
EditProfile Throw error for Azure AD B2C solution "1-WebApp-OIDC/1-5-B2C" #399

Closed
1 of 14 tasks
manoj1201 opened this issue Aug 26, 2020 · 11 comments
Labels
bug Something isn't working Fixed P1 regression

Comments

@manoj1201

manoj1201 commented Aug 26, 2020

Please provide us with the following information:

This issue is for a: (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

The issue was found for the following scenario:

Please add an 'x' for the scenario(s) where you found an issue

  1. Web app that signs in users
    1. with a work and school account in your organization: 1-WebApp-OIDC/1-1-MyOrg
    2. with any work and school account: /1-WebApp-OIDC/1-2-AnyOrg
    3. with any work or school account or Microsoft personal account: 1-WebApp-OIDC/1-3-AnyOrgOrPersonal
    4. with users in National or sovereign clouds 1-WebApp-OIDC/1-4-Sovereign
    5. with B2C users 1-WebApp-OIDC/1-5-B2C
  2. Web app that calls Microsoft Graph
    1. Calling graph with the Microsoft Graph SDK: 2-WebApp-graph-user/2-1-Call-MSGraph
    2. With specific token caches: 2-WebApp-graph-user/2-2-TokenCache
    3. Calling Microsoft Graph in national clouds: 2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph
  3. Web app calling several APIs 3-WebApp-multi-APIs
  4. Web app calling your own Web API 4-WebApp-your-API
  5. Web app restricting users
    1. by Roles: 5-WebApp-AuthZ/5-1-Roles
    2. by Groups: 5-WebApp-AuthZ/5-2-Groups
  6. Deployment to Azure
  7. Other (please describe)

Repro-ing the issue

Repro steps

Created a user flow and configured the Sign In and Edit Profile flows with the user attributes below:

  1. Display Name - out of the box
  2. PhoneNumber - custom-created property, type string
  3. Country/Region - out of the box
  4. Downloaded this solution "https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-5-B2C" and configured it as per the documentation.
  5. Sign In works fine at localhost as well as on the deployed web app.
  6. After Sign In, when I click Edit Profile, it prompts the proper screen and takes the input; as soon as I save, it redirects to the error page.

Error Page Url : https://localhost:44316/MicrosoftIdentity/Account/Error
An error occurred while processing your request.
Request ID: |b8a8d858-48bf2c5956a60f9e.

Expected behavior
Edit Profile works fine when I use the "Run user flow" option with https://jwt.ms as the redirect URL, which returns me a valid token and details. Looks like an issue with the uploaded solution.

OS and Version?

Desktop Operating System: Windows 10

Versions

I am using ASP.NET Core 3.1


@manoj1201
Author

Added operating system version and .NET Core version details.

@pmaytak
Contributor

pmaytak commented Aug 26, 2020

Hi @manoj1201. Could you provide a detailed error message? ASPNETCORE_ENVIRONMENT should be set to Development in launchSettings.json, or just remove this and use app.UseDeveloperExceptionPage(); all the time.

Also, do all the policies specified in config match what's in AAD?

@manoj1201
Author

@pmaytak, thanks for the info.

I am using these user flows:
B2C_1_SignUpIn for Sign In or Sign Up -> working fine.
B2C_1_ProfileEdit -> when I run it using the "Run user flow" button in the portal with https://jwt.ms as the redirect URL, it works fine. I followed all the steps in the documentation again: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-5-B2C .
The invalid grant error looks strange.

Getting the below error at localhost:

    fail: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[52]
    Message contains error: 'invalid_grant', error_description: 'AADB2C90088: The provided grant has not been issued for this endpoint. Actual Value : B2C_1_SignUpIn and Expected Value : B2C_1_ProfileEdit
    Correlation ID: dc2e2832-98f1-4f26-93b5-4a57eb113f1f
    Timestamp: 2020-08-27 05:44:02Z
    ', error_uri: 'error_uri is null', status code '400'.
    fail: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[17]
    Exception occurred while processing message.
    Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_grant', error_description: 'AADB2C90088: The provided grant has not been issued for this endpoint. Actual Value : B2C_1_SignUpIn and Expected Value : B2C_1_ProfileEdit
    Correlation ID: dc2e2832-98f1-4f26-93b5-4a57eb113f1f
    Timestamp: 2020-08-27 05:44:02Z
    ', error_uri: 'error_uri is null'.
    at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
    at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()

@pmaytak
Contributor

pmaytak commented Aug 27, 2020

@manoj1201 Can you verify which version of the Microsoft Identity Web package you're using? Try 0.3.0-preview (it's the latest) if you're not already.

@jennyf19 I thought we had a similar issue like this and it was fixed? (Maybe it was 467?) I think the problem was that the user flow parameter passed in to GetAccessTokenForUserAsync is null, so it uses the default one.

jmprieur added the labels bug, P1 and regression on Aug 27, 2020
@jmprieur
Contributor

jmprieur commented Aug 27, 2020

I could confirm that this reproduces in a B2C web app that signs in users (1-WebApp-OIDC/1-5-B2C), but not in a B2C web app that signs in users and calls a web API (our test app works well).

Analysis

What happens is that in AzureADB2COpenIDConnectEventHandlers.OnRedirectToIdentityProvider we request CodeIdToken even in the OIDC case (when the app does not call a web API):

       context.ProtocolMessage.ResponseType = OpenIdConnectResponseType.CodeIdToken;

https://github.com/AzureAD/microsoft-identity-web/blob/e83d7bb8efb6909ac31d69b0de50d7d2ff8bd4c5/src/Microsoft.Identity.Web/AzureADB2COpenIDConnectEventHandlers.cs#L35

When the code is received, Microsoft.Identity.Web does not try to redeem it (because Startup.cs does not contain EnableTokenAcquisitionToCallDownstreamApi), but ASP.NET Core tries to redeem it, and it fails, as it is not as clever as Microsoft.Identity.Web at understanding the context.

Suggestion to fix it

In:

https://github.com/AzureAD/microsoft-identity-web/blob/e83d7bb8efb6909ac31d69b0de50d7d2ff8bd4c5/src/Microsoft.Identity.Web/AzureADB2COpenIDConnectEventHandlers.cs#L35

I suggest we request CodeIdToken only if there is either a non-null options.ClientSecret, or options.ClientCertificates is not null and not empty; otherwise, just request IdToken. This will distinguish the sign-in-users-and-call-a-web-API case (where we want a code) from the sign-in-users-only case (where we don't want the code).

BTW, @jennyf19, this should also fix [Bug]Template IndividualAuth B2C Password reset uses default policy #467

@jmprieur
Contributor

jmprieur commented Aug 27, 2020

@manoj1201 thanks for raising this issue. We'll fix it ASAP (in Microsoft.Identity.Web).
Meanwhile there is a workaround, which is to call .AddMicrosoftWebAppCallsWebApi(Configuration, "AzureAdB2C") after .AddMicrosoftWebApp

(or, if you are using 0.3.0-preview, .AddMicrosoftWebAppCallsWebApi(Configuration, "AzureAdB2C") after .AddMicrosoftWebApp):

            services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
                    .AddMicrosoftIdentityWebApp(Configuration, "AzureAdB2C")
                        .EnableTokenAcquisitionToCallDownstreamApi(initialScopes: new string[] { Configuration["TodoList:TodoListScope"] })
                        .AddInMemoryTokenCaches();

@manoj1201
Author

Hello @pmaytak

As suggested, I changed the NuGet packages "Microsoft.Identity.Web.UI" & "Microsoft.Identity.Web" to 0.3.0-preview.

It asked me to change the obsolete function in the Startup.cs file. I changed the line services.AddMicrosoftWebAppAuthentication(Configuration, "AzureAdB2C")
to services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAdB2C");

When I ran the solution I got the same issue. Below is the error for your reference:

    fail: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[52]
    Message contains error: 'invalid_grant', error_description: 'AADB2C90088: The provided grant has not been issued for this endpoint. Actual Value : B2C_1_SignUpIn and Expected Value : B2C_1_ProfileEdit
    Correlation ID: dca50c3f-154c-4508-b7ea-7901d9cda75f
    Timestamp: 2020-08-27 11:45:12Z
    ', error_uri: 'error_uri is null', status code '400'.
    fail: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[17]
    Exception occurred while processing message.
    Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_grant', error_description: 'AADB2C90088: The provided grant has not been issued for this endpoint. Actual Value : B2C_1_SignUpIn and Expected Value : B2C_1_ProfileEdit
    Correlation ID: dca50c3f-154c-4508-b7ea-7901d9cda75f
    Timestamp: 2020-08-27 11:45:12Z
    ', error_uri: 'error_uri is null'.
    at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
    at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()

Hello @jmprieur
As you mentioned, your suggestion holds good for a web app with a web API, but I am using a web app only.

@jmprieur
Contributor

@manoj1201, it's a workaround. We are going to fix this ASAP.

Meanwhile, if you don't want to use that workaround, you could try the following workaround, which should work.

           services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
                    .AddMicrosoftIdentityWebApp(Configuration, "AzureAdB2C");

            services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
            {
                var previousOptions = options.Events.OnRedirectToIdentityProvider;
                options.Events.OnRedirectToIdentityProvider = async context =>
                {
                    await previousOptions(context);
                    context.ProtocolMessage.ResponseType = Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectResponseType.IdToken;
                };
            });
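
An added example, not code from this issue, from the 1-5-B2C sample or from Microsoft.Identity.Web: it turns jmprieur's analysis and suggested fix above into an application-side Startup, choosing the response type from whether the app actually holds a client credential (ClientSecret or ClientCertificates) instead of hard-coding the IdToken override of the workaround. Assumptions (not stated on the page): the 0.3.x-preview API surface (AddMicrosoftIdentityWebApp, MicrosoftIdentityOptions bound unnamed from the "AzureAdB2C" section), that the library's own OnRedirectToIdentityProvider handler is already registered when ours wraps it, and the helper name ChooseResponseType, which is introduced here.

```csharp
// Added example (not the issue's, the sample's or Microsoft.Identity.Web's code).
// Assumes Microsoft.Identity.Web 0.3.x-preview, an "AzureAdB2C" appsettings section,
// and that MicrosoftIdentityOptions is bound unnamed from that section.
using System.Linq;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    // The rule suggested in this thread, as a pure function (hypothetical helper):
    // only an app that can redeem a code (has a secret or a certificate) asks for one.
    public static string ChooseResponseType(MicrosoftIdentityOptions identity)
    {
        bool hasSecret = !string.IsNullOrEmpty(identity.ClientSecret);
        bool hasCert = identity.ClientCertificates != null && identity.ClientCertificates.Any();
        return (hasSecret || hasCert)
            ? OpenIdConnectResponseType.CodeIdToken   // "code id_token": app will redeem the code
            : OpenIdConnectResponseType.IdToken;      // "id_token": sign-in only, nothing to redeem
    }

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            options.HandleSameSiteCookieCompatibility();
        });

        // Sign-in only: no EnableTokenAcquisitionToCallDownstreamApi, no token cache.
        services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApp(Configuration, "AzureAdB2C");

        services.AddControllersWithViews().AddMicrosoftIdentityUI();
        services.AddRazorPages();

        // Registered after AddMicrosoftIdentityWebApp, so the library's B2C event handler
        // (which rewrites the authorize endpoint to the requested user flow, e.g.
        // B2C_1_ProfileEdit, and sets ResponseType = CodeIdToken) is already in place.
        services.AddOptions<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme)
            .Configure<IOptions<MicrosoftIdentityOptions>>((options, identityOptions) =>
            {
                var previous = options.Events.OnRedirectToIdentityProvider;
                options.Events.OnRedirectToIdentityProvider = async context =>
                {
                    if (previous != null)
                    {
                        await previous(context);
                    }
                    // Override only the response type; keep the policy-specific endpoint.
                    context.ProtocolMessage.ResponseType = ChooseResponseType(identityOptions.Value);
                };
            });
    }
}
```

Check: with no ClientSecret and no ClientCertificates configured, the authorize request sent to the B2C_1_ProfileEdit endpoint carries response_type=id_token, so OpenIdConnectHandler never enters RedeemAuthorizationCodeAsync and the AADB2C90088 mismatch (code issued by one user flow, redeemed at the default flow's token endpoint) cannot occur. Caveat: a sign-in-only app that nonetheless has a ClientSecret in its configuration gets a code again under this rule; either drop the secret (a web app that calls no API needs no credential) or keep the explicit IdToken override from the workaround above.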

@manoj1201
Author

Thanks @jmprieur for your quick response. It's really appreciated.
As suggested, I added the code snippet shared above to the ConfigureServices function in the Startup.cs file. It works like a charm.

Modified function

    // Startup.cs: ConfigureServices with the workaround applied
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            options.HandleSameSiteCookieCompatibility();
        });

        services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAdB2C");
        services.AddControllersWithViews().AddMicrosoftIdentityUI();
        services.AddRazorPages();

        // Configuring appsettings section AzureAdB2C into IOptions
        services.AddOptions();
        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            // Wrap the library's handler, then request only an id_token so no code is redeemed
            var previousOptions = options.Events.OnRedirectToIdentityProvider;
            options.Events.OnRedirectToIdentityProvider = async context =>
            {
                await previousOptions(context);
                context.ProtocolMessage.ResponseType = Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectResponseType.IdToken;
            };
        });
    }

Looking for permanent fix for this issue.

@jennyf19
Contributor

@manoj1201 the fix has been merged into master. We'll let you know when we can get out a release. Thanks for letting us know about the issue so quickly.

jennyf19 added the Fixed label on Aug 27, 2020
@jennyf19
Contributor

Included in the 0.3.1-preview release. Thanks again @manoj1201
