Reputation: 145
I am using https://github.com/Azure-Samples/active-directory-b2c-ios-swift-native-msal and can go through the interactive login flow fully, but I never get the tokens properly back. When I do a Run Flow on the policy in the AD B2C portal I get the tokens back when I redirect to jwt.ms.
I have enabled the verbose and pii logging as well. The authority url is resolving properly.
I have enabled both Access token and ID Token for the implicit flow in the azure portal as well. I have tried passing in a blank array of scopes as well as 'openid'/etc and that tells me that those are reserved and not to pass in.
If I had the token, I plan to hit azure functions (not graph like in the sample).
Any help would be greatly appreciated as I have spent a lot of time researching this. I saw on a Stack Overflow thread that "msal" was incorrect in the documentation and to update to msauth.clientid://auth, which I have also tried to no avail.
I am logging in as a local account that was previously created.
%@ TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:00] Requiring default broker type due to app being built with iOS 13 SDK
%@ TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:00 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] -[MSALPublicClientApplication acquireTokenWithParameters:(
)
extraScopesToConsent:(null)
account:(null)
loginHint:(null)
promptType:MSALPromptTypeSelectAccount
extraQueryParameters:(null)
authority:<MSALB2CAuthority: 0x600000b100e0>
webviewType:MSALWebviewTypeSafariViewController
customWebview:No
correlationId:(null)
capabilities:(null)
claimsRequest:(null)]
%@ TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:00 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] Beginning interactive flow.
%@ TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:00 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] Resolving authority: https://......b2clogin.com/tfp/......onmicrosoft.com/B2C_1_tes_sign_up_and_sign_in, upn: (null)
%@ TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:00 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] Resolved authority, validated: NO, error: 0
%@ TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:00] Start background app task with type 0
Received callback!
Received callback!
Received callback!
Received callback!
Received callback!
msauth.com.microsoft.identity.client.sample.msaliosb2c://auth/?state=REJEQTM3MDAtMUNGMC00MEVGLTkwRTMtRUU0NDUxOTIxNjgy&client_info=eyJ1aWQiOiI5MmMyMWFmZS04MmRmLTQyZmQtOGQxZC1kOTM5MzIxNzJiZjgtYjJjXzFfdGVzX3NpZ25fdXBfYW5kX3NpZ25faW4iLCJ1dGlkIjoiYzc5OTBkMTAtN2RkMy00Y2MxLTg0NDAtYmFlNjM3NmYzZjdkIn0&code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMCIsInppcCI6IkRlZmxhdGUiLCJzZXIiOiIxLjAifQ..utC9PGZsSCucrxsi.YX7_K2EsSN0FC7xmbBuiih9kpX_kiiAfk18ttdcf1fgzbJdpxtlKE45LDow49h-CTu4BeNLCGeUD4ZPPUqEs6zrahnRppXbxpkEZFejllpumfjaCI6Au0BUWjRWX_ChHSTPY2d2C6X0rNpWSp9mvRDKwQlR-4f-jBzqpHGwGJhSTI2eO4dXE1P_wJJ0tAE5BVARbnb5bEPY6RMCpcXHDakGhcaQzBqXsmGIKuZASWOKGKgB-k-aXj2wB-DuprEIK168Gmvy41IO20C9kGtYpezcFtbEeH-yp53nu-2pdw8dxV3IVpECyQzYw3mVL0_wb0LsMN4dHonHqnXcjdghxSv1X75Haz_HRyisZTZ0bCHEx-4IN8mkEokIvJG54zM5DY36ZgIbJEUGhmx_dJinphRqjD13utQAhVyrHjA1_oGnPVZ_RJJh2pL_MRPaaWrj3kbcpudxjvPwdA9OIur6t71BIVA-uAbnMn-J6ORlbuPhQT4p-6XDC1h068huqjKgCEWADoIFzH7Hd8gOHjrc-Nc0EXY33ln_NXz9pYLtde-WhTC4O_gmE36Hw4p_4cD0_FfyWb57sfb_5GUllhkZKJWVfxa2V7WD28whVlEn0ksbkMbedBsuhcX0.di8cR8t0DcTKLlPvfJrLZQ
%@ TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09] Stop background task with type 0
%@ TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] No cached preferred_network for authority
%@ TID=29077 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] Sending network request: (not-null), headers: (not-null)
%@ TID=31634 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09] session:didReceiveChallenge:completionHandler - nsurlauthenticationmethodservertrust. Host: ........b2clogin.com. Previous challenge failure count: 0
%@ TID=31638 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] Received network response: (not-null), error (null)
%@ TID=31638 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] Parsed response: (not-null), error (null), error domain: (null), error code: 0
%@ TID=31638 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] Unsuccessful token response, error Error Domain=MSIDErrorDomain Code=-51100 "(null)" UserInfo={MSIDCorrelationIdKey=FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0, MSIDErrorDescriptionKey=Authentication response received without expected accessToken}
%@ TID=31638 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] Interactive flow finished result (null), error: -51100 error domain: MSIDErrorDomain
%@ TID=31638 MSAL 1.0.0 iOS Sim 13.6 [2020-08-25 03:38:09 - FCCF8212-9E72-4E6E-8C3A-042F71EDEAA0] [MSAL] acquireToken returning with error: (MSALErrorDomain, -50000) Authentication response received without expected accessToken
Upvotes: 1
Views: 1018
Reputation: 434
The answer did help me get on the right path, but the problem was a bit different.
I used the following scopes: https://tenantname.onmicrosoft.com/APINAME/write https://tenantname.onmicrosoft.com/APINAME/read
I implemented this in the following way:
kScopes = ["https://tenantname.onmicrosoft.com/\(String(describing: kAPI))/write", "https://tenantname.onmicrosoft.com/\(String(describing: kAPI))/read"]
This did not work because it made the following string "https://tenantname.onmicrosoft.com("APINAME")/read". Stack Overflow removes a couple of \ in between there, but you get the point.
Upvotes: 0
Reputation: 145
The resolution to this issue is one that I want to post for others as it could really use some improvement in the documentation or error codes. I don't think it only applies to Azure Function apis.
In the Azure B2C portal, if you run the sign-in flow, your browser will show a scope of openid (might have had profile as well). So, you would think that when using MSAL, you would pass this as a scope as well. If you do, you get an error message stating that openid and profile are reserved scopes that MSAL manages and not to pass them in.
You would think that is great, it is handled for you, and is not causing an issue where you are not getting your tokens, and to move on and look for other issues... thereby leaving the scopes as a blank array. You may not even need a special scope or permission in your API to restrict users.
However, it ended up that if you go to "Expose an API" in the Azure B2C tenant area, it will state that you must create at least one custom scope and at least one permission and that you must request at least one custom scope. Also, you must set an App ID URI. Create a custom scope, pass it in through MSAL, and you get your token.
So you don't need a custom scope or a specified App ID URI when running the flow from the Azure portal, but you do if you are using MSAL. There must be a reason for this, but it doesn't really make sense to me at the moment.
Hope this helps someone.
Upvotes: 3
Reputation: 7483
You could get both an access token and an ID token with the implicit flow. If you get id_token but not access_token, check that response_type contains token, not just id_token.
Note: make sure to add the scope in a format like this: https://YOUR_TENANT.onmicrosoft.com/api/user_impersonation
GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize?
client_id=xxxxxxx
&response_type=id_token+token
&redirect_uri=xxxxx
&response_mode=fragment
&scope=openid%20offline_access%20https%3A%2F%2F{tenant}.onmicrosoft.com%2Fxxxx%2Fuser_impersonation
&state=123456
&nonce=12345
Upvotes: 0
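The two answers above make the same point from different sides: MSAL rejects the reserved openid/profile scopes, and without at least one custom scope exposed under the tenant's App ID URI the token response comes back with no access token. The following Python is an added example, not code from the question, the answers or the Azure sample; it checks a scope array against those rules, builds the authorize request in the shape the last answer shows, and tells an id_token-only fragment response apart from one that also carries an access token. The tenant name contoso, the client id, the redirect scheme and the token values are all constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Scopes MSAL adds on its own; passing them explicitly triggers the
# "reserved scope" error the second answer describes.
RESERVED_SCOPES = {"openid", "profile", "offline_access"}


def _is_custom_scope(prefix, scope):
    """True for https://{tenant}.onmicrosoft.com/<api>/<permission>."""
    if not scope.startswith(prefix):
        return False
    parts = scope[len(prefix):].split("/")
    return len(parts) >= 2 and all(parts)


def check_msal_scopes(tenant, scopes):
    """Return the problems found in the scope array an app would hand to MSAL.

    Rules, taken from the answers above:
      * reserved scopes must not be passed explicitly;
      * at least one custom scope under the App ID URI must be requested,
        otherwise B2C answers without an access token;
      * a scope containing '(' or '"' is almost certainly broken string
        interpolation (the kScopes mistake in the first answer).
    """
    prefix = "https://%s.onmicrosoft.com/" % tenant
    problems = []
    for scope in scopes:
        if scope in RESERVED_SCOPES:
            problems.append("%r is reserved; MSAL adds it for you" % scope)
        elif "(" in scope or '"' in scope:
            problems.append("%r looks like broken string interpolation" % scope)
    if not any(_is_custom_scope(prefix, s) for s in scopes):
        problems.append("no custom scope of the form %s<api>/<permission>" % prefix)
    return problems


def build_authorize_url(tenant, policy, client_id, redirect_uri,
                        custom_scopes, state, nonce):
    """Build the implicit-flow authorize request from the last answer.

    response_type must contain 'token' or only an id_token comes back;
    urlencode percent-encodes the scope URLs (https%3A%2F%2F...) and joins
    space-separated values with '+', which the endpoint accepts.
    """
    base = "https://%s.b2clogin.com/%s.onmicrosoft.com/%s/oauth2/v2.0/authorize" % (
        tenant, tenant, policy)
    query = {
        "client_id": client_id,
        "response_type": "id_token token",
        "redirect_uri": redirect_uri,
        "response_mode": "fragment",
        "scope": " ".join(["openid", "offline_access"] + list(custom_scopes)),
        "state": state,
        "nonce": nonce,
    }
    return base + "?" + urlencode(query)


def parse_fragment_response(redirect):
    """Parse the redirect B2C sends back with response_mode=fragment.

    Reports which tokens are present so an id_token-only response (the
    symptom in the question) is visible at a glance; state is returned so
    the caller can compare it with the value it sent.
    """
    params = parse_qs(urlsplit(redirect).fragment)
    return {
        "has_id_token": "id_token" in params,
        "has_access_token": "access_token" in params,
        "state": params.get("state", [None])[0],
        "error": params.get("error_description", [None])[0],
    }


if __name__ == "__main__":
    api_scope = "https://contoso.onmicrosoft.com/api/user_impersonation"
    print(check_msal_scopes("contoso", ["openid"]))       # reserved + no custom scope
    print(check_msal_scopes("contoso", [api_scope]))      # []
    print(build_authorize_url("contoso", "B2C_1_signupsignin", "00000000-0000-0000-0000-000000000000",
                              "msauth.com.example.app://auth", [api_scope], "123456", "12345"))
    # Constructed redirect with both tokens present (values are placeholders).
    print(parse_fragment_response(
        "msauth.com.example.app://auth/#state=123456&id_token=ID.TOKEN&access_token=AT.TOKEN&token_type=Bearer"))
```

The check function is deliberately strict about parentheses and quotes in a scope string because that is exactly how the kScopes interpolation mistake in the first answer shows up at runtime.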