
Azure AD B2C Refresh Token Revoked 403


Good morning everyone,

I have set up an App Service in Azure and added Authentication via Azure AD B2C. So far so good, everything works fine. After 1 hour though, when the token expires, I try to refresh it but then I get an error back that the refresh token has been revoked. What goes wrong here? I have set up the backend like explained in this post: and when logging in I pass the additional parameter like so:

    user = await Manager.CurrentClient.LoginAsync(
        currentContext,
        MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory,
        new Dictionary<string, string>() { { "response_type", "code id_token" } });

This is my refresh code:

    user = await Manager.CurrentClient.RefreshUserAsync();

This is the error I am getting:

    {Microsoft.WindowsAzure.MobileServices.MobileServiceInvalidOperationException: Refresh failed with a 403 Forbidden error. The refresh token was revoked or expired. ---> Microsoft.WindowsAzure.MobileServices.MobileServiceInvalidOperationException: You do not have permission to view this directory or page. at Microsoft.WindowsAzure.MobileServices.MobileServiceHttpClient+d__24.MoveNext () [0x001ec] in :0

Am I missing something here? Thank you.

EDIT: Here is a screenshot of the settings in the portal (image: Azure Settings).

EDIT 2: Here is an error from the server logs when trying to refresh the token (image: Error).

EDIT 3: And here is the application log from the web server for the given request:

    2017-01-18T15:08:33 PID[6344] Verbose Received request: GET https://api.near.lu/.auth/refresh
    2017-01-18T15:08:33 PID[6344] Verbose JWT validation succeeded. Subject: 'sid:453a1ad2710466bc9873240e888d8b91', Issuer: 'https://api.near.lu/'.
    2017-01-18T15:08:33 PID[6344] Warning The refresh request issued by sid:453a1ad2710466bc9873240e888d8b91 (SID: ac22f7309036f0c07a54b1299b9601ef) failed because no refresh tokens were found in the token store.
    2017-01-18T15:08:33 PID[6344] Information Sending response: 403.80 Forbidden
    2017-01-18T15:08:34 PID[6344] Verbose Received request: GET https://api.near.lu/.auth/login/aad?response_type=code%20id_token
    2017-01-18T15:08:34 PID[6344] Verbose Downloading OpenID configuration from https://login.microsoftonline.com/nearauth.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_Default
    2017-01-18T15:08:36 PID[6344] Verbose Downloading OpenID issuer keys from https://login.microsoftonline.com/nearauth.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_default
    2017-01-18T15:08:37 PID[6344] Information Redirecting: https://login.microsoftonline.com/nearauth.onmicrosoft.com/oauth2/v2.0/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Fapi.near.lu%2F.auth%2Flogin%2Faad%2Fcallback&client_id=c4c15bfb-eac4-4cdc-861f-eb01594e19d2&scope=openid+profile+email&response_mode=form_post&state=redir%3D%26b2cPolicy%3D&p=b2c_1_default&nonce=9e243549b62f49878cc370048c6effa9_20170118151334
    2017-01-18T15:08:39 PID[6344] Verbose Received request: POST https://api.near.lu/.auth/login/aad/callback
    2017-01-18T15:08:39 PID[6344] Error An error of type 'unauthorized_client' occurred during the login process: 'AADB2C90057: The provided application is not configured to allow the OAuth Implicit flow. Correlation ID: 8336662f-8847-4f8b-bb37-6925a5d3e264 Timestamp: 2017-01-18 15:08:38Z '
    2017-01-18T15:08:39 PID[6344] Information Sending response: 401.73 Unauthorized

EDIT 4: This is the log of a successful login:

    2017-01-18T19:10:14 PID[6344] Verbose Received request: GET https://api.near.lu/.auth/login/aad?response_type=code%20id_token
    2017-01-18T19:10:14 PID[6344] Information Redirecting: https://login.microsoftonline.com/nearauth.onmicrosoft.com/oauth2/v2.0/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Fapi.near.lu%2F.auth%2Flogin%2Faad%2Fcallback&client_id=c4c15bfb-eac4-4cdc-861f-eb01594e19d2&scope=openid+profile+email&response_mode=form_post&state=redir%3D%26b2cPolicy%3D&p=b2c_1_default&nonce=817be561f67343688001637fa7808690_20170118191514
    2017-01-18T19:10:30 PID[6344] Verbose Received request: POST https://api.near.lu/.auth/login/aad/callback
    2017-01-18T19:10:30 PID[6344] Verbose JWT validation succeeded. Subject: '1eaf9f41-1562-4ac9-9538-b893c9123087', Issuer: 'https://login.microsoftonline.com/07407dc1-946a-4afc-9186-84e6023ba814/v2.0/'.
    2017-01-18T19:10:30 PID[6344] Verbose Calling into external HTTP endpoint POST https://login.microsoftonline.com/nearauth.onmicrosoft.com/oauth2/v2.0/token.
    2017-01-18T19:10:32 PID[6344] Information Login completed for 'aget'. Provider: 'aad'.
    2017-01-18T19:10:32 PID[6344] Verbose Writing 'AppServiceAuthSession' cookie for site 'api.near.lu'. Length: 792.
    2017-01-18T19:10:32 PID[6344] Information Redirecting: https://api.near.lu/.auth/login/done#token=%7B%22authenticationToken%22%3A%22ey--REMOVED PART OF THE TOKEN--%22%2C%22user%22%3A%7B%22userId%22%3A%22sid%3Aed01ed7507f147976aa1704783267861%22%7D%7D
    2017-01-18T19:10:33 PID[6344] Verbose Received request: GET https://api.near.lu/.auth/login/done
    2017-01-18T19:10:33 PID[6344] Information Sending response: 200.0 OK

This is the error log I get when I try to refresh immediately after logging in:

    2017-01-23T10:55:06 PID[6344] Verbose Received request: POST https://api.near.lu/.auth/refresh
    2017-01-23T10:55:06 PID[6344] Verbose JWT validation succeeded. Subject: 'sid:ed01ed7507f147976aa1704783267861', Issuer: 'https://api.near.lu/'.
    2017-01-23T10:55:06 PID[6344] Warning The refresh request issued by sid:ed01ed7507f147976aa1704783267861 (SID: 9a6c2ee324a092937c5e2f953803e662) failed because no refresh tokens were found in the token store.
    2017-01-23T10:55:06 PID[6344] Information Sending response: 403.80 Forbidden

Which is weird, as can be seen in the above picture: the token store is enabled...


Solution

  • The problem could be that your current App Service Authentication / Authorization setup is not configured to support token refresh. A simple way to confirm this would be to enable Application Logging and look at the warning messages in the application log stream when a refresh operation fails. More details on application logging can be found here: https://learn.microsoft.com/en-us/azure/app-service-web/web-sites-enable-diagnostic-log

    See the following blog post (which I wrote) to learn more about how to update your Authentication / Authorization settings to support token refresh: https://cgillum.tech/2016/08/10/app-service-auth-and-azure-ad-b2c-part-2/#refresh. The short version is that you need to:

    1. Create an app key in your B2C app registration and set that as the client secret in your Authentication / Authorization "Advanced" settings for AAD in the portal.
    2. Request the offline_access scope when logging in. This ensures you get a refresh token from AAD B2C when the user logs in.

    Your login code should look like the following:

    user = await Manager.CurrentClient.LoginAsync(
        currentContext,
        MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory,
        new Dictionary<string, string>() { { "scope", "openid offline_access" } });
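The answer's first suggestion is to enable application logging and read the warning messages when a refresh fails; the question's EDIT 3 and EDIT 4 logs are exactly that evidence. The following is an added example, not code from the question, the answer, or the App Service / Mobile Apps SDK: a small Python triage script that parses App Service Authentication log records in the format shown above (coping with a log viewer that runs several records together on one line) and flags the three things the thread turns on: a refresh rejected because the token store holds no refresh token, the AADB2C90057 implicit-flow error, and an authorize redirect whose scope lacks offline_access. The host, tenant, client_id and SID values in SAMPLE_LOG are constructed placeholders modelled on the question's logs.

```python
"""Triage App Service Authentication / Authorization application-log records.

Added example for this thread; not code from the question, the answer, or the
App Service / Mobile Apps SDK. Identifiers in SAMPLE_LOG are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# A record starts with an ISO timestamp, the worker PID and a level; the message
# runs until the next record header or end of input (re.S lets it span lines).
RECORD_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) PID\[(?P<pid>\d+)\] "
    r"(?P<level>Verbose|Information|Warning|Error) (?P<msg>.*?)"
    r"(?=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2} PID\[|\Z)",
    re.S,
)
# The "Redirecting:" record carries the full AAD B2C authorize URL.
AUTHORIZE_RE = re.compile(r"Redirecting: (https://\S+/oauth2/v2\.0/authorize\?\S+)")


@dataclass
class Record:
    ts: str
    pid: int
    level: str
    msg: str


@dataclass
class Finding:
    code: str
    ts: str
    detail: str


# Remediation text follows the accepted answer: configure a client secret in the
# AAD Authentication / Authorization settings and request offline_access at login.
ADVICE = {
    "REFRESH_NO_TOKEN_IN_STORE": "Login stored no refresh token; set the client "
        "secret and request the offline_access scope when logging in.",
    "AUTHORIZE_SCOPE_MISSING_OFFLINE_ACCESS": "Authorize request did not ask for "
        "offline_access, so AAD B2C will not return a refresh token.",
    "IMPLICIT_FLOW_NOT_ALLOWED": "AADB2C90057: the B2C app registration does not "
        "allow the implicit flow that the login parameters requested.",
}


def parse_log(text: str) -> list[Record]:
    """Split raw log text into one Record per timestamped entry."""
    return [
        Record(m["ts"], int(m["pid"]), m["level"], m["msg"].strip())
        for m in RECORD_RE.finditer(text)
    ]


def diagnose(records: list[Record]) -> list[Finding]:
    """Return findings, in log order, for the conditions discussed in the thread."""
    findings: list[Finding] = []
    for r in records:
        if r.level == "Warning" and "no refresh tokens were found in the token store" in r.msg:
            findings.append(Finding("REFRESH_NO_TOKEN_IN_STORE", r.ts, r.msg))
        if "AADB2C90057" in r.msg:
            findings.append(Finding("IMPLICIT_FLOW_NOT_ALLOWED", r.ts, r.msg))
        m = AUTHORIZE_RE.search(r.msg)
        if m:
            # parse_qs turns '+' into spaces, so "openid+profile+email" splits cleanly.
            scope = parse_qs(urlsplit(m.group(1)).query).get("scope", [""])[0].split()
            if "offline_access" not in scope:
                findings.append(Finding("AUTHORIZE_SCOPE_MISSING_OFFLINE_ACCESS",
                                        r.ts, "scope=" + " ".join(scope)))
    return findings


# Constructed sample modelled on the question's EDIT 3 log; the first line
# deliberately runs four records together, as the extracted log does.
SAMPLE_LOG = (
    "2017-01-18T15:08:33 PID[6344] Verbose Received request: GET https://contoso-api.example.com/.auth/refresh "
    "2017-01-18T15:08:33 PID[6344] Verbose JWT validation succeeded. Subject: 'sid:0123456789abcdef', Issuer: 'https://contoso-api.example.com/'. "
    "2017-01-18T15:08:33 PID[6344] Warning The refresh request issued by sid:0123456789abcdef (SID: fedcba9876543210) failed because no refresh tokens were found in the token store. "
    "2017-01-18T15:08:33 PID[6344] Information Sending response: 403.80 Forbidden\n"
    "2017-01-18T15:08:37 PID[6344] Information Redirecting: https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Fcontoso-api.example.com%2F.auth%2Flogin%2Faad%2Fcallback&client_id=00000000-0000-0000-0000-000000000000&scope=openid+profile+email&response_mode=form_post&p=b2c_1_default\n"
    "2017-01-18T15:08:39 PID[6344] Error An error of type 'unauthorized_client' occurred during the login process: 'AADB2C90057: The provided application is not configured to allow the OAuth Implicit flow. Timestamp: 2017-01-18 15:08:38Z'\n"
)

if __name__ == "__main__":
    for f in diagnose(parse_log(SAMPLE_LOG)):
        print(f"{f.ts} {f.code}: {ADVICE[f.code]}")
```

Run it against a copy of the application log stream; a healthy login followed by a refresh produces no findings, while the question's logs produce all three, which is the same conclusion the answer reaches from the scope and client-secret settings.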