Azure AD B2C UseOpenIdConnectAuthentication - Can't find Refresh Token
Got a somewhat convoluted and outdated workflow that we're trying to "somewhat" modernize. We are using a very old set of code (.NET 4.6.2), and are migrating an Azure AD B2C ROPC flow to an Authorization Code flow. We have the basic setup working - we capture the auth endpoint using IAppBuilder.Map, and then use IAppBuilder.Run to call Authentication.Challenge with the specified auth type.
In terms of the auth provider registration, we use UseOpenIdConnectAuthentication, with the following options:
AuthenticationType = AuthenticationType.Storefront,
ClientId = clientId,
Authority = authority,
SignInAsAuthenticationType = AuthenticationType.Storefront,
Scope = OpenIdConnectScopes.OpenId,
ResponseType = OpenIdConnectResponseTypes.CodeIdToken,
PostLogoutRedirectUri = "/",
TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
NameClaimType = "name",
},
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = context =>
{
context.HandleResponse();
return Task.CompletedTask;
},
RedirectToIdentityProvider = RedirectToSameDomain,
SecurityTokenValidated = OnOrgUserSecurityTokenValidated,
AuthorizationCodeReceived = OnOrgAuthorizationCodeReceived
}
This works perfectly for getting the browser to redirect the user to Azure AD B2C, and then capturing the response with the SecurityTokenValidated callback. The problem is that in that response, the refresh token is always missing. We've tried several different places:
AuthenticationTicket.Properties.AllowRefreshis alwaysfalse, despite settingAuthenticationProperties.AllowRefreshtotrueduring theAuthentication.ChallengestepProtocolMessage.AccessTokencontains a valid access token, howeverProtocolMessage.RefreshTokenis alwaysnull- Both of the above hold true regardless of whether we look at
SecurityTokenValidatedor atAuthorizationCodeReceived
On top of all of the above, there's one more question which we're unsure about. Currently we use ROPC to refresh the access token. Will that work even if we use the Authorization Code flow for signing in?
Any suggestions would be appreciated. Thanks!
EDIT
Going to mark the answer from Rukmini (https://stackoverflow.com/a/76578895/1289046) as correct, but I wanted to elaborate a bit on the specific steps I needed to take, to get this working.
First things first - in terms of the setup info for what gets sent over to Azure AD B2C, the first authorize call is sent using scope=openid and response_type=code id_token. I then hook into the SecurityTokenValidated message that Azure AD B2C sends back when authentication has occurred successfully.
In there, I modified the overall flow significantly. From the response I get from Azure AD B2C, I take only the ProtocolMessage.Code value, and I use that to make another call to Azure AD B2C. This time, though, I call it using grant_type=authorization_code and I set the code parameter to the aforementioned ProtocolMessage.Code value. I make this call using a client_id and client_secret registered in Azure AD B2C.
The response of this second call properly contains the refresh_token, alongside the id_token and an expires_in value for both tokens.
Last, but not least, I rewired the refresh token behaviour - as long as the refresh_token hasn't expired, I use it to get a new id_token if it has expired or will soon do so. If the refresh_token has expired, I log the user out.
I created an Azure AD B2C Application and granted API permissions like below:
Now, I generated access token using ROPC flow using below parameters via Postman:
https://b2ctenant.b2clogin.com/b2ctenant.onmicrosoft.com/<policy-name>/oauth2/v2.0/token
client_id:ClientID
scope:openid
username:[email protected]
password:*****
grant_type:password
client_secret:ClientSecret
Note that: To generate refresh token, the
offline_accessscope is required.
To generate the refresh token, grant offline_access API permission:
Now while generating the token, pass offline_access scope like below:
scope:openid offline_access
To get refresh token, modify the code like below:
AuthenticationType = AuthenticationType.Storefront,
ClientId = clientId,
Authority = authority, SignInAsAuthenticationType = AuthenticationType.Storefront,
Scope = OpenIdConnectScopes.OpenId + "offline_access",
ResponseType = OpenIdConnectResponseTypes.CodeIdToken,
On top of all of the above, there's one more question which we're unsure about. Currently we use ROPC to refresh the access token. Will that work even if we use the Authorization Code flow for signing in?
https://b2ctenant.b2clogin.com/b2ctenant.onmicrosoft.com/B2C_1_Signinsignup/oauth2/v2.0/token
client_id:xxxx
grant_type:authorization_code
scope:openid offline_access
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
Yes, you can use ROPC to refresh the access token even if Authorization Code flow is used for signing in.
I am able to refresh the access token generated by authorization code and using refresh token of ROPC:
- KeyCloak Integration with Azure B2C UserName Mapping Issue
- How do I programmatically clear or update a phone number for Azure AD B2C MFA?
- B2C - How to override sign up now link (custom policy)
- Azure B2C IdP-Access Token fails with IDX10511: Signature validation failed
- B2C Sign-up screen shows {OIDC:LoginHint} instead of the login
- During signIn receiving B2C error code ‘AADB2C99059’
- Azure B2C / WPF - Handling a failed MFA verification flow
- Assign B2C User to ExternalAzureAD identity
- AADB2C90304: User journey went into a bad state. Claims exchange with id 'LocalAccountSigninEmailExchange' could not be found in orchestration step
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Sign in to Azure B2C with an OpenID account (Microsoft Work email) but prevent user from signing up
- Azure b2c still authenticated after hitting logout
- Can Azure AD B2C send extension attributes without the extension prefix on a SAML token in a SAML IdP-initiated SSO flow?
- Azure B2C Signup page
- Azure B2C integration not working on app built using pwabuilder for iOS
- Azure AD B2C problem with Self-Service password reset
- use of b2clogin.com when acquiring token with Client Credential Grant Flow
- Azure B2C does not receive script information written in HTML files uploaded to storage
- Azure B2C: Edit Profile via a single page
- Azure b2c cutom policy signin validation profile
- Mendix and Azure Ad B2C AuthRequest does not have assertion consumer service URL
- Azure Active Directory B2C: How to query MS Graph to get a user's alternative security ID?
- Did B2C user creation defaults change regarding password reset?
- Refresh Tokens and MicrosoftIdentityWebApp
- ADB2C Social Log in - what is the difference between alternateSecurityId and userIdentity?
- To allow external client application users to access B2C Integrated client website
- Correlation failed in asp.net core
- Custom attribute as stringCollection on Azure AD B2C
- How to get detailed exception in Azure B2C Custom policy by Correlation ID?
- Authenticating with Azure AD B2C Issue