diff --git a/src/Microsoft.Identity.Web/AzureADB2COpenIDConnectEventHandlers.cs b/src/Microsoft.Identity.Web/AzureADB2COpenIDConnectEventHandlers.cs
index a48f5b7c1..fba3913cb 100644
--- a/src/Microsoft.Identity.Web/AzureADB2COpenIDConnectEventHandlers.cs
+++ b/src/Microsoft.Identity.Web/AzureADB2COpenIDConnectEventHandlers.cs
@@ -32,9 +32,17 @@ public Task OnRedirectToIdentityProvider(RedirectContext context)
!string.IsNullOrEmpty(userFlow) &&
!string.Equals(userFlow, defaultUserFlow, StringComparison.OrdinalIgnoreCase))
{
- context.ProtocolMessage.ResponseType = OpenIdConnectResponseType.CodeIdToken;
context.ProtocolMessage.IssuerAddress = BuildIssuerAddress(context, defaultUserFlow, userFlow);
context.Properties.Items.Remove(OidcConstants.PolicyKey);
+
+ if (!Options.HasClientCredentials)
+ {
+ context.ProtocolMessage.ResponseType = OpenIdConnectResponseType.IdToken;
+ }
+ else
+ {
+ context.ProtocolMessage.ResponseType = OpenIdConnectResponseType.CodeIdToken;
+ }
}
return Task.CompletedTask;
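Review bot: The new if/else that sets ResponseType is a two-way mapping and reads more directly as one conditional assignment with a why-comment, since the reason for the `IdToken` fallback is not stated anywhere in the hunk: `// Without a client secret or certificate the app cannot redeem an authorization code, so request only an id_token (implicit flow).` followed by `context.ProtocolMessage.ResponseType = Options.HasClientCredentials ? OpenIdConnectResponseType.CodeIdToken : OpenIdConnectResponseType.IdToken;`. Note that in the `IdToken` branch no authorization code is returned, so any later attempt in this scheme to acquire tokens for a downstream API on a custom user flow would presumably fail rather than being rejected at configuration time; worth confirming that silent downgrade is intended, or logging it. OnRedirectToIdentityProvider starts before this hunk and its closing brace is after it.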
diff --git a/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml b/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml
index 124b4c30e..0b11bfad0 100644
--- a/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml
+++ b/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml
@@ -1105,6 +1105,12 @@
Is considered B2C if the attribute SignUpSignInPolicyId is defined.
+
+
+ Is considered to have client credentials if the attribute ClientCertificates
+ or ClientSecret is defined.
+
+
Description of the certificates used to prove the identity of the Web app or Web API.
diff --git a/src/Microsoft.Identity.Web/MicrosoftIdentityOptions.cs b/src/Microsoft.Identity.Web/MicrosoftIdentityOptions.cs
index 8ebe49227..5731c6fd1 100644
--- a/src/Microsoft.Identity.Web/MicrosoftIdentityOptions.cs
+++ b/src/Microsoft.Identity.Web/MicrosoftIdentityOptions.cs
@@ -2,6 +2,7 @@
// Licensed under the MIT License.
using System.Collections.Generic;
+using System.Linq;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
@@ -56,6 +57,15 @@ internal bool IsB2C
get => !string.IsNullOrWhiteSpace(DefaultUserFlow);
}
+ ///
+ /// Is considered to have client credentials if the attribute ClientCertificates
+ /// or ClientSecret is defined.
+ ///
+ internal bool HasClientCredentials
+ {
+ get => !string.IsNullOrWhiteSpace(ClientSecret) || (ClientCertificates != null && ClientCertificates.Any());
+ }
+
///
/// Description of the certificates used to prove the identity of the Web app or Web API.
/// For the moment only the first certificate is considered.
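Review bot: The getter's `ClientCertificates != null && ClientCertificates.Any()` can be written with the null-conditional form the language provides, `get => !string.IsNullOrWhiteSpace(ClientSecret) || ClientCertificates?.Any() == true;`, keeping it on one line like the sibling IsB2C getter above it. Also, `Any()` only tests that the collection is non-empty, so a collection holding a null or otherwise unusable entry would still report credentials and the hybrid flow would be requested, with the failure surfacing only at code redemption; whether that can happen depends on how ClientCertificates is populated, which is outside this hunk. If that case is possible, the doc comment should say "non-empty" rather than "defined" so callers know the check is shallow.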
diff --git a/tests/Microsoft.Identity.Web.Test.Common/TestConstants.cs b/tests/Microsoft.Identity.Web.Test.Common/TestConstants.cs
index e75fb3015..7fd77bafd 100644
--- a/tests/Microsoft.Identity.Web.Test.Common/TestConstants.cs
+++ b/tests/Microsoft.Identity.Web.Test.Common/TestConstants.cs
@@ -56,6 +56,7 @@ public static class TestConstants
public const string B2CInstance = "https://fabrikamb2c.b2clogin.com";
public const string B2CInstance2 = "https://catb2c.b2clogin.com";
public const string B2CCustomDomainInstance = "https://catsAreAmazing.com";
+ public const string ClientSecret = "catsarecool";
public const string B2CAuthority = B2CInstance + "/" + B2CTenant + "/" + B2CSignUpSignInUserFlow;
public const string B2CAuthorityWithV2 = B2CAuthority + "/v2.0";
diff --git a/tests/Microsoft.Identity.Web.Test/AzureADB2COpenIDConnectEventHandlersTests.cs b/tests/Microsoft.Identity.Web.Test/AzureADB2COpenIDConnectEventHandlersTests.cs
index 6745ee1a6..8927f0eac 100644
--- a/tests/Microsoft.Identity.Web.Test/AzureADB2COpenIDConnectEventHandlersTests.cs
+++ b/tests/Microsoft.Identity.Web.Test/AzureADB2COpenIDConnectEventHandlersTests.cs
@@ -26,10 +26,17 @@ public AzureADB2COpenIDConnectEventHandlersTests()
_authScheme = new AuthenticationScheme(OpenIdConnectDefaults.AuthenticationScheme, OpenIdConnectDefaults.AuthenticationScheme, typeof(OpenIdConnectHandler));
}
- [Fact]
- public async void OnRedirectToIdentityProvider_CustomUserFlow_UpdatesContext()
+ [Theory]
+ [InlineData(true)]
+ [InlineData(false)]
+ public async void OnRedirectToIdentityProvider_CustomUserFlow_UpdatesContext(bool hasClientCredentials)
{
var options = new MicrosoftIdentityOptions() { SignUpSignInPolicyId = DefaultUserFlow };
+ if (hasClientCredentials)
+ {
+ options.ClientSecret = TestConstants.ClientSecret;
+ }
+
var handler = new AzureADB2COpenIDConnectEventHandlers(OpenIdConnectDefaults.AuthenticationScheme, options);
var httpContext = HttpContextUtilities.CreateHttpContext();
var authProperties = new AuthenticationProperties();
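Review bot: The rewritten test method keeps `async void` in `public async void OnRedirectToIdentityProvider_CustomUserFlow_UpdatesContext(bool hasClientCredentials)`; async void tests depend on the test framework's special synchronization-context handling and are flagged by the xUnit analyzers, so the signature should return a task: `public async Task OnRedirectToIdentityProvider_CustomUserFlow_UpdatesContext(bool hasClientCredentials)`. That needs `System.Threading.Tasks` in scope; the file's using block is outside this hunk, so I cannot tell whether it is already imported. The method body continues past the end of the hunk.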
@@ -46,9 +53,16 @@ public async void OnRedirectToIdentityProvider_CustomUserFlow_UpdatesContext()
await handler.OnRedirectToIdentityProvider(context).ConfigureAwait(false);
Assert.Equal(TestConstants.Scopes, context.ProtocolMessage.Scope);
- Assert.Equal(OpenIdConnectResponseType.CodeIdToken, context.ProtocolMessage.ResponseType);
Assert.Equal(_customIssuer, context.ProtocolMessage.IssuerAddress, true);
Assert.False(context.Properties.Items.ContainsKey(OidcConstants.PolicyKey));
+ if (hasClientCredentials)
+ {
+ Assert.Equal(OpenIdConnectResponseType.CodeIdToken, context.ProtocolMessage.ResponseType);
+ }
+ else
+ {
+ Assert.Equal(OpenIdConnectResponseType.IdToken, context.ProtocolMessage.ResponseType);
+ }
}
[Fact]
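Review bot: The new if/else around the two `Assert.Equal` calls on ResponseType duplicates the assertion and hides which branch ran from the failure message; computing the expectation once gives a single assertion whose output shows both values: `var expectedResponseType = hasClientCredentials ? OpenIdConnectResponseType.CodeIdToken : OpenIdConnectResponseType.IdToken;` then `Assert.Equal(expectedResponseType, context.ProtocolMessage.ResponseType);`. This would also mirror the conditional in the handler under test rather than restating it as a branch. The method's setup is in the preceding hunk, so the enclosing test method starts outside this one.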