
Azure B2C: KMSI feature does not work with custom policy

Our SPA uses Azure B2C and MSAL (React) for user authentication. There are other requirements, so we use custom policies instead of predefined user flows. But I struggle to implement the Keep Me Signed In (KMSI) feature following these instructions.

  1. I used custom policies from the starter pack: Phone_Email_Base.xml and SignUpOrSignInWithPhoneOrEmail.xml
  2. Added the <Item Key="setting.enableRememberMe">True</Item> entry to <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Phone-Email">
  3. Updated the relying party policy file with this:
<UserJourneyBehaviors>
  <SingleSignOn Scope="Tenant" KeepAliveInDays="30" />
  <SessionExpiryType>Absolute</SessionExpiryType>
  <SessionExpiryInSeconds>1200</SessionExpiryInSeconds>
  <ScriptExecution>Allow</ScriptExecution>
</UserJourneyBehaviors>
  4. Set up the MSAL instance in my index.tsx following this. Lib versions: "@azure/msal-browser": "^2.14.2", "@azure/msal-react": "^1.0.0"
  5. Tried to obtain an access token:
import { InteractionRequiredAuthError } from "@azure/msal-browser";

msalInstance
   .acquireTokenSilent(accessTokenRequest)
   .then((response) => {
      // use response.accessToken here
      ...
   })
   .catch((e) => {
      console.error(e);
      // only an interaction_required error justifies a redirect;
      // use the same msalInstance (the original referenced an undefined `instance`)
      if (e instanceof InteractionRequiredAuthError) {
         msalInstance.acquireTokenRedirect(accessTokenRequest);
      }
   });

The problem is that MSAL cannot retrieve the access token silently 24 hours after the user logged in (i.e. once the refresh token has expired) and requires the user to re-login.

To make sure that my application code is OK, I tried to use a predefined user flow (combined B2C_1_SignUpSignIn) with the KMSI feature enabled. In this case, my application is able to obtain the access token silently after 24 hours. So KMSI works perfectly with the user flow, but not with the custom policy.

I crawled through docs and examples for days, but still can't find any clues as to what else needs to be done here. Any help would be appreciated.

When acquireTokenSilent() fails, MSAL will call ssoSilent(). This will launch a hidden iframe to try to get a token using cookie based SSO.

When this fails, a final error will come back. You must catch this error and call acquireTokenRedirect(). Now if the session setup for your technical profiles is set up properly, and a valid session cookie exists, you'll get SSO.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-reference-sso

If you are actually seeing a prompt for user input, your session setup is not correct for that particular technical profile. This is the real reason why ssoSilent() failed.

Your problem is not KMSI. To prove it, remove KMSI config, sign in to your app, remove the MSAL objects from the LocalStorage, force a token renewal. You'll reproduce the issue you described, even without KMSI, and just after a few minutes of logging in.
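As an added example (not code from the question or the answer), here is the fallback chain the answer describes, written against the msal-browser v2 method names acquireTokenSilent, ssoSilent and acquireTokenRedirect. The client object is a constructed in-memory stand-in so the flow runs offline; matching the error by its name property instead of importing InteractionRequiredAuthError is an assumption made to keep the file self-contained, and the explicit ssoSilent step only makes the hidden-iframe stage visible in the trace (the answer notes MSAL already attempts it inside acquireTokenSilent).

```javascript
// Assumption: MSAL's interaction_required error exposes name === "InteractionRequiredAuthError",
// so the check works without importing the class into this stand-alone file.
function needsInteraction(err) {
  return Boolean(err) && err.name === "InteractionRequiredAuthError";
}

// Silent cache/refresh-token path -> hidden-iframe cookie SSO -> full redirect.
// Only interaction_required moves to the next stage; other errors (network, config) are rethrown.
async function acquireTokenWithFallback(client, request, trace = []) {
  try {
    const r = await client.acquireTokenSilent(request);
    trace.push("acquireTokenSilent:ok");
    return r.accessToken;
  } catch (e) {
    trace.push("acquireTokenSilent:" + e.name);
    if (!needsInteraction(e)) throw e;
  }
  try {
    // Succeeds only if B2C still holds a session cookie for this technical profile.
    const r = await client.ssoSilent(request);
    trace.push("ssoSilent:ok");
    return r.accessToken;
  } catch (e) {
    trace.push("ssoSilent:" + e.name);
    if (!needsInteraction(e)) throw e;
  }
  // Last resort: the browser navigates to B2C. A credential prompt here means the
  // technical profile's session management is wrong, not KMSI. No token is returned.
  trace.push("acquireTokenRedirect");
  await client.acquireTokenRedirect(request);
  return null;
}

// Constructed stand-in for PublicClientApplication (not the real MSAL client).
function makeFakeClient({ cacheValid, ssoCookieValid, networkDown = false }) {
  const interactionRequired = () =>
    Object.assign(new Error("interaction_required"), { name: "InteractionRequiredAuthError" });
  const networkError = () => Object.assign(new Error("no_network_connectivity"), { name: "BrowserAuthError" });
  return {
    async acquireTokenSilent() {
      if (networkDown) throw networkError();
      if (cacheValid) return { accessToken: "cached-token" };
      throw interactionRequired();
    },
    async ssoSilent() {
      if (ssoCookieValid) return { accessToken: "sso-token" };
      throw interactionRequired();
    },
    async acquireTokenRedirect() { /* would navigate the page to B2C */ },
  };
}

// Runs one constructed scenario and returns the token plus the stages that were hit.
async function runScenario(opts, request = { scopes: ["openid"] }) {
  const trace = [];
  const token = await acquireTokenWithFallback(makeFakeClient(opts), request, trace);
  return { token, trace };
}
```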

Well, eventually it turned out that this solution actually works. I'm still not sure why it failed during the first 24 hours after the custom policy was applied. So I was forced to re-login after the first 24 hours, but when another 24 hours had passed, my application was able to get a new access token without the user having to provide credentials.
