Which Version of MSAL are you using ?
MSAL 4.0.0
Platform
.NET Core 3.0
What authentication flow has the issue?
Is this a new or existing app?
This is a new app
Repro
```csharp
// Creation of PublicClientApp
// Call to WithRedirectUri is commented out because that redirect URI cannot
// be added during app registration.
public static IPublicClientApplication PublicClientApp { get; } = PublicClientApplicationBuilder
    .Create(ClientId)
    .WithB2CAuthority(Authority)
    // .WithRedirectUri("http://localhost")
    .Build();

// ...
// Sign-in method logic
await App.PublicClientApp.AcquireTokenInteractive(App.ApiScopes)
    .WithB2CAuthority(App.Authority)
    .WithPrompt(Prompt.SelectAccount)
    .ExecuteAsync();
```
Expected behavior
Call to AcquireTokenInteractive should open default browser and prompt user for login credentials. After login should return focus to app.
Actual behavior
AcquireTokenInteractive is throwing an exception:
"Only loopback redirect uri is supported, but urn:ietf:wg:oauth:2.0:oob was found. Configure http://localhost or http://localhost:port both during app registration and when you create the PublicClientApplication object. See https://aka.ms/msal-net-os-browser for details".
Additional context/ Logs / Screenshots
Here is the Azure portal AD B2C tenant app registration screen for native client:
On the AD B2C app registration I cannot add custom URI "http://localhost".
So how can a .NET Core Desktop WPF app use interactive login with B2C? Are there any other options and examples?
@skanvk15 is it possible to add http://localhost:* as redirect URIs in the B2C application?
@valnav can you please answer?
@skanvk15: @bgavrilMS just told me that he has been engaging with the B2C team, and they don't support it today.
Would you know if .NET Core 3.0 comes with a Web browser control?
@jmprieur using http://localhost:* causes a parsing exception "Invalid RedirectURI was received (http://localhost:*) Not parseable into System.Uri class."
For the second question, yes, I am able to add a WebBrowser control in my WPF .NET Core 3.0 app. Can this be used to complete the interactive login? Are there any examples?
@bgavrilMS has a sample: https://github.com/bgavrilMS/msal-interactive-netcore
it would probably need to be adapted, but that could help you.
I was able to use the code from the sample, with few minor changes, where it is now working up to the point of launching the browser and getting user name and password. For this to work I had to register the app on the AD B2C tenant with a custom redirect URI (e.g. myappname://auth) which I then use in the creation of PublicClientApplication:
```csharp
public static IPublicClientApplication PublicClientApp { get; } = PublicClientApplicationBuilder
    .Create(ClientId)
    .WithRedirectUri("myappname://auth")
    .Build();
```
The problem now is how to set up the TCP listener for the auth code. In the sample it is using http://localhost:port (where port is a free local port). But I cannot use that, since the B2C app registration will not take such a redirect URI?
@skanvk15 - indeed, B2C does not allow this redirect uri to be used. We are discussing with them to remove the limitation.
Until then unfortunately, I do not see any other workarounds except:
a. Do not use .Net Core, use .Net Classic
b. Implement your own ICustomWebUI using the UI controls available in .Net Core (@jmprieur - we might want to add this to the backlog, we should provide an implementation in an extension library).
@bgavrilMS thanks for the update. Option (a) will not work for my solution, I have many other dependencies with .NET Core. Option (b) seems like the only choice for me. If an implementation in an extension lib can be provided that would be great.
CC @jennyf19 who may be able to get an update from the B2C team on allowing http://localhost redirect uri
@jmprieur @henrik-me - as an alternative, we could investigate MSAL for .Net Core 3 with WinForms support. This will require a bit of fiddling around:
I am mindful however that we may not want to take a dependency on WinForms from .Net Core 3 and so we might want to provide this functionality as an extension, using ICustomWebUi functionality.
@bgavrilMS : Thanks for the suggestions. I would like to be mindful of the time we have available for this investigation and ideally not bring something on this until netcore 3 has shipped. Will be happy to take contributions from people on this thread as well as others.
@bgavrilMS there is no ETA yet, but this work is planned for Q1. Once I get a work item link, I'll forward it to you.
Hi I would like to register our interest in this problem too. We are developing on dotnet core 3 preview 7 and WPF application.
We have the same issue, that the only way to authenticate is local loopback to default browser.
Our preference is to have behavior the same as .Net Framework and UWP, i.e. a pop-up login.
dot net core <3.0.0-preview7-27912-14>
Identity Client <4.2.1>
Thanks
greg
This work item is not scheduled for now, and we will probably not tackle it until .NET Core 3 is released with a non-preview tag.
You can however implement your own, MSAL has an extensibility point that allows you to bring your own browser:
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/CustomWebUi
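The "bring your own browser" extensibility point mentioned here and in option (b) above, as an added example that is not code from this thread or from MSAL itself: a hypothetical `WpfWebBrowserUi` class implementing MSAL's `ICustomWebUi` on top of the WPF `WebBrowser` control, assuming a WPF .NET Core 3.0 project and the custom redirect URI (`myappname://auth`) registered on the B2C app. The guard in `IsRedirect` makes sure only a navigation to the registered redirect URI is handed back to MSAL, not any URL that happens to carry a `code` parameter.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using System.Windows;
using System.Windows.Controls;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Extensibility;

// Hypothetical ICustomWebUi that hosts the WPF WebBrowser control in a dialog.
// MSAL passes the authorization URL and the redirect URI it expects; we return
// the full redirect URL (query carries code or error) once the browser lands on it.
public sealed class WpfWebBrowserUi : ICustomWebUi
{
    public Task<Uri> AcquireAuthorizationCodeAsync(Uri authorizationUri, Uri redirectUri,
                                                   CancellationToken cancellationToken)
    {
        var tcs = new TaskCompletionSource<Uri>();
        var browser = new WebBrowser();
        var window = new Window { Title = "Sign in", Width = 500, Height = 700, Content = browser };

        // Abort the sign-in if the caller cancels or the user closes the window early.
        cancellationToken.Register(() => window.Dispatcher.Invoke(window.Close));
        window.Closed += (_, __) => tcs.TrySetCanceled();

        browser.Navigating += (_, e) =>
        {
            // Only a navigation to the registered redirect URI counts as the result.
            if (IsRedirect(e.Uri, redirectUri))
            {
                e.Cancel = true;          // do not actually load myappname://auth
                tcs.TrySetResult(e.Uri);  // MSAL parses code / error from the query string
                window.Close();
            }
        };

        browser.Navigate(authorizationUri);
        window.Show();
        return tcs.Task;
    }

    // Compare scheme, host, port and path; the query string is where the code arrives.
    internal static bool IsRedirect(Uri candidate, Uri redirectUri) =>
        candidate != null &&
        Uri.Compare(candidate, redirectUri,
            UriComponents.SchemeAndServer | UriComponents.Path,
            UriFormat.Unescaped, StringComparison.OrdinalIgnoreCase) == 0;
}

// Usage in the sign-in handler (assumed App.PublicClientApp / App.ApiScopes as above):
// var result = await App.PublicClientApp.AcquireTokenInteractive(App.ApiScopes)
//     .WithCustomWebUi(new WpfWebBrowserUi()).ExecuteAsync();
```

Because the embedded WebBrowser control is IE-based and runs inside the app's process, the app can observe everything the user types into the login page, which is the trade-off the thread's preference for the system browser avoids.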
Hello,
Is there any update on when the work for this issue will be scheduled/released?
Thanks
@cswierczynski-diam
Before supporting embedded browsers in the netcore target we have to make some structural changes to the library ensuring we can ship a netcore target which doesn't have a dependency on WPF or Winforms. This work is currently in progress.
We have so far deprioritized providing the solution in the extensibility library, as we want to make this feature part of the core library. The best option so far is to use the CustomWebUI approach as outlined by @bgavrilMS.
@jennyf19 any updates on the B2C timeline?
CC: @jmprieur @jennyf19
Just an update on this - B2C have now implemented support for http://localhost:port, so AcquireTokenInteractive will work for the Identity Providers that allow this kind of redirect uri. They will support http://localhost (no port) soon.
I believe this is now in production. Closing. Please reopen if necessary.