Azure-Samples / ms-identity-python-webapp

A Python web application calling Microsoft Graph that is secured using the Microsoft identity platform
MIT License

Issue with B2C feature of Microsoft identity platform with a Python web application #28

Closed SanjeevKumar300 closed 1 year ago

SanjeevKumar300 commented 4 years ago

I tried to follow all the instructions mentioned in the readme for B2C. Instead of going to the Azure AD B2C sign-in/sign-off page it is getting redirected to the app page. It seems the auth URL is incorrect.

    Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
    127.0.0.1 - - [01/Jun/2020 18:57:12] "GET / HTTP/1.1" 302 -
    127.0.0.1 - - [01/Jun/2020 18:57:15] "GET /login HTTP/1.1" 200 -
    127.0.0.1 - - [01/Jun/2020 18:57:25] "GET /getAToken?error=redirect_uri_mismatch&error_description=AADB2C90006%3a+The+redirect+URI+%27http%3a%2f%2f127.0.0.1%3a5000%2fgetAToken%27+provided+in+the+request+is+not+registered+for+the+client+id+%272a12c9b6-dfe9-4a83-a329-a51f5acf28e2%27.%0d%0aCorrelation+ID%3a+e7461ec9-5d98-4b87-a940-951802ae0d3f%0d%0aTimestamp%3a+2020-06-01+13%3a27%3a24Z%0d%0a&state=2b18432b-0939-4f6f-a336-c3a2c4daafcb HTTP/1.1" 302 -
    127.0.0.1 - - [01/Jun/2020 18:57:25] "GET / HTTP/1.1" 302 -
    127.0.0.1 - - [01/Jun/2020 18:57:27] "GET /login HTTP/1.1" 200 -

rayluo commented 4 years ago

It seems auth url is incorrect

That indeed seems to be the case here, based on the error message in the log that you provided. That is supposed to be addressed by the very first step in our README_B2C. What value(s) did you put into your app's config?

By the way, I also notice that you pasted the HTTP logs, rather than pasting the content of an error page. You should also have been presented with a more human-readable error page. Please let us know if that was not the case, then we will need to check.

SanjeevKumar300 commented 4 years ago

Hi, I am getting a redirect URI mismatch error. The app redirect URI is http://localhost:5000/getAToken and the app_config REDIRECT_PATH = "/getAToken"

    /getAToken?error=redirect_uri_mismatch&error_description=AADB2C90006%3a+The+redirect+URI+%27http%3a%2f%2f127.0.0.1%3a5000%2fgetAToken%27+provided+in+the+request+is+not+registered+for+the+client+id+%27f7cd719f-3658-4cb6-a1ab-aeabac0076ca%27.%0d%0aCorrelation+ID%3a+765e147b-fb7d-49e6-9c2c-002c968a91f7%0d%0aTimestamp%3a+2020-06-02+07%3a09%3a49Z%0d%0a&state=de246232-4824-407c-

SanjeevKumar300 commented 4 years ago

And if I try to run the app using http://localhost:5000 I am getting another error: Login Failure invalid_request AADB2C90117: The scope 'User.ReadBasic.Al' provided in the request is not supported. Correlation ID: b7fbb865-a82d-46f6-9148-2ede5ed1f3e4 Timestamp: 2020-06-02 07:20:56Z

nickgmicrosoft commented 4 years ago

Hi Sanjeev,

Have you registered the application?

See https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=applications.

If so, check the registered redirect URIs corresponding to your platform in the "Authentication" blade and the permissions in the "API permissions" blade.

SanjeevKumar300 commented 4 years ago

Hi Nick, please understand that the setup of the Azure AD B2C tenant, app registration, user flows and identities is perfectly OK; I have also tested all three flows in the B2C tenant and they work correctly. Also, app_config.py is updated correctly. I have configured the redirect URI as http://localhost:5000/getAToken and all the permissions are given. I still do not understand why the Flask app is not working. It would be helpful if we could have a Teams meeting remotely and fix the issue. This would be quick and save a lot of time instead of sending emails back and forth. Regards, Sanjeev Kumar

rayluo commented 4 years ago

@SanjeevKumar300 It seems you are making progress, but it is still hard to tell whether you were talking about a previous error or a new one. That previous error:

And if I try to run the app using http://localhost:5000 I am getting another error: Login Failure invalid_request AADB2C90117: The scope 'User.ReadBasic.Al' provided in the request is not supported. Correlation ID: b7fbb865-a82d-46f6-9148-2ede5ed1f3e4 Timestamp: 2020-06-02 07:20:56Z

sounds like you did not configure the scope/permission properly. As far as I know - and @nickgmicrosoft can confirm - a B2C API you are going to call would typically NOT use an AAD scope like User.ReadBasic.All.

But then now you said

I still do not understand why the flask app is not working

can you be more specific on which page is not working:

That information is even more important EVERY TIME you switch to a new topic in this same conversation thread.

SanjeevKumar300 commented 4 years ago

Hi, here is the file explaining the flow and the issue. I hope this would be sufficient to help to fix the issue: Azure_B2C_Tenant_Flask_app_Issue.docx

Also, it was not clear what to put in the endpoint. I am trying the same app that is in the GitHub repo.

This is the resource that you are going to access in your B2C tenant

ENDPOINT = ''

These are the scopes that you defined for the web API

SCOPE = ["demo.read", "demo.write"]

rayluo commented 4 years ago

@nickgmicrosoft please help confirm what should be set up as B2C API scopes, based on the screenshots in the docx file above. I suspect that:

mmacy commented 4 years ago

@rayluo @SanjeevKumar300 @nickgmicrosoft For now, let's remove the API from the equation so that you can get sign-up/sign-in, profile edit, and logout working.

In app_config.py, set SCOPE to an empty array:

SCOPE = [] # ["demo.read", "demo.write"]

Now run the application and see if you can log in. I've just tested this locally and it functions as expected for signup/signin, profile edit, and logout.

We obviously have more debugging to do with this sample, but I expect the ENDPOINT and SCOPE values would be in this format:

ENDPOINT = "http://localhost:5001/hello"
SCOPE = ["https://{b2c-tenant-name}.onmicrosoft.com/api/demo.read"]

Now, this assumes that you actually have a web API application up and running on http://localhost:5001 and available for requests at the /hello endpoint. What the README doesn't currently do is walk you through getting a web API up and running so that you can test this end-to-end.

For now, @SanjeevKumar300, see if you can get just the login portion working by specifying an empty array for the SCOPE value. We'll need to investigate further on how best to present the API portion of this sample and make it rock solid for devs getting started with this.


EDIT: Also, make sure that you:

I'm calling this out specifically because of this error you say you received:

And if I try to run the app using http://localhost:5000 I am getting another error: Login Failure invalid_request AADB2C90117: The scope 'User.ReadBasic.Al' provided in the request is not supported. Correlation ID: b7fbb865-a82d-46f6-9148-2ede5ed1f3e4 Timestamp: 2020-06-02 07:20:56Z

The User.ReadBasic.All scope appears in the original (non-B2C) app_config.py, so I want to make sure you're using the right one.
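The two errors in this thread (AADB2C90006 redirect_uri_mismatch when the browser is on 127.0.0.1 but http://localhost:5000/getAToken is registered, and AADB2C90117 for a Graph scope such as User.ReadBasic.Al sent to a B2C user flow) can both be caught before the first login attempt. The following preflight check is an added example, not code from this sample or from any commenter; the tenant name, the registered redirect URI list and the "full https URI under the tenant" rule for B2C API scopes are assumptions of the example.

```python
from urllib.parse import urljoin, urlparse

# Constructed sample values that mirror this thread; not the sample's real app_config.py.
B2C_TENANT_NAME = "contoso"                                   # assumption: placeholder tenant
REGISTERED_REDIRECT_URIS = ["http://localhost:5000/getAToken"]  # what the portal has registered
REDIRECT_PATH = "/getAToken"

# Delegated Microsoft Graph scopes used by the non-B2C app_config.py; a B2C user flow rejects them.
GRAPH_SCOPES = {"User.ReadBasic.All", "User.Read"}


def effective_redirect_uri(host_url: str, redirect_path: str) -> str:
    """What url_for('authorized', _external=True) yields: the host the browser used + REDIRECT_PATH."""
    return urljoin(host_url, redirect_path)


def check_redirect_uri(host_url: str, redirect_path: str, registered: list) -> list:
    """B2C compares the redirect_uri string exactly, so 127.0.0.1 vs localhost is a mismatch."""
    uri = effective_redirect_uri(host_url, redirect_path)
    if uri in registered:
        return []
    return [f"redirect_uri_mismatch: {uri} is not among registered URIs {registered}; "
            f"open the app on the registered host or register {uri} too"]


def check_scopes(scopes: list, tenant: str) -> list:
    """Heuristic (an assumption of this example): a B2C API scope is a full https URI under the
    API's App ID URI, e.g. https://{tenant}.onmicrosoft.com/api/demo.read."""
    problems = []
    for scope in scopes:
        if scope in GRAPH_SCOPES or scope.startswith("User."):
            problems.append(f"{scope}: Microsoft Graph scope from the non-B2C config (AADB2C90117)")
        elif urlparse(scope).scheme != "https":
            problems.append(f"{scope}: bare name; use https://{tenant}.onmicrosoft.com/<api>/{scope}")
    return problems


def preflight(host_url: str, scopes: list) -> list:
    """Run both checks for the URL the user will browse to and the SCOPE list from app_config."""
    return (check_redirect_uri(host_url, REDIRECT_PATH, REGISTERED_REDIRECT_URIS)
            + check_scopes(scopes, B2C_TENANT_NAME))


if __name__ == "__main__":
    # Reproduces both misconfigurations reported in this thread.
    for problem in preflight("http://127.0.0.1:5000/", ["User.ReadBasic.Al"]):
        print("PROBLEM:", problem)
```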

SanjeevKumar300 commented 4 years ago

Hi @nickgmicrosoft, now I can see the sign-in/sign-off page. When I click sign-in with a valid user name and password, I get another error. In this section of the code

    result = _build_msal_app(cache=cache).acquire_token_by_authorization_code(
        request.args['code'],
        scopes=app_config.SCOPE,  # Misspelled scope would cause an HTTP 400 error here
        redirect_uri=url_for("authorized", _external=True))
    if "error" in result:
        return render_template("auth_error.html", result=result)

the error is: Login Failure invalid_grant AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again. Correlation ID: 6772e87e-f2a4-4d19-bc60-1a0f75b4b3fd Timestamp: 2020-06-05 08:38:47Z

I suspect it is because of the Python Flask app script, because if I use redirect URI = https://jwt.ms and test the user flow signin_signoff inside Azure AD B2C then an authentication token is returned.

If I replace the redirect URI with http://localhost:5000/getAToken then I get the above error: invalid_grant AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again. Correlation ID: 6772e87e-f2a4-4d19-bc60-1a0f75b4b3fd Timestamp: 2020-06-05 08:38:47Z

mmacy commented 4 years ago

@SanjeevKumar300 One thing I noticed in your screenshots in the Word doc is that you're adding API permissions and exposing an API on the same application registration in the Azure portal; this is an incorrect configuration.

Instead, you need two app registrations, one for the API, and one for the web app:

  1. Register a new application, solarpvapi. Expose permissions via Expose an API in this app registration that represents your web API.
  2. Grant permissions to that web API in API permissions in the app registration that represents your web app, solarpvapp. Also, remove the scopes you currently have exposed in the solarpvapp.

Each application must be represented by its own app registration, and you expose the scopes on the API registration, and grant permission to those scopes in the web app registration.

SanjeevKumar300 commented 4 years ago

Hi @mmacy, thanks for the reply. Based on your inputs I registered the web API by following the instructions in https://docs.microsoft.com/en-in/azure/active-directory-b2c/tutorial-desktop-app-webapi?tabs=app-reg-ga%2Capp-reg-preview, but finally I ended up with the same error: Login Failure invalid_grant AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again. Correlation ID: 6772e87e-f2a4-4d19-bc60-1a0f75b4b3fd Timestamp: 2020-06-05 08:38:47Z. I have put a lot of effort and time in over the last couple of days but couldn't fix the issue.

I have also raised a new support request, because there have been back and forth messages exchanged but so far the issue has not been fixed. Also, my experience is that the readme files and sometimes the code are not maintained by Microsoft, which causes developers to spend a lot of time without resolving the issue. I had the same experience with another GitHub repository on running a batch job using a VM.

The best would have been to connect remotely with an expert like you from Microsoft and fix the issue.

rayluo commented 1 year ago

(Cleaning up old open issues) Since we were not able to reproduce this with the sample in our test B2C tenant, we believe that "invalid_grant AADB2C90085: The service has encountered an internal error." symptom was more on the service endpoint side than on this sample.