I am using https://github.com/Azure-Samples/active-directory-b2c-ios-swift-native-msal and can go thru the interactive login flow fully, but I never get the tokens properly back. When I do a Run Flow on the policy in AD B2C portal I get the tokens back when I redirect to jwt.ms.
I have enabled the verbose and pii logging as well. The authority url is resolving properly.
I have enabled both Access token and ID Token for the implicit flow in the azure portal as well. I have tried passing in a blank array of scopes as well as 'openid'/etc and that tells me that those are reserved and not to pass in.
If I had the token, I plan to hit azure functions (not graph like in the sample).
Any help would be greatly appreciated as I have spent a lot of time researching this. I saw on a stackoverflow thread that "msal" was incorrect in the documentation and to update to msauth.clientid://auth, which I have also tried to no avail.
I am logging in as a local account that was previously created.
%# TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:00] Requiring default broker type due to app being built with iOS 13 SDK
%# TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:00 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] -[MSALPublicClientApplication acquireTokenWithParameters:(
)
extraScopesToConsent:(null)
account:(null)
loginHint:(null)
promptType:MSALPromptTypeSelectAccount
extraQueryParameters:(null)
authority:<MSALB2CAuthority: 0x600000b100e0>
webviewType:MSALWebviewTypeSafariViewController
customWebview:No
correlationId:(null)
capabilities:(null)
claimsRequest:(null)]
%# TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:00 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] Beginning interactive flow.
%# TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:00 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] Resolving authority: https://......b2clogin.com/tfp/......onmicrosoft.com/B2C_1_tes_sign_up_and_sign_in, upn: (null)
%# TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:00 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] Resolved authority, validated: NO, error: 0
%# TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:00] Start background app task with type 0
Received callback!
Received callback!
Received callback!
Received callback!
Received callback!
msauth.com.microsoft.identity.client.sample.msaliosb2c://auth/?state=REJEQTM3MDAtMUNGMC00MEVGLTkwRTMtRUU0NDUxOTIxNjgy&client_info=eyJ1aWQiOiI5MmMyMWFmZS04MmRmLTQyZmQtOGQxZC1kOTM5MzIxNzJiZjgtYjJjXzFfdGVzX3NpZ25fdXBfYW5kX3NpZ25faW4iLCJ1dGlkIjoiYzc5OTBkMTAtN2RkMy00Y2MxLTg0NDAtYmFlNjM3NmYzZjdkIn0&code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMCIsInppcCI6IkRlZmxhdGUiLCJzZXIiOiIxLjAifQ..utC9PGZsSCucrxsi.YX7_K2EsSN0FC7xmbBuiih9kpX_kiiAfk18ttdcf1fgzbJdpxtlKE45LDow49h-CTu4BeNLCGeUD4ZPPUqEs6zrahnRppXbxpkEZFejllpumfjaCI6Au0BUWjRWX_ChHSTPY2d2C6X0rNpWSp9mvRDKwQlR-4f-jBzqpHGwGJhSTI2eO4dXE1P_wJJ0tAE5BVARbnb5bEPY6RMCpcXHDakGhcaQzBqXsmGIKuZASWOKGKgB-k-aXj2wB-DuprEIK168Gmvy41IO20C9kGtYpezcFtbEeH-yp53nu-2pdw8dxV3IVpECyQzYw3mVL0_wb0LsMN4dHonHqnXcjdghxSv1X75Haz_HRyisZTZ0bCHEx-4IN8mkEokIvJG54zM5DY36ZgIbJEUGhmx_dJinphRqjD13utQAhVyrHjA1_oGnPVZ_RJJh2pL_MRPaaWrj3kbcpudxjvPwdA9OIur6t71BIVA-uAbnMn-J6ORlbuPhQT4p-6XDC1h068huqjKgCEWADoIFzH7Hd8gOHjrc-Nc0EXY33ln_NXz9pYLtde-WhTC4O_gmE36Hw4p_4cD0_FfyWb57sfb_5GUllhkZKJWVfxa2V7WD28whVlEn0ksbkMbedBsuhcX0.di8cR8t0DcTKLlPvfJrLZQ
%# TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09] Stop background task with type 0
%# TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] No cached preferred_network for authority
%# TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] Sending network request: (not-null), headers: (not-null)
%# TID=31634 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09] session:didReceiveChallenge:completionHandler - nsurlauthenticationmethodservertrust. Host: ........b2clogin.com. Previous challenge failure count: 0
%# TID=31638 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] Received network response: (not-null), error (null)
%# TID=31638 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] Parsed response: (not-null), error (null), error domain: (null), error code: 0
%# TID=31638 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] Unsuccessful token response, error Error Domain=MSIDErrorDomain Code=-51100 "(null)" UserInfo={MSIDCorrelationIdKey=FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0, MSIDErrorDescriptionKey=Authentication response received without expected accessToken}
%# TID=31638 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] Interactive flow finished result (null), error: -51100 error domain: MSIDErrorDomain
%# TID=31638 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] acquireToken returning with error: (MSALErrorDomain, -50000) Authentication response received without expected accessToken
The resolution to this issue is one that I want to post for others as it could really use some improvement in the documentation or error codes. I don't think it only applies to Azure Function apis.
In the azure b2c portal, if you run the signin flow, your browser will show scope of openid (might have had profile as well). So, you would think that when using MSAL, you would pass this as a scope as well. If you do, you get an error message stating that openid and profile are reserved scopes that MSAL manages and to not pass them in.
You would think that is great, it is handled for you, and is not causing an issue where you are not getting your tokens and to move on and look for other issues... whereby leaving the scopes as a blank array. You may not even need a special scope or permission in your api to restrict users.
However, it ended up that if you go to "expose an api" in the azure b2c tenant area, it will state that you must create at least one custom scope and at least one permission and that you must request at least one custom scope. Also, you must set an App ID URI. Create a custom scope, pass it in thru MSAL, and you get your token.
So you don't need a custom scope or have specified an App ID Uri when running the flow from azure portal, but you do if you are using MSAL. There must be a reason for this but it doesn't really make sense to me at the moment.
Hope this helps someone.
You could get both Access token and ID Token with implicit flow. If you get id_token but not access_token, check response_type to contain token, not just id_token.
Note: make sure add the scope format like this: https://YOUR_TENANT.onmicrosoft.com/api/user_impersonation
GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize?
client_id=xxxxxxx
&response_type=id_token+token
&redirect_uri=xxxxx
&response_mode=fragment
&scope=openid%20offline_access%20https%3A%2F%2F{tenant}.onmicrosoft.com%2Fxxxx%2Fuser_impersonation
&state=123456
&nonce=12345
The answer did help me get on the right path, but the problem was a bit different.
I used the following scopes:
https://tenantname.onmicrosoft.com/APINAME/write
https://tenantname.onmicrosoft.com/APINAME/read
I implemented this in the following way:
kScopes =
["https://tenantname.onmicrosoft.com/(String(describing:
kAPI))/write", "https://tenantname.onmicrosoft.com/(String(describing:
kAPI))/read"]
This did not work because it made the following string "https://tenantname.onmicrosoft.com("APINAME")/read".
stackoverflow removes a couple of \ in between there but you get the point.
Related
I am trying to use Google as an identity provider in an ADB2C SignInSignUp userflow, consumed within a React Native app through a WebView.
When I am testing this I am hitting an error that I cannot seem to find the cause of. Upon signing up with google I receive the following response object:
{"canGoBack": true, "canGoForward": false, "loading": false, "target": 99, "title": "Loading...", "url": "https://TENANT.b2clogin.com/TENANT.onmicrosoft.com/oauth2/authresp?state=StateProperties%3DeyJTSUQiOiJ4LW1zLWNwaW0tcmM6NjIxMDMyYTYtZTVlZC00OTJkLTg1NmMtMTAzYzg3Mzc0YmE3IiwiVElEIjoiZDM5ZTgwY2MtNzJlNy00ZGE5LWJjODYtMGRjZGNlN2Q1MDZlIiwiVE9JRCI6IjRkOTkyMzhiLTBhOGEtNGU0Ny1hYTRkLTk5NTZiYTY3NmE5YyJ9&code=4%2F0AX4XfWhrpKK2DDX58pFTHkb_U2e8SvGnLrPvhI4grUn5ojA5R-q7q4KjcdS1tO4DYemuWQ&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&authuser=0&prompt=none#"}
Typically I would receive the fully formatted token back in this response, which I then use for server side validation. This works when signing up with Apple and as a B2C user when pressing 'Sign up now' on the userflow.
The token returned in this is not formatted correctly and doesn't follow 'code=' in the response url as I usually get when signing in or up through the other methods, and therefore throws an error of :'AADB2C90090: The provided JWE is not a valid 5 segment token.' when trying to parse what follows StateProperties.
Does anybody know why Google would not return a valid token in the same way that Apple/Microsoft do when signing up?
Any help would be greatly appreciated
Please check few workarounds:
Try to include client id in scope along with other scopes
2.Try mentionin Response_mode=form_post in auth request
In some cases its working with other versions , so try Msal version 4.32. see Issue · GitHub
According to sign-in with a Google account - Azure AD B2C | Microsoft Docs make sure to create app registered in google’s console
Also note from the same document and this blog:
References:
jwt - Azure AD B2C - Token validation does not work - Stack Overflow
Azure Active Directory B2C - Authorization code encoding issue
(microsoft.com)
Looking for some answer. First time using Azure AD for authentication on ASP.Net Core and we have registered the app on azure for both my local and Dev-Server. Its working running on my laptop but after deploying to Dev server and changing the Client ID Value, it keeps giving me this error
*SecurityTokenInvalidSignatureException: IDX10511: Signature validation failed. Keys tried: 'System.Text.StringBuilder'.
kid: 'System.String'.
Exceptions caught:
'System.Text.StringBuilder'.
token: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'.
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(string token, TokenValidationParameters validationParameters)
Exception: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler.HandleRequestAsync()*
Thank you in advance.
Danny
Thank you #User 45323833 posting your suggestion as an answer to help other community members.
" Solution from Microsoft: This problem caused due to your app registration:
May you have defined a scope from Graph API: User.Read User.ReadBasic.All Mail.Read
If a scope will be set from Graph API, the token can just be validated from Graph!
You can see that in jwt.io. If the aud is like "00000003-0000-0000-c000-000000000000" the token is from Graph.
To solve the problem please follow the below steps :
To protect our own custom API, you have to register an application to represent it on Azure AD and obtain an access_token/id_token for it.
Section - Expose an API: Create a new scope: name = access_as_user
Section - API permissions: Add a new permission for your registered application and your scope access_as_user
Section - Manifest: Change entry "accessTokenAcceptedVersion" from null to 2
Check the new token from azure with jwt.io. If the aud is equal the registered application id the token can be successfully validated."
For more information please refer this GitHub issue IDX10511: Signature validation failed. Keys tried: & Microsoft Documentation: Azure AD authentication with ASP.Net core web application
I have an app that displays user's instagram media(like some of the dating apps).
Also, my app has been reviewed successfully for permissions - instagram_graph_user_profile and instagram_graph_user_media and is in live mode.
But in the Facebook Developer Console, the instagram icon is not turning up green.
Please refer the screenshot.
https://drive.google.com/open?id=1VnMHLqjTf1oRbvcm2g8Ol80AfB3JqMOg
Flow to display the media is as follows.
1. My app ask users to authorize using
https://api.instagram.com/oauth/authorize?client_id=instagram-app-id&redirect_uri=redirect_uri&scope=scope&response_type=code&state=state
2. Above api responds with a code.Then backend calls -
https://api.instagram.com/oauth/access_token
with params - client_id, client_secret, code, grant_type, redirect_uri
3. Once I receive token from above API, I request long lived token from short-lived token using -
https://graph.instagram.com/access_token?grant_type=ig_exchange_token&client_secret=xyz&access_token=abc
4. Using the long lived token, server requests user info using API -
https://graph.instagram.com/me?fields=id,username&access_token=abc
5. Using the same long lived token, server makes request to get user media using API -
https://graph.instagram.com/me/media?fields=id,media_type,media_url,username,caption,timestamp&access_token=abc
This flow works only for test users(Instagram test users who accepted invitation of being a tester in Instagram Developer Platform).
When non-test user tries to view media, on step 3, I get an error saying -
{ "error": {
"message": "Unsupported get request.",
"type": "IGApiException",
"code": 100,
"fbtrace_id": "A0A24rNXCScki9Ck-8J_55b" } }
Am I missing something?
This is how I see my Business API Settings.
Please refer the screenshot.
https://drive.google.com/open?id=1Dfdihf20krEcYEmoh8z43_a1T5UQStXr
Under my App review section, I do not see any relevant permission that needs to be reviewed again.
Edit 1 -
Note - My app is in beta mode (not yet live on play store).
Could this be the reason?
I just went through a similar process getting my app ready for the old API to officially depreciate. I finally found this— hope it helps:
https://developers.facebook.com/community/threads/2219648518091109/
"After your app has been approved, you can get the contract from your Business Manager. You need to do it on a Computer (mobile wont work) and have to be an Admin on the Business.
From your business Manager you just go to Business Info -> Business Contract (https://business.facebook.com/settings/info)
Please, let us others if this answer helped you!"
Thanks to Juanu for sharing!
I’m using MS ADAL for login authentication in ionic 3.
Plugin: https://ionicframework.com/docs/v3/native/ms-adal/
Login screen appearing , when i'm login, its sending issue,
getting error :
"AADSTS50020: We are unable to issue tokens from this api version for a Microsoft account. Please contact the application vendor as they need to use version 2.0 of the protocol to support this."
code:
authContext.acquireTokenAsync(‘https://graph.windows.net’, ‘4324dsad-b5c3’, ‘http://localhost:8000’,"","")
.then((authResponse: AuthenticationResult) => {
console.log(‘Token is’ , authResponse.accessToken);
console.log(‘Token will expire on’, authResponse.expiresOn);
})
.catch((e: any) => console.log(‘Authentication failed’, e));
According to the error, you may login with a personal Microsoft account. But Azure AD authentication library (ADAL) uses v1.0 endpoint, it does not allow personal Microsoft account to sign in, the v1.0 endpoint allows only work and school accounts to sign in to your application.
See this link:https://learn.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison#who-can-sign-in
I have an Azure App service secured by Active Directory authentication
I can successfully get tokens for Active Directory users that will authorise access requests to an API secured on the 'azurewebsites.net' domain
I wish to use B2C so people can sign up
I have created a B2C tenant, added API 'user_impersonation' scopes and granted access
I log in to the B2C tenant on my native app and receive a token
Unlike the AAD token, this one does NOT grant access to the secure API mentioned above
This is debug output returned in my Visual Studio instance when logging into the B2C account, confirming a token is being returned
Info (False) MSAL 2.7.1.0 MSAL.Xamarin.iOS 12.2 [04/30/2019 20:15:01 - bbc5a55f-7c7a-4cf0-ac5a-ed39a614f17f] Checking client info returned from the server..
Info (False) MSAL 2.7.1.0 MSAL.Xamarin.iOS 12.2 [04/30/2019 20:15:01 - bbc5a55f-7c7a-4cf0-ac5a-ed39a614f17f] Saving Token Response to cache..
Info (False) MSAL 2.7.1.0 MSAL.Xamarin.iOS 12.2 [04/30/2019 20:15:01 - bbc5a55f-7c7a-4cf0-ac5a-ed39a614f17f] Looking for scopes for the authority in the cache which intersect with https://alfretonb2c.onmicrosoft.com/backends/user_impersonation
Info (False) MSAL 2.7.1.0 MSAL.Xamarin.iOS 12.2 [04/30/2019 20:15:01 - bbc5a55f-7c7a-4cf0-ac5a-ed39a614f17f] Intersecting scope entries count - 0
Info (False) MSAL 2.7.1.0 MSAL.Xamarin.iOS 12.2 [04/30/2019 20:15:01 - bbc5a55f-7c7a-4cf0-ac5a-ed39a614f17f] Matching entries after filtering by user - 0
Info (False) MSAL 2.7.1.0 MSAL.Xamarin.iOS 12.2 [04/30/2019 20:15:01 - bbc5a55f-7c7a-4cf0-ac5a-ed39a614f17f] Saving RT in cache...
Info (False) MSAL 2.7.1.0 MSAL.Xamarin.iOS 12.2 [04/30/2019 20:15:01 - bbc5a55f-7c7a-4cf0-ac5a-ed39a614f17f] === Token Acquisition finished successfully. An access token was returned with Expiration Time: 04/30/2019 21:15:01 +00:00 ===
The expected result is a token from the B2C directory that I can then use to send secure requests to an API secured by Active Directory authentication at App service level
Instead, I am simply receiving
You do not have permission to view this directory or page.