Microsoft-authentication-library-for-dotnet: MsalServiceException AADSTS50049 when targeting B2C

Created on 9 Oct 2018 · 27 comments · Source: AzureAD/microsoft-authentication-library-for-dotnet

I just migrated our code to MSAL 2.2.0 and also changed to use the b2clogin.com domain instead of the login.microsoft.com domain we were using before.

I cannot seem to figure out how to construct the correct authority string. Here is what my code currently looks like:

```csharp
using Microsoft.Identity.Client;

private const string mTenant = "ideliverableb2c.onmicrosoft.com";
private const string mClientId = "d77e...caa6"; // Obfuscated here
private const string mSignInPolicyName = "B2C_1_si";

// Authority built on the b2clogin.com host (previously login.microsoftonline.com)
private PublicClientApplication mClientApplication =
    new PublicClientApplication(mClientId, authority: $"https://ideliverableb2c.b2clogin.com/tfp/{mTenant}/{mSignInPolicyName}")
    {
        RedirectUri = $"msal-{mClientId}://auth",
        ValidateAuthority = false
    };
```

I have tried various different ways to format the authority string, but no matter what I do I get the same exception when I call mClientApplication.AcquireTokenAsync():

Microsoft.Identity.Client.MsalServiceException: AADSTS50049: Unknown or invalid instance.

Response body:

```json
{
    "error":"invalid_instance",
    "error_description":"AADSTS50049: Unknown or invalid instance.\r\nTrace ID: 6b61d006-7a2a-4b7e-b497-3cd6d9dc3800\r\nCorrelation ID: 78054f61-e0a9-4685-b761-64bc728ff90d\r\nTimestamp: 2018-10-09 19:28:23Z",
    "error_codes":[50049],
    "timestamp":"2018-10-09 19:28:23Z",
    "trace_id":"6b61d006-7a2a-4b7e-b497-3cd6d9dc3800",
    "correlation_id":"78054f61-e0a9-4685-b761-64bc728ff90d"
}
```

What am I doing wrong here?

Labels: B2C, Fixed, Investigate, external



@jennyf19 In response to your comments:

Yes, did read the docs. And yep, I'm aware that I'm formatting my redirect URI differently than the docs do, but I double checked to make sure that's not the issue.

I did some debugging by cloning your repo, and I think the problem might be here:
https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/blob/dev/core/src/Instance/AadInstanceDiscovery.cs#L99-L101

Because ideliverableb2c.b2clogin.com is not in the list of trusted hosts, the code falls back to the default trusted hosts, which is login.microsoftonline.com and as a result the HTTP error is returned by the first call to discover instances. Suspect this might be the issue?

@DaRosenberg I was able to repro this. Will meet w/B2C team tomorrow and get back to you. Thanks for bringing up this issue.

The instance discovery is not part of our client code, and needs to be fixed elsewhere. Still working on that...will update when we have meaningful information to share.
@DaRosenberg

@jennyf19 thanks for the update. We have reverted back to using the login.microsoftonline.com URL for now, which still works, so we are not blocked on this particular issue, until that URL gets deprecated.

#588 and #589 however are still blocking us from releasing - do you have an update on whether those are planned to be addressed?

Added external until B2C adds a discovery endpoint

Any informations on when b2clogin will be possible or on how to use it at the moment?

Would be great to have this resolved in next release! Working on a Xamarin.iOS application and this is blocking.

@DaRosenberg @AlexSchuetz @tmarkovski
Fixed in latest release Msal2.4.0-preview.

Hi, even with 2.4.0-preview I got same exception.

I've used "ValidateAuthority = false" and the following:

  • tenant.b2clogin.com/{Tenant}/
  • tenant.b2clogin.com/tfp/{Tenant}/

Are other changes to code or B2C settings required?

@jennyf19 I can confirm the same as @fileman - still getting the same exception.

I tried every variation of URL

  • https://[tenant_name].b2clogin.com/tfp/{Tenant_Guid}/{PolicySignUpSignIn}/v2.0/.well-known/openid-configuration
  • https://[tenant_name].b2clogin.com/tfp/{Tenant_Guid}/{PolicySignUpSignIn}/v2.0/
  • https://[tenant_name].b2clogin.com/tfp/{Tenant_Guid}/{PolicySignUpSignIn}/

With every combination of ValidateAuthority

@fileman @tmarkovski - thanks for the info. Will get back to you on this.

We are also experiencing this with a variety of:

ValidateAuthority = false

  • tenant.b2clogin.com/{Tenant}/
  • tenant.b2clogin.com/tfp/{Tenant}/policy

2.4.0-preview: (date published: Friday, November 9, 2018 (11/9/2018))

@fileman @tmarkovski @mixxit - Can you send me a fiddler trace and the tenant ([email protected])? Thanks.
Also, do you have the identity providers set up correctly?

@tmarkovski @fileman @mixxit Thanks for your patience while we sort this out. The issue is with the GetAccountsAsync() method, which is making a network call to the instance discovery endpoint. See this issue. If this method runs before the AT call, then you'll get the eSTS exception you are seeing. We are working on a fix for this, as it impacts the cache, we need to coordinate with the other platforms before making changes, but this is high priority (as other customers have reported the need for GetAccountsAsync() to work offline) and we will hope to have a release out as soon as we can.

I will keep you posted on the progress. Thanks again for reporting and your patience.
cc: @jmprieur

@tmarkovski @fileman @mixxit updates are in dev, if you want to try it out. we will release with these changes very soon. thanks.

@DaRosenberg @tmarkovski @fileman @mixxit
Fixed in MSALv2.5.0-preview

Fixed in MSALv2.5.0-preview

Works like a charm. Thank you!

It is also useful to specify that the Authority url should be like :

https://TENANT.b2clogin.com/tfp/TENANT.onmicrosoft.com/POLICY/v2.0/.well-known/openid-configuration

(never properly mentioned in any documentation)

@lybax actually no, the Authority URL should not have /v2.0/.well-known/openid-configuration
It should be https://TENANT.b2clogin.com/tfp/TENANT.onmicrosoft.com/POLICY

Do you think that we should make the following clearer: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/AAD-B2C-specifics#authority-for-a-b2c-tenant-and-policy ?

@jmprieur, you are right.
My mistake, I was in this case referring to the OpenIdConnectAuthenticationOptions.MetadataAddress, but in both cases "tfp" seems to be mandatory.

https://TENANT.b2clogin.com/tfp/TENANT.onmicrosoft.com/POLICY/v2.0/.well-known/openid-configuration
This needs to be put in BIG, BOLD LETTERS on all the documentation and examples. It took me a day to find this. None of the old examples on GitHub work anymore with Azure B2C. It wasn't until I used this new authority URL that I got my code, and the examples, to work.

@GammaFour Which version of MSAL are you using?

and which sample @GammaFour ?

WithAuthority now has an overload of sorts, WithB2CAuthority. While I was using a properly-formatted authority (https://TENANT.b2clogin.com/tfp/TENANT.onmicrosoft.com/POLICY/), I continued to get the error:

"B2C 'authority' Uri should have at least 3 segments in the path (i.e. https://<host>/tfp/<tenant>/<policy>/...)"

Thankfully, the sample here showed the overload. Once I started using it, I was able to get connected.
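As an added example (not code from MSAL, the sample, or anyone in this thread), a small C# check that applies the two rules established above: the authority is `https://TENANT.b2clogin.com/tfp/TENANT.onmicrosoft.com/POLICY` with at least three path segments, and the `/v2.0/.well-known/openid-configuration` suffix belongs only to the OpenID Connect MetadataAddress, not to the authority. It uses only the base class library; TENANT and POLICY are placeholders.

```csharp
using System;
using System.Linq;

// Added example: validates a B2C authority string against the rules discussed in this
// issue and derives the OIDC metadata address from it. Not part of MSAL.
static class B2CAuthority
{
    // Returns the normalised authority, or throws with the reason it is rejected.
    public static string Normalize(string candidate)
    {
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out var uri) || uri.Scheme != "https")
            throw new ArgumentException("authority must be an absolute https URL");

        // The tenant's own *.b2clogin.com host is required; login.microsoftonline.com is the
        // AAD host and is not what a b2clogin.com-based B2C authority should point at.
        if (!uri.Host.EndsWith(".b2clogin.com", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("host should be <tenant>.b2clogin.com");

        var segments = uri.AbsolutePath.Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries).ToList();

        // The metadata suffix belongs to MetadataAddress, not to the authority: strip it.
        string[] metadataSuffix = { "v2.0", ".well-known", "openid-configuration" };
        if (segments.Count >= 3 &&
            segments.Skip(segments.Count - 3).SequenceEqual(metadataSuffix, StringComparer.OrdinalIgnoreCase))
            segments.RemoveRange(segments.Count - 3, 3);

        // Same shape MSAL's error message demands: at least /tfp/<tenant>/<policy>.
        if (segments.Count < 3 || !segments[0].Equals("tfp", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("B2C authority path must be /tfp/<tenant>/<policy>");

        return $"https://{uri.Host}/{segments[0]}/{segments[1]}/{segments[2]}";
    }

    // OpenIdConnectAuthenticationOptions.MetadataAddress = authority + metadata suffix
    public static string MetadataAddress(string candidate) =>
        Normalize(candidate) + "/v2.0/.well-known/openid-configuration";

    static void Main()
    {
        // Constructed sample inputs; TENANT and POLICY are placeholders.
        foreach (var a in new[] {
            "https://TENANT.b2clogin.com/tfp/TENANT.onmicrosoft.com/POLICY/",
            "https://TENANT.b2clogin.com/tfp/TENANT.onmicrosoft.com/POLICY/v2.0/.well-known/openid-configuration",
            "https://TENANT.b2clogin.com/TENANT.onmicrosoft.com/POLICY",          // no tfp segment: rejected
            "https://login.microsoftonline.com/tfp/TENANT.onmicrosoft.com/POLICY" }) // wrong host: rejected
        {
            try { Console.WriteLine($"{a}\n  -> {Normalize(a)}\n  metadata: {MetadataAddress(a)}"); }
            catch (ArgumentException e) { Console.WriteLine($"{a}\n  -> rejected: {e.Message}"); }
        }
    }
}
```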

@jmprieur i'm trying to use this (https://github.com/Azure-Samples/ms-identity-javascript-v2) sample and can only get 50049. My authority uri is: https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/tfp/B2C_1A_Samssignup_signin. I can see the browser makes a request to https://login.microsoftonline.com/common/discovery/instance?api-version=1.0&authorization_endpoint=https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/tfp/b2c_1a_samssignup_signin/oauth2/v2.0/authorize.

The authorization_endpoint does not match the _OAuth 2.0 authorization endpoint (v2)_ URI shown in the portal. In the portal there's no tfp.

Removing tfp/ made no difference.

Hi @worldspawn - this is the repo for MSAL .NET. Please open an issue on MSAL .js (https://github.com/AzureAD/microsoft-authentication-library-for-js) or directly on the sample.
