Reset Password Policy is using implicit flow by default, not authorisation code
See original GitHub issueI have an app with sign in/up and reset password, and I want it to use authorisation code flow. I do this by setting the response type to code
. Here is my configuration:
"AzureAdB2C": {
"Instance": "<instance>",
"ClientId": <myid>,
"ClientSecret": <secret>
"Domain": "<domain>",
"TenantId": <myid>
"CallbackPath": "/signin-oidc",
"ResponseType": "code",
"Scope" : ["openid", "profile", <applicationid>],
"SignUpSignInPolicyId" : "B2C_1_signupsignin1",
"ResetPasswordPolicyId" : "B2C_1_passwordreset"
},
The sign in flow is using authorisation code flow, however when I run the reset password flow, id_token is being added to the response type parameter (I am not sure what is adding it) and since my application does not allow implicit flow, I get the following error:
OpenIdConnectProtocolException: Message contains error: 'unauthorized_client', error_description: 'AADB2C90057: The provided application is not configured to allow the 'OAuth' Implicit flow.
My Startup code
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftWebApp(options =>
{
Configuration.Bind("AzureAdB2C", options);
options.Events.OnRemoteFailure = context =>
{
context.HandleResponse();
if (context.Failure is OpenIdConnectProtocolException &&
context.Failure.Message.Contains("AADB2C90118"))
{
context.Response.Redirect("/resetPassword");
}
else
{
throw context.Failure;
}
return Task.FromResult(0);
};
}, cookieOptions => { cookieOptions.ExpireTimeSpan = sessionInfo.Duration; });
and the reset password endpoint
[HttpGet("/resetPassword")]
public IActionResult ResetPassword()
{
var properties = new AuthenticationProperties { RedirectUri = Url.Content("~/") };
properties.Items["policy"] = "B2C_1_passwordreset";
return Challenge(properties, OpenIdConnectDefaults.AuthenticationScheme);
}
Any ideas on what is happening?
Issue Analytics
- State:
- Created 3 years ago
- Comments:20
Top Results From Across the Web
B2C password reset fails for confidential client not ...
The problem is that the authorize call to the password reset policy includes id_token in ResponseType , whereas the signupsignin policy does not...
Read more >Is the OAuth 2.0 Implicit Flow Dead?
In this post, we'll look at what's changing in the Implicit Flow and why.
Read more >Authentication flow support in MSAL
The implicit grant flow allows an app to sign in the user, maintain a session, and get tokens for other web APIs from...
Read more >Microsoft identity platform and OAuth 2.0 authorization ...
Use the auth code flow paired with Proof Key for Code Exchange (PKCE) ... Default when requesting an ID token by using the...
Read more >Authentication Using Implicit Flow - TechDocs - Broadcom Inc.
Implicit Flow is used by clients that are browser-based, use a scripting language, and are Single-Page Applications (SPA). Authorization ...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
It seems like implicit flow fails, unless you select both access token and id token. Could you try this?
This will give you a run now link with id_token in it (implicit flow). I will check if this is a bug on our side.
Thanks! It is
moneycorpcfxd.onmicrosoft.com