[Bug] Authorization code is truncated causing error AADB2C90090: The provided JWE is not a valid 5 segment token.

[NickVandewalle]

Which Version of MSAL are you using ? 4.30.1

Platform .NET Framework 4.7.2

What authentication flow has the issue? Desktop / Mobile Interactive

Is this a new or existing app? An existing app with a new implementation of B2C.

Repro

• Create a custom B2C policy that enriches the JWT with application-specific claims.
• Acquire a token via AcquireTokenInteractive with the nativeclient redirect uri.
• The redirect uri + authorization code exceed 2084 characters.
• The code at WindowsFormsWebAuthenticationDialogBase can only read the truncated code instead of the full authorization code.
• When exchanging the authorization code for a token the application throws the titular exception.

Expected behavior A large set of claims should not cause an exception to occur.

Actual behavior The authorization code gets truncated whenever the claims cause the authorization code to exceed a certain size.

Additional context/ Logs / Screenshots AAD90090_Logging.txt

This issue is very similar to #2515 so it could be that this is a duplicate.

[jmprieur]

@NickVandewalle are you using the system browser? (I'm assuming yes, with B2C)?

[NickVandewalle]

@jmprieur Yes, indeed.

[jennyf19]

@NickVandewalle do you have a repro you can share?

[jennyf19]

@NickVandewalle have opened an ICM on B2C, as per direction from their team.

[NickVandewalle]

@jennyf19 I've made a repro.

What this repro does is:

• Shows a slimmed down version of our internal test client.
• The sign-in calls a policy made explicitly for this repro.
• That policy does an API call to fetch data for a specific claim (key: 'SomeValue').
• We've made two throwaway accounts for this repro case, credentials can be found within the source code (see MainViewModel ctor).
• One account (msal2607.long) will get a very large string for the 'SomeValue' claim and get an exception, the other account (msal2607.short) will only get a short string.
• The .long will fail every time, the .short will succeed every time.

If there's an issue with the repro, just let me know and I'll try to help.

Edit: FYI: I've noticed that I get an error after fetching the nugets for the first time. restarting visual studio seems to fix this.

[jennyf19]

thanks @NickVandewalle, i passed this info on to the B2C side.

[jennyf19]

@NickVandewalle B2C is having difficulties getting a repro on this...is it still an issue?

[NickVandewalle]

@jennyf19 Yes, still an issue.

I have just now successfully reproduced this via the attached repro case. Is the B2C team not able to simulate the exception via the repro case? Or do they have issues getting the solution to run in general (Because I also had to restore the nugets manually and reopen visual studio for some reason)?

[jennyf19]

@NickVandewalle can you send me an email and I'll get you in touch w/the b2c side working on this. they need more specific info, if that's okay with you. jeferrie@microsoft.com

[pmaytak]

Hi @NickVandewalle Please see my investigation in https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/2743#issuecomment-877583645 Could you try some of these workarounds?

• Use default system browser instead of the embedded ones System browser wiki
• Use WebView2 embedded browser WebView2 wiki
  • WebView2 works better on .NET Core, so it would be better if you can upgrade.
  • Otherwise, if you run into WebView2 related issue in Net Fx, there's a workaround in https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/2482#issuecomment-878619630