AzureAD / microsoft-authentication-library-for-objc

Microsoft Authentication Library (MSAL) for iOS and macOS
http://aka.ms/aadv2
MIT License

Server returned less scopes than requested #865

Open Halfpint-Code opened 4 years ago

Halfpint-Code commented 4 years ago

Hello, I implemented MSAL in our app. I am getting the error:

[b2cApplication acquireTokenWithParameters:interactiveParams: completionBlock:]

(lldb) po error 2020-03-04 09:18:27.431739-0600 RemoteInventory[4479:4223872] XPC connection interrupted Error Domain=MSALErrorDomain Code=-50003 "(null)" UserInfo={MSALDeclinedScopesKey=( "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" ), MSALGrantedScopesKey=( "/" ), MSALErrorDescriptionKey=Server returned less scopes than requested, MSALInvalidResultKey=<MSALResult: 0x1c02adb00>}

Myself and our backend developer have both looked into this a little. We found the following link but not sure it helps. https://github.com/AzureAD/microsoft-authentication-library-for-objc/issues/393

I added the error handling when the error happens to try to grab the token silently with the granted scopes as suggested in another link, but there are no granted scopes and it fails again.

Do you know of any settings off-hand that might be affecting this that we should look into?

We are currently using com.microsoft.aad:adal:2.0.1-alpha with no issues right now. If we can get this working on iOS with MSAL, I believe we will likely be updating that as well for consistency.

Thanks

oldalton commented 4 years ago

Yes, this issue seems related to the issue you linked. When requesting a token from MSAL for B2C, you need to make sure you're passing a valid scope that is registered in your tenant. Can you please let us know what kind of scopes you are providing to MSAL in your request?

sudolibre commented 4 years ago

FWIW, I'm running into the same issue trying to get this to work in a scenario where we're only using it for identity and only passing the clientId for scopes. We get a good response from the server with access token and id token, but the scope returned from B2C is "/".

Halfpint-Code commented 4 years ago

@oldalton Thanks for the reply, we are providing only the clientID as the current scope. This worked when we were using ADALiOS and currently works on the Android ADAL I mentioned earlier. So I assume this is a valid scope.

sudolibre commented 4 years ago

A workaround seems to be going to Applications (not App Registrations (Preview)) and adding a dummy scope to published scopes then adding the scope you just created in the API Access menu option right above published scopes. In the app remove the client id from scopes and add the Full Scope Value from the published scope you just created.

oldalton commented 4 years ago

We are tracking a similar feature gap here: https://github.com/AzureAD/microsoft-authentication-library-for-objc/issues/852. And yes, adding a scope should resolve it, since MSAL tries to validate whether or not it received all scopes that the app requested in the response.
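The validation oldalton describes is what produces the MSALErrorDomain code -50003 in the original report, and it also explains why the reporter's silent retry with the "granted" scopes failed: the only scope B2C returned was "/", which is not a scope the app asked for. The following Objective-C is an added example, written here and not taken from the issue or from the MSAL project, of how an app can handle that error defensively. It assumes an already-configured MSALPublicClientApplication, an MSALWebviewParameters instance built by the caller, and a hypothetical helper name (AcquireTokenHandlingDeclinedScopes); the MSAL types, keys and error code it uses are the public ones that appear in the error output above and in MSAL's MSALError.h.

```objectivec
// Added example (not code from the issue or the MSAL project): handle
// MSALErrorServerDeclinedScopes by retrying silently with only those
// granted scopes that the app actually requested. A placeholder value
// such as "/" is never treated as a usable scope.
#import <MSAL/MSAL.h>

// Hypothetical helper name; `app` and `webParams` are assumed to be
// configured by the caller for the app's B2C tenant.
static void AcquireTokenHandlingDeclinedScopes(MSALPublicClientApplication *app,
                                               NSArray<NSString *> *requestedScopes,
                                               MSALWebviewParameters *webParams,
                                               void (^completion)(MSALResult *result, NSError *error))
{
    MSALInteractiveTokenParameters *params =
        [[MSALInteractiveTokenParameters alloc] initWithScopes:requestedScopes
                                             webviewParameters:webParams];

    [app acquireTokenWithParameters:params
                    completionBlock:^(MSALResult *result, NSError *error) {
        if (result) {
            completion(result, nil);
            return;
        }

        BOOL declined = [error.domain isEqualToString:MSALErrorDomain]
                     && error.code == MSALErrorServerDeclinedScopes;
        if (!declined) {
            completion(nil, error);
            return;
        }

        // MSAL puts the server's answer in userInfo. MSALInvalidResultKey
        // carries a result object, but MSAL has already refused to hand it
        // back as a success, so we only use it for the account identity.
        NSArray<NSString *> *granted       = error.userInfo[MSALGrantedScopesKey];
        NSArray<NSString *> *declinedList  = error.userInfo[MSALDeclinedScopesKey];
        MSALResult *partial                = error.userInfo[MSALInvalidResultKey];
        NSLog(@"Server declined scopes %@; granted %@", declinedList, granted);

        // Keep only granted scopes that were actually requested. In the B2C
        // case from this issue, granted is ["/"], so this list is empty and
        // the error is surfaced instead of looping on a meaningless retry.
        NSMutableArray<NSString *> *usable = [NSMutableArray array];
        for (NSString *scope in granted) {
            for (NSString *wanted in requestedScopes) {
                if ([scope caseInsensitiveCompare:wanted] == NSOrderedSame) {
                    [usable addObject:scope];
                }
            }
        }

        if (usable.count == 0 || partial.account == nil) {
            // Nothing the app asked for was granted: fix the registration
            // (publish a real scope, as the workaround in this thread does)
            // rather than accepting a token the library flagged as invalid.
            completion(nil, error);
            return;
        }

        MSALSilentTokenParameters *silentParams =
            [[MSALSilentTokenParameters alloc] initWithScopes:usable
                                                      account:partial.account];
        [app acquireTokenSilentWithParameters:silentParams
                              completionBlock:^(MSALResult *silentResult, NSError *silentError) {
            completion(silentResult, silentError);
        }];
    }];
}
```

The point of intersecting granted with requested, rather than retrying with whatever the server echoed back, is that the retry then only ever asks for scopes the app was designed to use; when the intersection is empty the app fails closed and the registration problem becomes visible instead of being masked.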

Halfpint-Code commented 4 years ago

Thanks for the info. We are going to look into the workaround and see if we can get that working.

antrix1989 commented 4 years ago

Hi @Halfpint-Code, did you have a chance to take a look at this issue?

Halfpint-Code commented 4 years ago

Yes, we did last Friday. We were able to get a token that works back by using the workaround provided by sudolibre. I have been working today to try to rebuild our methods for logging in based on the new framework. Thanks.

Was curious though, this was added to that feature gap. Does that mean the workaround will break if this gets fixed in a future update?

antrix1989 commented 4 years ago

Thanks for confirming. This workaround will continue working in future versions of the library.