Testing B2C + SPA with code flow, we are noticing that the server issues a valid id_token, however the at_hash is null. As per https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens, the access token hash is included in ID tokens only when the ID token is issued with an OAuth 2.0 access token.
The at_hash is optional for the code flow, however if it's missing, it triggers => handleUnsuccessfulValidation
Not sure if this is an issue or what the fix is. I attempted a PR: https://github.com/damienbod/angular-auth-oidc-client/pull/720
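To make the behaviour the report asks about concrete, here is an added TypeScript example (not code from angular-auth-oidc-client, and not the reporter's PR) of how a client can treat at_hash in the code flow: compute it as OIDC Core section 3.3.2.11 describes (hash the ASCII octets of the access token with the hash function matching the ID token's alg, base64url-encode the left-most half), and compare only when the claim is present, because in the code flow the claim is optional and only becomes required when an access token was issued together with the ID token from the authorization endpoint. The function names, the payload shape and the sample tokens are constructed for illustration.

```typescript
import { createHash } from "node:crypto";

// Base64url without padding, the encoding at_hash uses (RFC 7515 appendix C).
function base64url(buf: Buffer): string {
  return buf
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

// OIDC Core 3.3.2.11: hash the ASCII octets of the access token with the hash
// function matching the ID token's alg (RS256 -> SHA-256, RS384 -> SHA-384,
// RS512 -> SHA-512), then base64url-encode the left-most half of the digest.
export function computeAtHash(accessToken: string, alg = "RS256"): string {
  const hashByBits: Record<string, string> = {
    "256": "sha256",
    "384": "sha384",
    "512": "sha512",
  };
  const hashName = hashByBits[alg.slice(2)];
  if (!hashName) {
    throw new Error(`unsupported ID token alg: ${alg}`);
  }
  const digest = createHash(hashName).update(accessToken, "ascii").digest();
  return base64url(digest.subarray(0, digest.length / 2));
}

export type AtHashResult = "valid" | "invalid" | "skipped";

// Validate the at_hash claim of a decoded ID token payload (hypothetical shape:
// only at_hash is modelled). In the code flow at_hash is OPTIONAL, so a missing
// claim is not a validation failure. It is REQUIRED only when the ID token came
// from the authorization endpoint together with an access token (hybrid flow),
// which the caller signals with requireAtHash.
export function validateAtHash(
  payload: { at_hash?: string | null },
  accessToken: string | undefined,
  alg = "RS256",
  requireAtHash = false,
): AtHashResult {
  const claim = payload.at_hash;
  if (claim === undefined || claim === null) {
    return requireAtHash ? "invalid" : "skipped";
  }
  if (!accessToken) {
    return "invalid"; // claim present but nothing to check it against
  }
  return computeAtHash(accessToken, alg) === claim ? "valid" : "invalid";
}

// Constructed sample values (not real Azure AD B2C tokens).
export const sampleAccessToken =
  "eyJhbGciOiJSUzI1NiJ9.constructed-access-token-payload.constructed-signature";
export const samplePayloadWithoutAtHash = { at_hash: null };
export const samplePayloadWithAtHash = { at_hash: computeAtHash(sampleAccessToken) };
```

The important design point is the three-way result: a missing claim in the code flow is "skipped", not "invalid", while a present claim that does not match the access token is still rejected, so a provider that omits at_hash (as B2C does here) does not break sign-in, and a mismatched pair of tokens still fails validation.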

@msdate Thanks for reporting. I will validate this. We have this with other STSs as well. Does it work now with your fix from the PR?
I will update the B2C sample to code flow then, if the code flow is supported and works.
Thanks Damien
@msdate I tested this, and had to add a small change to make B2C work. Have everything now working in a PR. Testing and validating now, and will release this in 11.0.2
For Azure B2C, we made the following changes to the manifest and added type Spa; this option does not need secrets to be configured and is working.
The configured options that work for us.
```typescript
return oidcConfigService.withConfig({
  ......
  scope: 'openid',
  responseType: 'code',
  autoUserinfo: false
  ....})
```

```json
"replyUrlsWithType": [
  {
    "url": "http://localhost:4200/",
    "type": "Spa"
  }
]
```
I had to add another option to deactivate the auth_time in the id_token of the refresh session. Azure B2C has not implemented the spec correctly. I just used a native client as the app type, and you don't require a secret either. I have a refresh session using refresh tokens.
We had a question on the 3 sec check for the refresh token: does the above fix eliminate these? Also, how does the refresh token reissue work? Is this polled on a fixed duration for evaluation, or is it triggered when the token is due to expire (approaching expiry) rather than on a polling basis?

Thanks again for the quick fix on this issue.
Yes the refresh works with the fix.
The check does not poll the server, but just checks its locally stored tokens every 3 seconds. When either the id_token or the access token expires, or if you have it configured with the renew x secs before it expires, then it sends a refresh session request. This then gets new tokens. If using refresh tokens, the refresh tokens should only be used once, and should be revoked on logout. I'll add this to the example.
Greetings Damien
So after testing, the renew works, BUT Azure B2C does not support the revocation endpoint, so you cannot revoke the tokens when logging out. This is dangerous because if the refresh token gets stolen, you have a big problem. Until Azure implements this, I would not recommend renewing with refresh tokens in an SPA. Also, one-time refresh token usage should be used.
The silent renew using iframes also doesn't work. This is blocked by Azure. And Azure B2C does not implement the refresh id_token auth_time claim correctly.
So, it works, but has holes.
Greetings Damien
Updated the example now to use silent renew with an iframe, and this works with Azure B2C. The sample is complete now with Code Flow and PKCE and silent renew.
https://github.com/damienbod/angular-auth-oidc-client/blob/master/docs/samples.md#azure-b2c-code-flow-pkce-with-silent-renew
I think this solves this issue now. I'll release the 11.0.2 version after some testing tomorrow or soon after that.
Thanks for reporting
Greetings Damien
We understand that the check is local; during the issue of the token the provider will give expiry info. However, we were curious if we need to check every 3 seconds locally or if there is a way we can defer this to a point where the token approaches expiry.
In the case of resource-intensive applications (a multicast observable displaying IoT data refreshing every few secs), this 3 sec check can be seen as something to be deferred for later, just to get the max of the client browser resources.
This could be possible. You could also just change the log level to warning; then no messages will be displayed.
@msdate I will close this issue; the B2C is now completed and working, released in version 11.0.2. The 3 sec check interval is a separate issue, which I am undecided on yet. Is this good? Otherwise we can reopen.
Thanks for reporting.
Greetings Damien