
HC 12.16 #/oauth includes fragment which is not an allowable redirect uri for Azure AD B2C


Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

The effect: the access token is not able to be fetched from BCP because the redirect uri is not in the allowable list of uris as configured by Azure AD B2C.

We are using Azure AD B2C and it does not allow having the # symbol in the allowed redirect uris, specifically when the signinaudience is AzureADandPersonalMicrosoftAccount for the oauth2 implicit flow.

And if we can’t put the #/oauth uri in the allowed redirect uri list, Azure AD will not allow BCP to receive the token.

Image of the Azure AD B2C error

Affects HC 12.16, but not 12.15.* due to new major version of BCP.

Steps to reproduce

  1. Boot up a C# project running 12.16 of HotChocolate.
  2. Navigate to the graphql endpoint and try to authenticate by clicking the gear icon.
  3. Under authentication, select OAuth2 -> Implicit.
  4. Note that the Redirect URL is hardcoded and not allowed to be changed.

Using Azure AD B2C App Registration, the redirect uri cannot contain a fragment uri if the signinaudience value is AzureADandPersonalMicrosoftAccount. If it is AzureADMyOrg, then the fragment uri is acceptable.

Allowed settings for signinaudience: AzureADMultipleOrgs, AzureADMyOrg, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount

Relevant log output

No response

Additional Context?

As per discussion in #announcements on Jan 6, 2023.

Product

Hot Chocolate

Version

12.16.*
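The constraint reported above (a fragment such as #/oauth in the redirect URI is rejected when signinaudience is AzureADandPersonalMicrosoftAccount but accepted for AzureADMyOrg) is the kind of thing worth checking before an app registration is created, rather than discovering it at token time. The following is an added example, not code from the issue, from Hot Chocolate or from Banana Cake Pop: a small pre-flight validator that derives the BCP 12.16 web redirect URI from a GraphQL endpoint (by appending #/oauth, as the thread describes) and flags it against the audience rule exactly as the issue states it. The function names, the HTTPS-except-localhost check and the treatment of the two audiences the issue does not mention are assumptions of this example.

```python
from urllib.parse import urlsplit

# Sign-in audiences listed in the issue for an Azure AD B2C app registration.
AUDIENCES = {
    "AzureADMultipleOrgs",
    "AzureADMyOrg",
    "AzureADandPersonalMicrosoftAccount",
    "PersonalMicrosoftAccount",
}

# Only two audiences are characterised in the issue; the other two are
# treated as "unconfirmed" (assumption of this example, not a documented rule).
FRAGMENT_REJECTED = {"AzureADandPersonalMicrosoftAccount"}
FRAGMENT_ACCEPTED = {"AzureADMyOrg"}


def bcp_web_redirect_uri(graphql_endpoint: str) -> str:
    """Redirect URI the BCP web UI (12.16+) uses: the endpoint plus the #/oauth fragment.

    Mirrors the behaviour described in the thread; hypothetical helper, not BCP's own code.
    """
    base = graphql_endpoint if graphql_endpoint.endswith("/") else graphql_endpoint + "/"
    return base + "#/oauth"


def check_redirect_uri(uri: str, sign_in_audience: str) -> list[str]:
    """Return the problems with registering `uri` for `sign_in_audience`; empty list means OK."""
    problems: list[str] = []
    if sign_in_audience not in AUDIENCES:
        return [f"unknown signInAudience {sign_in_audience!r}"]

    parts = urlsplit(uri)
    # Azure AD requires HTTPS for redirect URIs except on localhost (assumption of this example).
    if parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1"):
        problems.append("non-localhost redirect URI must use https")
    elif parts.scheme not in ("http", "https"):
        problems.append(f"unsupported scheme {parts.scheme!r}")

    # urlsplit() drops an empty fragment, so also look for a bare trailing '#'.
    has_fragment = bool(parts.fragment) or "#" in uri
    if has_fragment:
        if sign_in_audience in FRAGMENT_REJECTED:
            problems.append(
                f"redirect URI contains a fragment ('#{parts.fragment}'), "
                f"which is rejected for signInAudience {sign_in_audience}"
            )
        elif sign_in_audience not in FRAGMENT_ACCEPTED:
            problems.append(
                "redirect URI contains a fragment; acceptance for this audience is not confirmed"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample: the scenario from the issue.
    endpoint = "https://localhost/graphql/"
    uri = bcp_web_redirect_uri(endpoint)
    for audience in ("AzureADandPersonalMicrosoftAccount", "AzureADMyOrg"):
        verdict = check_redirect_uri(uri, audience) or ["OK"]
        print(f"{audience}: {uri} -> {verdict}")
```

Run it as a script to see the two verdicts side by side; in a deployment checklist the same function can be pointed at the redirect URI BCP actually presents under the gear icon, so the mismatch surfaces before anyone tries to sign in.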

Issue Analytics

  • State: open
  • Created 8 months ago
  • Comments: 9 (7 by maintainers)

Top GitHub Comments

1 reaction
bartdebever commented, Apr 12, 2023

Is there any update on this issue? I assume not everything went well and the release is delayed but not being able to work with BCP when using Azure AD is a shame, the OAuth integration was great and sets BCP apart from other Playgrounds.

1 reaction
PascalSenn commented, Mar 17, 2023

@onionhammer See this

What we used to do is open BCP at localhost/graphql/, and the redirect url used to just be localhost/graphql/, which worked just fine with B2C, then at version 12.16+, BCP’s expected redirect url was changed to localhost/graphql/#/oauth and that broke things.

surprises me. This must be a special case for the localhost origin. After using window.open, the reference to window.href should no longer be accessible.

Was hoping that the desktop version didn't have this issue, but it looks like there's no redirect path at all? Is there a workaround for this other than using Postman?

The redirect URL is not specified in the desktop app because there we have more options. In other words, you can pick any redirect URL and it will work.

We are currently testing a fix for the web version. If everything goes well, it will be available in the next BCP version next week.

