Incorrect access token for API scope when using a personal Microsoft account
Library
- @azure/msal-browser@2.1.0
- @azure/msal-common@1.2.0
Framework
AngularJS 1.6.1
Description
Setup:
- Frontend SPA (AngularJS) and a backend. Both access Graph APIs on behalf of the user.
- 1 Azure app.
- API scope under “Expose an API” in Azure (e.g. api://1ae23a84-215a-4bd5-ae99-d54f1b7b211a/access_as_user).
In the browser, login with:
```javascript
msal.acquireTokenPopup({
  prompt: 'select_account',
  redirectUri: "https://local.com/redirect_microsoft.html",
  scopes: ["profile", "email", "openid", "offline_access", "user.read", "files.readwrite.all"],
  // Get consent for this scope, but it won't be included in the access token
  extraScopesToConsent: ["api://1ae23a84-215a-4bd5-ae99-d54f1b7b211a/access_as_user"]
})
```
This works correctly so far for personal and business Microsoft accounts.
Next, try to get an access token for the API scope. The returned token will be passed to our API, which uses the OBO flow to exchange it for its own access and refresh token. We store the refresh token for future use.
```javascript
msal.acquireTokenSilent({
  scopes: ["api://1ae23a84-215a-4bd5-ae99-d54f1b7b211a/access_as_user"],
  account: account // from the result of acquireTokenPopup()
})
```
In @azure/msal-browser 2.0.2 this step would fail for personal Microsoft accounts with the error `ClientAuthError: null_or_empty_id_token: The idToken is null or empty`. It succeeds in 2.1.0 even though the id token is not present. It works for non-personal Microsoft accounts in both versions, and includes an id token. I don’t know why personal accounts do not get an id token here.
The access token is then passed to our API to perform the OBO flow. It works for non-personal Microsoft accounts, but fails for personal accounts with the error:
```json
{
  "error": "invalid_request",
  "error_description": "AADSTS90023: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type.\r\nTrace ID: 32db7dc0-ab90-4a03-94bc-69522f919100\r\nCorrelation ID: 3b10fa8d-0527-4cad-a459-206f4086a731\r\nTimestamp: 2020-08-26 07:27:14Z",
  "error_codes": [
    90023
  ],
  "timestamp": "2020-08-26 07:27:14Z",
  "trace_id": "32db7dc0-ab90-4a03-94bc-69522f919100",
  "correlation_id": "3b10fa8d-0527-4cad-a459-206f4086a731"
}
```
Regression
Did not work in 2.0.2.
MSAL Configuration
```javascript
new PublicClientApplication({
  auth: {
    clientId: "<<client id here>>",
  },
  cache: {
    cacheLocation: "sessionStorage",
    storeAuthStateInCookie: false,
  }
})
```
Expected behavior
`acquireTokenSilent` should return an access token that is valid when used in the OBO flow for personal Microsoft accounts.
I’m not sure if this is actually a bug in MSAL. It may be a problem somewhere else with personal Microsoft accounts, or perhaps we aren’t using the OAuth APIs correctly.
Browsers/Environment
- Chrome
Issue occurs with multiple personal Microsoft accounts.
Issue does not occur in testing with non-personal accounts across several different tenants.
Issue Analytics: created 3 years ago; 14 comments (4 by maintainers).
Yup, for the issue you ran into. Per OIDC if you want a refresh token you need to request it, so certainly that’s the more standards-based way of making this work.
@jviney thanks for raising the issue. We believe this is an issue with the AAD service and we’ve raised this issue with that team. We’ll let you know when we have further information.
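The backend half of the flow the issue describes (the API redeeming the SPA's token with the on-behalf-of grant, and requesting a refresh token as the maintainer's comment suggests) is not shown in the thread. The following is an added example, not code from the issue, from MSAL or from the Azure AD service. It assumes a Node.js backend with a client secret, uses the v2.0 token endpoint parameters documented for the OBO grant, and treats the `tid` value `9188040d-6c67-4c5b-b112-36a304b66dad` as the well-known consumer (personal account) tenant for diagnostics only. The fake `fetch`, the sample token and the sample error body are constructed for the example; the error body mirrors the shape of the one quoted in the issue.

```javascript
// Added example: backend OBO exchange for the token the SPA obtained for
// api://<app-id>/access_as_user. Not code from the issue or from MSAL.

const TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
// Assumption for the diagnostic below: well-known tenant id seen in the `tid`
// claim of tokens issued to personal Microsoft accounts.
const MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad";
// Error code quoted in the issue ("Cross-origin token redemption ...").
const CROSS_ORIGIN_REDEMPTION_CODE = 90023;

// Decode a JWT payload WITHOUT verifying it. Diagnostics only: the API must
// still validate signature, issuer, audience and expiry before trusting claims.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

function isPersonalAccountToken(token) {
  return decodeJwtPayload(token).tid === MSA_TENANT_ID;
}

// Build the OBO request body. offline_access is added to the requested scope
// because, per OIDC, a refresh token must be asked for explicitly.
function buildOboRequestBody({ clientId, clientSecret, assertion, scopes, wantRefreshToken = true }) {
  const scope = new Set(scopes);
  if (wantRefreshToken) scope.add("offline_access");
  return new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    client_id: clientId,
    client_secret: clientSecret,
    assertion, // the access token received from the SPA
    scope: [...scope].join(" "),
    requested_token_use: "on_behalf_of",
  });
}

// Classify the token endpoint's JSON reply into a success or a typed failure,
// flagging the AADSTS90023 case so the API can log it with the correlation id.
function classifyTokenResponse(json) {
  if (json.access_token) {
    return {
      ok: true,
      accessToken: json.access_token,
      refreshToken: json.refresh_token ?? null,
      expiresIn: json.expires_in ?? null,
    };
  }
  const codes = json.error_codes ?? [];
  return {
    ok: false,
    error: json.error ?? "unknown",
    codes,
    crossOriginRedemption: codes.includes(CROSS_ORIGIN_REDEMPTION_CODE),
    correlationId: json.correlation_id ?? null,
  };
}

// Perform the exchange. fetchImpl is injected so this runs offline with a
// fake; in production pass the global fetch.
async function exchangeOnBehalfOf(params, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(TOKEN_ENDPOINT, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildOboRequestBody(params),
  });
  const result = classifyTokenResponse(await res.json());
  result.personalAccount = isPersonalAccountToken(params.assertion);
  return result;
}

// --- constructed sample data (not real tokens, not a real AAD response) ---
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}
const SAMPLE_MSA_TOKEN = [
  b64url({ alg: "none", typ: "JWT" }),
  b64url({ aud: "api://example-app", tid: MSA_TENANT_ID, scp: "access_as_user" }),
  "",
].join(".");
const SAMPLE_ERROR_RESPONSE = {
  error: "invalid_request",
  error_description: "AADSTS90023: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type.",
  error_codes: [90023],
  correlation_id: "00000000-0000-0000-0000-000000000000",
};
const fakeFetch = async () => ({ json: async () => SAMPLE_ERROR_RESPONSE });

// Drives the exchange against the fake endpoint and returns the classification.
async function demo() {
  return exchangeOnBehalfOf({
    clientId: "<<client id here>>",
    clientSecret: "<<client secret here>>",
    assertion: SAMPLE_MSA_TOKEN,
    scopes: ["https://graph.microsoft.com/User.Read"],
  }, fakeFetch);
}
```

Run `demo()` to see the 90023 case classified with `personalAccount: true`; swap `fakeFetch` for the real `fetch` and a real incoming token to perform the live exchange. Keeping the exchange behind an injected `fetch` and a pure `classifyTokenResponse` also makes the failure path unit-testable without hitting the token endpoint.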