Msal AADB2C90085 on redirect after custom policy flow #6389

adnan-ashfaq · 2023-08-24T21:57:57Z

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

2.28.2

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

2.4.2

Public or Confidential Client?

Public

Description

I am implementing B2c custom MFA and PasswordRest flow in our angular app. However, after the flow is completed the msal is appending http with the redirect url. For instance if the redirect url is www.abc.com, after redirect it's www.abc.com/https:. In the browser console I get the following errors

POST https://qhrdqab2cmedeo.b2clogin.com/qhrdqab2cmedeo.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/token 400 (Bad Request)
ServerError: invalid_grant: undefined - [undefined]: AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again.
@azure/[email protected] : Error - Guard - error while logging in, unable to activate

MSAL Configuration

{
    auth: {
      clientId: config.clientId,
      authority: config.authorities.signUpSignIn,
      redirectUri: window.origin,
      postLogoutRedirectUri: window.origin,
      knownAuthorities: [config.authorityDomain]
    },
    cache: {
      cacheLocation: BrowserCacheLocation.LocalStorage,
      storeAuthStateInCookie: false
    },
    system: {
      loggerOptions: {
        // eslint-disable-next-line ban/ban, no-console
        loggerCallback: (level, message) => console.log(message),
        logLevel: config.logLevel,
        piiLoggingEnabled: false
      }
    }
  }

export function b2cGuardFactory(): MsalGuardConfiguration {
  return {
    interactionType: InteractionType.Redirect,
    loginFailedRoute: `${window.origin}/error/B2C_USER_LOGIN_FAILED/1`
  };
}

Relevant Code Snippets

init() {
  // setup msal to use router instead of setting window.location
    const customNavigationClient = new MsalCustomNavigationClient(this.authService, this.router, this.location);
    this.authService.instance.setNavigationClient(customNavigationClient);

    this.userFacade.userPermissions$
      .pipe(
        map(userPermission => !!this.b2cConfig && !!userPermission?.b2c_login)
      )
      .subscribe((flag: boolean) => this._enabledSubject$.next(flag));

    this.msalBroadcastService.inProgress$
      .pipe(
        filter((status: InteractionStatus) => status === InteractionStatus.None),
        takeUntil(this.ngUnsubscribe)
      )
      .subscribe(() => {
        this.checkAndSetActiveAccount();
      });

    // listen for msal events
    this.msalBroadcastService.msalSubject$.subscribe((event: EventMessage) => {
      if (event.error) {
        if (event.error.message?.indexOf('AADB2C90091') > -1) {
          this.window.location.replace('/settings');
        } else {
          console.error(event.error);
        }
      }
    });
  }

mfaSetUp() {
    // Redirect user to MFA policy
    this.authService.loginRedirect({
      extraQueryParameters: {
        p: 'B2C_1A_MFAEDIT'
      },
      scopes: OIDC_DEFAULT_SCOPES,
    });
  }

Identity Provider

Azure B2C Custom Policy

Source

Internal (Microsoft)

The text was updated successfully, but these errors were encountered:

lalimasharda · 2023-08-25T20:57:18Z

Hey @adnan-ashfaq , can you share trace level logs for this issue by setting the logLevel to Trace? Thanks!

lalimasharda · 2023-08-25T21:17:35Z

@adnan-ashfaq Can you also please share your network trace on my email?

adnan-ashfaq · 2023-08-25T21:24:58Z

@adnan-ashfaq Can you also please share your network trace on my email?

Just Sent. Can you confirm you've received it?

lalimasharda · 2023-08-25T21:27:28Z

I received the logs but not the network trace!

adnan-ashfaq · 2023-08-25T21:31:56Z

I received the logs but not the network trace!

Just sent them.

It says file too big. Rejected from your server.

adnan-ashfaq · 2023-08-25T21:43:13Z

Attached is the zipped har file. From: Lalima Sharda ***@***.***> Sent: Friday, August 25, 2023 5:28 PM To: AzureAD/microsoft-authentication-library-for-js ***@***.***> Cc: Adnan Ashfaq ***@***.***>; Mention ***@***.***> Subject: Re: [AzureAD/microsoft-authentication-library-for-js] Msal AADB2C90085 on redirect after custom policy flow (Issue #6389) I received the logs but not the network trace! - Reply to this email directly, view it on GitHub<#6389 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AVW7F5Y5NBJL2PYZ7ESS253XXEKEVANCNFSM6AAAAAA35UPOFQ>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>

lalimasharda · 2023-08-28T18:49:59Z

Hey @adnan-ashfaq , the network trace you shared does not show the /authorize call. Can you please collect another trace and make sure it contains the /authorize and /token request & response? Also, can you please double check your code to see if you have a custom method for building a redirect URI somewhere and if it is generating the correct redirect URI? I do not see anything wrong with the redirect URI in your request to /token call.

adnan-ashfaq · 2023-08-28T19:36:38Z

Hey @lalimasharda I have just sent the complete Network log from when user sign-in to completing the flow and redirecting to the url. And yes, I have confirmed we do not have any custom method the redirect uri.

adnan-ashfaq · 2023-08-31T16:01:13Z

Hi @lalimasharda @sameerag , any update on the issue?

microsoft-github-policy-service · 2023-09-11T07:18:21Z