JWT IdToken AcquireTokenSilentAsync forceRefresh Not Updating After Edit Profile
Which Version of ADAL are you using? Microsoft.Identity.Client 2.5.0-preview
Which platform has the issue? xamarin iOS
What authentication flow has the issue?
- Desktop / Mobile
- Interactive
- Integrated Windows Auth
- Username Password
- Device code flow (browserless)
Repro
    public async Task<IIdentifiedConsumer> DisplayIdentifiedConsumerEdit(string email)
    {
        if (!_configuration.IsAuthenticationSupported)
        {
            throw new NotSupportedException("MSAL not supported on this device.");
        }

        // Run the B2C "EditProfile" policy interactively against its own authority.
        var editTask = _pca.AcquireTokenAsync(
            B2CConfig.Scopes,
            loginHint: email,
            UIBehavior.Consent,
            string.Empty,
            null,
            B2CConfig.AuthorityEditProfile,
            _uIParent);
        _analytics.TrackPage(default(EditAnalyticPage));

        // Wait for User to complete Edit
        var ar = await editTask;
        _analytics.TrackEvent(default(EditProfileEvent));
        // This result's IdToken carries the newly edited given_name/family_name.
        var edit_idc = new IdentifiedConsumer(ar);

        // Try to Update the PolicySignUpSignIn Values
        var susi_idc = await FetchIdentifiedConsumerInternal(forceRefresh: true);
        var idc = susi_idc ?? edit_idc;
        return idc;
    }

    private async Task<IIdentifiedConsumer> FetchIdentifiedConsumerInternal(bool forceRefresh = false)
    {
        // Pick the cached account that belongs to the sign-up/sign-in policy
        // (B2C keeps a separate account per policy).
        var accounts = await _pca.GetAccountsAsync();
        var account = GetAccountByPolicy(accounts, B2CConfig.PolicySignUpSignIn);

        // forceRefresh bypasses the cached token; the IdToken returned here
        // still shows the pre-edit claims, which is the problem reported.
        var ar = await _pca.AcquireTokenSilentAsync(
            B2CConfig.Scopes,
            account,
            B2CConfig.Authority,
            forceRefresh);
        return new IdentifiedConsumer(ar);
    }
Given
A User has successfully edited their Profile given_name and family_name via an “EditProfile” Policy, and an AuthenticationResult has been returned to the App with an IdToken/JWT that contains the newly edited values.
Expected behavior
A subsequent call to AcquireTokenSilentAsync with forceRefresh=true to update the “SignInSignUp” Policy should result in an AuthenticationResult that contains the newly edited given_name and family_name values in the IdToken JWT.
Actual behavior
A subsequent call to AcquireTokenSilentAsync with forceRefresh=true to update the “SignInSignUp” Policy results in an AuthenticationResult that DOES NOT contain the newly edited given_name and family_name values in the IdToken JWT.
Possible Solution
AcquireTokenSilentAsync with forceRefresh=true should force a new IdToken/JWT to be pulled from the Network with the latest values available in Active Directory.
Workaround
Remove the account(s) after edit, which will force the User to re-login. After the User logs in again, the AuthenticationResult for the “SignInSignUp” Policy will contain the newly edited given_name and family_name values in the IdToken JWT.
    // Drop the cached sign-up/sign-in account so the next call must go interactive.
    var accounts = await _pca.GetAccountsAsync();
    var account = GetAccountByPolicy(accounts, B2CConfig.PolicySignUpSignIn);
    await _pca.RemoveAsync(account);
Top GitHub Comments
@mikerunnals thanks for the additional information in email. Things look good from our library perspective, and I am waiting to hear back from B2C. Will keep you posted.
Update from B2C
Workaround: Use the refresh token for the edit-profile policy, or whichever token was used last. This will ensure the updated claims are included. They will also need to include the edit_profile policy on their server; as of now, they only have the sign-in/sign-up policy there, so in order to take RTs from edit_profile, they need to include this policy as well.
@mikerunnals Closing, as not related to MSAL, but will update here when the B2C fix is out. cc: @jmprieur @parakhj
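The B2C workaround from the thread (redeem the edit-profile policy's refresh token, the one used last, instead of the sign-up/sign-in one), written out as an added example; it is not code from the issue or from MSAL. It reuses the issue's `_pca`, `B2CConfig`, `GetAccountByPolicy` and `IdentifiedConsumer`, and assumes one extra setting, `B2CConfig.PolicyEditProfile`, holding the edit-profile policy name; per the B2C team, the server-side app registration must also include that policy for its refresh token to be accepted.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example (not from the issue or the MSAL repo). Acquires the id_token
// silently through the edit-profile policy's cached account so its refresh
// token, the one used last, issues a token with the updated claims.
// Assumption: B2CConfig.PolicyEditProfile holds the edit-profile policy name.
private async Task<IIdentifiedConsumer> FetchIdentifiedConsumerAfterEditAsync()
{
    var accounts = await _pca.GetAccountsAsync();

    // B2C caches one account (and one refresh token) per policy, so the
    // sign-up/sign-in account still yields pre-edit claims after an edit.
    var editAccount = GetAccountByPolicy(accounts, B2CConfig.PolicyEditProfile);
    if (editAccount != null)
    {
        try
        {
            var edited = await _pca.AcquireTokenSilentAsync(
                B2CConfig.Scopes,
                editAccount,
                B2CConfig.AuthorityEditProfile,
                forceRefresh: true);
            return new IdentifiedConsumer(edited);
        }
        catch (MsalUiRequiredException)
        {
            // The edit-profile refresh token could not be redeemed silently
            // (for example, the policy is missing from the server-side app
            // registration); fall through to the sign-up/sign-in account.
        }
    }

    var susiAccount = GetAccountByPolicy(accounts, B2CConfig.PolicySignUpSignIn);
    if (susiAccount == null)
    {
        // Nothing cached for either policy: the caller must sign the user in.
        throw new InvalidOperationException("No cached B2C account; interactive sign-in required.");
    }

    // Fallback path; claims here may be stale, as this issue describes.
    var ar = await _pca.AcquireTokenSilentAsync(
        B2CConfig.Scopes,
        susiAccount,
        B2CConfig.Authority,
        forceRefresh: true);
    return new IdentifiedConsumer(ar);
}
```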