Microsoft-authentication-library-for-dotnet: Support for AcquireTokenSilent in ROPC scenario

Created on 10 May 2019 · 11 Comments · Source: AzureAD/microsoft-authentication-library-for-dotnet

Is your feature request related to a problem? Please describe.
I'd like to use ROPC in a mobile app (Xamarin iOS and Android) with Azure AD B2C, but with MSAL library I cannot refresh tokens silently because MSAL doesn't store the account information when id_token is missing (which is the case in ROPC scenario in Azure AD B2C).

Describe the solution you'd like
MSAL should store refresh token information so that we can refresh token silently later. ID token should not be required for this to work.

Describe alternatives you've considered
Making ROPC REST requests manually and storing refresh token in the keychain manually. This basically means I would drop MSAL library entirely from our app and do everything myself with plain HttpClient.

Additional context
As described in the documentation:

Currently, there is no id_token returned from B2C when implementing the ROPC flow from MSAL. This means an Account object cannot be created, so in the cache, there will be no Account and no user. The AcquireTokenSilent flow will not work in this scenario. However, ROPC does not show a UI, so there will be no impact to the user experience.

B2C Service Issue enhancement Mobile-Android Mobile-iOS service-enhancement
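An added example (not code from the issue or from MSAL.NET's own samples) of the flow the issue describes: try AcquireTokenSilent against a cached account first and only fall back to sending the password, then check whether the ROPC response produced an Account at all. The client id, B2C authority, scope and the SecureString password are assumptions.

```csharp
using System;
using System.Linq;
using System.Security;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Placeholder tenant, policy, client id and scope: assumptions, not values from the issue.
static class RopcSample
{
    const string ClientId  = "00000000-0000-0000-0000-000000000000";
    const string Authority = "https://contoso.b2clogin.com/tfp/contoso.onmicrosoft.com/B2C_1_ROPC";
    static readonly string[] Scopes = { "https://contoso.onmicrosoft.com/api/read" };

    static readonly IPublicClientApplication App =
        PublicClientApplicationBuilder.Create(ClientId)
            .WithB2CAuthority(Authority)
            .Build();

    // Prefer the cached refresh token; send the password only when no account is cached
    // or the cached refresh token can no longer be used.
    public static async Task<AuthenticationResult> GetTokenAsync(string username, SecureString password)
    {
        IAccount account = (await App.GetAccountsAsync()).FirstOrDefault();
        if (account != null)
        {
            try
            {
                // Uses the cached refresh token; no credentials leave the device.
                return await App.AcquireTokenSilent(Scopes, account).ExecuteAsync();
            }
            catch (MsalUiRequiredException)
            {
                // Refresh token expired or revoked: fall through to ROPC.
            }
        }

        AuthenticationResult result = await App
            .AcquireTokenByUsernamePassword(Scopes, username, password)
            .ExecuteAsync();

        // Without an id_token in the ROPC response MSAL cannot build an Account, so nothing
        // is cached and the next call will have to send the password again.
        if (result.Account == null)
            Console.WriteLine("No account cached: AcquireTokenSilent will not be available.");

        return result;
    }
}
```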

All 11 comments

@arek-avanade
ROPC is enabled for mobile scenarios since: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/882

However as you have noticed this is not yet the case for B2C. The B2C service is working on enabling ROPC. Expecting that we will have some improvements in the service and thus also for the library in the next 2 weeks.

CC: @jennyf19 hoping you can help clarify what to expect.

@henrik-me Do you mean that since ROPC is in Preview in Azure B2C, once it moves to stable phase it would return ID Token and AcquireTokenSilent in MSAL library would work out-of-the-box? Or am I missing something?

@arek-avanade My hope is that @jennyf19 can help clarify details/timeline. The goal for B2C is to send the id_token by default in ROPC flows. Not sure if we can get closer to a timeline of this change. If the fix is ready then the roll-out time is likely 2 to 3 weeks.

@arek-avanade ROPC is in Preview w/Azure B2C, but works in MSAL.NET starting with v3.0.5-preview.

The limitations with ROPC in B2C, at the moment, are:

  • only works w/local accounts (not other IdPs)
  • no IdToken is returned from B2C. The fix for this is in PR w/B2C right now. Should be a few more weeks until it is in prod. We will update the wiki when that happens. (this is what @henrik-me is referring to)

Let us know if you have more questions and check out the wiki page on ROPC with B2C

Closing as nothing needs to be done in MSAL.NET.

@jmprieur I was leaving this open until the b2c fix rolls out (should be eow) and then update docs

ok. Reopened @jennyf19

@arek-avanade B2C rolled out their fix for this. You should be receiving an IdToken now w/the ROPC flow. I verified it works on my end, but if you have time to verify and get back to us that you see the same, that would be great. Thanks.

cc: @jmprieur @henrik-me

@arek-avanade Closing as the fix has been rolled out.

@jennyf19 Thanks! I can confirm I'm able to get ID Token with ROPC. I haven't verified MSAL library behavior itself, since we switched to manual REST requests in the meantime, but I assume this would work now.

@arek-avanade Thanks for the confirmation!
