Microsoft-authentication-library-for-dotnet: [Bug] When using google IDP with B2C, login prompt fails

Created on 7 Jan 2020 · 6 Comments · Source: AzureAD/microsoft-authentication-library-for-dotnet

Which version of MSAL are you using?
MSAL 4.7.1

Platform
Net 4.5

What authentication flow has the issue?

  • Desktop / Mobile

    • [X] Interactive

Is this a new or existing app?
New

Repro

    using System.Linq;
    using System.Threading.Tasks;
    using Microsoft.Identity.Client;

    // Placeholder: the application (client) ID from the app registration; not given in the issue.
    static string clientId = "<client-id>";

    static async Task<AuthenticationResult> getToken()
    {
        string[] scopes = new string[] { "user.read" };

        // Public client built against the AAD tenant; on .NET Framework the embedded
        // web browser control is used for interactive sign-in by default.
        var app = PublicClientApplicationBuilder.Create(clientId)
                    .WithTenantId("tenantName.onmicrosoft.com")
                    .WithRedirectUri("revoke://dummy")
                    .Build();
        var accounts = await app.GetAccountsAsync();
        AuthenticationResult result;
        try
        {
            // Try the cache first; throws MsalUiRequiredException when user interaction is needed.
            result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
                        .ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // Falls back to the interactive flow (embedded browser control on .NET 4.5).
            result = await app.AcquireTokenInteractive(scopes)
                        .ExecuteAsync();
        }

        return result;
    }

Expected behavior
A token to be returned

Actual behavior
During logon, the Microsoft logon site redirects to the Google IdP login and shows the email; then, when hitting 'next', we get an error about Google not trusting the browser. Not sure why it doesn't trust it, it is the web browser control. Here is the error:
"This browser or app may not be secure.

Try using a different browser. If you're already using a supported browser, you can refresh your screen and try again to sign in."

Possible Solution
We just need to find what kind of check the IDP is doing on the browser control that stops the login.

Additional context/ Logs / Screenshots
This all works fine if the user is from my AAD. Only Google IDP users fail.

Labels: B2C, Google, answered question

All 6 comments

@westleyMS : can you please share with me (internally is fine) how to configure the tenant to enable the Google IdP? I'm supposing here (from the code) that this is not a B2C scenario?

About the error, I think that Google probably wants you to use a system browser, instead of the embedded browser.
See https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-web-browsers#system-browser-experience-on-net-core
You'll also need to register http://localhost as a reply URI for your app

Then if this is B2C, @westleyMS, you need to use a B2C authority (.WithB2CAuthority).
Please have a look at https://github.com/Azure-Samples/active-directory-b2c-dotnet-desktop for instance. There are some subtleties for B2C.

See also https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/AAD-B2C-specifics
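The configuration the comment above points to, written out as an added example (this is not code from the issue, from MSAL's samples or from the linked docs): the interactive request opts out of the embedded web browser control so the system browser is used, http://localhost is the redirect URI, and the app is built with .WithB2CAuthority. The client ID, tenant name and policy name are placeholders, and whether the system browser is available on .NET Framework depends on the MSAL.NET version in use (assumption: a version that supports WithUseEmbeddedWebView(false) on that platform).

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

static class GoogleIdpLogin
{
    // Placeholders: take these from your app registration and B2C tenant.
    const string ClientId = "<client-id>";
    const string Tenant = "tenantName";                     // from tenantName.onmicrosoft.com
    const string SignInPolicy = "<B2C_1_sign-in-user-flow>"; // B2C user flow / policy name

    // B2C authority: <tenant>.b2clogin.com host, tenant domain and policy in the path.
    static readonly string B2CAuthority =
        $"https://{Tenant}.b2clogin.com/tfp/{Tenant}.onmicrosoft.com/{SignInPolicy}";

    static readonly IPublicClientApplication App = PublicClientApplicationBuilder
        .Create(ClientId)
        .WithB2CAuthority(B2CAuthority)       // B2C authority instead of WithTenantId
        .WithRedirectUri("http://localhost")  // needed for the system browser; register it on the app
        .Build();

    // For B2C, scopes are those of an API exposed in the B2C tenant, not Graph's "user.read".
    static async Task<AuthenticationResult> GetTokenAsync(string[] scopes)
    {
        var accounts = await App.GetAccountsAsync();
        try
        {
            // Silent first; MsalUiRequiredException means the user has to sign in.
            return await App.AcquireTokenSilent(scopes, accounts.FirstOrDefault()).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // Google rejects sign-in from the embedded web browser control
            // ("This browser or app may not be secure"), so use the system browser.
            return await App.AcquireTokenInteractive(scopes)
                .WithUseEmbeddedWebView(false)
                .ExecuteAsync();
        }
    }
}
```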

@westleyMS are you still having issues with this?

Closing as this was answered

Thanks for your help @jmprieur it was an issue with google requiring using a system browser and not the web browser control.
