Only one version of refresh token is being used for any scope.
Core Library
MSAL.js v2 (@azure/msal-browser)
Core Library Version
2.14.1
Wrapper Library
Not Applicable
Wrapper Library Version
None
Description
We are using an Azure B2C custom policy with a RESTful technical profile to get additional claims. Our SPA uses multiple scopes and access tokens to access the WebAPIs. While generating these tokens silently, the MSAL library redeems the refresh token generated in the last token request. However, it is not considering/validating the scope while redeeming the refresh token. Only one version of the refresh token is maintained in the cache, and the same one is being used for generating the token silently for any scope. This is causing a problem in our application flow, as the generated token (claims) doesn’t belong to the requested token.
Ex:
1. Generate access token for scope1
   i. access_token_scope1
   ii. refresh_token
   iii. Claims in access token: 1. scope1_claim1 2. scope2_claim2
2. Generate access token for scope2 (MSAL uses the refresh_token generated in 1ii above)
   i. access_token_scope2
   ii. refresh_token (replacing the previous one)
   iii. Claims in access token: 1. scope1_claim1 2. scope2_claim2
Step 2 should get claims for scope2 (scope2_claim1, scope2_claim2).
I got the following comment from the Microsoft support team when I raised this with them:
In B2C you cannot exchange a refresh token for another with a scope different from the one you got it for. B2C refresh tokens, unlike AAD refresh tokens, are single-resource refresh tokens. Unfortunately, the OBO flow is not supported in B2C, so your only recourse seems to be to trigger another authorization code request and exchange that for a different scope access and refresh token pair.
Error Message
Generating a token with wrong claims in it.
Msal Logs
No response
MSAL Configuration
{
  auth: {
    clientId: <APPLICATION_CLIENT_ID>,
    authority: <AUTHORITY_URL_WITH_POLICY>,
    redirectUri: window.location.origin,
    protocolMode: ProtocolMode.AAD
  },
  cache: {
    cacheLocation: cacheLocation,
    storeAuthStateInCookie: false,
  },
}
Relevant Code Snippets
None
Reproduction Steps
1. Generate access token for scope1
   a. access_token_scope1
   b. refresh_token
   c. Claims in access token: 1. scope1_claim1 2. scope2_claim2
2. Generate access token for scope2 (MSAL used the refresh_token generated in 1a above)
   a. access_token_scope2
   b. refresh_token (replacing the previous one)
   c. Claims in access token: 1. scope1_claim1 2. scope2_claim2
Step 2 should get claims for scope2 (scope2_claim1, scope2_claim2).
Expected Behavior
MSAL should create refresh tokens per scope and redeem it when there is a request for access token for the respective scope.
Identity Provider
Azure B2C Custom Policy
Browsers Affected (Select all that apply)
Chrome, Edge
Regression
No response
Source
External (Customer)
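As an added example (not code from this issue, nor from MSAL.js), a guard for the behaviour reported above: decode the access token that acquireTokenSilent handed back, confirm its scope claim actually covers the requested scope, and otherwise start a fresh interactive authorization for that scope, which is what the support reply recommends. It assumes the B2C access token is a JWT whose `scp` claim holds the granted short scope names separated by spaces, and that `msal` offers acquireTokenSilent/acquireTokenPopup as in @azure/msal-browser v2; the sample token is constructed here.

```javascript
// Added example, not from the issue or MSAL.js. Assumes B2C access tokens are JWTs whose
// `scp` claim lists granted short scope names ("scope1" for https://tenant/api/scope1)
// separated by spaces, and `msal` behaves like a @azure/msal-browser v2 PublicClientApplication.

function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  // Decode only; the signature is verified by the resource API, not by the SPA.
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

function tokenCoversScopes(accessToken, requestedScopes) {
  const scp = decodeJwtPayload(accessToken).scp || "";
  const granted = new Set(scp.split(" ").filter(Boolean));
  // Compare on the short scope name (last path segment of the requested scope URI).
  return requestedScopes.every((s) => granted.has(s.split("/").pop()));
}

async function acquireTokenForScopes(msal, request) {
  const silent = await msal.acquireTokenSilent(request);
  if (tokenCoversScopes(silent.accessToken, request.scopes)) return silent;
  // The cached/refreshed token carries another scope's claims (the case reported above):
  // do not reuse the single refresh token, run a new authorization for exactly this scope.
  return msal.acquireTokenPopup(request);
}

// Constructed, unsigned sample token for offline use, shaped like the issue's step 1 output.
function makeUnsignedJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.`;
}
const SAMPLE_SCOPE1_TOKEN = makeUnsignedJwt({ scp: "scope1", scope1_claim1: "a", scope1_claim2: "b" });
```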
Issue Analytics
- Created 2 years ago
- Comments: 8 (1 by maintainers)
I did follow up with the B2C service team and they said they do have a solution for this and customer support should be able to help you get it enabled. For custom policies it will require some changes to your refresh token user journey and for basic policies they’ll need to enable the feature for your tenant.
Closing as there’s no further action from MSAL.js needed at this time but please feel free to open a new issue if you have any further questions. Thanks!
I’m not aware of a public tracker but you can open a support ticket with B2C here and they can provide status updates for you. You can reference this issue if they need more context.