In regard to OpenID Connect and the MSAL library, what should the correct behaviour be if you request incorrect scopes, i.e. incorrectly spelt, or non-existent scopes?
We're testing this with Azure AD B2C and a React website using MSAL and when we try to acquire the token we simply get an empty result. Is this the correct behaviour or should we get an error?
In case an invalid scope is requested an Azure AD B2C error (such as AADB2C90117 or AADB2C90205) should be thrown. Sometimes immediately after hitting the authorize endpoint while others after credentials have been submited.
Ensure logging and error handling are properly set up.
Related
The goal is to have an application, running on the user's computer authenticated as either themselves or a service principal, that can perform Azure resource management operations and Key Vault secret (data plane) operations.
So far, the resource operations are working fine with the management.azure.com audience, but the Key Vault data operations naturally fail with an error
Invalid audience. Expected https://vault.azure.net, found: https://management.azure.com
I've pored over the docs but it's not entirely clear to me if it's possible to have a single token for both audiences? Here, e.g., it suggests you can simply request multiple scopes, but other sources seem to say they must be for the same resource?
Several of MSAL's token acquisition methods require a scopes parameter. The scopes parameter is a list of strings that declare the desired permissions and the resources requested.
A single token would vastly simplify the application, similar to how ADAL used to work.
You cannot acquire one token for multiple audiences in AAD. This is not supported for token acquisition and also not by the actual services. This is not a MSAL limitation, ADAL cannot do this either. ADAL might request/store multiple tokens internally. You need to manage multiple tokens in this case.
Everything documented by Venkatesan is correct, just giving it a bit more context as an explanation.
See also https://github.com/MicrosoftDocs/azure-docs/issues/82875
I tried to reproduce in my environment and got below results:
Invalid audience. Expected
https://vault.azure.net , found: https://management.azure.com
The above error refers that audience of your token to call Azure Keyvault REST API you need to call the audience with https://vault.azure.net
I tried with postman to get token in my environment, ensure you have Registered AD application and keyvault with right process.
Before that check your Azure Keyvault policy and secrets to ensure that no Authorized application is chosen, and use a service principle rather than an application to access the secret.
When I tried with scope https://management.azure.com in postman and got access token.
Then I copied the token to call the REST API to set secret.I got similar error.
When I tried with scope https://vault.azure.net I got an output sucessfully.
Then I copied the token and called API & set secret, it will work fine.
When I decoded token i'm getting aud with jwt.ms
Reference:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
Issue statement:
The session should be present in Azure b2c as the session timeout is configured as 86400 seconds(1 day) in the custom policy “error=interaction_required&error_description=AADB2C90077%3a+User+does+not+have+an+existing+session+and+request+prompt+parameter+has+a+value+of+%27None%27.”
meaning user should be able to authenticate without prompting for interactions but it is not.
On the fiddler trace, there is no error returned
Please check with the following points:
Please check if tenant Id value is correctly given without a mistake
and check if correct scopes are given. If it is to call a web api
make sure to provide complete scope this way:
https://{tenantname or id}.onmicrosoft.com/api/read
Please check if you are trying to call microsof t graph api with
scope for it. see AADB2C90077 - Stack
Overflow which says graph api cant be accessed by b2c /local
only users ,as graph API is accessible for standard Azure AD users
or applications.
It may also be due to session expiry.So after setting the expiry
or token life time also try changing lifetimes access token ,
refresh token .Try to reauthenticate / let the user login as it
initially tries to get cached token.
Try to get a token non interactive way try silent calls with
acquireTokenSilent.
this.application
.acquireTokenSilent('https://{tenant}.onmicrosoft.com/api/read')
msal-js nteractive request-prompt-behavior
As a part of workaround try to turn on the block-third party cookies
for the browser to make sure not to block third-party cookies and
check again.Disable later if not required.
References:
prerequisites to use MS Graph API, and interact with resources in your Azure AD B2C tenant
SO reference
I've set up Azure B2C for my application. It has both a backend, and a SPA style frontend, and am looking to use both for some of the auth work I have to do. This means that I need to enable both of them to suit my workflow.
But the issue with this is that, on web apps the redirect URIs (shown below) are sent as https://localhost.com/account#id_token=xxxxxx when I expect them to be https://localhost.com/account?code=xxxxxx for webapps!
B2C differentiates b/w WebApps (server tech) and SPA apps (as shown below), so I expect B2C to serve the appropriate token types (the # type for SPA, and the ? query type for webapp). Instead, I get the #id_token=xxxx for the webapp when Access Tokens is enabled in the Implicit Grant options above. Why is this the case?
I currently got around the issue by disabling Access Tokens in the Implicit Grant. What am I misunderstanding here?
I've looked at this, but doesn't answer my question as to why B2C is using the wrong token type.
When you use “run now”, we detect if implicit flow is enabled and use it by default. It’s useful since you can then see the token straight away.
When you use your app code, the response_type will be we to code, so it will respond with the auth code. Or otherwise disable implicit flow on the App Registration if you want to test your apps reply url with auth code as the response mode. Or just edit the Run Now url manually.
I'm trying to execute a REST API call in SharePoint Online. For this, I wanted to see if I can register an app in Azure AD. I believe I was able to do so and I'm able to get back a token. However, upon executing the GET request Postman always throws {"error_description":"Invalid issuer or signature."}in the body of the response.
Here're the screenshots detailing everything:
Don't mind the Postman variable {{TenantID}}. That's not the issue, I also tried with the writte-out tenant ID - doesn't make a difference.
So what I was unsure about at first was the 'Scope' parameter in the "GET NEW ACCESS TOKEN" in Postman. I tried various scopes, for example
'Sites.FullControl.All' or 'https://microsoft.sharepoint-df.com/.default'. But that didn't change the outcome. Still, is the scope I set correct for SharePoint REST API? I know that for the Microsoft Graph 'https://graph.microsoft.com/.default' works.
I also tried different app permissions, not just
'Sites.FullControl.All'
Do you have any idea what the cause of the error might be?
Thanks.
The sharepoint permission Sites.FullControl.All is of type Application.
For this type of permission you MUST use the client_credential flow.
The Client Credentials grant is used when applications request an
access token to access their own resources, not on behalf of a user.
Try to call the auth url with:
grant_type=client_credentials
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx
Otherwise if you want to access the Sharepoint on behalf of the user change the permission type to delegated
I made a custom policy for Azure B2C, added jwt.ms as a reply URL and everything seems to be working fine. When I log in, I get redirected to jwt.ms showing the token and it's contents. However when I try to link my angular frontend to this custom policy, it does not seem to work. In need the response type id_token token, but when I use this response type I get the error "This application does not have sufficient permissions against this web resource to perform the operation."
When I use the response type id_token it seems to work fine and I get a reply with the JWT token.
I thought the problem might be in the Implicit grant settings under applications, so I have tried enabling Access tokens and ID tokens for all applications but this did not help.
Implicit grant settings
The request looks as follows:
https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize
?p=b2c_1a_signup_signin&client_id={client_id}
&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2F&response_type=id_token%20token
&scope=openid%20https%3A%2F%2F{tenant}.onmicrosoft.com%2Fapi%2Fuser_impersonation
&nonce={nonce}
&state={state}
So if you replace the characters it looks like this:
https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize
?p=b2c_1a_signup_signin&client_id={client_id}
&redirect_uri=http://localhost:4200/&response_type=id_token token
&scope=openid https://{tenant}.onmicrosoft.com/api/user_impersonation
&nonce={nonce}
&state={state}
I expect the login flow to return both the JWT ID token and an access token.
Edit:
I created a whole new B2C tenant with a standard Signupsignin user flow and I still experience the same issues. So I concluded that it is not a custom policy issue, but an issue caused by a configuration in Azure or the front-end application.
After a lot of experiment I come to know about your problem. I guess you are not trying in a right format. Even I don't know which document you are refereed to. Okay the first problem is...
You are getting this error "This application does not have sufficient permissions against this web resource to perform the operation"
Reason
You have not set API access in your target application on azure portal. To achieve that you have add API access on your application.
Let say you have two Published scopes on your B2C tenant application like below:
Create API Access
To avoid above error Add API access. To do that , go to your application select API access after that you will see a Add button on top. click and right side API access window will be open just click Ok. See the below screen shot:
After successful API Access It should looks like below
Note: Hope It will solve your error while you are trying to send request.
B2C id_token and Access Token
Follow the below steps for Id_token
ID Token Access Process
https://YourB2CTenant.b2clogin.com/tfp/YourB2CTenant.onmicrosoft.com/YourPolicy/oauth2/v2.0/authorize?
client_id= YourApplicationId
&redirect_uri= Your reply from Application
&scope=openid
&response_type=id_token
Take a look below at Id_token:
Note: Just fill out the above format and paste at your browser with no space between. If is it correct then a sign in page will be
prompted. After sign in you will be given id_token on your browser.
B2C Access Token
Follow the below format In POSTMAN:
Grant Type:authorization_code
Callback URL: Your Reply URL
AuthURL:https://YourTenant.b2clogin.com/YourTenant.onmicrosoft.com/YourFlow/PolicyName/oauth2/v2.0/authorize?
Access Token URL:
https://YourTenant.b2clogin.com/YourTenant.onmicrosoft.com/oauth2/v2.0/token?p=YourFlow/PolicyName
Client ID: Your Application Id
Client Secret = Application Key
Scope= any of your Published scopes
Post Man request Process
Go to postman and click on Authorization Tab and Select type as OAuth 2.0 See the below screen shot:
For getting access token click on Get New Access Token You will be prompt following window fill out it with above mentioned format.
After hitting Request Token button you will be prompted a sign in window after successful login you will get access_token in response. Like below:
Note: In B2C there is no supported way to get `Id-Token and access_token together in a single request. You have to achieve it in
separate request. For more details you could refer here
If you still have any problem please feel free to share here in comment. Thank you and happy coding!