Azure AD B2C Refresh Token Revoked 403

Question

Good morning everyone,

I Have set up an App Service in Azure and added Authentication via Azure AD B2C. So far so good everything works fine. After 1 hour though, when the token expires, I try to refresh it but then I get an error back that the refresh token has been revoked. What goes wrong here ? I have set up the backend like explained in this post : and when logging in I pass the additional parameter like so :

user = await Manager.CurrentClient.LoginAsync(currentContext,MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory,new Dictionary<string, string>() { { "response_type", "code id_token" } });

This is my refresh code :

user = await Manager.CurrentClient.RefreshUserAsync();

This is the error I am getting

{Microsoft.WindowsAzure.MobileServices.MobileServiceInvalidOperationException: Refresh failed with a 403 Forbidden error. The refresh token was revoked or expired. ---> Microsoft.WindowsAzure.MobileServices.MobileServiceInvalidOperationException: You do not have permission to view this directory or page. at Microsoft.WindowsAzure.MobileServices.MobileServiceHttpClient+d__24.MoveNext () [0x001ec] in :0

Am I missing something here ? Thank you

EDIT : Here is a Screenshot of the Settings in the Portal

EDIT 2 : Here is an error form the server logs when trying to refresh the token :

EDIT 3 : And here the Application Log from the webserver for the given request :

2017-01-18T15:08:33 PID[6344] Verbose Received request: GET https://api.near.lu/.auth/refresh 2017-01-18T15:08:33 PID[6344] Verbose JWT validation succeeded. Subject: 'sid:453a1ad2710466bc9873240e888d8b91', Issuer: ' https://api.near.lu/ '. 2017-01-18T15:08:33 PID[6344] Warning The refresh request issued by sid:453a1ad2710466bc9873240e888d8b91 (SID: ac22f7309036f0c07a54b1299b9601ef) failed because no refresh tokens were found in the token store. 2017-01-18T15:08:33 PID[6344] Information Sending response: 403.80 Forbidden 2017-01-18T15:08:34 PID[6344] Verbose Received request: GET https://api.near.lu/.auth/login/aad?response_type=code%20id_token 2017-01-18T15:08:34 PID[6344] Verbose Downloading OpenID configuration from https://login.microsoftonline.com/nearauth.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_Default 2017-01-18T15:08:36 PID[6344] Verbose Downloading OpenID issuer keys from https://login.microsoftonline.com/nearauth.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_default 2017-01-18T15:08:37 PID[6344] Information Redirecting: https://login.microsoftonline.com/nearauth.onmicrosoft.com/oauth2/v2.0/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Fapi.near.lu%2F.auth%2Flogin%2Faad%2Fcallback&client_id=c4c15bfb-eac4-4cdc-861f-eb01594e19d2&scope=openid+profile+email&response_mode=form_post&state=redir%3D%26b2cPolicy%3D&p=b2c_1_default&nonce=9e243549b62f49878cc370048c6effa9_20170118151334 2017- 01-18T15:08:39 PID[6344] Verbose Received request: POST https://api.near.lu/.auth/login/aad/callback 2017-01-18T15:08:39 PID[6344] Error An error of type 'unauthorized_client' occurred during the login process: 'AADB2C90057: The provided application is not configured to allow the OAuth Implicit flow. Correlation ID: 8336662f-8847-4f8b-bb37-6925a5d3e264 Timestamp: 2017-01-18 15:08:38Z ' 2017-01-18T15:08:39 PID[6344] Information Sending response: 401.73 Unauthorized

EDIT 4: This is the log of a successfull login :

2017-01-18T19:10:14 PID[6344] Verbose Received request: GET https://api.near.lu/.auth/login/aad?response_type=code%20id_token 2017-01-18T19:10:14 PID[6344] Information Redirecting: https://login.microsoftonline.com/nearauth.onmicrosoft.com/oauth2/v2.0/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Fapi.near.lu%2F.auth%2Flogin%2Faad%2Fcallback&client_id=c4c15bfb-eac4-4cdc-861f-eb01594e19d2&scope=openid+profile+email&response_mode=form_post&state=redir%3D%26b2cPolicy%3D&p=b2c_1_default&nonce=817be561f67343688001637fa7808690_20170118191514 2017-01-18T19:10:30 PID[6344] Verbose Received request: POST https://api.near.lu/.auth/login/aad/callback 2017-01-18T19:10:30 PID[6344] Verbose JWT validation succeeded. Subject: '1eaf9f41-1562-4ac9-9538-b893c9123087', Issuer: ' https://login.microsoftonline.com/07407dc1-946a-4afc-9186-84e6023ba814/v2.0/ '. 2017-01-18T19:10:30 PID[6344] Verbose Calling into external HTTP endpoint POST https://login.microsoftonline.com/nearauth.onmicrosoft.com/oauth2/v2.0/token . 2017-01-18T19:10:32 PID[6344] Information Login completed for 'aget'. Provider: 'aad'. 2017-01-18T19:10:32 PID[6344] Verbose Writing 'AppServiceAuthSession' cookie for site 'api.near.lu'. Length: 792. 2017-01-18T19:10:32 PID[6344] Information Redirecting: https://api.near.lu/.auth/login/done#token=%7B%22authenticationToken%22%3A%22ey--REMOVED PART OF THE TOKEN--%22%2C%22user%22%3A%7B%22userId%22%3A%22sid%3Aed01ed7507f147976aa1704783267861%22%7D%7D 2017-01-18T19:10:33 PID[6344] Verbose Received request: GET https://api.near.lu/.auth/login/done 2017-01-18T19:10:33 PID[6344] Information Sending response: 200.0 OK

This is the error log i get when I try to refresh immediatley after logging in :

2017-01-23T10:55:06 PID[6344] Verbose Received request: POST https://api.near.lu/.auth/refresh 2017-01-23T10:55:06 PID[6344] Verbose JWT validation succeeded. Subject: 'sid:ed01ed7507f147976aa1704783267861', Issuer: ' https://api.near.lu/ '. 2017-01-23T10:55:06 PID[6344] Warning The refresh request issued by sid:ed01ed7507f147976aa1704783267861 (SID: 9a6c2ee324a092937c5e2f953803e662) failed because no refresh tokens were found in the token store. 2017-01-23T10:55:06 PID[6344] Information Sending response: 403.80 Forbidden

Which is weird, as it can be seen in the above picture the token store is enabled...

Answer 1

The problem could be that your current App Service Authentication / Authorization setup is not configured to support token refresh. A simple way to confirm this would be to enable Application Logging and look at the warning messages in the application log stream when a refresh operation fails. More details on application logging can be found here: https://docs.microsoft.com/en-us/azure/app-service-web/web-sites-enable-diagnostic-log

See the following blog post (which I wrote) to learn more about how to update your Authentication / Authorization settings to support token refresh: https://cgillum.tech/2016/08/10/app-service-auth-and-azure-ad-b2c-part-2/#refresh . The short version is that you need to:

1. create an app key in your B2C app registration and set that as the client secret in your Authentication / Authorization "Advanced" settings for AAD in the portal.
2. Request the offline_access scope when logging in. This ensures you get a refresh token from AAD B2C when the user logs in.

Your login code should look like the following:

user = await Manager.CurrentClient.LoginAsync(
    currentContext,
    MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory,
    new Dictionary<string, string>() { { "scope", "openid offline_access" } });

Answer 2

To use the refresh user, we have to store the refresh token to the app service token store.

You can check whether there are refresh token via using the request below:

Get:https://{yourMoibleAppName}.azurewebsites.net/.auth/me
X-ZUMO-AUTH: {accessToken}

The access token you can get from user.MobileServiceAuthenticationToken .

If there is no refresh token returned, you can check whether following requirements are satisfied:

1. the token store is enable

2. the response_type of request contains code

3. Developers doesn't revoke the access_token, refresh_token, user permission

And all settings well, however the the app still get the 403 error, we should prompt user to login again(refer to Refreshing user logins in App Service Mobile Apps ).

And to avoid misunderstanding, when you specify you were using Azure AD B2C tenant, would you mind sharing the detail steps you protected the mobile service?

Update( able to reproduce this issuing using the b2c app which register this way )