[Bug] Error when attempting to use PCKE #589

Closed
1 of 8 tasks
calbert82uhah opened this issue Sep 17, 2020 · 5 comments
Assignees: jmprieur
Labels: duplicate (This issue or pull request already exists), enhancement (New feature or request), fixed
Milestone: GA version

Comments
calbert82uhah commented Sep 17, 2020

Which version of Microsoft Identity Web are you using?
0.4.0-preview

Where is the issue?

  • Web app
    • Sign-in users
    • Sign-in users and call web APIs
  • Web API
    • Protected web APIs (validating tokens)
    • Protected web APIs (validating scopes)
    • Protected web APIs call downstream web APIs
  • Token cache serialization
    • In-memory caches
    • Session caches
    • Distributed caches
  • Other (please describe)

Is this a new or an existing app?
a. The app is in production and I have upgraded to a new version of Microsoft Identity Web.

Repro

        using Microsoft.AspNetCore.Authentication.OpenIdConnect;
        using Microsoft.AspNetCore.Authorization;
        using Microsoft.AspNetCore.Mvc.Authorization;
        using Microsoft.Extensions.DependencyInjection;
        using Microsoft.Identity.Web;
        using Microsoft.IdentityModel.Protocols.OpenIdConnect;

        public void ConfigureServices(IServiceCollection services)
        {
            // Confidential web app: sign in users and acquire tokens to call Microsoft Graph.
            services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
                .EnableTokenAcquisitionToCallDownstreamApi()
                .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
                .AddInMemoryTokenCaches();

            // Ask for a plain authorization code flow with PKCE, as the app did
            // with Microsoft.AspNetCore.Authentication.AzureAD.UI.
            services.Configure<MicrosoftIdentityOptions>(options =>
            {
                options.AuthenticationMethod = OpenIdConnectRedirectBehavior.RedirectGet;
                options.UsePkce = true;
                options.ResponseType = OpenIdConnectResponseType.Code;
            });

            services.AddMvc();

            // Require an authenticated user on every controller by default.
            services.AddControllersWithViews(options =>
            {
                var policy = new AuthorizationPolicyBuilder()
                    .RequireAuthenticatedUser()
                    .Build();
                options.Filters.Add(new AuthorizeFilter(policy));
            });
        }

Expected behavior
I try to upgrade from Microsoft.AspNetCore.Authentication.AzureAd.UI to Microsoft.Identity.Web.
I reuse the app registration, which works fine with an Authorization Code Flow.
I expect that the app successfully logs in the user using Auth Code Flow.

Actual behavior
When trying to log in, I get the following error:

OpenIdConnectProtocolException: Message contains error: 'unsupported_response_type', error_description: 'AADSTS700054: response_type 'id_token' is not enabled for the application.

I don't really understand the error message. Is it trying to perform an implicit flow?

With the older package, the initial redirect to https://login.microsoftonline.com contains the query &response_type=code; with Microsoft.Identity.Web it contains response_type=code%20id_token; why is it doing that?

jmprieur added the labels answered, duplicate (This issue or pull request already exists) and question (Further information is requested) on Sep 17, 2020

jmprieur (Collaborator) commented:

@calbert82uhah: MSAL.NET does not support PKCE in confidential client applications yet (as CCAs already share a secret with Azure AD, the AuthCode flow in a confidential client is already very secure).
We have a feature request, though, to have Microsoft.Identity.Web and MSAL.NET support it in the future: #470

ASP.NET Core does not try to do an implicit flow (we don't request you to check the Implicit Access token in the portal). The ID Token is required by MSAL.NET for the token cache.
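The response_type question asked above, and the PKCE parameters referred to in this reply, as an added example that is not code from Microsoft.Identity.Web, MSAL.NET or either participant: the script builds the two authorization requests the thread compares (the `code id_token` request that 0.4.0-preview sent, and a plain `code` request), audits what each asks the authorization endpoint to return, and computes and verifies an RFC 7636 S256 code challenge so the PKCE parameters are concrete. The endpoint path, client_id, redirect URI, state and nonce values are placeholders; PKCE is shown on the `code` request only to illustrate the parameters, not as what either package sent.

```python
"""Authorization-request audit plus PKCE S256 computation (RFC 7636).

Example code added for this page; not part of Microsoft.Identity.Web or
MSAL.NET.  Endpoint path, client_id and redirect_uri are placeholders.
"""
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed: the v2.0 'common' endpoint; a real app uses its own authority.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.

    RFC 7636: the verifier is 43..128 unreserved characters; the challenge is
    BASE64URL(SHA-256(ASCII(verifier))) with the '=' padding removed.
    """
    if verifier is None:
        # 32 random bytes -> 43 base64url characters, the minimum length allowed.
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs when the code is redeemed."""
    _, expected = make_pkce_pair(verifier)
    return secrets.compare_digest(expected, challenge)


def build_authorize_url(client_id: str, redirect_uri: str, response_type: str,
                        state: str, nonce: str, code_challenge: Optional[str] = None) -> str:
    """Build the first redirect of the OpenID Connect code (or hybrid) flow."""
    params = {
        "client_id": client_id,
        "response_type": response_type,
        "redirect_uri": redirect_uri,
        "scope": "openid profile offline_access",
        "state": state,
        "nonce": nonce,
    }
    if code_challenge is not None:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def audit_authorize_request(url: str) -> Dict[str, object]:
    """Read back an authorization request the way the thread does.

    A response_type containing 'id_token' asks the authorization endpoint itself
    to issue an ID token (hybrid flow); with Azure AD that only works when the
    'ID tokens' implicit-grant setting is enabled on the app registration, which
    is the AADSTS700054 error in the issue.  A bare 'code' needs no such
    setting: the ID token then comes from the token endpoint.
    """
    query = parse_qs(urlsplit(url).query)
    response_types = set(query.get("response_type", [""])[0].split())
    return {
        "response_type": sorted(response_types),
        "id_token_from_authorize_endpoint": "id_token" in response_types,
        "access_token_from_authorize_endpoint": "token" in response_types,
        "needs_id_token_implicit_grant_enabled": "id_token" in response_types,
        "pkce": "code_challenge" in query,
        "pkce_method": query.get("code_challenge_method", [None])[0],
        "has_state": bool(query.get("state", [""])[0]),
        "has_nonce": bool(query.get("nonce", [""])[0]),
    }


if __name__ == "__main__":
    client_id = "00000000-0000-0000-0000-000000000000"  # placeholder app id
    redirect_uri = "https://localhost:5001/signin-oidc"  # placeholder
    verifier, challenge = make_pkce_pair()
    # The request Microsoft.Identity.Web 0.4.0-preview sent (response_type=code id_token) ...
    hybrid = build_authorize_url(client_id, redirect_uri, "code id_token", state="s1", nonce="n1")
    # ... and a plain code flow, here with the PKCE parameters attached.
    code_only = build_authorize_url(client_id, redirect_uri, "code", state="s1", nonce="n1",
                                    code_challenge=challenge)
    for url in (hybrid, code_only):
        print(audit_authorize_request(url))
    print("pkce verifies:", verify_pkce(verifier, challenge))
```

Running it prints an audit dict for each request: the hybrid one flags `needs_id_token_implicit_grant_enabled`, the plain `code` one does not. The S256 pair is checked against the RFC 7636 Appendix B test vector in the accompanying test.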

jmprieur changed the title from "[Bug]" to "[Bug] Error when attempting to use PCKE" on Sep 17, 2020

jmprieur (Collaborator) commented:

@calbert82uhah we've prepared a branch which we think solves this issue:
https://github.com/AzureAD/microsoft-identity-web/tree/jmprieur/investigationNoIdToken

Could you please test it?

calbert82uhah (Author) commented:

@jmprieur Yes, with this branch the response_type has changed to code, and I can log in a user!

jmprieur (Collaborator) commented:

Thanks for confirming @calbert82uhah

jmprieur modified the milestones: 0.4.1-preview, GA version on Sep 18, 2020
jmprieur added the labels enhancement (New feature or request) and fixed, and removed answered and question (Further information is requested), on Sep 18, 2020

jmprieur (Collaborator) commented:

@calbert82uhah, the fix is available in Microsoft.Identity.Web 1.0.0

jmprieur self-assigned this on Sep 30, 2020