ITokenAcquisition.GetTokenForUser() needs to take an optional userFlow parameter

[jmprieur]

Why?
Today we don't specify in the controllers which policy/user flow to use to acquire the token, and therefore the B2C scenarios is not quite right.

What?
Expose a userFlow parameter and lookup the right account in the implementation

See also the 2 related issues

[jennyf19]

moving some of the required cache look up to MSAL .NET

[jennyf19]

@jackheywood @grzegorzy @felickz

This work-in-progress branch has some changes to how Microsoft Identity Web handles b2c, including a fix for this issue, which involves taking a userFlow parameter in .GetTokenForUser().
Each userFlow (policy) is a separate authorization server in AAD B2C, so they issue their own tokens. This means you'll have a variety of tokens per user in the cache. However, the web API is usually connected to the su_si policy, or another policy after the user has signed-in to the application.

In Microsoft Identity Web, we are using the HttpContext to determine the current userFlow, and using that userFlow . For example, I do su_si policy first, then I go to edit_profile. Then I hit "call the web API", Microsoft Identity Web will use the current userFlow, which is edit_profile,, which is incorrect because my web API is behind the su_si userFlow, we then catch an MsalUiRequiredException and use the su_si policy. However, If you want to specify the policy to use, you cannot do that, as mentioned here. The branch linked above has the ability to specify the policy.

You'll need to do two things to try it out.

• First, in the TodoListController, add in the userFlow value you want to target in the AuthorizeForScopes attribute.

[AuthorizeForScopes(ScopeKeySection = "TodoList:TodoListScope", UserFlow = "b2c_1_susi")]

• Second, specify the same userFlow value in PrepareAuthenticatedClient in TodoListService.

 private async Task PrepareAuthenticatedClient(string userFlow)
{
          // Each user flow is a separate authorization server. 
          // specify which user flow is connected to the web API.
          var accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(new[] { _TodoListScope, }, userFlow:userFlow);
          Debug.WriteLine($"access token-{accessToken}");
...

cc: @jmprieur

[pmaytak]

@jackheywood @grzegorzy @felickz

This was included in Microsoft Identity Web 0.2.1-preview release.

[grzegorzy]

Thank you very much for the notification @jennyf19, @pmaytak. I checked the latest 0.2.1-preview release. Unfortunately it seems that it doesn't solve my issue Cannot acquire API access token for B2C Reset Password policy. I used the userFlow parameter for both AuthorizeForScopes and GetAccessTokenForUserAsync but when I sign in via the "reset password" policy I receive an error when the application tries to call the TodoListService. Here is the error:

MSAL.NetCore.4.16.1.0.MsalUiRequiredException:
ErrorCode: invalid_grant
Microsoft.Identity.Client.MsalUiRequiredException: AADB2C90088: The provided grant has not been issued for this endpoint. Actual Value : B2C_1_TEST_susi and Expected Value : B2C_1_TEST_reset_password

My assumption after the 0.2.1-preview release and according to what @jennyf19 said here was that ToDoListClient should redirect me back to the B2C again after I use the "reset password" functionality, in order to acquire an access token for the correct policy "susi". I don't know if this is what should happen. Either way my case still doesn't work.

I tried to quickly check it in the source code and I noticed one thing. Take a look at the AuthorizeForScopes attribute implementation. It looks like the UserFlow property is not used in the OnException method. It might be a mistake or I just don't see something.

Perhaps I am doing something wrong. Perhaps I should create a separate issue instead of writing here. I just wanted to give you guys some feedback.

cc: @jmprieur

[jmprieur]

Thanks for the heads up @grzegorzy
Are you using Blazor pages? or an MVC controller / a Razor page?

[grzegorzy]

No problem @jmprieur!
This is for an MVC controller. Actually I used this sample. I just replaced values in both appsettings.json files with those that match my Azure AD B2C and applied the userFlow parameter to AuthorizeForScopes and GetAccessTokenForUserAsync.