Skip to content
This repository was archived by the owner on Mar 3, 2022. It is now read-only.
This repository was archived by the owner on Mar 3, 2022. It is now read-only.

Issue with B2C when an accessToken AND idToken is present - accessToken does not contain userinfo_endpoint #1382

Open
Open
Issue with B2C when an accessToken AND idToken is present - accessToken does not contain userinfo_endpoint#1382
@erikrenaud

Description

@erikrenaud
erikrenaud
opened on May 26, 2021

Hello,

when using the following config:
public oidcSettings: any = {
userStore: new WebStorageStateStore({ store: window.localStorage, prefix: 'Auth' }),
authority: '',
client_id: '',
redirect_uri: window.location.origin + '/sign-in-callback',
automaticSilentRenew: true,
includeIdTokenInSilentRenew: true,
silent_redirect_uri: window.location.origin + '/sign-in-silent-renew',
response_type: 'code',
scope: 'openid profile',
post_logout_redirect_uri: window.location.origin + '/sign-in/sign-out',
filterProtocolClaims: false,
};

The library correctly receives a CODE from Azure B2C and then exchanges for a token.
{
"id_token": "ey...og",
"token_type": "Bearer",
"not_before": 1621968673,
"id_token_expires_in": 3600,
"profile_info": "ey...x9",
"scope": "openid",
"refresh_token": "ey..EA",
"refresh_token_expires_in": 86400
}

When i add an additional Scope to receive an additional accessToken, i get a CODE back from Azure B2C and then exchange it for some tokens:
{
"access_token": "eyJ...Q",
"id_token": "ey...3Pg",
"token_type": "Bearer",
"not_before": 1621968907,
"expires_in": 3600,
"expires_on": 1621972507,
"resource": "c6c4367d-93d6-42c1-931f-c2236b1afb04",
"id_token_expires_in": 3600,
"profile_info": "ey...Gx9",
"scope": "https://xxx/cyyy/AppAPI openid",
"refresh_token": "ey...cg",
"refresh_token_expires_in": 86400
}

I get the accessToken and idToken, but the code tries to get the userinfo_endpoint value from the accessToken which is not present and fails. I have verified and it is indeed not present nor in the idToken nor in the accessToken.

image

In the code, the "If" that triggers this behaviour when an accessToken is present looks like this (from ResponseValidator.js):

_processClaims(state, response) { if (response.isOpenIdConnect) { Log.debug("ResponseValidator._processClaims: response is OIDC, processing claims");
response.profile = this._filterProtocolClaims(response.profile);
if (state.skipUserInfo !== true && this._settings.loadUserInfo && response.access_token) { Log.debug("ResponseValidator._processClaims: loading user info");

Should there not be a check that only runs this code if an idToken was not received ?

Setting Setting.loadUserInfo = false seems to do the trick.

Is this a failure of the OIDC implementation in B2C, or an issue in this library ? or just a config that someone needs to know they have to activate when both tokens are received by the Token endpoint ?

Activity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions