B2C authentication not returning access_token


I am trying to implement Authorisation Code Flow with PKCE in an Angular project. I am using angular-auth-oidc-client. We already have an existing IdentityServer4 based in-house implementation that the client works well against, but we are now trying to migrate our authentication to Azure AD B2C rather than having it in-house.

I have configured a Azure AD B2C and my client app. Here's the configuration: My app configuration

Here's my configuration on the client OIDC service:

oidcConfigService.withConfig({
    stsServer: 'https://login.microsoftonline.com/mycompany.onmicrosoft.com/v2.0',
    authWellknownEndpoint:
        'https://mycompany.b2clogin.com/mycompany.onmicrosoft.com/B2C_1_SignUpSignIn/v2.0/.well-known/openid-configuration',
    redirectUrl: window.location.origin,
    postLogoutRedirectUri: window.location.origin,
    clientId: 'client-id-guid-goes-here',
    scope: 'openid profile offline_access',
    responseType: 'code',
    silentRenew: true,
    autoUserinfo: false,
    silentRenewUrl: window.location.origin + '/silent-renew.html',
    logLevel: LogLevel.Debug,
    renewTimeBeforeTokenExpiresInSeconds: 60
});

Problem: in the token response there is no access token: No access_token

Even though I've checked the access_token checkbox at client configuration. What am I missing here?

4

There are 4 answers

1
Tore Nestenius On BEST ANSWER

The access token is not included because you are not requesting access to something.

You need to pass some additional scope here:

scope: 'openid profile offline_access',
0
Mobiletainment On

It doesn't automatically return the AccessToken unless you explicitly request permission to one of your APIs.

This is an easy pitfall when you start using B2C.

To get an access_token you'll have to visit the Azure AD B2C portal and expose an API for your client app. This means:

  • add a custom scope for your API
  • add the scope as API permission for your app
  • adjust your login configuration on the client to use this scope

API Permissions

When trying out the Auth Code Flow with PKCE with my auth library (@azure/msal-browser@2.1) I figured that behind the scenes it always played nice with https://login.microsoftonline.com/common/ and I didn't have to put in any extra effort for the access token. Upon switching to our corporation's Azure Active Directory B2C, this behavior changed though and it didn't automatically return the access_token unless I explicitly requested permission to one of our APIs.

On the plus side though it's also worth mentioning that the Auth Code Flow with PKCE is working fine when using Azure AD B2C, although to my knowledge it is not battle-tested for production yet (see this GitHub issue).

0
Mark Foppen On

The above answers are correct but also make sure that you have granted consent in the App registration under API permission. The status column should show if this is the case. In my case the scope was set correctly as mentioned in the other answer but the Access token was not returned.

azure_portal_granted_consent

0
Sameh On

According to Microsoft Docs: GetAccessToken

You need to add the App ID within the scope.

Instead of scope: 'openid profile offline_access', use: scope: 'openid profile offline_access APPID'

Example: scope: 'openid profile offline_access 64d188a5-f9a4-4b8e-9dcd-d9c9f48ea01f'
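The point the answers make (B2C only mints an access_token when an API scope is requested, and that token is issued for the API, not for the SPA) as an added example that is not part of the question, the answers, or angular-auth-oidc-client. It assumes the API app registration exposes a scope `https://mycompany.onmicrosoft.com/myapi/read` and uses a placeholder for the API's Application (client) ID; the sample tokens are constructed, unsigned, and only serve to show the check.

```javascript
// Added example: build the B2C scope string and sanity-check a token response.
const B2C_TENANT = 'mycompany.onmicrosoft.com';            // tenant from the question
const API_APP_ID = '00000000-0000-0000-0000-000000000000'; // placeholder: your API's Application (client) ID
const API_SCOPE = `https://${B2C_TENANT}/myapi/read`;      // assumed scope exposed on that API app

// openid/profile yield an id_token, offline_access a refresh_token; only an
// API scope makes B2C return an access_token alongside them.
function buildScope(apiScopes) {
  return ['openid', 'profile', 'offline_access', ...apiScopes].join(' ');
}

// base64url helpers (Node Buffer), used for encoding the samples and decoding claims
const b64url = {
  encode: (s) => Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''),
  decode: (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8'),
};

function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(b64url.decode(parts[1]));
}

// Is access_token present, and is it actually minted for our API (aud = API app ID)?
// A token whose aud is the SPA's own client ID would not be accepted by the API.
function checkTokenResponse(resp, expectedAud) {
  if (!resp.access_token) {
    return { hasAccessToken: false, audienceOk: false, reason: 'no API scope requested or consented' };
  }
  const claims = decodeJwtPayload(resp.access_token);
  const audienceOk = claims.aud === expectedAud;
  return { hasAccessToken: true, audienceOk, reason: audienceOk ? 'ok' : `aud is ${claims.aud}` };
}

// Constructed, UNSIGNED sample tokens for the demo only; real B2C tokens are signed.
function sampleJwt(payload) {
  const header = b64url.encode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${b64url.encode(JSON.stringify(payload))}.`;
}
const idTokenOnly = { id_token: sampleJwt({ aud: 'client-id-guid-goes-here' }), token_type: 'Bearer' };
const withApiToken = { ...idTokenOnly, access_token: sampleJwt({ aud: API_APP_ID, scp: 'read' }) };

console.log(buildScope([API_SCOPE]));
console.log(checkTokenResponse(idTokenOnly, API_APP_ID));   // hasAccessToken: false
console.log(checkTokenResponse(withApiToken, API_APP_ID));  // hasAccessToken: true, audienceOk: true
```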