
B2C authentication not returning access_token

I am trying to implement Authorisation Code Flow with PKCE in an Angular project. I am using angular-auth-oidc-client. We already have an existing IdentityServer4 based in-house implementation that the client works well against, but we are now trying to migrate our authentication to Azure AD B2C rather than having it in-house.

I have configured an Azure AD B2C tenant and my client app. Here's the configuration (screenshot: my app configuration).

Here's my configuration on the client OIDC service:

import { LogLevel } from 'angular-auth-oidc-client';

oidcConfigService.withConfig({
    // Authority of the B2C tenant
    stsServer: 'https://login.microsoftonline.com/mycompany.onmicrosoft.com/v2.0',
    // Discovery document of the B2C_1_SignUpSignIn user flow
    authWellknownEndpoint:
        'https://mycompany.b2clogin.com/mycompany.onmicrosoft.com/B2C_1_SignUpSignIn/v2.0/.well-known/openid-configuration',
    redirectUrl: window.location.origin,
    postLogoutRedirectUri: window.location.origin,
    clientId: 'client-id-guid-goes-here',
    // Only identity scopes are requested here; no API scope
    scope: 'openid profile offline_access',
    // Authorization Code Flow (the library adds PKCE for public clients)
    responseType: 'code',
    silentRenew: true,
    autoUserinfo: false,
    silentRenewUrl: window.location.origin + '/silent-renew.html',
    logLevel: LogLevel.Debug,
    renewTimeBeforeTokenExpiresInSeconds: 60
});

Problem: in the token response there is no access token (screenshot: no access_token).

Even though I've checked the access_token checkbox in the client configuration. What am I missing here?

It doesn't automatically return the AccessToken unless you explicitly request permission to one of your APIs.

This is an easy pitfall when you start using B2C.

To get an access_token you'll have to visit the Azure AD B2C portal and expose an API for your client app. This means:

  • add a custom scope for your API
  • add the scope as API permission for your app
  • adjust your login configuration on the client to use this scope

(screenshot: API permissions)

When trying out the Auth Code Flow with PKCE with my auth library (@azure/msal-browser 2.1) I figured that behind the scenes it always played nice with https://login.microsoftonline.com/common/ and I didn't have to put in any extra effort for the access token. Upon switching to our corporation's Azure Active Directory B2C, this behavior changed though and it didn't automatically return the access_token unless I explicitly requested permission to one of our APIs.

On the plus side though, it's also worth mentioning that the Auth Code Flow with PKCE is working fine when using Azure AD B2C, although to my knowledge it is not battle-tested for production yet (see this GitHub issue).

The access token is not included because you are not requesting access to something.

You need to pass some additional scope here:

scope: 'openid profile offline_access',

According to Microsoft Docs: GetAccessToken

You need to add the App ID within the scope.

Instead of scope: 'openid profile offline_access', use: scope: 'openid profile offline_access APPID'

Example: scope: 'openid profile offline_access 64d188a5-f9a4-4b8e-9dcd-d9c9f48ea01f'
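Both answers above come down to the same rule: B2C only issues an access_token when the scope string contains something beyond the identity scopes (openid, profile, offline_access), either a scope URI exposed by an API or, as the second answer does, an App ID. The following TypeScript is an added example, not code from the question, the answers or the angular-auth-oidc-client library. It shows two checks a practitioner can wire into a client: analyzeScope() inspects the scope string before login and warns when no API scope is present, and grantedScopes() reads the scp and aud claims of a returned access token to confirm the API scope was actually granted. The API scope URI, the audience GUID and the token payload are constructed placeholders; the claim decode does not verify the signature and is for diagnostics only.

```typescript
// Added example (not from the original question, answers or angular-auth-oidc-client).
// Scope-string inspection and access-token claim diagnostics for Azure AD B2C.

const IDENTITY_SCOPES = new Set(['openid', 'profile', 'email', 'offline_access']);

export interface ScopeReport {
  identityScopes: string[];
  apiScopes: string[];          // anything that is not an identity scope
  expectsAccessToken: boolean;  // B2C includes access_token only if apiScopes is non-empty
  warnings: string[];
}

// Check a scope string before the authorization request is sent.
export function analyzeScope(scope: string): ScopeReport {
  const parts = scope.trim().split(/\s+/).filter((p) => p.length > 0);
  const identityScopes = parts.filter((p) => IDENTITY_SCOPES.has(p));
  const apiScopes = parts.filter((p) => !IDENTITY_SCOPES.has(p));
  const warnings: string[] = [];
  if (!identityScopes.includes('openid')) {
    warnings.push('openid is missing: the response will not contain an id_token');
  }
  if (apiScopes.length === 0) {
    warnings.push('no API scope requested: B2C will not include an access_token');
  }
  if (new Set(parts).size !== parts.length) {
    warnings.push('duplicate scopes in request');
  }
  return { identityScopes, apiScopes, expectsAccessToken: apiScopes.length > 0, warnings };
}

// Compose the scope string from identity scopes plus the API scopes exposed in the portal.
export function buildScope(apiScopes: string[], offlineAccess = true): string {
  const base = ['openid', 'profile'];
  if (offlineAccess) base.push('offline_access');
  return [...base, ...apiScopes].join(' ');
}

// base64url helpers (browser and Node both provide atob/btoa; payloads here are ASCII JSON).
function base64UrlDecode(input: string): string {
  const b64 = input.replace(/-/g, '+').replace(/_/g, '/');
  return atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
}
function base64UrlEncode(input: string): string {
  return btoa(input).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

export interface GrantedScopes {
  audience: string;   // aud: the API the token was issued for
  scopes: string[];   // scp: short scope names granted (e.g. "read"), space separated
}

// Read aud/scp from a compact JWT for diagnostics only. No signature verification is done
// here; never use this output to make an authorization decision.
export function grantedScopes(jwt: string): GrantedScopes {
  const segments = jwt.split('.');
  if (segments.length !== 3) throw new Error('not a compact JWS');
  const payload = JSON.parse(base64UrlDecode(segments[1]));
  const scopes = typeof payload.scp === 'string' ? payload.scp.split(' ') : [];
  return { audience: String(payload.aud ?? ''), scopes };
}

// Constructed sample values (placeholders, not real tenant data).
export const SAMPLE_API_SCOPE = 'https://mycompany.onmicrosoft.com/my-api/read';
export const SAMPLE_AUDIENCE = '00000000-0000-0000-0000-000000000000';
export const SAMPLE_TOKEN =
  base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' +
  base64UrlEncode(JSON.stringify({ aud: SAMPLE_AUDIENCE, scp: 'read' })) +
  '.signature-placeholder';

// Usage: the scope from the question produces a warning and no access_token expectation.
export const REPORT_WITHOUT_API = analyzeScope('openid profile offline_access');
// The corrected scope, with the exposed API scope appended, expects an access_token.
export const REPORT_WITH_API = analyzeScope(buildScope([SAMPLE_API_SCOPE]));
```

The first report carries the warning "no API scope requested" and expectsAccessToken is false, which is exactly the situation in the question; the second expects an access_token. Once the token arrives, grantedScopes() lets you confirm in a debug log that aud matches the API's application ID and that scp lists the scope you exposed, before you start sending the token to that API.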

