AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License
1.39k stars 340 forks

Updated Claims are not present in Access or IDToken after a token is Refreshed #4645

Closed munkii closed 7 months ago

munkii commented 7 months ago

Library version used

4.36.1

.NET version

netstandard2.1 Xamarin.Forms 5.0.0.2622

Scenario

PublicClient - mobile app

Is this a new or an existing app?

The app is in production; I haven't upgraded MSAL, but I started seeing this issue

Issue description and reproduction steps

We have a custom extension attribute defined as part of our B2C custom policies. We read that extension attribute from the IAuthenticationResult.IdToken and store it on the mobile device in the Preferences store.

If that custom attribute is updated after an initial authentication, we would expect the new attribute values to appear in the IdToken after a RefreshToken is used to get a new AccessToken.

However, that is not the case, and we do not see the updated claims until the user logs out and logs in again. I have heard others mention this problem with other MSAL platforms and was wondering if it was supposed to work with Identity.Client in Xamarin.

Relevant code snippets

// Namespaces the snippet relies on:
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using Microsoft.Identity.Client;

var account = await this.GetCurrentAccount();
var builder = this.pca.AcquireTokenSilent(scopes, account);
AuthenticationResult result = await builder.ExecuteAsync();

System.Diagnostics.Debug.WriteLine("Access Token has: " + (result.ExpiresOn - DateTimeOffset.UtcNow).TotalMinutes + " minutes");

// Decode (without validating) the ID token MSAL returned and look for the B2C extension claim.
var parsedIdToken = new JwtSecurityToken(result.IdToken);

Claim clinicFromIdToken = parsedIdToken.Claims.FirstOrDefault(c => c.Type == "extension_clinic");

if (clinicFromIdToken != null)
{
    System.Diagnostics.Debug.WriteLine("Clinics from ID Token: " + clinicFromIdToken.Value);
}

// The access token is issued for the API, not the client; decoding it here is for debugging only.
var parsedAccessToken = new JwtSecurityToken(result.AccessToken);

Claim clinicsFromAccessToken = parsedAccessToken.Claims.FirstOrDefault(c => c.Type == "extension_clinic");

if (clinicsFromAccessToken != null)
{
    System.Diagnostics.Debug.WriteLine("Clinics from Access Token: " + clinicsFromAccessToken.Value);
}

Expected behavior

I would expect the updated value of extension_clinic to be reflected in the new token. I can see the token getting updated based on the debug statement

(result.ExpiresOn - DateTimeOffset.UtcNow).TotalMinutes + " minutes")

Identity provider

Azure B2C Custom Policy

Regression

No response

Solution and workarounds

No response
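A check that separates "MSAL handed back a cached token" from "B2C re-issued the token without the updated claim", as an added example that is not code from the issue or from MSAL.NET. It assumes an IPublicClientApplication named `pca`, the app's own `scopes`, and the claim name `extension_clinic` from this issue. AcquireTokenSilent returns the cached access and ID tokens while they are still valid; WithForceRefresh(true) makes MSAL redeem the refresh token immediately, which is the request the B2C refresh-token journey answers, so the two results can be compared without waiting for expiry.

```csharp
// Added example, not from the issue or from MSAL.NET. Assumes an
// IPublicClientApplication `pca`, the app's scopes, and the B2C extension
// claim name `extension_clinic` used in this issue.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class ClaimRefreshCheck
{
    // Reads one claim out of a JWT payload without validating it. MSAL received
    // the token directly from the B2C token endpoint over TLS, so this is only
    // decoding for inspection, not trust establishment.
    public static string ReadClaim(string jwt, string claimType)
    {
        if (string.IsNullOrEmpty(jwt)) return null;
        var token = new JwtSecurityToken(jwt);
        return token.Claims.FirstOrDefault(c => c.Type == claimType)?.Value;
    }

    // Returns the claim from the cached ID token alongside the claim from an
    // ID token obtained by forcing refresh-token redemption right now.
    public static async Task<(string cached, string refreshed)> CompareAsync(
        IPublicClientApplication pca, IEnumerable<string> scopes, string claimType)
    {
        IAccount account = (await pca.GetAccountsAsync()).FirstOrDefault();
        if (account == null)
            throw new InvalidOperationException("No signed-in account in the MSAL cache.");

        // Served from the token cache while the cached tokens are still valid.
        AuthenticationResult cached = await pca
            .AcquireTokenSilent(scopes, account)
            .ExecuteAsync();

        // Bypasses the cache and redeems the refresh token against B2C.
        AuthenticationResult refreshed = await pca
            .AcquireTokenSilent(scopes, account)
            .WithForceRefresh(true)
            .ExecuteAsync();

        return (ReadClaim(cached.IdToken, claimType), ReadClaim(refreshed.IdToken, claimType));
    }
}

// Usage from the app, e.g. after the directory attribute has been changed:
// var (before, after) = await ClaimRefreshCheck.CompareAsync(pca, scopes, "extension_clinic");
```

If `after` is null or still carries the old value while the directory attribute has changed, the token was re-issued by B2C without the claim, which points at the policy rather than at the MSAL cache. If the forced refresh throws MsalUiRequiredException, the refresh token itself can no longer be redeemed and the user has to sign in interactively.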

munkii commented 7 months ago

We now have this working.

Our custom policies were missing the 'Endpoint' element in the Relying Party file for our B2C signup/signin custom policy. This meant that extension claims were not being issued with the access tokens when our refresh token redemption journey ran.

We worked this out by following the comment thread of this answer on StackOverflow.

See the Endpoints element, https://learn.microsoft.com/en-gb/azure/active-directory-b2c/relyingparty#endpoints
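The shape of the relying party file the resolution above refers to, as an added example that is not from the issue, the MSAL repository or munkii's policy. `SignUpOrSignIn` and `RedeemRefreshToken` are the journey names used in the linked Microsoft doc and the B2C custom policy starter pack and are assumed here; `extension_clinic` is the claim name from this issue. The rest of the file (UserJourneyBehaviors, the remaining OutputClaims) is whatever the policy already contains.

```xml
<!-- Added example: relying party policy fragment, not the issue author's own file.
     The Endpoints element maps the token endpoint's refresh-token requests to a
     user journey; without it, B2C answers a refresh with no journey-specific
     claims, which is why the extension claim disappeared after refresh. -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />

  <Endpoints>
    <!-- Id must be "Token"; UserJourneyReferenceId names the journey that runs
         when the app redeems a refresh token. "RedeemRefreshToken" is the name
         from the doc/starter pack and is assumed here. -->
    <Endpoint Id="Token" UserJourneyReferenceId="RedeemRefreshToken" />
  </Endpoints>

  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <!-- The extension claim has to be listed here to be emitted at all;
           it is then issued on both the sign-in and the refresh journey. -->
      <OutputClaim ClaimTypeReferenceId="extension_clinic" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
```

Two things to check after adding the element: the journey named in UserJourneyReferenceId must exist in the policy, and that journey must read the extension attribute back from the directory during refresh, otherwise there is nothing for the relying party profile to output and the claim will still be missing from refreshed tokens.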

bgavrilMS commented 7 months ago

Thank you so much for following up with the resolution @munkii