Microsoft-authentication-library-for-js: offline_access required to get a refresh token in B2C scenarios

Created on 20 Jul 2020 · 19 Comments · Source: AzureAD/microsoft-authentication-library-for-js

Library

Description

B2C service expects offline_access to be in the scopes list in order to issue a refresh token. Including offline_access results in a long lived refresh token being issued which is a security concern.

Expected behavior

offline_access should not be required, and all SPA apps should be issued a 24 hr refresh token.
Service team is working on a fix.

Workaround

For now in B2C scenarios, users must include offline_access with their scopes when requesting a token. This is not recommended for production environments. When this is addressed SPA apps will be issued a 24 hr refresh token regardless of whether offline_access is included or not.

b2c-service bug known-issue msal-browser

All 19 comments

thanks guys, really looking forward to this fix

What is the ETA for this ticket please? Will this be fixed this week also?

@vaughanh1 This will not be included with the CORS fix but will follow shortly thereafter. Unfortunately I am not able to share a more precise ETA as timelines are subject to change if issues are found during testing and/or deployment. Rest assured the work is currently underway and is being prioritized. I hope to share good news soon!

Please get this fix out - asap - really need it!

@tnorling Please can you also pin this issue? As you know, this and https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/1795 are both critical for B2C usage.

@tnorling Any ETA? Thanks

This started deployment late last week and is expected to be completed by the end of this week assuming everything goes smoothly.

@tnorling Please may we have an update on this one? Will be fantastic to round off a long week with this and 2.2.0 working with the B2C. Thanks.

For anyone interested, a reliable source from Microsoft has informed me that there will be some big announcements next week (including security/identity) at the Microsoft Ignite event. Might be worth a look. https://myignite.microsoft.com/home

@vaughanh1 Unfortunately a bug was found during testing and the rollout had to be restarted, tentatively expected next week. Knowing these things happen I'm reluctant to provide another ETA until it's out and available. There will be a public announcement when B2C + msal.js v2 is considered "released" and supported, so please keep your eyes out for that.

So not in release 2.3? Also waiting for it to be fixed...

@pandoras This is a server issue so it's not tied to a release of msal. Once the fix has completed deployment it should work with any version of msal-browser you're running. Unfortunately the rollout has been delayed a few times for reasons outside of our control but rest assured it's still a priority and will make it out as soon as it's able to.

@tnorling any news?

The fix for this has completed rollout and should be generally available. Please make sure your redirectUri is registered in the portal as type "SPA" in order to be issued a 24hr refresh token.

Closing as resolved. If anyone continues to experience issues please open a new issue.

@tnorling Does this mean that msal-browser can be safely used with B2C now?

@CerosDev Yes, you can go ahead.

@tnorling Has this been rolled out to all B2C tenants? I'm still getting the following response when using PKCE flow and just _openid_ as a scope. The application in B2C has _https://jwt.ms_ as a SPA redirect uri.

```json
{
  "access_token": "...",
  "id_token": "ey...",
  "token_type": "Bearer",
  "not_before": 1602857952,
  "expires_in": 3600,
  "expires_on": 1602861552,
  "resource": "https://jwt.ms",
  "refresh_token": "ey...",
  "refresh_token_expires_in": 1209600
}
```

The property refresh_token_expires_in suggests that the token expires in 14 days. It doesn't seem to require token rotation, I can use the original refresh token multiple times to get a new set of tokens.

@vuorinem It should definitely be rolled out to all tenants by now. Please ensure you do not have other redirect uri types also configured on the same app registration. If you're still getting a 14 day refresh token please open a ticket with the B2C service team so they can take a look.

> It doesn't seem to require token rotation, I can use the original refresh token multiple times to get a new set of tokens.

This is expected. RTs may or may not be invalidated by the service after use and should have a 24-hour non-renewable lifetime.
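A small check, added here as an example and not taken from the issue or from MSAL.js, that inspects a B2C token endpoint response of the shape pasted earlier in the thread and flags a refresh token whose lifetime exceeds the 24 hours expected for a SPA-type redirect URI, or a request that included offline_access. The sample response values are constructed (token strings redacted); the function name and return shape are this example's own.

```javascript
// Added example: assess a B2C token response for a long-lived refresh token.
// Not part of MSAL.js; plain JavaScript over the token endpoint's JSON.
const ONE_DAY_SECONDS = 24 * 60 * 60;

// Constructed sample, modelled on the 14-day response quoted in the thread.
const sampleResponse = {
  access_token: "<redacted>",
  id_token: "<redacted>",
  token_type: "Bearer",
  not_before: 1602857952,
  expires_in: 3600,
  expires_on: 1602861552,
  resource: "https://jwt.ms",
  refresh_token: "<redacted>",
  refresh_token_expires_in: 1209600, // 14 days, the case reported above
};

// Returns { hasOfflineAccess, rtLifetimeDays, longLived, findings }.
// longLived is true when the RT outlives 24 h, false when it does not,
// and null when the response gives no lifetime to check.
function assessRefreshToken(response, requestedScopes) {
  const findings = [];
  const hasOfflineAccess = requestedScopes.includes("offline_access");
  if (hasOfflineAccess) {
    findings.push("offline_access was requested; expect a long-lived refresh token");
  }
  if (!("refresh_token" in response)) {
    findings.push("no refresh token in response");
    return { hasOfflineAccess, rtLifetimeDays: null, longLived: false, findings };
  }
  const lifetime = response.refresh_token_expires_in;
  if (typeof lifetime !== "number") {
    findings.push("refresh_token present but refresh_token_expires_in is missing");
    return { hasOfflineAccess, rtLifetimeDays: null, longLived: null, findings };
  }
  const rtLifetimeDays = lifetime / ONE_DAY_SECONDS;
  const longLived = lifetime > ONE_DAY_SECONDS;
  if (longLived) {
    // Matches the thread's guidance: only SPA-type redirect URIs on the app
    // registration should yield the 24 h refresh token.
    findings.push(`refresh token lives ${rtLifetimeDays} days; check that the ` +
      `redirect URI is registered as type SPA and no other URI types are present`);
  }
  return { hasOfflineAccess, rtLifetimeDays, longLived, findings };
}

console.log(assessRefreshToken(sampleResponse, ["openid"]));
```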
