TokenCache doesn't work with B2C authorities after migrating to MSAL 2.0.0-preview #604
Comments
As far as I know, the migration path is from ADAL 3.* to MSAL 2 or from ADAL 4.* to MSAL 2, not from MSAL 1.* to MSAL 2. @jmprieur to confirm |
Yes, the MSAL 1.x cache is not compatible (this was not a promise: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet#important-note-about-the-msal-preview). The ADAL 3.x and ADAL 4.x caches are compatible with MSAL 2.x with a bit of work (see https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/msal-net-2-released#you-can-enable-sso-between-adalnet-3x-applications-adalnet-4x-applications-and-msal-on-the-same-platform). But here @daniel-np do I understand correctly that even after you signed in users, the cache is empty? |
Also @daniel-np : do you have a sample where we could repro the issue? |
@jmprieur: how can I see that the cache is empty? I'm using the Azure B2C service and MSAL on my client. So I don't think I use ADAL at all. |
@daniel-np : I realize you are using MSAL and not ADAL (I was giving you the information about the cache migration, but indeed, for B2C, this is not relevant). Since, from what I understand, you can customize which claims need to appear in the B2C token, I suspect that the token received from B2C is missing claims that the token cache is looking for. Adding @henrik-me @SomkaPe @jennyf19 who might know a bit more. Can you please tell me which claims are in your token? (for instance by copying the access token to https://jwt.ms) |
I'm currently preparing a sample application. Is it possible for you to use your own azure b2c credentials or do I need to share my credentials with you? The AccessToken looks like this (personal data replaced with '') EDITS:
|
@jmprieur @daniel-np : You will likely benefit from looking at the log. There are 2 claims required to be able to cache; those are unfortunately not part of the default B2C setup. @parakhj was on point to help ensure this happened. The log will tell you which two claims need to be there. |
@daniel-np : I was able to repro it. (in other B2C tenants as well)
Also the claims included in the idToken are different than the claims included in the AAD idToken, and I believe some of them are needed for indexing the cache. We are working on a solution; meanwhile, I'd advise you to keep using MSAL 1.1.4-preview. We'll update you in this GitHub issue. Thanks again for reporting and sharing your repros. |
@daniel-np : we are working with the B2C team to get this addressed. The workaround for now is to set up the claim mapping. @trwalke will keep this thread updated on our progress. |
Added it to the MSALNET 2.0.0-preview known issues. The explanation and the workaround are available in https://aka.ms/msal-net-token-cache-index-keys. This was also raised as a sample issue in active-directory-xamarin-native-v2 issue #38 |
We have implemented a fix for this issue and we are planning to release within the next week or so |
@trwalke That would be perfect! Could you please update the sample code as well? It would help a lot. |
@TuroczyX Will do. In the meantime, we have released a hotfix for this: https://www.nuget.org/packages/Microsoft.Identity.Client/2.0.1-preview |
I made the following steps for migration from v1.1.4 to 2.0.0:

App.Services.UiParent = new UIParent(this, true);

IUser to IAccount

AuthenticationResult = await PCA.AcquireTokenSilentAsync(Scopes, GetUserByPolicy(PCA.Users, PolicySignUpSignIn), Authority, false);
to
var accounts = await PCA.GetAccountsAsync();
AuthenticationResult = await PCA.AcquireTokenSilentAsync(scopes, accounts.FirstOrDefault());

AuthenticationResult = await PCA.AcquireTokenAsync(Scopes, GetUserByPolicy(PCA.Users, PolicySignUpSignIn), App.Services.UiParent);
to
AuthenticationResult = await PCA.AcquireTokenAsync(scopes, App.Services.UiParent);

The TokenCache is not given in my PCA constructor:
PCA = new PublicClientApplication(ClientId, Authority) { RedirectUri = $"msal{ClientId}://auth" };

Used platform and libraries:
I tried Android (6.0) and UWP; both need an explicit login action to get an AuthenticationResult. PCA.GetAccountsAsync() always returns an empty list, so in my view it seems to be an error with the TokenCache. Do I need to delete the old v1.x cache in some way? Can you reproduce the error?
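As an added example (not code from the issue author or from the MSAL.NET project), the migration steps above and henrik-me's advice to read the MSAL log can be combined into one diagnostic: run the MSAL 2.x silent-then-interactive flow, switch on the library's own log so the cache reports which claims it could not find, confirm afterwards whether GetAccountsAsync() is still empty, and decode the ID token locally to list the claims it actually carries. The client id, authority, scopes and claim names are placeholders; the Logger API is the static Microsoft.Identity.Client.Logger as it existed in MSAL.NET 2.x preview, and the required claim names are deliberately not hard-coded because the thread says the log is what names them.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Placeholder values (assumptions, not taken from the issue).
public static class B2CTokenCacheCheck
{
    const string ClientId = "<your-b2c-client-id>";
    const string Authority =
        "https://login.microsoftonline.com/tfp/<your-tenant>.onmicrosoft.com/<your-signup-signin-policy>";
    static readonly string[] Scopes = { "https://<your-tenant>.onmicrosoft.com/<api>/read" };

    // Same construction as in the issue: default (in-memory/platform) token cache, no custom cache.
    static readonly PublicClientApplication PCA =
        new PublicClientApplication(ClientId, Authority) { RedirectUri = $"msal{ClientId}://auth" };

    // 1. Route MSAL's verbose log to a sink of your choice. The cache writes a message there
    //    when the ID token lacks a claim it needs as an index key. PII logging stays off.
    public static void EnableMsalLogging(Action<string> sink)
    {
        Logger.Level = LogLevel.Verbose;
        Logger.PiiLoggingEnabled = false;
        Logger.LogCallback = (level, message, containsPii) => sink($"[{level}] {message}");
    }

    // 2. MSAL 2.x flow: try the cached IAccount silently first, fall back to an
    //    interactive sign-in only when MSAL says the user must be prompted.
    public static async Task<AuthenticationResult> SignInAsync(UIParent uiParent)
    {
        IAccount account = (await PCA.GetAccountsAsync()).FirstOrDefault();
        if (account != null)
        {
            try
            {
                return await PCA.AcquireTokenSilentAsync(Scopes, account);
            }
            catch (MsalUiRequiredException)
            {
                // Cached entry missing or unusable; fall through to the interactive call.
            }
        }
        return await PCA.AcquireTokenAsync(Scopes, uiParent);
    }

    // 3. The symptom from the issue: after a successful interactive call the cache
    //    should contain at least one account. False here means the result was not cached.
    public static async Task<bool> CacheHasAccountAsync()
    {
        return (await PCA.GetAccountsAsync()).Any();
    }

    // 4. Decode the JWS payload of a token you already hold. This is local inspection only,
    //    the same thing https://jwt.ms does; it performs no signature validation.
    public static string DecodeJwtPayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length < 2) throw new ArgumentException("not a compact JWS token");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
        }
        return Encoding.UTF8.GetString(Convert.FromBase64String(b64));
    }

    // 5. Which of the claim names the MSAL log asked for are absent from the ID token.
    //    Matches "<name>" followed by ':' so a claim *value* containing the name does not count.
    public static IList<string> MissingClaims(string idToken, IEnumerable<string> requiredClaims)
    {
        string payload = DecodeJwtPayload(idToken);
        return requiredClaims
            .Where(c => !Regex.IsMatch(payload, "\"" + Regex.Escape(c) + "\"\\s*:"))
            .ToList();
    }

    // Usage sketch (platform-specific: uiParent comes from the Android Activity / UWP page).
    public static async Task RunAsync(UIParent uiParent, IEnumerable<string> claimsNamedByLog)
    {
        var log = new List<string>();
        EnableMsalLogging(log.Add);
        AuthenticationResult result = await SignInAsync(uiParent);
        bool cached = await CacheHasAccountAsync();
        IList<string> missing = MissingClaims(result.IdToken, claimsNamedByLog);
        Console.WriteLine($"cached={cached}; missing claims: {string.Join(", ", missing)}");
        foreach (string line in log.Where(l => l.Contains("cache"))) Console.WriteLine(line);
    }
}
```

If CacheHasAccountAsync() returns false right after a successful interactive AcquireTokenAsync, and MissingClaims() lists the claims the log complained about, the B2C user flow is not emitting the claims the cache indexes on, which is the claim-mapping workaround described in the thread rather than a stale v1.x cache.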