Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
JWT IdToken AcquireTokenSilentAsync forceRefresh Not Updating After Edit Profile
See original GitHub issueWhich Version of ADAL are you using ? Microsoft.Identity.Client 2.5.0-preview
Which platform has the issue? xamarin iOS
What authentication flow has the issue?
- Desktop / Mobile
- Interactive
- Integrated Windows Auth
- Username Password
- Device code flow (browserless)
Repro
public async Task<IIdentifiedConsumer> DisplayIdentifiedConsumerEdit(string email)
{
if (!_configuration.IsAuthenticationSupported)
{
throw new NotSupportedException("MSAL not supported on this device.");
}
var editTask = _pca.AcquireTokenAsync(
B2CConfig.Scopes,
loginHint: email,
UIBehavior.Consent,
string.Empty,
null,
B2CConfig.AuthorityEditProfile,
_uIParent);
_analytics.TrackPage(default(EditAnalyticPage));
// Wait for User to complete Edit
var ar = await editTask;
_analytics.TrackEvent(default(EditProfileEvent));
var edit_idc = new IdentifiedConsumer(ar);
// Try to Update the PolicySignUpSignIn Values
var susi_idc = await FetchIdentifiedConsumerInternal(forceRefresh: true);
var idc = susi_idc ?? edit_idc;
return idc;
}
private async Task<IIdentifiedConsumer> FetchIdentifiedConsumerInternal(bool forceRefresh = false)
{
var accounts = await _pca.GetAccountsAsync();
var account = GetAccountByPolicy(accounts, B2CConfig.PolicySignUpSignIn);
var ar = await _pca.AcquireTokenSilentAsync(
B2CConfig.Scopes,
account,
B2CConfig.Authority,
forceRefresh);
return new IdentifiedConsumer(ar);
}
Given
A User has successfully edited their Profile given_name and family_name via an “EditProfile” Policy and an AuthenticationResult has been returned to the App with an IdToken/JWT that contains the newly edited values
Expected behavior
A subsequent call to AcquireTokenSilentAsync with forceRefresh=true to update the “SignInSignUp” Policy should result in an AuthenticationResult that contains the newly edited given_name and family_name values in the IdToken JWT.
Actual behavior
A subsequent call to AcquireTokenSilentAsync with forceRefresh=true to update the “SignInSignUp” Policy results in an AuthenticationResult that DOES NOT contain the newly edited given_name and family_name values in the IdToken JWT.
Possible Solution
AcquireTokenSilentAsync with forceRefresh=true should force a new IdToken/JWT to be pulled from the Network with that latest values available in Active Directory.
Workaround
Remove the account(s) after edit, which will force the User to re-login.
After the User logs in again, the AuthenticationResult result for the “SignInSignUp” Policy will contain the newly edited given_name and family_name values in the IdToken JWT.
var accounts = await _pca.GetAccountsAsync();
var account = GetAccountByPolicy(accounts, B2CConfig.PolicySignUpSignIn);
await _pca.RemoveAsync(account);
Issue Analytics
- State:
- Created 5 years ago
- Comments:7 (3 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@mikerunnals thanks for the additional information in email. Things look good from our library perspective, and am waiting to hear back from B2C. Will keep you posted.
Update from B2C
Workaround: Use the refresh token for the edit-profile policy, or which ever token was used last. This will ensure the updated claims are included. They will also need to include on their server the edit_profile policy, as of now, they only have sign-in/sign-up policy there, so in order to take RTs from edit_profile, they need to include this policy as well.
@mikerunnals Closing, as not related to MSAL, but will update here when the B2C fix is out. cc: @jmprieur @parakhj