Updating causes a switch from v2 token to invalid v1 token

Library

  • msal@1.4.0
  • @azure/msal-browser@2.x.x
  • @azure/msal-angular@0.x.x
  • @azure/msal-angular@1.1.1
  • @azure/msal-angularjs@1.x.x

Framework

Description

Updating from

@azure/msal-angular     1.0.0  →    1.1.1   
msal                    1.3.4  →    1.4.0

Causes a switch in the token sent to self (localhost). Before it was a v2 token. Now it’s a v1 token, and on top of that the signature is invalid.

None of the changelogs indicated this switch. Or the invalid token.

Error Message

Response headers:

server: Kestrel
status: 401
www-authenticate: Bearer error="invalid_token", error_description="The signature is invalid"

Security

  • Is this issue security related?

Regression

  • Did this behavior work before? Version:
@azure/msal-angular     1.0.0
msal                    1.3.4 

MSAL Configuration

const msalConfig: Configuration = {
  auth: {
    authority:
      "https://login.microsoftonline.com/hidden/",
    clientId: "hidden",
    navigateToLoginRequestUrl: true,
    postLogoutRedirectUri: "http://localhost:4200/logged-out",
  },
  cache: {
    cacheLocation: "localStorage",
  },
};
const msalAngularConfig: MsalAngularConfiguration = {
  consentScopes: ["User.Read", "User.Read.All", "openid", "profile"],
  popUp: true,
  protectedResourceMap: [
    ["https://graph.microsoft.com", ["profile", "User.Read", "User.Read.All"]],
  ],
};

Reproduction steps

In my ASP.NET Core backend I have

services.AddAuthentication(AzureADDefaults.JwtBearerAuthenticationScheme)
    .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));

services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
{
    // This is a Microsoft identity platform web API.
    options.Authority += "/v2.0";
});

In Angular I use the MsalInterceptor

providers: [
    {
      multi: true,
      provide: HTTP_INTERCEPTORS,
      useClass: MsalInterceptor,
    },
    MsalService,
]

Expected behavior

Browsers/Environment

  • Chrome
  • Firefox
  • Edge
  • Safari
  • IE
  • Other (Please add browser name here)

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 11 (7 by maintainers)

Top GitHub Comments

1 reaction
jmckennon commented, Sep 28, 2020

Wanted to update here–I couldn’t get any great reasoning from the logs, so I’m going to escalate this internally to the server team. My guess is something may just need to be changed in the configuration of the portal/app reg. Will report back with information when I have it, sorry for the delay.

0 reactions
github-actions[bot] commented, Nov 1, 2020

This issue has been closed due to inactivity. If this has not been resolved please open a new issue. Thanks!
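When an API rejects a bearer token as in the 401 above, a first triage step is to decode the token, without trusting it, and compare its `ver`, `iss` and `aud` claims with what the API validates. The script below is an added example, not code from the issue or from MSAL; the tenant, the audience value and the sample tokens are constructed placeholders, and the function names are hypothetical.

```javascript
// Added diagnostic sketch, not MSAL or ASP.NET Core code. It only DECODES a
// token to inspect its claims; it does not verify the signature.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// expectedAudience: client ID of your own API app registration (assumption).
function triageAccessToken(jwt, expectedAudience) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("expected a 3-segment compact JWT");
  const header = decodeSegment(parts[0]);
  const claims = decodeSegment(parts[1]);
  const findings = [];
  if (claims.ver !== "2.0") {
    findings.push(`ver is ${JSON.stringify(claims.ver)}, not "2.0"`);
  }
  if (!/\/v2\.0\/?$/.test(String(claims.iss))) {
    findings.push(`iss ${claims.iss} is not a /v2.0 issuer`);
  }
  if (claims.aud !== expectedAudience) {
    findings.push(`aud ${claims.aud} is not this API (${expectedAudience})`);
  }
  return { alg: header.alg, ver: claims.ver, iss: claims.iss, aud: claims.aud, findings };
}

// Constructed sample tokens (placeholder tenant, fake signature segment).
function makeSample(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ typ: "JWT", alg: "RS256" })}.${enc(claims)}.c2ln`;
}
const API_AUDIENCE = "API-CLIENT-ID-PLACEHOLDER"; // hypothetical value
const v1GraphToken = makeSample({
  ver: "1.0",
  iss: "https://sts.windows.net/TENANT-PLACEHOLDER/",
  aud: "https://graph.microsoft.com",
});
const v2ApiToken = makeSample({
  ver: "2.0",
  iss: "https://login.microsoftonline.com/TENANT-PLACEHOLDER/v2.0",
  aud: API_AUDIENCE,
});

console.log(triageAccessToken(v1GraphToken, API_AUDIENCE).findings);
console.log(triageAccessToken(v2ApiToken, API_AUDIENCE).findings);
```

A token whose `aud` names another resource was issued for that resource, so the first thing to check is which scopes the client requested for the call to your own API.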
