Skip to content
This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

Issue with B2C when an accessToken AND idToken is present - accessToken does not contain userinfo_endpoint #1382

Open
erikrenaud opened this issue May 26, 2021 · 0 comments
Open

Issue with B2C when an accessToken AND idToken is present - accessToken does not contain userinfo_endpoint #1382

erikrenaud opened this issue May 26, 2021 · 0 comments

Comments

@erikrenaud
Copy link

erikrenaud commented May 26, 2021
edited
Loading

Hello,

when using the following config:
public oidcSettings: any = {
userStore: new WebStorageStateStore({ store: window.localStorage, prefix: 'Auth' }),
authority: '',
client_id: '',
redirect_uri: window.location.origin + '/sign-in-callback',
automaticSilentRenew: true,
includeIdTokenInSilentRenew: true,
silent_redirect_uri: window.location.origin + '/sign-in-silent-renew',
response_type: 'code',
scope: 'openid profile',
post_logout_redirect_uri: window.location.origin + '/sign-in/sign-out',
filterProtocolClaims: false,
};

The library correctly receives a CODE from Azure B2C and then exchanges for a token.
{
"id_token": "ey...og",
"token_type": "Bearer",
"not_before": 1621968673,
"id_token_expires_in": 3600,
"profile_info": "ey...x9",
"scope": "openid",
"refresh_token": "ey..EA",
"refresh_token_expires_in": 86400
}

When i add an additional Scope to receive an additional accessToken, i get a CODE back from Azure B2C and then exchange it for some tokens:
{
"access_token": "eyJ...Q",
"id_token": "ey...3Pg",
"token_type": "Bearer",
"not_before": 1621968907,
"expires_in": 3600,
"expires_on": 1621972507,
"resource": "c6c4367d-93d6-42c1-931f-c2236b1afb04",
"id_token_expires_in": 3600,
"profile_info": "ey...Gx9",
"scope": "https://xxx/cyyy/AppAPI openid",
"refresh_token": "ey...cg",
"refresh_token_expires_in": 86400
}

I get the accessToken and idToken, but the code tries to get the userinfo_endpoint value from the accessToken which is not present and fails. I have verified and it is indeed not present nor in the idToken nor in the accessToken.

image

In the code, the "If" that triggers this behaviour when an accessToken is present looks like this (from ResponseValidator.js):

_processClaims(state, response) { if (response.isOpenIdConnect) { Log.debug("ResponseValidator._processClaims: response is OIDC, processing claims");
response.profile = this._filterProtocolClaims(response.profile);
if (state.skipUserInfo !== true && this._settings.loadUserInfo && response.access_token) { Log.debug("ResponseValidator._processClaims: loading user info");

Should there not be a check that only runs this code if an idToken was not received ?

Setting Setting.loadUserInfo = false seems to do the trick.

Is this a failure of the OIDC implementation in B2C, or an issue in this library ? or just a config that someone needs to know they have to activate when both tokens are received by the Token endpoint ?
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@erikrenaud