Always sending 'openid' and 'profile' scopes causes an error when integrating with IdentityServer 4.
IdentityServer 4 does not allow you to send an identity scope when you are requesting an access token. If I request an access token for scope 'xyz', the scope is changed to 'xyz openid profile' which causes IdentityServer to throw the following error:
Requests for token response type only must include resource scopes, but no identity scopes.
This makes the library unusable for us.
from microsoft-authentication-library-for-js.
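The failure described in the comment above, as an added example that is not code from MSAL.js or IdentityServer: a client library that appends "openid profile" to every scope set, and a server-side check that applies the quoted rule to a token-only authorize request. The resource scope "xyz" and the registered scope lists are assumptions made for the example.

```javascript
// Added example, not code from MSAL.js or IdentityServer. It models the
// behaviour described in the comment above: the client library appends the
// identity scopes "openid profile" to every request, and an OpenID Connect
// server that enforces the quoted rule rejects a token-only authorize
// request (response_type=token) that carries identity scopes.
// The resource scope "xyz" and the registered scope lists are assumptions.

// Standard OpenID Connect identity scopes (assumption: the server treats
// exactly these as identity scopes).
const IDENTITY_SCOPES = new Set(["openid", "profile", "email", "address", "phone"]);

// Resource (API) scopes registered on the hypothetical authorization server.
const RESOURCE_SCOPES = new Set(["xyz", "api.read", "api.write"]);

// Behaviour reported in the issue: whatever the caller asked for, the library
// sends it with "openid profile" appended (duplicates collapsed).
function addDefaultIdentityScopes(requested) {
  const merged = new Set(requested);
  merged.add("openid");
  merged.add("profile");
  return [...merged];
}

// Parse a space-delimited OAuth 2.0 "scope" parameter (RFC 6749, section 3.3).
function parseScope(scopeParam) {
  return scopeParam.split(" ").map((s) => s.trim()).filter((s) => s.length > 0);
}

// Bucket each scope as identity, resource, or unknown. Unknown scopes are
// surfaced so the server can reject them instead of silently dropping them.
function classifyScopes(scopes) {
  const identity = [];
  const resource = [];
  const unknown = [];
  for (const s of scopes) {
    if (IDENTITY_SCOPES.has(s)) identity.push(s);
    else if (RESOURCE_SCOPES.has(s)) resource.push(s);
    else unknown.push(s);
  }
  return { identity, resource, unknown };
}

// Server-side check mirroring the rule quoted in the issue:
//   response_type=token (nothing else) -> resource scopes required, identity scopes forbidden
//   response_type containing id_token  -> "openid" required
// Returns { ok: true } or { ok: false, error }.
function validateAuthorizeScopes(responseType, scopeParam) {
  const types = responseType.split(" ").filter((t) => t.length > 0);
  const { identity, resource, unknown } = classifyScopes(parseScope(scopeParam));

  if (unknown.length > 0) {
    return { ok: false, error: `invalid_scope: unknown scope(s): ${unknown.join(", ")}` };
  }
  const tokenOnly = types.length === 1 && types[0] === "token";
  if (tokenOnly) {
    if (identity.length > 0 || resource.length === 0) {
      return {
        ok: false,
        error: "Requests for token response type only must include resource scopes, but no identity scopes.",
      };
    }
    return { ok: true };
  }
  if (types.includes("id_token") && !identity.includes("openid")) {
    return { ok: false, error: "invalid_scope: openid is required when requesting an id_token" };
  }
  return { ok: true };
}

// Reproduce the reported failure: the caller asks for "xyz" with
// response_type=token, the library rewrites the scope, the server rejects it,
// while the scope string the caller intended would have been accepted.
function reproduceIssue() {
  const requested = ["xyz"];
  const sent = addDefaultIdentityScopes(requested).join(" "); // "xyz openid profile"
  return {
    sent,
    asRewritten: validateAuthorizeScopes("token", sent),
    asIntended: validateAuthorizeScopes("token", requested.join(" ")),
  };
}

console.log(JSON.stringify(reproduceIssue(), null, 2));
```

The check is deliberately split by response_type: a pure access-token request must carry only resource scopes, and an id_token request must carry "openid". A client that cannot stop appending identity scopes will therefore fail the first branch no matter which resource scope it asks for, which is the situation the comment reports.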
This issue should be considered a bug and not an enhancement if MSAL officially supports B2C! Asking a user to provide his Microsoft credentials when logging in using a local account with B2C is not expected behavior.
Sorry for the long delay - can you help me understand the scenario here?
From my understanding, you are using built-in policies in Azure AD B2C for signing in your users. When you use MSAL to call Azure AD B2C, MSAL automatically adds profile as one of the scopes when making the request.
Can you elaborate on where you run into problems?
@parakhj: Imagine a user trying to log in using a local account (let's say Email). That user would expect to enter his email address + password and be redirected back to the application right away. Instead, because B2C (oauth2) sees that the Profile scope is requested, the login screen redirects the user and asks him to select an identity provider account in order to satisfy the flow. The bottom line is that the client application is not interested in the user profile, nor should the user be asked to select an identity provider when logging in using a local account.
Could you link me to an example where adding the profile in the scope changes the behavior? Here are two different links, one with profile and one without profile, and the landing pages are the same for me.
@parakhj: I cannot reproduce the problem, even if I use the links you sent me or even with my own application. Is it possible that something changed in B2C recently? You can close this ticket, thank you.
Before you close the ticket, on a different topic, can I ask you where the best place would be so I can ask questions regarding B2C? I have 2 suggestions/questions I want to ask:
1. Why is there no "Remember me" option on the login screen for local accounts? With the implicit flow, every time someone uses my application and gets redirected to the login screen, it is painful to type the username/email and password every time.
2. Is it possible to use the "Edit company branding" settings defined in Azure Active Directory so if I decide not to use "Page UI customization" in B2C I can at least, for instance, change my background image or banner?
Thank you!
@davidmorissette the best place to get help is on stack overflow using the tag 'azure-ad-b2c'.
Regarding the implicit flow in 1.: the implicit flow doesn't support refresh tokens, so "remember me" may not be a possibility. But you should look into using the "Sign in policy" (not the "Sign up or sign in" policy). It should help with both problems.
@parakhj: Thank you for the information. I didn't know that there were any differences between the "sign up or sign in" policy and the "sign in" policy besides being able to perform a sign up.
Regarding my suggestion concerning the "remember me" button for the local accounts: yes, I understand that there are no refresh tokens with the implicit flow. The idea was not to try to never expire or refresh the access token but simply to keep the "username/password" in a cookie (like we used to do with forms authentication) so the next time a user arrived on the login screen he could simply click on the remembered local account to trigger the implicit flow instead of having to enter his credentials again. This would be very handy on a mobile device too.
Thank you!
@davidmorissette Closing this issue for now as it is answered in the thread above. Please reopen if you still face issues.