Some questions about using msal@2.x with SPA and B2C - acquireTokenSilent cache and refresh_token #1932
Comments
@Ikaer Thanks for bringing this to our attention. We will look into it and follow up. |
@PraveenVerma17 same problem for me if I remove offline_access. Without offline_access on login: But even with that, the cache issue prevents msal from sending the refresh_token to the token endpoint. I may be wrong, but I think msal@2.x, which uses the authorization code flow by default, needs this refresh_token |
@Ikaer To answer your questions:
The fix mentioned above will be available in the upcoming GA release of the library. Once that has been released please give it a try and open a new issue if you are still seeing problems. |
@tnorling thanks for your answers and PRs.
Should I add Can you confirm for me that the normal flow should be:
|
@Ikaer You can actually directly request your API scopes in the login call. Unfortunately I don't believe,

```javascript
const request = {
  scopes: ["https://xx.onmicrosoft.com/xx/read", "https://xx.onmicrosoft.com/xx/write"],
  extraScopesToConsent: ["offline_access"]
}
```

Apologies for the inconvenience while we work through the kinks in the new library. Let me know if this workaround doesn't solve your problem and I'll take a closer look. |
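The request shape suggested in the reply above, combined with the silent-then-interactive pattern the reporter's `addAuthToAPICall()` needs, as an added example that is not part of the original thread or of the msal-browser project. The scope URIs are the placeholders from the thread, the fake client and the error-name check are assumptions, and in a real app the client passed in would be an `@azure/msal-browser` `PublicClientApplication`.

```javascript
// Added example (not code from the issue or from the msal-browser project).
// Shows: (1) requesting the API scopes plus offline_access at login so the
// token response carries a refresh token for later acquireTokenSilent calls,
// and (2) a helper that tries the cache/refresh token first and only falls
// back to a redirect when MSAL reports that interaction is required.
// The MSAL client is passed in, so the logic can be exercised offline with a fake.

const API_SCOPES = [
  "https://xx.onmicrosoft.com/xx/read",   // placeholder scope URIs from the thread
  "https://xx.onmicrosoft.com/xx/write",
];

// Login request: API scopes up front, offline_access via extraScopesToConsent.
function buildLoginRequest(apiScopes = API_SCOPES) {
  return {
    scopes: [...apiScopes],
    extraScopesToConsent: ["offline_access"],
  };
}

// Silent request: the same API scopes plus the signed-in account.
function buildSilentRequest(account, apiScopes = API_SCOPES) {
  return { scopes: [...apiScopes], account };
}

// @azure/msal-browser throws InteractionRequiredAuthError when neither the
// cache nor the refresh token can satisfy the request; we detect it by name.
// Assumption: this matches the error the 2.x client raises in that case.
function isInteractionRequired(err) {
  return Boolean(err) && err.name === "InteractionRequiredAuthError";
}

// Cache/refresh token first; redirect only when MSAL asks for interaction.
// Any other error (network, config) is propagated unchanged.
async function getAccessTokenForApi(msalClient, account, apiScopes = API_SCOPES) {
  const request = buildSilentRequest(account, apiScopes);
  try {
    const result = await msalClient.acquireTokenSilent(request);
    return { accessToken: result.accessToken, interactive: false };
  } catch (err) {
    if (!isInteractionRequired(err)) throw err;
    await msalClient.acquireTokenRedirect(request); // navigates away in a real app
    return { accessToken: null, interactive: true };
  }
}

// Attach the token as a bearer header to a fetch-style init object.
// Returns null while a redirect is in progress so the caller can bail out.
async function addAuthToApiCall(msalClient, account, init = {}) {
  const { accessToken, interactive } = await getAccessTokenForApi(msalClient, account);
  if (interactive) return null;
  const headers = { ...(init.headers || {}), Authorization: `Bearer ${accessToken}` };
  return { ...init, headers };
}

// Constructed fake client for offline use: the first silent call fails with an
// interaction-required error, every later call succeeds as if from the cache.
function makeFakeClient() {
  let calls = 0;
  const redirects = [];
  return {
    redirects,
    async acquireTokenSilent(req) {
      calls += 1;
      if (calls === 1) {
        const e = new Error("interaction_required");
        e.name = "InteractionRequiredAuthError";
        throw e;
      }
      return { accessToken: `constructed-token-for-${req.scopes.length}-scopes` };
    },
    async acquireTokenRedirect(req) {
      redirects.push(req);
    },
  };
}
```

In the real app, `buildLoginRequest()` is what goes to `loginRedirect`, and `addAuthToApiCall(pca, pca.getAllAccounts()[0], init)` wraps each API call; the fake client only exists so the fallback path can be observed without a B2C tenant.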
@Ikaer Following up as my previous suggestion to use |
@tnorling thanks for your advice and explanations, I will try that. |
Library
msal@1.x.x
or@azure/msal@1.x.x
@azure/msal-browser@2.x.x
@azure/msal-angular@0.x.x
@azure/msal-angular@1.x.x
@azure/msal-angularjs@1.x.x
Description
Hi,
I'm trying to use msal-browser@2.0.0 in SPA mode (one ASP.NET app, one ASP.NET Web API and an AD B2C in the middle for auth).
I've managed to get things working, sort of, but there is always something that is not completely ok.
For example, msal always calls B2C when I'm using acquireTokenSilent, even if I have an access token in cache. From what I've picked up in other threads, it can happen if I ask for multiple resources.
So I've checked what kind of resources are asked for.
When I'm initially calling loginRedirect, I'm asking for the following scopes:
![image](https://user-images.githubusercontent.com/7936075/87227329-94f9cc00-c39a-11ea-837e-23713770dff8.png)
![image](https://user-images.githubusercontent.com/7936075/87227384-e609c000-c39a-11ea-8c59-499cb4f56852.png)
Then on the first call to acquireTokenSilent before making an API call, I asked for these:
![image](https://user-images.githubusercontent.com/7936075/87227377-cecad280-c39a-11ea-9094-a17f7b40d292.png)
![image](https://user-images.githubusercontent.com/7936075/87227381-d8543a80-c39a-11ea-8fea-6a354545c1e1.png)
I didn't ask for openid and profile in my configuration; after checking the msal code, those extra scopes openid and profile are added automatically by the framework. Maybe it's normal.
If I check my sessionStorage, I have the following values for the access token:
So is that why the cache does not kick in? The scopes are different from the ones asked for? If that is the case, how can I prevent msal from adding those extra scopes?
Second problem: when this second call is made with the refresh token provided by the first one, the response does not contain a new refresh token because 'offline_access' has not been specified in the scopes. So the cache stores the following key:
There is no secret in it, so the third call (before calling my API) will try to call the token endpoint with refresh_token:undefined, and returns an error AADB2C90090 The provided JWE is not a valid 5 segment token
Then msal makes a fourth call asking for a new authorization_code and the circle is complete:
![image](https://user-images.githubusercontent.com/7936075/87228593-90d1ac80-c3a2-11ea-939e-bbdf4efc0b72.png)
Each time I try to call the API, I have one failed call to B2C because of the undefined refresh_token and a good one to get a new authorization code.
At the end of the day it's working ^^, but I'm sure there is room for improvement.
These are extracts of the code; maybe someone can help me find out what I'm doing wrong? (sorry for the messy code)
Basically, when the application is loading, I'm calling loadUserIfPossible() to retrieve user info if possible.
If not, the user clicks the sign-in button, which calls the login() method.
After that, each API call goes through addAuthToAPICall() before calling the API.
Also, does anyone know of a sample with this scenario? msal-browser@2.x, SPA, B2C and an API which is not Graph? On the sample page https://docs.microsoft.com/en-us/azure/active-directory/develop/sample-v2-code
![image](https://user-images.githubusercontent.com/7936075/87228436-882ca680-c3a1-11ea-8ee5-cd799d795af0.png)
There is this one, which is closed but uses msal@1.x
Examples: