B2C & PCA: Missing scopes in token

See original GitHub issue

MSAL 4.35.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise

Issue: Everything runs fine when getting the token, but no scopes are in the token according to jwt.ms.

Note: "signInAudience": "AzureADandPersonalMicrosoftAccount" is on for everything.

Am I doing something wrong?



MSAL Info True True MSAL 4.35.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [22.69 - <logid>] 
=== Request Data ===
Authority Provided? - True
Client Id - <DesktopClientid>
Scopes - https://<B2CTenant>.onmicrosoft.com/<APIid>/read https://<B2CTenant>.onmicrosoft.com/<APIid>/write
Redirect Uri - msal<DesktopClientid>://auth
Extra Query Params Keys (space separated) - 
ClaimsAndClientCapabilities - 
Authority - https://<B2CTenant>.b2clogin.com/tfp/<B2CTenant>.onmicrosoft.com/B2C_1_SignUpOrIn/
ApiId - AcquireTokenInteractive
IsConfidentialClient - False
SendX5C - False
LoginHint - 
IsBrokerConfigured - False
HomeAccountId - 
CorrelationId - <logid>

MSAL Info True True MSAL 4.35.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [22.70 - <logid>] === Token Acquisition (InteractiveRequest) started:
	Authority: https://<B2CTenant>.b2clogin.com/tfp/<B2CTenant>.onmicrosoft.com/B2C_1_SignUpOrIn/
	Scope: https://<B2CTenant>.onmicrosoft.com/<APIid>/read https://<B2CTenant>.onmicrosoft.com/<APIid>/write
	ClientId: <DesktopClientid>
	
  [22.70 - <logid>] [Instance Discovery] Skipping Instance discovery for non-AAD authority. 
  [22.70 - <logid>] Using legacy embedded browser.
  [38.77 - <logid>] [Legacy WebView] Redirect URI was reached. Stopping WebView navigation...
  [38.79 - <logid>] An authorization code was retrieved from the /authorize endpoint. 
  [38.79 - <logid>] Exchanging the auth code for tokens. 
  [38.80 - <logid>] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: Embedded
ExtraScopesToConsent: 
Prompt: select_account
HasCustomWebUi: False

  [40.54 - <logid>] Checking client info returned from the server..
  [40.54 - <logid>] Saving token response to cache..
  [40.56 - <logid>] Subject not present in Id token. 
  [40.56 - <logid>] Saving AT in cache and removing overlapping ATs...
  [40.56 - <logid>] Looking for scopes for the authority in the cache which intersect with https://<B2CTenant>.onmicrosoft.com/<APIid>/read https://<B2CTenant>.onmicrosoft.com/<APIid>/write
  [40.56 - <logid>] Intersecting scope entries count - 0
  [40.56 - <logid>] Matching entries after filtering by user - 0
  [40.56 - <logid>] Saving Id Token and Account in cache ...
  [40.56 - <logid>] Saving RT in cache...
MSAL Info True True MSAL 4.35.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [40.57 - <logid>] Fetched access token from host <B2CTenant>.b2clogin.com. Endpoint https://<B2CTenant>.b2clogin.com/tfp/<B2CTenant>.onmicrosoft.com/b2c_1_signuporin/. 
  [40.57 - <logid>] 
	=== Token Acquisition finished successfully:
MSAL Info True True MSAL 4.35.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [40.57 - <logid>]  AT expiration time: 31/08/2021 1:55:40 AM +00:00, scopes https://<B2CTenant>.onmicrosoft.com/<APIid>/write https://<B2CTenant>.onmicrosoft.com/<APIid>/read source IdentityProvider from https://<B2CTenant>.b2clogin.com/tfp/<B2CTenant>.onmicrosoft.com/b2c_1_signuporin/ appHashCode 45562078

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 5 (1 by maintainers)

Top GitHub Comments

1 reaction
RhomGit commented, Sep 7, 2021

Never mind, I found the problem. I was using the wrong property on AuthResult (idToken instead of AccessToken).
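
An added example (not part of the original thread and not MSAL code) of a check that surfaces the mix-up described in the comment above: it decodes a token's claims the way jwt.ms does and reports whether it is the ID token or an access token carrying the requested scopes. The client and API ids and all claim values are constructed, and it assumes B2C lists granted scopes as short names in a space-separated `scp` claim on the access token only; signatures are not verified, so this is for diagnosis, not for authorizing requests.

```python
import base64
import json

CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # constructed desktop app id
API_ID = "22222222-2222-2222-2222-222222222222"     # constructed web API app id


def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    segment = parts[1]
    padded = segment + "=" * (-len(segment) % 4)  # base64url drops '=' padding
    return json.loads(base64.urlsafe_b64decode(padded))


def diagnose(jwt: str, client_id: str, api_id: str, wanted: set) -> str:
    """Say which token this is and whether it carries the wanted scopes."""
    claims = decode_claims(jwt)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    granted = set(str(claims.get("scp", "")).split())
    if client_id in audiences and not granted:
        return "id_token: issued to the client app, has no scp; use the access token"
    if api_id not in audiences:
        return f"unexpected audience: {aud!r}"
    missing = wanted - granted
    if missing:
        return "access_token missing scopes: " + " ".join(sorted(missing))
    return "access_token ok"


def sample_jwt(claims: dict) -> str:
    """Build a constructed token with a placeholder signature (sample input only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


ID_TOKEN = sample_jwt({"aud": CLIENT_ID, "tfp": "B2C_1_SignUpOrIn"})
ACCESS_TOKEN = sample_jwt({"aud": API_ID, "scp": "read write"})

if __name__ == "__main__":
    for name, tok in (("IdToken", ID_TOKEN), ("AccessToken", ACCESS_TOKEN)):
        print(name, "->", diagnose(tok, CLIENT_ID, API_ID, {"read", "write"}))
```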

1 reaction
bgavrilMS commented, Aug 31, 2021

Can you give a few more details about what you are trying to do?

  • you have a desktop app and you call AcquireTokenInteractive
  • you ask for 2 scopes, which are scopes for your own web API?
  • do the desktop app and the web api have the same client id?
  • are the desktop app and the web api defined in a B2C tenant or is one of them a non-B2C tenant (i.e. AAD tenant)
