Microsoft-authentication-library-for-dotnet: TokenCache doesn't work with B2C authorities after migrating to MSAL 2.0.0-preview

As far as I know, the migration path is from ADAL 3.* to MSAL 2 or from ADAL 4.* to MSAL 2, not from MSAL 1.* to MSAL 2. @jmprieur to confirm

Yes, the MSAL 1.x cache is not compatible (this was not a promise: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet#important-note-about-the-msal-preview).

The ADAL 3.x and ADAL.4x caches are compatible with MSAL .2.x with a bit of work (See https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/msal-net-2-released#you-can-enable-sso-between-adalnet-3x-applications-adalnet-4x-applications-and-msal-on-the-same-platform)

But here @Daniel-NP do I understand correctly that even after you signed-in users, the cache is empty ?

Also @Daniel-NP : do you have a sample where we could repro the issue?

@jmprieur: how can i see that the cache is empty?
When I call this
AuthenticationResult = await PCA.AcquireTokenAsync(scopes, App.Services.UiParent); var accounts = await PCA.GetAccountsAsync(); the accounts are empty.

I'm using the Azure B2C service and MSAL on my client. So I don't think I use ADAL at all.
Here is my AuthenticationService.

@Daniel-NP : I realize you are using MSAL and not ADAL (was giving you the information about the cache migration, but indeed, for B2C, this is not relevant)
Does AcquireTokenAsync works (is there a IAccount in the authentication result)?

Since; from what I understand, you can customize which claims need to appear in the B2C token, I suspect that the token received by B2C is missing claims that the token cache is looking for. Adding @henrik-me @SomkaPe @jennyf19 who might know a bit more.
Also adding @parakhj as a heads-up

Can you please tell me about which claims are in your token? (for instance by copying the access token to https://jwt.ms)

I'm currently preparing a sample application. Is it possible for you to use your own azure b2c credentials or do I need to share my credentials with you?

The AccessToken looks like this (personal data replaced with '_')
{
"typ": "JWT",
"alg": "RS256",
"kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk"
}.{
"iss": "https://login.microsoftonline.com/_________________________________/v2.0/",
"exp": 1535558046,
"nbf": 1535547246,
"aud": "_________________________________",
"idp": "live.com",
"name": "D_____ R_____",
"sub": "____________________________",
"emails": [
"[email protected]"
],
"tfp": "B2C_1_local-Signup-Signin-Policy",
"scp": "read write",
"azp": "________________________________",
"ver": "1.0",
"iat": 1535547246
}.[Signature]

EDITS:

• Sample for repro: https://github.com/Daniel-NP/XamarinTest
• On my AzurePortal the checked Application claims are "Display Name", "Email Addresses" and "Identity Provider".
• The IAccount from my AuthenticationResult is there after AcquireTokenAsync(), HomeAccountIdhas Values, but Usernameis null.

@jmprieur @Daniel-NP : You will likely benefit from looking at the log. There are 2 claims required to be able to cache, those are unfortunately not part of the default B2C setup. @parakhj was on point to help ensure this happened. The log will tell you which two claims needs to be there.

@Daniel-NP : I was able to repro it. (in other B2C tenants as well)
What I observe is that:

• I can get a token interactively (both an access token and an idToken), but the Account member of the AuthenticationResult has the following characteristics (different from what we have for the AAD tokens):
  
  
  
  • the Username is null
  
  
  • the AccountId's ObjectID contains the policy : ObjectId = "-b2c_1_susi"
    
    Then indeed, as you observed, this account is not added to the token cache.
  
  

Also the claims included in the idToken are different than the claims included in the AAD idToken, and I believe some of them are needed for indexing the cache

We are working on a solution, meanwhile, I'll advise that you to keep using MSAL 1.1.4 -preview.. We'll update you with this GitHub issue.

Thanks again for reporting and sharing your repros.
I'm renaming the issue to have B2C in the title

@Daniel-NP : we are working with the B2C team to get this addressed. the workaround for now is to setup the claim mapping. @trwalke will keep this thread updated on our progress.

Added it to the MSALNET 2.0.0-preview known issues. The explanation and the work around are available in https://aka.ms/msal-net-token-cache-index-keys

This was also raised as a sample issue in active-directory-xamarin-native-v2 issue #38

We have implemented a fix for this issue and we are planning to release within the next week or so

@trwalke That would be perfect! Could you please update the sample code-s as well. It would help a lot.

@TuroczyX Will do. in the meantime, we have released a hotfix for this https://www.nuget.org/packages/Microsoft.Identity.Client/2.0.1-preview