Azure / azure-sdk-for-java

This repository is for active development of the Azure SDK for Java. For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/java/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-java.
MIT License

[FEATURE REQ] Angular connected to Azure B2C - The issuer B2C is not registered in trusted issuer repository #35918

Open steve-cardenas opened 1 year ago

steve-cardenas commented 1 year ago

While working on an Angular App connected to Azure B2C, I received the following exception while calling the Java API.

The exception:

WWW-Authenticate: Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: The issuer: 'https://abc.b2clogin.com/e761f276-37f8-499d-aaec-47801cdea4d1/v2.0/' is not registered in trusted issuer repository, so cannot create JWSKeySelector.", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

I was reviewing the issuer generation process and noticed a difference.

When I used the client's credentials, the "iss" value was set to "https://login.microsoftonline.com/e761f276-37f8-499d-aaec-47801cdea4d1/v2.0". However, when I used my Angular app, the "iss" value changed to "https://abc.b2clogin.com/e761f276-37f8-499d-aaec-47801cdea4d1/v2.0/".

package com.azure.spring.sample.aad.b2c.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

@Configuration(proxyBeanMethods = false)
@EnableWebSecurity
@EnableMethodSecurity
public class ResourceServerConfiguration {

    @Bean
    public SecurityFilterChain htmlFilterChain(HttpSecurity http) throws Exception {
        // Map the token's role claims to Spring authorities prefixed with APPROLE_
        JwtAuthenticationConverter authenticationConverter = new JwtAuthenticationConverter();
        JwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
        jwtGrantedAuthoritiesConverter.setAuthorityPrefix("APPROLE_");
        authenticationConverter.setJwtGrantedAuthoritiesConverter(jwtGrantedAuthoritiesConverter);

        // Every request needs a valid bearer JWT; the decoder is the one the starter auto-configures
        http.csrf().disable()
            .authorizeHttpRequests((requests) -> requests.anyRequest().authenticated())
            .oauth2ResourceServer()
            .jwt()
            .jwtAuthenticationConverter(authenticationConverter);

        return http.build();
    }
}

application.yml

spring:
  cloud:
    azure:
      active-directory:
        b2c:
          enabled: true
          profile:
            tenant-id: e761f276-37f8-499d-aaec-47801cdea4d1
          credential:
            client-id: 756fbf55-2f45-4c9a-a9c6-599a8008c4dd            # If you are using v2.0 token, please configure client-id for `aud` verification
          app-id-uri: https://tenant.onmicrosoft.com/Java-webapi        # If you are using v1.0 token, please configure app-id-uri for `aud` verification
          base-uri: https://tenant.b2clogin.com          # Such as: https://xxxxb2c.b2clogin.com
          user-flows:
            sign-up-or-sign-in: B2C_1_sigin-signup

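The two "iss" values above come from two different token endpoints, and each endpoint publishes its own signing keys, so a resource server that wants to accept both has to register each issuer together with its own key set and match the issuer string exactly (the trailing slash on the b2clogin issuer is part of the value). The following is an added example, not code from the issue or from the Azure starter: it uses only Spring Security's public API (JwtIssuerAuthenticationManagerResolver, NimbusJwtDecoder, JwtIssuerValidator) to build one decoder per trusted issuer, and it bypasses the starter's trusted-issuer repository rather than extending it. The host names, tenant id, client id and JWKS URLs are placeholders; that client-credentials tokens from login.microsoftonline.com are signed with the keys at that host's discovery/v2.0/keys endpoint is an assumption of the example.

```java
package com.azure.spring.sample.aad.b2c.security;

import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;

// Added example (not from the issue or the Azure SDK): explicit per-issuer trust.
@Configuration(proxyBeanMethods = false)
@EnableWebSecurity
public class MultiIssuerResourceServerConfiguration {

    // Placeholders (assumptions), not the reporter's real tenant or application ids.
    private static final String TENANT_ID = "<tenant-id>";
    private static final String API_CLIENT_ID = "<api-client-id>";
    private static final String B2C_HOST = "nametenant.b2clogin.com";
    private static final String B2C_DOMAIN = "nametenant.onmicrosoft.com";
    private static final String USER_FLOW = "B2C_1_sigin-signup";

    // The two "iss" forms seen in the thread. Each is matched exactly, trailing slash included,
    // and each is paired with the key set that issuer actually signs with (assumed URLs).
    private static final String B2C_ISSUER = "https://" + B2C_HOST + "/" + TENANT_ID + "/v2.0/";
    private static final String B2C_JWKS =
        "https://" + B2C_HOST + "/" + B2C_DOMAIN + "/" + USER_FLOW + "/discovery/v2.0/keys";
    private static final String AAD_ISSUER = "https://login.microsoftonline.com/" + TENANT_ID + "/v2.0";
    private static final String AAD_JWKS =
        "https://login.microsoftonline.com/" + TENANT_ID + "/discovery/v2.0/keys";

    @Bean
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        Map<String, AuthenticationManager> managers = Map.of(
            B2C_ISSUER, managerFor(B2C_ISSUER, B2C_JWKS),
            AAD_ISSUER, managerFor(AAD_ISSUER, AAD_JWKS));
        // The resolver reads the still-unverified "iss" claim only to choose a manager.
        // An issuer that is not a key of the map resolves to null and the request is
        // rejected before any key lookup or signature check happens.
        JwtIssuerAuthenticationManagerResolver resolver =
            new JwtIssuerAuthenticationManagerResolver(managers::get);

        http.csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(requests -> requests.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(resolver));
        return http.build();
    }

    // One decoder per issuer: signature against that issuer's JWKS, then exp/nbf, exact iss, and aud.
    private static AuthenticationManager managerFor(String issuer, String jwkSetUri) {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>(
            JwtValidators.createDefault(),       // exp / nbf with the default clock skew
            new JwtIssuerValidator(issuer),      // "iss" must equal the registered string
            audienceValidator(API_CLIENT_ID));   // the "aud" check the yml comments refer to
        decoder.setJwtValidator(validator);
        return new ProviderManager(new JwtAuthenticationProvider(decoder));
    }

    // Rejects tokens minted for a different API even when issuer and signature are valid.
    static OAuth2TokenValidator<Jwt> audienceValidator(String expectedAudience) {
        return jwt -> {
            List<String> aud = jwt.getAudience();
            if (aud != null && aud.contains(expectedAudience)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(new OAuth2Error(
                "invalid_token", "The required audience is missing", null));
        };
    }
}
```

The design point is that the issuer allow-list is the first gate and the signature check is bound to the issuer that was matched, so a token cannot be validated against the wrong key set just because it names a host that looks similar. Whether both issuers should be trusted at all is a decision for the API owner; an API that is only ever called by the SPA user flow is safer with a single entry in the map.
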
Netyyyy commented 1 year ago

Hi @steve-cardenas, could you help provide a minimal project for that error? Also, how do you get the token from the client's credentials and from the Angular app such that the iss differs? Could you provide more information? Thanks.

steve-cardenas commented 1 year ago

I am using the code of the following application for the front-end in Angular.

https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/3-Authorization-II/2-call-api-b2c/ENG

The parameters for the front-end are similar to these:

https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/blob/main/3-Authorization-II/2-call-api-b2c/SPA/src/app/auth-config.ts

import { LogLevel, Configuration, BrowserCacheLocation } from '@azure/msal-browser';

const isIE = window.navigator.userAgent.indexOf("MSIE ") > -1 || window.navigator.userAgent.indexOf("Trident/") > -1;

export const b2cPolicies = {
    names: {
        signUpSignIn: 'B2C_1_sigin-signup',
        resetPassword: 'B2C_1_reset',
        editProfile: 'B2C_1_edit_profile',
    },
    authorities: {
        signUpSignIn: {
            authority: 'https://nametenant.b2clogin.com/nametenant.onmicrosoft.com/B2C_1_sigin-signup',
        },
        resetPassword: {
            authority: 'https://nametenant.b2clogin.com/nametenant.onmicrosoft.com/B2C_1_reset',
        },
        editProfile: {
            authority: 'https://nametenant.b2clogin.com/nametenant.onmicrosoft.com/b2c_1_edit_profile',
        },
    },
    authorityDomain: 'nametenant.b2clogin.com',
};

export const msalConfig: Configuration = {
    auth: {
        clientId: '41e57c38-009d-4254-aa6d-b1d6d63f0e63', // This is the ONLY mandatory field that you need to supply.
        authority: b2cPolicies.authorities.signUpSignIn.authority, // Defaults to "https://login.microsoftonline.com/common"
        knownAuthorities: [b2cPolicies.authorityDomain], // Mark your B2C tenant's domain as trusted.
        //validate prod 
        redirectUri: '/auth', // Points to window.location.origin by default. You must register this URI on Azure portal/App Registration.
        postLogoutRedirectUri: '/', // Points to window.location.origin by default.
    },
    cache: {
        cacheLocation: BrowserCacheLocation.LocalStorage, // Configures cache location. "sessionStorage" is more secure, but "localStorage" gives you SSO between tabs.
        storeAuthStateInCookie: isIE, // Set this to "true" if you are having issues on IE11 or Edge. Remove this line to use Angular Universal
    },
    system: {
        /**
         * Below you can configure MSAL.js logs. For more information, visit:
         * https://docs.microsoft.com/azure/active-directory/develop/msal-logging-js
         */
        loggerOptions: {
            loggerCallback(logLevel: LogLevel, message: string) {
                console.log(message);
            },
            logLevel: LogLevel.Verbose,
            piiLoggingEnabled: false
        }
    }
}

I am using the code of the following application for the Back-end in Java:

https://github.com/Azure-Samples/azure-spring-boot-samples/tree/main/aad/spring-cloud-azure-starter-active-directory-b2c/aad-b2c-resource-server

The parameters for the back-end are similar to these:

https://github.com/Azure-Samples/azure-spring-boot-samples/blob/main/aad/spring-cloud-azure-starter-active-directory-b2c/aad-b2c-resource-server/src/main/resources/application.yml

spring:
  cloud:
    azure:
      active-directory:
        b2c:
          enabled: true
          base-uri: https://NameTenant.b2clogin.com/NameTenant.onmicrosoft.com            # Such as: https://xxxxb2c.b2clogin.com
          profile:
            tenant-id: e761f276-37f8-499d-aaec-47801cdea4d1
          app-id-uri: https://NameTenant.onmicrosoft.com/Java-webapi  # If you are using v1.0 token, please configure app-id-uri for `aud` verification
          credential:
            client-id: 756fbf55-2f45-4c9a-a9c6-599a8008c4dd          # If you are using v2.0 token, please configure client-id for `aud` verification
          user-flows:
            sign-up-or-sign-in: B2C_1_sigin-signup

Daantie commented 1 year ago

@Netyyyy are there any updates on this?

I'm running into the same issue. I tried different versions of the maven spring-cloud-azure-starter-active-directory-b2c package compatible with Spring Boot 2.7.x and 3.x but without success. It keeps giving the "is not registered in trusted issuer repository, so cannot create JWSKeySelector." error.

I think what OP means is that when a microsoftonline URL is configured as the issuer in the Java app, it is automatically translated to a b2clogin URL (at least that's what I think).

Netyyyy commented 1 year ago

Hi @Daantie, thanks for asking. This issue is in our backlog. Please vote for this feature so we can prioritize it.

Daantie commented 1 year ago

/vote