when using the following config:
public oidcSettings: any = {
userStore: new WebStorageStateStore({ store: window.localStorage, prefix: 'Auth' }),
authority: '',
client_id: '',
redirect_uri: window.location.origin + '/sign-in-callback',
automaticSilentRenew: true,
includeIdTokenInSilentRenew: true,
silent_redirect_uri: window.location.origin + '/sign-in-silent-renew',
response_type: 'code',
scope: 'openid profile',
post_logout_redirect_uri: window.location.origin + '/sign-in/sign-out',
filterProtocolClaims: false,
};
The library correctly receives a CODE from Azure B2C and then exchanges for a token.
{
"id_token": "ey...og",
"token_type": "Bearer",
"not_before": 1621968673,
"id_token_expires_in": 3600,
"profile_info": "ey...x9",
"scope": "openid",
"refresh_token": "ey..EA",
"refresh_token_expires_in": 86400
}
When i add an additional Scope to receive an additional accessToken, i get a CODE back from Azure B2C and then exchange it for some tokens:
{
"access_token": "eyJ...Q",
"id_token": "ey...3Pg",
"token_type": "Bearer",
"not_before": 1621968907,
"expires_in": 3600,
"expires_on": 1621972507,
"resource": "c6c4367d-93d6-42c1-931f-c2236b1afb04",
"id_token_expires_in": 3600,
"profile_info": "ey...Gx9",
"scope": "https://xxx/cyyy/AppAPI openid",
"refresh_token": "ey...cg",
"refresh_token_expires_in": 86400
}
I get the accessToken and idToken, but the code tries to get the userinfo_endpoint value from the accessToken which is not present and fails. I have verified and it is indeed not present nor in the idToken nor in the accessToken.
In the code, the "If" that triggers this behaviour when an accessToken is present looks like this (from ResponseValidator.js):
_processClaims(state, response) { if (response.isOpenIdConnect) { Log.debug("ResponseValidator._processClaims: response is OIDC, processing claims");
response.profile = this._filterProtocolClaims(response.profile);
if (state.skipUserInfo !== true && this._settings.loadUserInfo && response.access_token) { Log.debug("ResponseValidator._processClaims: loading user info");
Should there not be a check that only runs this code if an idToken was not received ?
Setting Setting.loadUserInfo = false seems to do the trick.
Is this a failure of the OIDC implementation in B2C, or an issue in this library ? or just a config that someone needs to know they have to activate when both tokens are received by the Token endpoint ?
Hello,
when using the following config: public oidcSettings: any = { userStore: new WebStorageStateStore({ store: window.localStorage, prefix: 'Auth' }), authority: '', client_id: '', redirect_uri: window.location.origin + '/sign-in-callback', automaticSilentRenew: true, includeIdTokenInSilentRenew: true, silent_redirect_uri: window.location.origin + '/sign-in-silent-renew', response_type: 'code', scope: 'openid profile', post_logout_redirect_uri: window.location.origin + '/sign-in/sign-out', filterProtocolClaims: false, };
The library correctly receives a CODE from Azure B2C and then exchanges for a token. { "id_token": "ey...og", "token_type": "Bearer", "not_before": 1621968673, "id_token_expires_in": 3600, "profile_info": "ey...x9", "scope": "openid", "refresh_token": "ey..EA", "refresh_token_expires_in": 86400 }
When i add an additional Scope to receive an additional accessToken, i get a CODE back from Azure B2C and then exchange it for some tokens: { "access_token": "eyJ...Q", "id_token": "ey...3Pg", "token_type": "Bearer", "not_before": 1621968907, "expires_in": 3600, "expires_on": 1621972507, "resource": "c6c4367d-93d6-42c1-931f-c2236b1afb04", "id_token_expires_in": 3600, "profile_info": "ey...Gx9", "scope": "https://xxx/cyyy/AppAPI openid", "refresh_token": "ey...cg", "refresh_token_expires_in": 86400 }
I get the accessToken and idToken, but the code tries to get the userinfo_endpoint value from the accessToken which is not present and fails. I have verified and it is indeed not present nor in the idToken nor in the accessToken.
In the code, the "If" that triggers this behaviour when an accessToken is present looks like this (from ResponseValidator.js):
_processClaims(state, response) { if (response.isOpenIdConnect) { Log.debug("ResponseValidator._processClaims: response is OIDC, processing claims"); response.profile = this._filterProtocolClaims(response.profile); if (state.skipUserInfo !== true && this._settings.loadUserInfo && response.access_token) { Log.debug("ResponseValidator._processClaims: loading user info");
Should there not be a check that only runs this code if an idToken was not received ?
Setting Setting.loadUserInfo = false seems to do the trick.
Is this a failure of the OIDC implementation in B2C, or an issue in this library ? or just a config that someone needs to know they have to activate when both tokens are received by the Token endpoint ?