, then the fragment uri is acceptable.

Allowed settings for signinaudience: AzureADMultipleOrgs, AzureADMyOrg, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount

Relevant log output

No response

Additional Context?

As per discussion in #announcements on Jan 6, 2023.

Product

Hot Chocolate

Version

12.16.*

eginwong avatar Jan 06 '23 14:01 eginwong

This affects Authorization Code flow as well due to redirectUrl being the same

Is there any way to config the redirect?

zyofeng avatar Feb 20 '23 22:02 zyofeng

We plan to also allow /graphql/oauth which would help. But the redirect urls must be on the same endpoint. Otherwise BCP cannot capture it. At the moment we use the # routing because it is the most flexible.

PascalSenn avatar Feb 20 '23 22:02 PascalSenn

Is there an interim solution while we wait for the change? Any ETA?

zyofeng avatar Feb 21 '23 00:02 zyofeng

Hmm yeah I was wondering why this suddenly stopped working.

@PascalSenn This does not feel like an enhancement, it's a regression.

onionhammer avatar Mar 06 '23 21:03 onionhammer

@onionhammer One thing that I don't quite understand is how this worked for you previously on the web. I mean, we opened up a popup for authorization, then we redirected you to the IDP. After the redirection, the reference to the window should have lost control because of a change in origin. This is a standard security measure implemented by browsers. I am confused as to how you were able to observe the window of another origin.

PascalSenn avatar Mar 07 '23 01:03 PascalSenn

@PascalSenn I'm not sure exactly what you're asking. Not sure where the Banana Cake Pop source is (if it's open source), but I assume at some point the "#/oauth" was added to the redirect URL for OAuth, and in the B2C settings if you leave the authorized redirect URLs as "youraddress/graphql/" without the "#/oauth", the 'fetching' will just spin forever after you successfully log in, never actually retrieving the bearer token from the auth window.

Adding "#/oauth" as an authorized redirect URL is not permitted in B2C.

What we used to do is open BCP at localhost/graphql/, and the redirect url used to just be localhost/graphql/, which worked just fine with B2C, then at version 12.16+, BCP's expected redirect url was changed to localhost/graphql/#/oauth and that broke things.

onionhammer avatar Mar 07 '23 01:03 onionhammer

Was hoping that the desktop version didn't have this issue, but it looks like there's no redirect path at all? Is there a workaround for this other than using Postman?

onionhammer avatar Mar 17 '23 19:03 onionhammer

@onionhammer See this

What we used to do is open BCP at localhost/graphql/, and the redirect url used to just be localhost/graphql/, which worked just fine with B2C, then at version 12.16+, BCP's expected redirect url was changed to localhost/graphql/#/oauth and that broke things.

surprises me. This must be a special case for the local host origin. After using window.open, the reference to window.href should no longer be accessible.

Was hoping that the desktop version didn't have this issue, but it looks like there's no redirect path at all? Is there a workaround for this other than using Postman?

The redirect URL is not specified in the desktop app because there we have more options. In other words, you can pick any redirect URL and it will work.

We are currently testing a fix for the web version. If everything goes well, it will be available in the next BCP version next week.

PascalSenn avatar Mar 17 '23 23:03 PascalSenn

Is there any update on this issue? I assume not everything went well and the release is delayed but not being able to work with BCP when using Azure AD is a shame, the OAuth integration was great and sets BCP apart from other Playgrounds.

bartdebever avatar Apr 12 '23 12:04 bartdebever

I'm also having problems with OAUTH2 and the Implicit mode using Microsoft Entra External ID (successor to B2C). On trying to fetch a token, a new BCP window opens, which has the access_token stuck in the URL, like https://localhost:7029/graphql/#access_token=eyJ0eXAiOiJKV1Q....... If inspected with https://jwt.ms the token is valid and it is also accepted by my backend. Still, the functionality seems not to be working, as I would expect that I would NOT need to manually copy the token from the URL, switch to Bearer auth mode and paste the token there....

mdddev avatar Mar 22 '24 09:03 mdddev
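The thread turns on two mechanics: the implicit flow hands the access token back in the URL fragment (the `#access_token=...` shape mdddev describes), and the page that opened the popup can only read that fragment while the popup is on its own origin (the point PascalSenn raises). The following is an added illustration, not Banana Cake Pop's code; the URLs, state value and token string are constructed samples.

```javascript
// Added example, not Banana Cake Pop's implementation. Runs in a browser or Node;
// URL and URLSearchParams are globals in both.

// Parse an OAuth2 implicit-flow response delivered in the fragment of a redirect URL,
// e.g. https://localhost:7029/graphql/#access_token=...&token_type=Bearer&state=...
// The fragment never leaves the browser (it is not sent to the server), which is
// why the client page itself has to extract the token.
// Returns { ok: true, token, tokenType, expiresIn } or { ok: false, error }.
function parseImplicitResponse(redirectedUrl, expectedState) {
  const url = new URL(redirectedUrl);
  const params = new URLSearchParams(url.hash.replace(/^#/, ''));

  // The identity provider reports failures in the same fragment.
  if (params.has('error')) {
    return {
      ok: false,
      error: params.get('error'),
      description: params.get('error_description') || '',
    };
  }
  // Only accept a token whose state matches the one this client generated;
  // a missing or foreign state means the response was not for this request.
  if (params.get('state') !== expectedState) {
    return { ok: false, error: 'state_mismatch' };
  }
  const token = params.get('access_token');
  if (!token) {
    return { ok: false, error: 'missing_access_token' };
  }
  return {
    ok: true,
    token,
    tokenType: params.get('token_type') || 'Bearer',
    expiresIn: Number(params.get('expires_in') || 0),
  };
}

// An opener may read popup.location (and thus the fragment) only while the popup is
// same-origin with it: same scheme, host and port. Once the popup has been sent to
// the identity provider, any access throws until it is redirected back to this origin.
function openerCanReadPopupLocation(openerUrl, redirectUri) {
  return new URL(openerUrl).origin === new URL(redirectUri).origin;
}
```

This is why the redirect URI must land back on the same origin as the playground: a redirect to any other host leaves the opener with no way to read the token out of the popup.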