Microsoft-authentication-library-for-dotnet: B2C ROPC fails trying to do user realm discovery

Created on 28 Feb 2019 · 24 Comments · Source: AzureAD/microsoft-authentication-library-for-dotnet

Which version of MSAL are you using?
MSAL 2.7.0

Platform
net45

What authentication flow has the issue?

  • Desktop / Mobile

    • [ ] Interactive

    • [ ] Integrated Windows Auth

    • [x] Username Password

    • [ ] Device code flow (browserless)

  • Web App

    • [ ] Authorization code

    • [ ] OBO

  • Web API

    • [ ] OBO

Other? - please describe;

Is this a new or existing app?
This is a new app or experiment

Repro

    using System;
    using System.Security;
    using System.Threading.Tasks;
    using Microsoft.Identity.Client;
    // Authority with the /oauth2/v2.0/authorize suffix, as used in the failing repro
    static string _authorityFormat = "https://{0}.b2clogin.com/tfp/{0}.onmicrosoft.com/{1}/oauth2/v2.0/authorize";
    static async Task ReproAsync()
    {
        var authority = String.Format(_authorityFormat, _tenantShortName, "B2C_1_ROP");
        var pClient = new PublicClientApplication(_publicClientId, authority);
        pClient.ValidateAuthority = false; // must be set like this for B2C
        var pwd = new SecureString();
        foreach (var c in "Pass@word#1") pwd.AppendChar(c);
        var tokens = await pClient.AcquireTokenByUsernamePasswordAsync(_publicClientScopes, "user1", pwd); // throws: user realm discovery attempted
    }

Expected behavior
TokenResponse returned in tokens.

Actual behavior
User_realm_failed_exception (an attempt to do user realm discovery on 'user1' is visible in Fiddler).

Possible Solution
Allow pClient.EnableUserRealmDiscovery = false;

Additional context/ Logs / Screenshots
Add any other context about the problem here, such as logs and screenshots. Logging is described at https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/logging

B2C Fixed bug Desktop

Most helpful comment

@tmarkovski @GammaFour @mrochon
B2C rolled out their fix for this. You should be receiving an IdToken now w/the ROPC flow. I verified it works on my end, but you have time to verify and get back to us that you see the same, that would be great. Thanks.

cc: @jmprieur @henrik-me

All 24 comments

@mrochon: Before we investigate further, could you please check if MSAL 3.0.0-preview fixes it? See https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/820 (which was fixed in MSAL 3.0.0-preview). This is a major version change, so there can be breaking changes in some scenarios (username/password should be OK if you keep using the MSAL v2.0 API style; for detail see https://aka.msa/msal-net-3x).

No, MSAL 3.0.0 gives the same result: fails on user realm discovery.

@mrochon Can you try passing in just this for the authority:
"https://{0}.b2clogin.com/tfp/{0}.onmicrosoft.com/{1}/"

I'm having the same issue, just testing in a netcore console app.
B2C tenant is configured with ROPC user flow and Application created. I followed the instructions on https://docs.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc and I was able to acquire token calling the endpoints manually (using Postman).

In the console app I'm getting exactly the same error "user realm discovery".

    var clientMsal = new PublicClientApplication("<client_id>",
        "https://<tenant>.b2clogin.com/tfp/<tenant>.onmicrosoft.com/B2C_1_b2c_resown");
    var tokenMsal = await clientMsal.AcquireTokenByUsernamePasswordAsync(
        new string[] { "api://<client_id>" }, "<username>", securePassword);

I tried all versions from 2.7.0 to 3.0.2-preview.

@mrochon @tmarkovski I was able to repro this and have a possible fix, but I'm waiting on our lab to create a test account w/ROPC policy enabled. Should have an update for you in the coming days. Thanks for your patience.

@mrochon @tmarkovski I have made the fix in this branch if you want to try it out and give feedback if it works for you.
Known issue at the moment is that we're not able to get back an id_token from B2C, so there is no way to populate the cache account (the cache account is made from the id_token), so an AT silent call will not work; but doing ROPC does not show UI anyway.
I am waiting to hear back from the B2C team (re: id_token) on how to proceed (their fix or our fix), but something like this:

    var request = App.MsalPublicClient.AcquireTokenByUsernamePassword(
            App.Scopes,
            UserName.Text.Trim(),
            ConvertToSecureString(Password.Text.Trim()))
        .ExecuteAsync();

now works. I would suggest updating to the new AcquireToken builder pattern as well.

cc: @parakhj
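Putting @jennyf19's two points together (the 3.x builder pattern, and that without an id_token no account is cached so a silent call cannot yet succeed), here is an added example that is not code from the thread or from MSAL.NET itself; the tenant, policy, client id, scope and environment variable names are placeholders:

```csharp
// Added example (not from the issue thread): MSAL.NET 3.x builder for B2C ROPC.
using System;
using System.Linq;
using System.Security;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

class B2cRopcSample
{
    const string Tenant = "<tenant>";       // placeholder: B2C tenant short name
    const string Policy = "B2C_1_ROPC";     // placeholder: ROPC user flow name
    const string ClientId = "<client_id>";  // placeholder: app registration id
    static readonly string[] Scopes = { "api://<client_id>/read" }; // placeholder
    // tfp-style authority with the policy name and no /oauth2/v2.0/authorize suffix.
    static readonly string Authority =
        $"https://{Tenant}.b2clogin.com/tfp/{Tenant}.onmicrosoft.com/{Policy}/";

    static async Task<AuthenticationResult> AcquireAsync(string username, SecureString password)
    {
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(Authority, validateAuthority: false) // B2C: no authority validation
            .Build();
        // Silent first. The cache only holds an account once B2C returns an id_token,
        // so while it does not, this branch is skipped and ROPC runs on every call.
        IAccount account = (await app.GetAccountsAsync()).FirstOrDefault();
        if (account != null)
        {
            try
            {
                return await app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
            }
            catch (MsalUiRequiredException)
            {
                // Refresh token expired or revoked: fall back to ROPC below.
            }
        }
        return await app.AcquireTokenByUsernamePassword(Scopes, username, password).ExecuteAsync();
    }

    static async Task Main()
    {
        // Credentials come from the environment, never from source code.
        var pwd = new SecureString();
        foreach (var c in Environment.GetEnvironmentVariable("B2C_PASSWORD") ?? "") pwd.AppendChar(c);
        var result = await AcquireAsync(Environment.GetEnvironmentVariable("B2C_USER"), pwd);
        Console.WriteLine(result.IdToken == null ? "no id_token: account not cached" : "cached as " + result.Account.Username);
    }
}
```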

Thanks for the speedy response @jennyf19 . Looking forward to the decision and the fix. I'll see if I can have this tested out with the branch version.

@jennyf19 The build with the branch you linked works for me. I tested it both for iOS and netcoreapp targets. Thanks for the fix. Watching this thread for updates on when this goes live.

@tmarkovski thanks for the quick response and additional testing. We are waiting on b2c for an answer on how to proceed forward. will update here when we have a decision.

@jmprieur - I'm still waiting to hear from B2C on the id_token issue, but I'd like to get this fix in 3.0.4-preview release, as a lot of customers are waiting on this fix. I will try and get the id_token issue resolved, or at least some progress made, w/B2C today.
How do you feel about the fix w/a known issue of no id_token? This would mean AT silent would not work, as we do not populate the cache or an account, but there is no UI shown anyway with this flow. Just trying to find alternative solutions at this point to unblock customers. Thoughts?

Running into the exact same issue. I'm stuck in the water now unless I rewrite my database loader to be WPF or UWP. Neither of these are attractive options as the loader really needs to be a console program.

@GammaFour Did you try the branch that's included earlier in the thread?

@valnav did you sync with @jennyf19
@jennyf19 : let's discuss this today.

@jennyf19 - Yes, I downloaded it. It would not build, or only partially built. It referenced several XAMARIN packages that would not load.

@GammaFour You can use this package built off the branch @jennyf19 posted. It's a local build, so only use it to test. it worked for me.

https://drive.google.com/drive/folders/1jAX14LflSz30BaH38JJlHu3Tg6emrE-y?usp=sharing

@tmarkovski - OK. Been beating myself up on this for 2 hours. The packages you put on your Google drive aren't recognized by Visual Studio 2017 15.9.7/NuGet Package Manager 4.6.0. So I cleaned up the project that @jennyf19 referenced. Once I removed all the iOS, Android and XAMARIN targets, it built reasonably well and I had a NuGet (nupkg) file that looked remarkably like yours. Neither one is recognized by NuGet Package Manager 4.6.0. Any ideas?

I added the folder where the package is to NuGet Sources: Tools / Options / NuGet / Package Sources, just add a new source for the local folder. You can then select this specific source in the Package Manager. Remember to check the box for pre-release packages, otherwise it won't show.
@GammaFour

@tmarkovski - That was it: the pre-release flag. Thanks!

@tmarkovski @GammaFour @jmprieur Started some documentation here on ROPC for B2C. Feel free to update or modify.

@jennyf19 - Perhaps a comment or discussion section on your documentation might be useful. For instance (and I realize this is off topic for this thread), I don't understand the warning that ROPC isn't secure. Yes, obviously for an end-user application the argument holds, but there will always be daemon and bulk loading processes for any serious web-based application. What's the recommended alternative if we don't have a headless way to authenticate?

BTW, as a consumer, I approve of the new fluent API pattern for the token acquisition; it's much more intuitive.

Hi @GammaFour -- the concern is that managing and storing passwords is generally insecure and hard to get right. It's equivalent to storing secrets in the open. However, you're correct that there will always be daemon and bulk loading processes. And for those, if they're manual, device code flow might be better to look at first. It's more of a guidance to not pick username/password as your default since that defeats the purpose of a lot of the security and policy that OAuth2 and modern security practices are trying to convey. And in a web application scenario, you'll have encrypted secrets, keyvault, certificates and such instead of just storing username/password values in the clear. Hopefully this provides some clarity on the guidance.

Also glad to hear you like the new API pattern. Great to hear the feedback!

@tmarkovski @GammaFour @mrochon Fix has been released in 3.0.5-preview. Please note there is no id_token returned from B2C, so the cache will not be populated. A fix from B2C is in the works. See documentation for more details. Thanks for helping test the fix.

@tmarkovski @GammaFour @mrochon
B2C rolled out their fix for this. You should be receiving an IdToken now w/the ROPC flow. I verified it works on my end, but you have time to verify and get back to us that you see the same, that would be great. Thanks.

cc: @jmprieur @henrik-me