MSAL 3 against B2C throws MsalServiceException AADSTS50049
Which version of MSAL are you using?
<PackageReference Include="Microsoft.Identity.Client" Version="3.0.8" />
Platform
- netcoreapp2.2
What authentication flow has the issue?
- Web App, Authorization code using AAD-B2C
Is this a new or existing app? The app is in production with MSAL 2.7.0, and I have upgraded to MSAL 3.0.8 on my dev-branch
Repro
Inside my implementation of IConfigureNamedOptions<OpenIdConnectOptions>:

```csharp
using System;
using System.Diagnostics;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Client;
using Microsoft.IdentityModel.Tokens;

/// <inheritdoc />
public void Configure(string name, OpenIdConnectOptions options)
{
    options.ClientId = _azureAdB2COptions.ClientId;
    options.Authority = _azureAdB2COptions.Authority;
    options.UseTokenLifetime = true;
    options.TokenValidationParameters = new TokenValidationParameters
    {
        // Note: with ValidateIssuer = false the middleware does not check the id_token issuer.
        ValidateIssuer = false,
        NameClaimType = "name"
    };
    // hook to OpenId events
    options.Events = new OpenIdConnectEvents
    {
        OnRedirectToIdentityProvider = OnRedirectToIdentityProviderAsync,
        OnRemoteFailure = OnRemoteFailureAsync,
        OnAuthorizationCodeReceived = OnAuthorizationCodeReceivedAsync
    };
}

/// <summary>
/// Is called whenever B2C returns a new authorization code.
/// </summary>
/// <param name="context">The context of the received authentication, including the code.</param>
public async Task OnAuthorizationCodeReceivedAsync(AuthorizationCodeReceivedContext context)
{
    var clientApplication = ConfidentialClientApplicationBuilder
        .Create(_azureAdB2COptions.ClientId)
        // second argument = validateAuthority; set to false here
        .WithAuthority(_azureAdB2COptions.Authority, false)
        .WithRedirectUri(_azureAdB2COptions.RedirectUri)
        .WithClientSecret(_azureAdB2COptions.ClientSecret)
        .Build();

    // try to retrieve the bearer token
    try
    {
        var result = await clientApplication
            .AcquireTokenByAuthorizationCode(_azureAdB2COptions.ApiScopes.Split(' '), context.ProtocolMessage.Code)
            .ExecuteAsync();
        // tell the OIDC middleware the code has already been redeemed so it does not redeem it again
        context.HandleCodeRedemption(result.AccessToken, result.IdToken);
    }
    catch (Exception ex)
    {
        Trace.TraceError(ex.Message);
        throw;
    }
}
```
Expected behavior
When calling clientApplication.AcquireTokenByAuthorizationCode I want to receive an authentication token.
Actual behavior
Calling clientApplication.AcquireTokenByAuthorizationCode throws an MsalServiceException with the message:
"AADSTS50049: Unknown or invalid instance.
Trace ID: 9d5948e6-486f-4ea8-b28c-21af7b681b00
Correlation ID: 3be8e81f-9bc2-45c9-bbbd-062a71a99b57
Timestamp: 2019-05-21 14:48:15Z"
Possible Solution
From what I've researched so far, this issue used to be resolved by disabling the authority validation. As far as I can see I did just that. Did I miss something?
Issue Analytics
- State:
- Created 4 years ago
- Comments: 10 (5 by maintainers)
Top GitHub Comments
@devdeer-stephan : yes tokenArgs.Account.HomeAccountId.ObjectId is a good key. Or otherwise tokenArgs.Account.Identifier which concatenates the tenant Id and the object id.
@devdeer-stephan : the right way to handle the cache is to subscribe to the serialization events. Please see this PR about what’s right to do: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/pull/106
Proposing to close this issue. Don't hesitate to reopen (or open a more explicit issue) if you disagree.
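The cache-serialization pattern the maintainer points to, written out as an added example; this is not code from the issue, from the linked PR, or from the MSAL library itself. It subscribes to the SetBeforeAccess/SetAfterAccess callbacks on the confidential client's user token cache (MSAL 3.x API names are assumed) and keys each user's serialized blob by the account's HomeAccountId.ObjectId, the key suggested in the thread. The class name PerUserMsalTokenCache, the in-memory ConcurrentDictionary store and the fallbackKey parameter are assumptions for illustration.

```csharp
using System.Collections.Concurrent;
using Microsoft.Identity.Client;

/// <summary>
/// Hypothetical per-user MSAL token cache: one serialized cache blob per signed-in user,
/// loaded and saved through the MSAL 3.x cache serialization callbacks. The static
/// dictionary stands in for a real store (distributed cache, database) in this example.
/// </summary>
public sealed class PerUserMsalTokenCache
{
    // Constructed in-memory store for the example: key = user, value = MSAL v3 cache blob.
    // A real store must protect these blobs (they contain refresh tokens).
    private static readonly ConcurrentDictionary<string, byte[]> Store =
        new ConcurrentDictionary<string, byte[]>();

    private readonly string _fallbackKey;

    /// <param name="fallbackKey">
    /// Key used when the notification carries no account, e.g. the object id read from the
    /// signed-in user's claims on a later request. Pass null on the first sign-in, where
    /// nothing has been cached for the user yet.
    /// </param>
    public PerUserMsalTokenCache(string fallbackKey)
    {
        _fallbackKey = fallbackKey;
    }

    /// <summary>Subscribe to the user token cache of a confidential client built per request.</summary>
    public void Bind(ITokenCache tokenCache)
    {
        tokenCache.SetBeforeAccess(OnBeforeAccess);
        tokenCache.SetAfterAccess(OnAfterAccess);
    }

    private string CacheKeyFor(TokenCacheNotificationArgs args)
    {
        // Prefer the home account's object id. While an authorization code is being
        // redeemed no account is known yet, so fall back to the caller-supplied key.
        return args.Account?.HomeAccountId?.ObjectId ?? _fallbackKey;
    }

    private void OnBeforeAccess(TokenCacheNotificationArgs args)
    {
        var key = CacheKeyFor(args);
        if (key != null && Store.TryGetValue(key, out var blob))
        {
            // Hydrate MSAL's in-memory cache for this user only.
            args.TokenCache.DeserializeMsalV3(blob);
        }
    }

    private void OnAfterAccess(TokenCacheNotificationArgs args)
    {
        // Only write back when MSAL actually changed the cache (token acquired or refreshed).
        if (!args.HasStateChanged)
        {
            return;
        }
        var key = CacheKeyFor(args);
        if (key != null)
        {
            Store[key] = args.TokenCache.SerializeMsalV3();
        }
    }
}

// Usage in an OnAuthorizationCodeReceived handler (assumed variable names): bind the cache
// before redeeming the code, so the result is persisted under the user's object id.
//
//   var app = ConfidentialClientApplicationBuilder.Create(clientId) /* ... */ .Build();
//   new PerUserMsalTokenCache(fallbackKey: null).Bind(app.UserTokenCache);
//   var result = await app.AcquireTokenByAuthorizationCode(scopes, code).ExecuteAsync();
//
// On later requests, pass the signed-in user's object id as fallbackKey so that
// AcquireTokenSilent can find the cached tokens for that user and no other.
```

Keying the blob per user, rather than serializing one shared cache, is what keeps one user's refresh tokens from being loaded into another user's request; whatever replaces the dictionary should be scoped the same way and encrypted at rest.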