
AccessToken empty after upgrading to 2.2.0 for ADB2C


Please follow the issue template below. Failure to do so will result in a delay in answering your question.

Library

  • msal@1.x.x or @azure/msal@1.x.x
  • @azure/msal-browser@2.2.0
  • @azure/msal-angular@0.x.x
  • @azure/msal-angular@1.x.x
  • @azure/msal-angularjs@1.x.x

Important: Please fill in your exact version number above, e.g. msal@1.1.3.

Framework

Description

After updating to v2.2.0 from v2.1.0 and trying to login using my ADB2C account, the accessToken is not present for either loginRedirect or acquireTokenSilent and I get stuck in a loop of always trying to login.

Using the same code, I have no issues with my ADB2C (Azure AD) app.

Side note: This error is still happening, even though it’s been said it should be fixed: "BrowserAuthError: interaction_in_progress: Interaction is currently in progress. Please ensure that this interaction has been completed before calling an interactive API."

Error Message


Security

  • Is this issue security related?

Regression

  • Did this behavior work before? Version:

MSAL Configuration


loginRequest = {
    scopes: ["openid", "profile", "offline_access"]
}

Reproduction steps

Call loginRedirect with your AuthorizationUrlRequest that has scopes on it, sign in with ADB2C account and in your handleRedirectPromise the accessToken is empty.

Expected behavior

Token should be returned as before

Browsers/Environment

  • Chrome
  • Firefox
  • Edge
  • Safari
  • IE
  • Other (Please add browser name here)

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 5
  • Comments: 66 (2 by maintainers)

Top GitHub Comments

6 reactions
tnorling commented, Oct 9, 2020

Update: When exchanging a refresh token for a new access token the server will only respond with an access token for the scopes that were requested when obtaining that refresh token. This was by design but we are going to work with the server team to see if this behavior can be changed. Full disclosure: it will probably take some time to decide on and implement a fix.

The reason it appeared to work in a previous version was because acquireTokenSilent falls back to ssoSilent when the refresh fails and ssoSilent goes through the full flow of getting and exchanging an Auth Code for new tokens (this is what was succeeding, not the exchange of the refresh token). When we updated the refresh flow to include scopes openid and profile, the refresh succeeded with a refreshed id_token and silently rejected the access token scope since it was not included in the initial request.

So now that we understand the behavior, this is the workaround until we have a more concrete solution for B2C: Call loginRedirect or loginPopup with your first set of scopes. acquireTokenSilent should succeed until you need a different set of scopes. When you need a 2nd set of scopes you can call ssoSilent in environments where 3rd party cookies are not blocked (i.e. not Safari or Chrome Incognito browsers) or acquireTokenRedirect/acquireTokenPopup if calling ssoSilent is not possible. Afterwards acquireTokenSilent should succeed for the next hour for both sets of scopes, as they will be cached. Unfortunately, once a token expires you will likely experience this problem again and you’ll need to call one of the Auth Code APIs again.

I know this isn’t an ideal solution but I hope it will unblock you for the time being.
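The fallback chain the comment above describes, written out as an added example (not code from the MSAL project or from the issue's participants). It assumes a client object exposing the @azure/msal-browser methods acquireTokenSilent, ssoSilent and acquireTokenRedirect, and a request of the shape { scopes }; the stub client and the "api://example-api/read" scope are constructed stand-ins that imitate the B2C behaviour reported in the issue.

```javascript
// Added example: helper applying the B2C workaround (silent -> ssoSilent -> redirect).
// `client` is assumed to expose the @azure/msal-browser methods named below; the
// stub further down is constructed to mimic the refresh-token behaviour in the issue.

async function acquireAccessToken(client, request, { thirdPartyCookiesBlocked = false } = {}) {
  // Silent path: the refresh may renew only the id_token and hand back an empty
  // accessToken when the scope was not part of the original login request.
  const silent = await client.acquireTokenSilent(request);
  if (silent && silent.accessToken) {
    return { source: "acquireTokenSilent", accessToken: silent.accessToken };
  }
  // ssoSilent runs a fresh auth-code exchange in a hidden iframe, which does
  // issue the new scope set, but needs 3rd-party cookies (not Safari/Incognito).
  if (!thirdPartyCookiesBlocked) {
    const sso = await client.ssoSilent(request);
    if (sso && sso.accessToken) {
      return { source: "ssoSilent", accessToken: sso.accessToken };
    }
  }
  // Last resort: interactive auth-code flow. The redirect navigates away, so the
  // token arrives later through handleRedirectPromise, not from this call.
  await client.acquireTokenRedirect(request);
  return { source: "acquireTokenRedirect", accessToken: null };
}

// Constructed stand-in for PublicClientApplication: a refresh only yields an
// access token for the scopes the refresh token was first issued for.
function makeStubClient(initialScopes) {
  const issued = new Set(initialScopes);
  const calls = [];
  const covered = (scopes) => scopes.every((s) => issued.has(s));
  return {
    calls,
    async acquireTokenSilent({ scopes }) {
      calls.push("acquireTokenSilent");
      return { idToken: "stub-id", accessToken: covered(scopes) ? "stub-at:" + scopes.join(" ") : "" };
    },
    async ssoSilent({ scopes }) {
      calls.push("ssoSilent");
      scopes.forEach((s) => issued.add(s)); // new tokens are now cached for these scopes
      return { idToken: "stub-id", accessToken: "stub-at:" + scopes.join(" ") };
    },
    async acquireTokenRedirect() {
      calls.push("acquireTokenRedirect"); // returns nothing; the real page would navigate
    },
  };
}
```

Treat an empty accessToken from acquireTokenSilent as the signal to escalate, rather than retrying the silent call, which is what produced the login loop in the issue.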

4 reactions
zzzachzzz commented, Feb 4, 2021

@digitalcraftco This solution also worked for me. Either the client ID, or a custom scope can be used. I’m using B2C to secure access to an API, so I created a custom scope for a separate registered app for the API.
https://docs.microsoft.com/en-us/azure/active-directory-b2c/access-tokens#scopes
