Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Reset Password Policy is using implicit flow by default, not authorisation code

See original GitHub issue

I have an app with sign in/up and reset password, and I want it to use authorisation code flow. I do this by setting the response type to code. Here is my configuration:

"AzureAdB2C": {
    "Instance": "<instance>",
    "ClientId": <myid>,
    "ClientSecret": <secret>
    "Domain": "<domain>",
    "TenantId": <myid>
    "CallbackPath": "/signin-oidc",
    "ResponseType": "code",
    "Scope" : ["openid", "profile", <applicationid>],
    "SignUpSignInPolicyId" : "B2C_1_signupsignin1",
    "ResetPasswordPolicyId" : "B2C_1_passwordreset"
  },

The sign in flow is using authorisation code flow, however when I run the reset password flow, id_token is being added to the response type parameter (I am not sure what is adding it) and since my application does not allow implicit flow, I get the following error:

OpenIdConnectProtocolException: Message contains error: 'unauthorized_client', error_description: 'AADB2C90057: The provided application is not configured to allow the 'OAuth' Implicit flow.

My Startup code

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
                .AddMicrosoftWebApp(options =>
                {
                    Configuration.Bind("AzureAdB2C", options);
                    options.Events.OnRemoteFailure = context =>
                    {
                        context.HandleResponse();
                        if (context.Failure is OpenIdConnectProtocolException &&
                            context.Failure.Message.Contains("AADB2C90118"))
                        {
                            context.Response.Redirect("/resetPassword");
                        }
                        else
                        {
                            throw context.Failure;
                        }

                        return Task.FromResult(0);
                    };
                }, cookieOptions => { cookieOptions.ExpireTimeSpan = sessionInfo.Duration; });

and the reset password endpoint

[HttpGet("/resetPassword")]
        public IActionResult ResetPassword()
        {
            var properties = new AuthenticationProperties { RedirectUri = Url.Content("~/") };
            properties.Items["policy"] = "B2C_1_passwordreset";
            return Challenge(properties, OpenIdConnectDefaults.AuthenticationScheme);
        }

Any ideas on what is happening?

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:20

github_iconTop GitHub Comments

1reaction
ktsakascommented, Sep 3, 2020

It seems like implicit flow fails, unless you select both access token and id token. Could you try this?

Annotation 2020-09-03 102549

This will give you a run now link with id_token in it (implicit flow). I will check if this is a bug on our side.

1reaction
AshTappincommented, Sep 2, 2020

Thanks! It is moneycorpcfxd.onmicrosoft.com

Read more comments on GitHub >

github_iconTop Results From Across the Web

B2C password reset fails for confidential client not ...
The problem is that the authorize call to the password reset policy includes id_token in ResponseType , whereas the signupsignin policy does not...
Read more >
Is the OAuth 2.0 Implicit Flow Dead?
In this post, we'll look at what's changing in the Implicit Flow and why.
Read more >
Authentication flow support in MSAL
The implicit grant flow allows an app to sign in the user, maintain a session, and get tokens for other web APIs from...
Read more >
Microsoft identity platform and OAuth 2.0 authorization ...
Use the auth code flow paired with Proof Key for Code Exchange (PKCE) ... Default when requesting an ID token by using the...
Read more >
Authentication Using Implicit Flow - TechDocs - Broadcom Inc.
Implicit Flow is used by clients that are browser-based, use a scripting language, and are Single-Page Applications (SPA). Authorization ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Workaround with Configuration Section AzureAD

Next page

[Bug] TokenAcquisitionalways fails with MicrosoftIdentityWebChallengeUserException when called from a DelegatingHandler, but only on an Azure Web App.