Microsoft-authentication-library-for-dotnet: Azure AD B2C: Error: "AADSTS50049 Unknown or invalid instance"

Created on 2 Nov 2018 · 37 Comments · Source: AzureAD/microsoft-authentication-library-for-dotnet

I'm trying to adapt to the new b2clogin.com before login.microsoftonline.com (currently working for me) is deprecated but keep getting Error: "AADSTS50049: Unknown or invalid instance".

I'm making an authentication call from a Xamarin.Android app to an ASP.Net Core 2.1.1 web api with Microsoft.AspNetCore.Authentication.AzureADB2C.UI package installed.

Also, calls with PostMan to mytenant.b2clogin.com work so, I believe the AD B2C tenant and the web api are setup correctly.

It seems as though my problem is in how to format the authority for the PublicClientApplication I'm using to acquire authorization.

//Web API Startup (ConfigureServices): validate incoming bearer tokens against the B2C tenant
services.AddAuthentication(AzureADB2CDefaults.BearerAuthenticationScheme)
    .AddAzureADB2CBearer(options => Configuration.Bind("AzureAdB2C", options)); // reads the "AzureAdB2C" section below
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);

//Web API appsettings.json ("AzureAdB2C" section):
"AzureAdB2C": {
  "Instance": "https://mytenantname.b2clogin.com/tfp/",
  "ClientId": "0000-000-00000-00000000",
  "Domain": "mytenantname.onmicrosoft.com",
  "SignUpSignInPolicyId": "b2c_1__signupin"
}

//Current code to make the call from Xamarin.Android app:
AuthenticationResult ar;
PublicClientApplication PCA;
UIParent uiParent = new UIParent(this); // 'this' is the current Android Activity
string[] Scopes = { "https://mytenant.onmicrosoft.com/api/myscope" };
string ClientID = "1111-111-1111-111111";
// authority: {tenant}.b2clogin.com host, /tfp/ path, tenant domain, then the policy name
string Authority = "https://mytenant.b2clogin.com/tfp/mytenant.onmicrosoft.com/b2c_1_signupin";
PCA = new PublicClientApplication(ClientID, Authority);
ar = await PCA.AcquireTokenAsync(Scopes, uiParent);

Any feedback on how to resolve this issue will be appreciated. Thanks.

Labels: B2C, Fixed, duplicate

All 37 comments

~@mehamm @jennyf19
MSAL.NET doesn't support b2clogin.com. Working with the B2C team to find a way to make this work. ETA is currently unknown, however we are looking into it.~
(now supported)

Related to this issue

Any progress on this issue?
Is this expected to be resolved before login.microsoftonline.com is deprecated?

@mehamm Fix should be out in our next release, so later this week or early next week.

That's great news! Your follow-up is much appreciated.

Thank you.

@mehamm
Fixed in latest release Msal2.4.0-preview.

Same issue after updating to Msal2.4.0-preview

@mehamm Can you send me a fiddler trace and the tenant ([email protected])? Thanks.
Also, do you have the identity providers set up correctly?

@jennyf19 I am using Local accounts (by email) in Azure AD B2C - Identity Providers. I haven't set up any other social or custom providers.

Same issue occurring in the example app. Change the authority here to use b2clogin.com and you will get a not found error.
https://github.com/Azure-Samples/active-directory-b2c-xamarin-native/blob/master/UserDetailsClient/UserDetailsClient.Core/App.cs#L22

Did you use $"https://{TenantName}.b2clogin.com/{Tenant}" , @thutson ?
for instance $"https://{TenantName}.b2clogin.com/{TenantName}.onmicrosoft.com"

@jmprieur Yes, Also tried $"https://{TenantName}.b2clogin.com/{TenantID}/" and $"https://{TenantName}.b2clogin.com/tfp/{TenantID}/" and many other variations.

All errored with "Microsoft.Identity.Client.MsalServiceException: AADSTS50049: Unknown or invalid instance."

Have fallen back to $"https://login.microsoftonline.com/tfp/{Tenant}/" until this gets sorted out.

@mehamm @thutson Thanks for your patience while we sort this out. The issue is with the GetAccountsAsync() method, which is making a network call to the instance discovery endpoint. See this issue. If this method runs before the AT call, then you'll get the eSTS exception you are seeing. We are working on a fix for this; as it impacts the cache, we need to coordinate with the other platforms before making changes, but this is high priority (as other customers have reported the need for GetAccountsAsync() to work offline) and we hope to have a release out as soon as we can.

For example, in the sample @thutson referred to, I removed the call to GetAccountsAsync() in the OnSignInSignOut() method and used this AT call, passing in the username as the login hint:

// interactive call with the username passed as login hint; no GetAccountsAsync() beforehand
AuthenticationResult ar = await App.PCA.AcquireTokenAsync(App.Scopes, "someuser@{tenant}.onmicrosoft.com", App.UiParent);

And this worked with the new authority {tenant}.b2clogin.com/
We will have a fix out in the library. I will keep you posted on the progress. Thanks again for reporting and your patience.
cc: @jmprieur

@mehamm @thutson updates are in dev, if you want to try it out. we will release with these changes very soon. thanks.

@mehamm @thutson
Fixed in MSALv2.5.0-preview

Hello! Having this issue with version 3.0.8 on xamarin when calling AcquireTokenInteractive.

@OlimpiaMM -> Can you provide more details on your scenario and the exact error you are getting? Thank you.

I get a Microsoft.Identity.Client.MsalException exception with this ResponseBody :
{"error":"invalid_instance","error_description":"AADSTS50049: Unknown or invalid instance.\r\nTrace ID: 67af3461-7bdf-4107-a1c7-964b6ee04000\r\nCorrelation ID: 623e17c4-d41a-48a2-9a4f-c643e83d1d08\r\nTimestamp: 2019-05-07 06:19:16Z","error_codes":[50049],"timestamp":"2019-05-07 06:19:16Z","trace_id":"67af3461-7bdf-4107-a1c7-964b6ee04000","correlation_id":"623e17c4-d41a-48a2-9a4f-c643e83d1d08"}
when making the AcquireTokenInteractive call. I have updated from 1.1.2 preview version and changed the code according to documentation but now i get this error.

@olimpiaMM which authority do you use?

Found the problem and yes, was related to authority. I was using WithAuthority and now was needed to use WithB2CAuthority. Validate authority is default false for WithB2CAuthority?

Yes, B2C does not have a concept of instance discovery (because it has only 1 instance). So validateAuthority should be set to false. MSAL should do a better job of informing the developer that validateAuthority + B2C is not supported.
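The two fixes discussed above (build the app with WithB2CAuthority rather than WithAuthority so authority validation stays off, and go through the cache before falling back to an interactive sign-in) combined in one MSAL.NET 4.x snippet. This is an added example, not code from the thread or from the MSAL.NET repository; the tenant name, client id, policy name, scope and redirect URI are placeholders.

```csharp
// Added example (not from the thread): MSAL.NET 4.x public client against a
// B2C authority on b2clogin.com. Tenant, client id, policy, scope and redirect
// URI are assumed placeholders; replace them with your own tenant's values.
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class B2CSignIn
{
    const string Tenant = "mytenant";                                    // assumed
    const string ClientId = "00000000-0000-0000-0000-000000000000";       // assumed
    const string SignUpSignInPolicy = "B2C_1_signupin";                   // assumed
    static readonly string[] Scopes = { $"https://{Tenant}.onmicrosoft.com/api/myscope" }; // assumed

    // B2C authority: host is {tenant}.b2clogin.com, path is /tfp/{tenant domain}/{policy}.
    static readonly string Authority =
        $"https://{Tenant}.b2clogin.com/tfp/{Tenant}.onmicrosoft.com/{SignUpSignInPolicy}";

    public static IPublicClientApplication BuildApp()
    {
        // WithB2CAuthority, not WithAuthority: B2C has no instance discovery
        // endpoint, so authority validation must stay off. WithAuthority plus a
        // b2clogin.com host is what triggers AADSTS50049 in the thread above.
        return PublicClientApplicationBuilder.Create(ClientId)
            .WithB2CAuthority(Authority)
            .WithRedirectUri($"msal{ClientId}://auth")  // Xamarin.Android redirect convention
            .Build();
    }

    // Cache first, then interactive. In MSAL 2.5+/4.x GetAccountsAsync() reads the
    // local cache and no longer makes the instance discovery call.
    public static async Task<AuthenticationResult> AcquireTokenAsync(
        IPublicClientApplication app, object parentActivity)
    {
        var accounts = await app.GetAccountsAsync();
        var account = accounts.FirstOrDefault();

        if (account != null)
        {
            try
            {
                return await app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
            }
            catch (MsalUiRequiredException)
            {
                // Cached token expired or not usable for this policy: fall through to UI.
            }
        }

        // No usable cached account: show the B2C sign-up/sign-in user flow.
        return await app.AcquireTokenInteractive(Scopes)
            .WithParentActivityOrWindow(parentActivity)
            .ExecuteAsync();
    }
}
```

On Android, pass the current Activity as parentActivity; the same BuildApp/AcquireTokenAsync pair works unchanged once the authority host is switched between login.microsoftonline.com/tfp/ and {tenant}.b2clogin.com/tfp/, because WithB2CAuthority does not try to validate either.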

@jennyf19 - this needs to be reopened. This is still an issue and the version of MSAL being used is 4.7.1.

Doing non-interactive, confidential app method to get a token and getting the same error. Calling ConfidentialClientApplicationBuilder.Create.WithAuthority and using the b2clogin.com format instead of the "announced as deprecated in less than 12 months" login.microsoftonline.com format.

Help! What to do, as WithB2CAuthority is not valid as there are no user policies to apply as it is a system to system call.

@drewid can you elaborate about what is a system to system call? is it a Web API calling a Web API? (I'm assuming it's not using the On-behalf-of flow, as, as far as I know, it's not supported by B2C yet)

in essence a call from a daemon type system - in this case calling from Azure Functions. Works with login.microsoftonline.com but not tenantname.b2clogin.com. It should be interchangeable but isn't. login.microsoftonline.com is going away.

@drewid : Azure AD B2C does not support daemon apps. B2C is about users only (not about app identities)
cc: @jennyf19

@jmprieur - that's not true - AD B2C absolutely supports Confidential Client applications. My issue is being able to use the url format with MSAL

@drewid : B2C does support confidential client applications: Web apps and Web APIS
but not daemon applications.

I have a whole lot of additional processing and the need to query and interact with AD B2C that I can do with ADAL but can't with MSAL using b2clogin.com (but can with login.microsoftonline.com).

What am I missing? Azure functions should work just fine. How would that actually be different from web apis?

Either way you run with a 1) application id and 2) application secret. Confidential application should be confidential application. AD B2C actually has a lot of information about what could be done to do extra processing or interactions with other systems.

The kicker here still is - I can do what need to do with login.microsoftonline.com with MSAL - I can't do it with the format of b2clogin.com. What is missing and why? Am confused.

@drewid : when you write that you can do it with login.microsoftonline.com, do you mean that you can get a token for the daemon app (AcquireTokenForClient) when using Azure AD? What authority did you use?
Then I also understand that when you try with a B2C authority this does not work.

Can you please share code and repro steps so that we help you?
(or raise a different issue, as this one is definitively fixed)

.WithB2CAuthority requires user policy so doesn't apply with ConfidentialClient

Instead the following is being used:
.WithAuthority(new Uri(String.Format(CultureInfo.InvariantCulture, _azureSettings.AADAuthority, _azureSettings.ADB2CTenantId)))

login.microsoftonline.com works for the authorityUri but tenantname.b2clogin.com does not.

@drewid there is a confusion here. Confidential client does not mean client credentials, which is the flow used by daemon apps. WithB2CAuthority does apply to Web apps and Web APIs that process users (and they are confidential clients). It does not apply to client credentials because 'client credentials' = 'daemon apps' is not supported by Azure AD B2C.

login.microsoftonline.com is the authority base for Azure AD, not for Azure AD B2C. This means you have a daemon application that works with Azure AD (like shown in this sample: https://github.com/azure-samples/active-directory-dotnetcore-daemon-v2)

Would it help you to have a call?
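The distinction made in the comment above (a confidential client that holds a secret but still acts for a signed-in user, versus the client-credentials flow that B2C does not offer) as an added MSAL.NET 4.x snippet for a web app. This is not code from the thread or from MSAL.NET itself; tenant, client id, secret, policy, redirect URI and scope are placeholders.

```csharp
// Added example (not from the thread): a confidential client (web app) using a
// b2clogin.com authority. It holds a client secret, yet every token it gets is
// still issued for a user who went through the policy, which is the shape B2C
// supports. All identifiers below are assumed placeholders.
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class B2CWebApp
{
    const string Tenant = "mytenant";                                  // assumed
    const string ClientId = "00000000-0000-0000-0000-000000000000";     // assumed
    const string ClientSecret = "<client-secret-from-your-secret-store>"; // assumed; never hard-code in real apps
    const string Policy = "B2C_1_signupin";                             // assumed
    const string RedirectUri = "https://localhost:5001/signin-oidc";    // assumed
    static readonly string[] Scopes = { $"https://{Tenant}.onmicrosoft.com/api/myscope" }; // assumed

    // WithB2CAuthority needs a policy in the path: it is a user flow, not an app-only endpoint.
    static readonly string Authority =
        $"https://{Tenant}.b2clogin.com/tfp/{Tenant}.onmicrosoft.com/{Policy}";

    public static IConfidentialClientApplication BuildApp() =>
        ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithB2CAuthority(Authority)   // authority validation stays off for B2C
            .WithRedirectUri(RedirectUri)
            .Build();

    // Authorization-code redemption: the browser already ran the B2C user flow and
    // sent the code to RedirectUri; the confidential client exchanges it for tokens.
    public static Task<AuthenticationResult> RedeemCodeAsync(
        IConfidentialClientApplication app, string authorizationCode) =>
        app.AcquireTokenByAuthorizationCode(Scopes, authorizationCode).ExecuteAsync();

    // Later requests for the same user are served from the token cache; the
    // IAccount comes from the AuthenticationResult returned by RedeemCodeAsync.
    public static Task<AuthenticationResult> GetTokenForUserAsync(
        IConfidentialClientApplication app, IAccount account) =>
        app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
}
```

Note what is absent: there is no AcquireTokenForClient call. Everything above requires a user to have completed the policy first; an Azure Functions job with no user context is the client-credentials case the comment says B2C does not support.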

would be great - as I need to have AD B2C working now without user interaction. I believe there is a whole page outlining how that works. AD B2C "needs" for it to be able to be interacted not by users for it to be useful. Anything at scale needs system to system interactivity and the ability to connect with the underlying AD.

@drewid can you send us an email and we'll set something up with you? [email protected] & jean-marc.[email protected]

@jennyf19 I am finally able to come back to this issue and will be following up.

My main point is there should be feature parity for AD B2C when switching from the login.microsoftonline.com format to tenant.b2clogin.com format.

I can interact without user context all day long with login.microsoftonline.com but cannot with tenant.b2clogin.com.

I have azure functions that are being called which need to interact and take action with ADB2C but am currently stuck.

@vigunase @ktsakas can you assist here? Thx.

@drewid - please open another issue, this one is too long and has been closed a long time ago. It is most likely that the problem you are encountering is subtly different than this one.
