
[Bug] [B2C] Azure AD B2C returns a 400 invalid_grant, The provided JWE is not a valid 5 segment token #2515

Closed
samguisson opened this issue Mar 30, 2021 · 7 comments · Fixed by #2780
Assignees
Labels
B2C ICM This issue has a corresponding ICM, either for our team or another.
Milestone

Comments

@samguisson

Version
4.28.1

Platform
.NET Framework 4.7.2

Error
Info (False) MSAL 4.28.1.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [03/30/2021 08:12:46 - ] Response status code does not indicate success: 400 (BadRequest).
Warning (False) MSAL 4.28.1.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [03/30/2021 08:12:46 - ] Request retry failed.
Info (False) MSAL 4.28.1.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [03/30/2021 08:12:46 - ] HttpStatusCode: 400: BadRequest
Error (False) MSAL 4.28.1.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [03/30/2021 08:12:46 - ] Exception type: Microsoft.Identity.Client.MsalUiRequiredException
, ErrorCode: invalid_grant
HTTP StatusCode 400

What authentication flow has the issue?

  • Desktop
    Device code flow (browserless)

Repro

  • Use Azure AD as a custom identity provider for the B2C AD
  • The custom identity provider has a https://xxxx.onmicrosoft.com/xxxx/user_impersonation scope
  • Register App As Mobile and desktop applications
  • Create UserFlow SignUp SignIn with Application claim Identity Provider Access Token (select the identity provider)

Expected behavior
Should return Token with a claim that contains the token of the connected identity provider

Actual behavior
Azure AD B2C throws a 400 Bad Request

Additional Info
We currently have 2 Angular applications that successfully implement this flow without any issue.
Our WPF desktop app is the one giving the problems and we do need the Identity provider access token.
If I don't ask for this claim it works but not asking for this claim is not an option.

@samguisson
Author

Upon investigation it seems when calling https://xxxxx.b2clogin.com/tfp/xxxxx.onmicrosoft.com/b2c_1_test2/oauth2/v2.0/token
the code it uses is incomplete. Somehow a part of it is missing. Maybe it's a parsing issue when you ask for Identity provider access token.

I tried manually posting with Postman to this URL with the complete code. Then I do successfully get my token with the idp_access_token.
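
The error in the title ("not a valid 5 segment token") is the server-side view of what the comment above describes: the authorization code B2C issues is an encrypted JWE in compact serialization, which has exactly five dot-separated segments (header.encrypted_key.iv.ciphertext.tag), whereas a signed JWS has three. Before reposting a code by hand, it is worth confirming on the client side that the value being sent is structurally whole. The following is an added example, not MSAL or B2C code; the sample tokens are constructed from fixed placeholder bytes and carry no real keys, ciphertext or signatures.

```python
import base64
import json

# Added example, not MSAL or Azure AD B2C code. The sample tokens below are
# constructed from placeholder bytes, not real cryptographic material.


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JOSE compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding that JOSE strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def compact_serialize(header: dict, *parts: bytes) -> str:
    """Join a JOSE header and binary parts into header.part1.part2... form."""
    encoded_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    return ".".join([encoded_header] + [b64url_encode(p) for p in parts])


def inspect_jose(token: str) -> dict:
    """Classify a compact JOSE token and report structural problems.

    A JWS has 3 segments (header.payload.signature); a JWE has 5
    (header.encrypted_key.iv.ciphertext.tag). The protected header says
    which one the issuer intended ("enc" appears only in JWE headers), so a
    segment count that disagrees with the header means the token was cut
    or mangled somewhere between issuer and consumer.
    """
    segments = token.split(".")
    info = {"segments": len(segments), "kind": "unknown", "header": None, "problem": None}
    try:
        header = json.loads(b64url_decode(segments[0]))
    except ValueError as exc:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        info["problem"] = f"protected header is not base64url JSON: {exc}"
        return info
    info["header"] = header
    if "enc" in header:
        info["kind"], expected = "JWE", 5
    elif "alg" in header:
        info["kind"], expected = "JWS", 3
    else:
        info["problem"] = "protected header carries neither alg nor enc"
        return info
    if "" in segments:
        info["problem"] = "empty segment"
    elif len(segments) != expected:
        info["problem"] = (f"{info['kind']} needs {expected} segments, got {len(segments)}: "
                           "token was probably truncated or split in transit")
    return info


def looks_truncated(token: str) -> bool:
    """True when the token is not a structurally complete JWS or JWE."""
    return inspect_jose(token)["problem"] is not None


# Constructed samples (placeholder bytes, not real signatures or ciphertext).
SAMPLE_JWS = compact_serialize(
    {"alg": "RS256", "typ": "JWT"},
    b'{"sub":"user@example.com"}',
    b"signature-placeholder",
)
SAMPLE_JWE = compact_serialize(
    {"alg": "RSA-OAEP", "enc": "A256GCM", "typ": "JWE"},
    b"encrypted-key-placeholder",
    b"iv-placeholder",
    b"ciphertext-placeholder",
    b"tag-placeholder",
)
# Simulates what the token endpoint effectively received in this issue: a JWE
# with its trailing part missing, so it no longer has 5 segments.
TRUNCATED_JWE = SAMPLE_JWE.rsplit(".", 1)[0]


if __name__ == "__main__":
    for name, tok in [("JWS", SAMPLE_JWS), ("JWE", SAMPLE_JWE), ("cut JWE", TRUNCATED_JWE)]:
        print(name, inspect_jose(tok))
```

Run `inspect_jose` on the exact string the client puts in the `code` parameter (from an HTTP trace or MSAL's logs) and compare with the value copied from the authorize response: if the header still decodes and names an `enc` but the segment count is below five, the code was cut on the client path, which matches the observation that the same code posted whole from Postman is accepted. The check cannot tell you where in the chain the truncation happened, only that it did.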

@bgavrilMS
Member

bgavrilMS commented Apr 13, 2021

@jmprieur @jennyf19 - could we ask our CXP friends for help with this? It seems to me that the setup is fairly complex.

@jmprieur
Contributor

jmprieur commented Apr 13, 2021

@bgavrilMS: to add JWE, we can just follow https://github.com/AzureAD/microsoft-identity-web/wiki/Token-Decryption
A good candidate would be the following application: https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/Credentials/appId/85a95696-526e-4769-8c1e-f4cbb1c23b00/isMSAApp/

  • Tenant ID: 775527ff-9a37-4307-8b3d-cc311f58d925
  • App ID: 775527ff-9a37-4307-8b3d-cc311f58d925

@jennyf19
Collaborator

@samguisson we have a team with a similar issue that went through support and opened an ICM, are you from that team?

@samguisson
Author

@jennyf19 Yes, that's possible. There should be a link somewhere to this issue page in the mail.

@jennyf19
Collaborator

@samguisson thanks for confirming. I believe the B2C CxP team is working with your team now. I'll mark this as external for now, and we'll engage if we are needed. Thank you.

@pmaytak
Contributor

pmaytak commented Jul 13, 2021

Hi @samguisson
Please see my investigation in #2743 (comment)
Could you try some of these workarounds?

5 participants