[Bug] Error when attempting to use PKCE


Which version of Microsoft Identity Web are you using? 0.4.0-preview

Where is the issue?

  • Web app
    • Sign-in users
    • Sign-in users and call web APIs
  • Web API
    • Protected web APIs (validating tokens)
    • Protected web APIs (validating scopes)
    • Protected web APIs call downstream web APIs
  • Token cache serialization
    • In-memory caches
    • Session caches
    • Distributed caches
  • Other (please describe)

Is this a new or an existing app? a. The app is in production and I have upgraded to a new version of Microsoft Identity Web.

Repro

        services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
            .EnableTokenAcquisitionToCallDownstreamApi()
            .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
            .AddInMemoryTokenCaches();


        services.Configure<MicrosoftIdentityOptions>(options =>
        {
            options.AuthenticationMethod = OpenIdConnectRedirectBehavior.RedirectGet;
            options.UsePkce = true;
            options.ResponseType = OpenIdConnectResponseType.Code;
        });

        services.AddMvc();

        services.AddControllersWithViews(options =>
        {
            var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
            options.Filters.Add(new AuthorizeFilter(policy));
        });

Expected behavior

I am trying to upgrade from Microsoft.AspNetCore.Authentication.AzureAd.UI to Microsoft.Identity.Web. I reuse the app registration, which works fine with an Authorization Code Flow. I expect that the app successfully logs in the user using Auth Code Flow.

Actual behavior

When trying to log in, I get the following error:

OpenIdConnectProtocolException: Message contains error: 'unsupported_response_type', error_description: 'AADSTS700054: response_type 'id_token' is not enabled for the application.

I don’t really understand the error message. Is it trying to perform an implicit flow?

With the older package, the initial redirect to https://login.microsoftonline.com contains the query &response_type=code; with Microsoft.Identity.Web it contains response_type=code%20id_token; why is it doing that?

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 5

Top GitHub Comments

1 reaction
jmprieur commented, Sep 30, 2020

@calbert82uhah, the fix is available in Microsoft.Identity.Web 1.0.0

1 reaction
calbert82uhah commented, Sep 18, 2020

@jmprieur Yes, with this branch the response_type has changed to code, and I can log in a user!
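
The check the reporter did by eye on the redirect to https://login.microsoftonline.com can be automated. The following is an added example, not code from the issue or from Microsoft.Identity.Web: it classifies an authorize URL by its `response_type` and reports whether PKCE parameters are present. The function names, the `TENANT_ID` and `client_id` placeholders and the sample verifier are assumptions constructed for illustration.

```python
import base64
import hashlib
import re
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# RFC 7636: an S256 code_challenge is unpadded base64url(SHA-256(verifier)), always 43 chars.
S256_CHALLENGE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def classify_authorize_request(url):
    """Return (flow, findings) for an OAuth 2.0 / OpenID Connect authorize URL."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # response_type is a space-delimited set; parse_qs decodes %20 and + to spaces.
    types = set(params.get("response_type", [""])[0].split())
    if not types:
        return "unknown", ["response_type is missing"]
    flow = ("authorization_code" if types == {"code"}
            else "hybrid" if "code" in types else "implicit")
    # Anything besides 'code' is returned by the authorize endpoint itself.
    findings = [f"response_type '{extra}' must be enabled for the application"
                for extra in sorted(types - {"code"})]
    if "code" in types:
        challenge = params.get("code_challenge", [None])[0]
        method = params.get("code_challenge_method", [None])[0]
        if challenge is None:
            findings.append("no code_challenge: PKCE is not in use")
        elif method != "S256":
            findings.append(f"code_challenge_method is {method!r}, expected 'S256'")
        elif not S256_CHALLENGE.match(challenge):
            findings.append("code_challenge is not a 43-character base64url value")
    return flow, findings


def sample_url(response_type, with_pkce):
    """Build a constructed authorize URL; tenant, client_id and verifier are placeholders."""
    query = {"client_id": "00000000-0000-0000-0000-000000000000",
             "response_type": response_type, "scope": "openid profile"}
    if with_pkce:
        digest = hashlib.sha256(b"constructed-verifier-for-this-example-only").digest()
        query["code_challenge"] = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
        query["code_challenge_method"] = "S256"
    base = "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize?"
    return base + urlencode(query, quote_via=quote)


if __name__ == "__main__":
    for rt, pkce in (("code id_token", False), ("code", True)):
        print(rt, "->", classify_authorize_request(sample_url(rt, pkce)))
```

Paste the URL copied from the browser's network tab into `classify_authorize_request` to check a real redirect.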
