
Comments (10)

tiwilson7 avatar tiwilson7 commented on June 14, 2024

Always sending 'openid' and 'profile' scopes causes an error when integrating with IdentityServer 4.

IdentityServer 4 does not allow you to send an identity scope when you are requesting an access token. If I request an access token for scope 'xyz', the scope is changed to 'xyz openid profile' which causes IdentityServer to throw the following error:

Requests for token response type only must include resource scopes, but no identity scopes.

This makes the library unusable for us.

from microsoft-authentication-library-for-js.
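The behaviour reported above, modelled as an added example (this is not MSAL or IdentityServer code): a client that unconditionally merges `openid profile` into the caller's scopes, and a server-side check mirroring the quoted IdentityServer 4 rule that a `response_type=token` request may carry resource scopes only. The authority `https://idsrv.example`, the client id `spa-client` and the `/connect/authorize` path are assumed placeholders.

```javascript
// Identity scopes per the OpenID Connect core spec; everything else is treated
// as a resource (API) scope, which is how the quoted IdentityServer rule splits them.
const IDENTITY_SCOPES = new Set(["openid", "profile", "email", "address", "phone"]);

// Reproduces the scope merging described in the issue: 'xyz' becomes 'xyz openid profile'.
function msalStyleScopes(requested) {
  const merged = new Set(requested);
  merged.add("openid");
  merged.add("profile");
  return [...merged];
}

// Build an authorize request URL (assumed endpoint path and client id).
function buildAuthorizeUrl(authority, clientId, scopes, responseType) {
  const u = new URL("/connect/authorize", authority);
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("response_type", responseType);
  u.searchParams.set("scope", scopes.join(" "));
  u.searchParams.set("redirect_uri", authority + "/callback");
  return u.toString();
}

// Split a scope list into identity scopes and resource scopes.
function classifyScopes(scopes) {
  return {
    identity: scopes.filter((s) => IDENTITY_SCOPES.has(s)),
    resource: scopes.filter((s) => !IDENTITY_SCOPES.has(s)),
  };
}

// Server-side check modelled on the error message quoted in the issue: a
// token-only response type must have at least one resource scope and no
// identity scopes. Returns a result object so callers can log the rejection.
function validateAuthorizeRequest(url) {
  const params = new URL(url).searchParams;
  const responseTypes = (params.get("response_type") || "").split(" ").filter(Boolean);
  const scopes = (params.get("scope") || "").split(" ").filter(Boolean);
  const { identity, resource } = classifyScopes(scopes);
  const tokenOnly = responseTypes.length === 1 && responseTypes[0] === "token";
  if (tokenOnly && (identity.length > 0 || resource.length === 0)) {
    return {
      ok: false,
      error: "Requests for token response type only must include resource scopes, but no identity scopes.",
    };
  }
  return { ok: true, identity, resource };
}
```

Running `validateAuthorizeRequest` on a URL built from `msalStyleScopes(["xyz"])` with `response_type=token` reproduces the rejection; the same scopes with `response_type=id_token token` pass, which is why the merge only breaks pure access-token requests.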

davidmorissette avatar davidmorissette commented on June 14, 2024

This issue should be considered a bug and not an enhancement in case MSAL officially supports B2C! Asking a user to provide his Microsoft credentials when logging in using a local account with B2C is not an expected behavior.


jmprieur avatar jmprieur commented on June 14, 2024


parakhj avatar parakhj commented on June 14, 2024

Sorry for the long delay - can you help me understand the scenario here?

From my understanding, you are using built-in policies in Azure AD B2C for signing in your users. When you use MSAL to call Azure AD B2C, MSAL automatically adds profile as one of the scopes when making the request.

Can you elaborate on where you run into problems?


davidmorissette avatar davidmorissette commented on June 14, 2024

@parakhj : Imagine a user trying to log in using a local account (let's say Email). That user would expect to enter his email address + password and be redirected back to the application right away. Instead, because B2C (oauth2) sees that the Profile scope is requested, the login screen redirects the user and asks him to select an identity provider account in order to satisfy the flow. The bottom line is that the client application is not interested in the user profile, nor should the user be asked to select an identity provider when logging in using a local account.


parakhj avatar parakhj commented on June 14, 2024

Could you link me to an example where adding the profile in the scope changes the behavior? Here are two different links, one with profile and one without profile, and the landing pages are the same for me.


davidmorissette avatar davidmorissette commented on June 14, 2024

@parakhj : I cannot reproduce the problem, even if I use the links you sent me or even with my own application. Is it possible that something changed in B2C recently? You can close this ticket, thank you.

Before you close the ticket, on a different topic, can I ask you where the best place would be so I can ask questions regarding B2C? I have 2 suggestions/questions I want to ask:

  1. Why is there no "Remember me" option on the login screen for local accounts? With the implicit flow, every time someone uses my application and gets redirected to the login screen, it is painful to type the username/email and password every time.

  2. Is it possible to use the "Edit company branding" settings defined in Azure Active Directory so if I decide not to use "Page UI customization" in B2C I can at least, for instance, change my background image or banner?

Thank you!


parakhj avatar parakhj commented on June 14, 2024

@davidmorissette the best place to get help is on stack overflow using the tag 'azure-ad-b2c'.

Regarding implicit flow in 1. - implicit flows don't support refresh tokens. So "remember me" may not be a possibility. But you should look into using the "Sign in policy" (not the "Sign up or sign in" policy). It should help with both problems.


davidmorissette avatar davidmorissette commented on June 14, 2024

@parakhj : Thank you for the information. I didn't know that there were any differences between the "sign up or sign in" policy and the "sign in" policy besides being able to perform a sign up.

Regarding my suggestion concerning the "remember me" button for the local accounts: yes, I understand that there are no refresh tokens with the implicit flow. The idea was not to try to never expire or refresh the access token but simply to keep the "username/password" in a cookie (like we used to do with the forms authentication) so, the next time a user would arrive on the login screen he could simply click on the remembered local account to trigger the implicit flow instead of having to enter his credentials again. This would be very handy on a mobile device too.

Thank you!


rohitnarula7176 avatar rohitnarula7176 commented on June 14, 2024

@davidmorissette Closing this issue for now as it is answered in the thread above. Please reopen if you still face issues.

