Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
MSAL 3 against B2C throws MsalServiceException AADSTS50049
See original GitHub issueWhich Version of MSAL are you using ?
<PackageReference Include="Microsoft.Identity.Client" Version="3.0.8" />
Platform
- netcoreapp2.2
What authentication flow has the issue?
- Web App, Authorization code using AAD-B2C
Is this a new or existing app? The app is in production with MSAL 2.7.0, and I have upgraded to MSAL 3.0.8 on my dev-branch
Repro
Inside my implementation of IConfigureNamedOptions<OpenIdConnectOptions>:
/// <inheritdoc />
public void Configure(string name, OpenIdConnectOptions options)
{
options.ClientId = _azureAdB2COptions.ClientId;
options.Authority = _azureAdB2COptions.Authority;
options.UseTokenLifetime = true;
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
NameClaimType = "name"
};
// hook to OpenId events
options.Events = new OpenIdConnectEvents
{
OnRedirectToIdentityProvider = OnRedirectToIdentityProviderAsync,
OnRemoteFailure = OnRemoteFailureAsync,
OnAuthorizationCodeReceived = OnAuthorizationCodeReceivedAsync
};
}
/// <summary>
/// Is called whenever B2C retrieves a new auth token.
/// </summary>
/// <param name="context">The context of the received authentication, including the code.</param>
public async Task OnAuthorizationCodeReceivedAsync(AuthorizationCodeReceivedContext context)
{
var clientApplication = ConfidentialClientApplicationBuilder
.Create(_azureAdB2COptions.ClientId)
.WithAuthority(_azureAdB2COptions.Authority, false)
.WithRedirectUri(_azureAdB2COptions.RedirectUri)
.WithClientSecret(_azureAdB2COptions.ClientSecret)
.Build();
// try to retrieve the bearer token
try
{
var result = await clientApplication.AcquireTokenByAuthorizationCode(_azureAdB2COptions.ApiScopes.Split(' '), context.ProtocolMessage.Code).ExecuteAsync();
context.HandleCodeRedemption(result.AccessToken, result.IdToken);
}
catch (Exception ex)
{
Trace.TraceError(ex.Message);
throw;
}
}
Expected behavior
When calling clientApplication.AcquireTokenByAuthorizationCode I want to receive a authentication token.
Actual behavior
Calling clientApplication.AcquireTokenByAuthorizationCode thows an MsalServiceException with the message "AADSTS50049: Unknown or invalid instance.\r\nTrace ID: 9d5948e6-486f-4ea8-b28c-21af7b681b00\r\nCorrelation ID: 3be8e81f-9bc2-45c9-bbbd-062a71a99b57\r\nTimestamp: 2019-05-21 14:48:15Z"
Possible Solution From what I’ve researched so far this issue used to be resolved by disabling the authority validation. As far as I can see I did just that. Did I miss something?
Issue Analytics
- State:
- Created 4 years ago
- Comments:10 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@devdeer-stephan : yes tokenArgs.Account.HomeAccountId.ObjectId is a good key. Or otherwise tokenArgs.Account.Identifier which concatenates the tenant Id and the object id.
@devdeer-stephan : the right way to handle the cache is to subscribe to the serialization events. Please see this PR about what’s right to do: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/pull/106
proposing to close this issue. Don’t hesitate to reopen (or open a more explicit issue) if you disagree