Microsoft-authentication-library-for-dotnet: [Bug] B2C + desktop SystemWebView returns redirecturi mismatch

Created on 16 Mar 2020 · 5 Comments · Source: AzureAD/microsoft-authentication-library-for-dotnet

Which Version of MSAL are you using ?
latest 4.9.0
Note that to get help, you need to run the latest version. Preview versions are also ok.
For ADAL, please log issues to https://github.com/AzureAD/azure-activedirectory-library-for-dotnet

Platform

netcore & net48
What authentication flow has the issue?

  • Desktop / Mobile

    • [x] Interactive

    • [ ] Integrated Windows Auth

    • [ ] Username Password

    • [ ] Device code flow (browserless)

  • Web App

    • [ ] Authorization code

    • [ ] OBO

  • Web API

    • [ ] OBO

Other? - please describe;

Is this a new or existing app?

This is a new app
Repro

    using System;
    using Microsoft.Identity.Client;

    // Scope of the B2C-protected API (user_impersonation on the API's app id)
    var scopes = new[] { $"https://{tenant}.onmicrosoft.com/{api}/user_impersonation" };

    // Public client configured for the B2C authority with a loopback redirect URI (no port)
    var app = PublicClientApplicationBuilder.Create(clientId)
        .WithRedirectUri("http://localhost")
        .WithB2CAuthority($"https://{tenant}.b2clogin.com/tfp/{tenant}.onmicrosoft.com/{policy}")
        .Build();
    var accounts = await app.GetAccountsAsync();

    // Interactive sign-in through the system browser (embedded web view disabled)
    var result = await app.AcquireTokenInteractive(scopes)
        .WithUseEmbeddedWebView(false)
        .ExecuteAsync();
    Console.WriteLine(result.AccessToken);

Expected behavior
This should return the token to access the API I have set up
Actual behavior
It opens the browser and returns this url:

http://localhost/?error=redirect_uri_mismatch&error_description=AADB2C90006%3a+The+redirect+URI+%27http%3a%2f%2flocalhost%3a2345%27+provided+in+the+request+is+not+registered+for+the+client+id+%{clientIdHere}%27.%0d%0aCorrelation+ID%3a+1a84e345-a5e5-4007-989b-f2ab8d76e19c%0d%0aTimestamp%3a+2020-03-16+19%3a49%3a48Z%0d%0a&state=f0c5b1ab-c55b-402e-890d-f8f97a76cf0bdd04aa43-04e3-42b4-b05a-72be4b313152

Possible Solution

This works if I use the embedded webview, but I need the system web view to work to use .net core

answered question

All 5 comments

Hi @chrisevans9629 - you need to register the redirect URI in the application portal first. I don't remember if B2C allows you to configure "http://localhost" ... but may allow you to configure "http://localhost:12345" (or whatever port you want). Please let us know if this works for you.

PS: may I ask why you need Edge browser?

I have "http://localhost" registered in the azure portal for my B2C app. And I don't need to use Edge browser. That was just for testing. I'll edit my code to remove it as it's irrelevant.
Note that this app works with the integrated browser, but not the system web browser, so I don't think it's a redirect uri issue?

The integrated browser doesn't need and doesn't use the redirect uri. MSAL can tell when the embedded browser has finished and it can read the final URL which contains a code.

The redirect uri is needed for the system browser. MSAL has no control over the system browser, except to tell it where to go. Then AAD redirects to http://localhost: and MSAL will be listening on that port. That's how MSAL picks up the final url.

Could you try to configure a specific port, for example http://localhost:8090 in both MSAL and the application portal and see if that works?
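The mechanism described above (MSAL listens on the loopback port named in the redirect URI, so the URI in code and the one registered in the portal must match port-for-port) written out as an added C# example; this is not code from the issue or from MSAL itself, and the tenant, policy, client id and API id values are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

static class B2CSystemBrowserSample
{
    // Placeholder values: replace with your own B2C tenant, policy, app id and API id.
    const string Tenant = "<tenant>";
    const string Policy = "<policy>";
    const string ClientId = "<client-id>";
    const string ApiId = "<api-id>";

    // The port is part of the redirect URI the service validates, so it is fixed here
    // and the identical string "http://localhost:8090" is registered on the B2C app.
    const string RedirectUri = "http://localhost:8090";

    // Rejects redirect URIs that do not name the loopback port MSAL will listen on.
    public static void RequireLoopbackWithExplicitPort(string redirectUri)
    {
        var uri = new Uri(redirectUri);
        if (uri.Scheme != Uri.UriSchemeHttp || !uri.IsLoopback)
            throw new ArgumentException("System browser redirect must be http://localhost[:port]");
        if (uri.IsDefaultPort)
            throw new ArgumentException("Use an explicit port, e.g. http://localhost:8090, and register the same value in the portal");
    }

    public static async Task<AuthenticationResult> AcquireAsync()
    {
        RequireLoopbackWithExplicitPort(RedirectUri);

        var app = PublicClientApplicationBuilder.Create(ClientId)
            .WithB2CAuthority($"https://{Tenant}.b2clogin.com/tfp/{Tenant}.onmicrosoft.com/{Policy}")
            .WithRedirectUri(RedirectUri)
            .Build();

        var scopes = new[] { $"https://{Tenant}.onmicrosoft.com/{ApiId}/user_impersonation" };

        try
        {
            // WithUseEmbeddedWebView(false) selects the system browser; MSAL starts a
            // listener on port 8090 and waits for B2C to redirect back with the code.
            return await app.AcquireTokenInteractive(scopes)
                .WithUseEmbeddedWebView(false)
                .ExecuteAsync();
        }
        catch (MsalServiceException ex)
        {
            // A registration mismatch comes back from the service (AADB2C90006 in the issue above).
            Console.Error.WriteLine($"{ex.ErrorCode}: {ex.Message}");
            throw;
        }
    }
}
```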

Okay that makes sense. I'll try that and will give you an update tomorrow. Thank you.


That was the issue. http://localhost does not work, but http://localhost:8090 does when set up in Azure and MSAL. Thanks for your help!
