I have an Angular app which authenticates users in Azure AD B2C using the MSAL library with standard usage of that library. I have a separate custom policy for sign-in which has worked fine so far. I don't have a custom domain yet, so the application has a different domain than the B2C IDP.

Currently, I'm adding a revoke session feature, which is described here. Btw, the same RedeemRefreshToken journey is in TrustFrameworkBase.xml already.

The problem is that after attaching that endpoint to the RelyingParty of my sign-in policy

<Endpoints> 
  <Endpoint Id="Token" UserJourneyReferenceId="RedeemRefreshToken" /> 
</Endpoints>

every token request with grant_type: refresh_token coming from my app gets error 400 with the response:

{
    "error": "invalid_grant",
    "error_description": "AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again.\r\nCorrelation ID: <correlationid>\r\nTimestamp: 2023-10-18 11:31:46Z\r\n"
}

The message from policy log is:

"User does not have an existing session and request prompt parameter has a value of 'None'."

After that error, the authorize request is automatically sent (handled by the same sign-in policy), followed by a token request with grant_type: authorization_code which correctly responds with all tokens. The authorize request doesn't ask for login because the session exists (cookie x-ms-cpim-sso:<tenantname>.onmicrosoft.com_<x>).

I compared that erroneous refresh token request (headers, payload) with the same request sent when the policy doesn't contain the endpoint to the RedeemRefreshToken journey, and both look the same. The only difference is the response: 400 vs 200.

I tried to use that journey with a simple step to create some test claim instead of comparing dates, but the result is the same.

Why does the policy require a session for running the RedeemRefreshToken journey? Or maybe the message is misleading and there is some other problem. It looks like the problem is not in the journey itself.

More info:

My only Angular settings for MsalInterceptorConfiguration, which is used by MSAL to create the token request (the rest is by default):

{
    interactionType: InteractionType.Redirect,
    protectedResourceMap: map(my endpoint url, scope)
}

Policy:

  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignIn" />
    <Endpoints>
      <Endpoint Id="Token" UserJourneyReferenceId="RedeemRefreshToken" />
    </Endpoints>
    <UserJourneyBehaviors>
      <SingleSignOn Scope="Tenant" KeepAliveInDays="0" />
      <SessionExpiryType>Absolute</SessionExpiryType>
      <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
      <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="<instrumentationkey>" DeveloperMode="true" ClientEnabled="true" ServerEnabled="true" TelemetryVersion="1.0.0" />
      <ScriptExecution>Allow</ScriptExecution>
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" />
        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>

Full policy log:

[
  {
    "Kind": "Headers",
    "Content": {
      "UserJourneyRecorderEndpoint": "urn:journeyrecorder:applicationinsights",
      "CorrelationId": "<correlationid>",
      "EventInstance": "Event:AUTH",
      "TenantId": "<mytenant.onmicrosoft.com>",
      "PolicyId": "<mypolicy>"
    }
  },
  {
    "Kind": "Transition",
    "Content": {
      "EventName": "AUTH",
      "StateName": "Initial"
    }
  },
  {
    "Kind": "Predicate",
    "Content": "Web.TPEngine.StateMachineHandlers.NoOpHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true,
      "Statebag": {
        "MACHSTATE": {
          "c": "2023-10-18T11:43:20.7773774Z",
          "k": "MACHSTATE",
          "v": "Initial",
          "p": true
        },
        "JC": {
          "c": "2023-10-18T11:43:20.7773774Z",
          "k": "JC",
          "v": "en",
          "p": true
        },
        "ComplexItems": "_MachineEventQ, TCTX"
      },
      "PredicateResult": "True"
    }
  },
  {
    "Kind": "Action",
    "Content": "Web.TPEngine.OrchestrationManager"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true,
      "Statebag": {
        "Complex-CLMS": {},
        "ORCH_CS": {
          "c": "2023-10-18T11:43:20.7783771Z",
          "k": "ORCH_CS",
          "v": "0",
          "p": true
        },
        "RA": {
          "c": "2023-10-18T11:43:20.7783771Z",
          "k": "RA",
          "v": "0",
          "p": true
        },
        "ComplexItems": "_MachineEventQ, TCTX, ORCH_IDX"
      }
    }
  },
  {
    "Kind": "Transition",
    "Content": {
      "EventName": "PreStep",
      "StateName": "Initial"
    }
  },
  {
    "Kind": "Predicate",
    "Content": "Web.TPEngine.StateMachineHandlers.NoOpHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true,
      "PredicateResult": "True"
    }
  },
  {
    "Kind": "Action",
    "Content": "Web.TPEngine.StateMachineHandlers.PreSetupHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true,
      "Statebag": {
        "RPP": {
          "c": "2023-10-18T11:43:20.7793772Z",
          "k": "RPP",
          "v": "OAUTH2",
          "p": true
        },
        "RPIPP": {
          "c": "2023-10-18T11:43:20.7793772Z",
          "k": "RPIPP",
          "v": "OAuth2ProtocolProvider",
          "p": true
        },
        "OTID": {
          "c": "2023-10-18T11:43:20.780378Z",
          "k": "OTID",
          "v": "<mytenant.onmicrosoft.com>",
          "p": true
        },
        "APPMV": {
          "c": "2023-10-18T11:43:20.780378Z",
          "k": "APPMV",
          "v": "V2",
          "p": true
        }
      }
    }
  },
  {
    "Kind": "Predicate",
    "Content": "Web.TPEngine.StateMachineHandlers.InitiatingMessageValidationHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": false,
      "RecorderRecord": {
        "Values": [
          {
            "Key": "Validation",
            "Value": {
              "Values": [
                {
                  "Key": "SubmittedBy",
                  "Value": "Application"
                },
                {
                  "Key": "ProtocolProviderType",
                  "Value": "OpenIdConnectProtocolProvider"
                },
                {
                  "Key": "Exception",
                  "Value": {
                    "Kind": "Handled",
                    "HResult": "80131500",
                    "Message": "User does not have an existing session and request prompt parameter has a value of 'None'.",
                    "Data": {
                      "IsPolicySpecificError": false
                    }
                  }
                }
              ]
            }
          }
        ]
      },
      "Statebag": {
        "CT": {
          "c": "2023-10-18T11:43:20.7933782Z",
          "k": "CT",
          "v": "Spa",
          "p": true
        },
        "CC": {
          "c": "2023-10-18T11:43:20.7933782Z",
          "k": "CC",
          "v": "VmuKAsCFVPldmaemWNwlacWuZ5Y7cEpm2c-1LJArbhQ",
          "p": true
        },
        "CCM": {
          "c": "2023-10-18T11:43:20.7933782Z",
          "k": "CCM",
          "v": "S256",
          "p": true
        },
        "MSG(6da8e3c7-edfb-4617-a448-14e479af2f4e)": {
          "c": "2023-10-18T11:43:20.7963775Z",
          "k": "MSG(6da8e3c7-edfb-4617-a448-14e479af2f4e)",
          "v": "{\"TenantId\":\"<mytenant.onmicrosoft.com>\",\"PolicyId\":\"<mypolicy>\",\"PromptQueryStringValue\":\"none\",\"RedirectUri\":\"<myredirect>\",\"AdditionalParameters\":{\"client-request-id\":\"0dc353b2-cf35-4cc7-aa05-3ddf63648483\",\"x-client-SKU\":\"msal.js.browser\",\"x-client-VER\":\"2.37.0\",\"client_info\":\"1\",\"code_challenge\":\"VmuKAsCFVPldmaemWNwlacWuZ5Y7cEpm2c-1LJArbhQ\",\"code_challenge_method\":\"S256\"},\"Nonce\":\"9d3c7781-f96a-4c17-9400-4d70c306cc5a\",\"State\":\"eyJpZCI6IjYwYWZjNzg5LTBjOTQtNDQxNi04YmY5LWViOGI2MGRjYTEwMCIsIm1ldGEiOnsiaW50ZXJhY3Rpb25UeXBlIjoic2lsZW50In19\",\"ClientId\":\"<myclientid>\",\"ResponseType\":\"code\",\"ResponseMode\":\"fragment\",\"ResponseRedirector\":{\"URI\":\"<myuri>\",\"D\":false,\"WF\":true},\"Scope\":\"<myscope> openid profile offline_access\",\"AppModelVersion\":1,\"ScopedProviders\":[]}",
          "p": true,
          "t": "OAuth2"
        },
        "CMESSAGE": {
          "c": "2023-10-18T11:43:20.7963775Z",
          "k": "CMESSAGE",
          "v": "6da8e3c7-edfb-4617-a448-14e479af2f4e",
          "p": true
        },
        "IMESSAGE": {
          "c": "2023-10-18T11:43:20.7963775Z",
          "k": "IMESSAGE",
          "v": "6da8e3c7-edfb-4617-a448-14e479af2f4e",
          "p": true
        },
        "SE": {
          "c": "2023-10-18T11:43:20.7973775Z",
          "k": "SE",
          "v": "Authorize",
          "p": true
        },
        "ComplexItems": "_MachineEventQ, TCTX, ORCH_IDX, REPRM, IC, M_EXCP"
      },
      "Exception": {
        "Kind": "Handled",
        "HResult": "80131500",
        "Message": "User does not have an existing session and request prompt parameter has a value of 'None'.",
        "Data": {
          "IsPolicySpecificError": false
        }
      },
      "PredicateResult": "False"
    }
  },
  {
    "Kind": "Action",
    "Content": "Web.TPEngine.SSO.SSOSessionEndHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true
    }
  },
  {
    "Kind": "Action",
    "Content": "Web.TPEngine.StateMachineHandlers.SendErrorHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true,
      "RecorderRecord": {
        "Values": [
          {
            "Key": "SendErrorTechnicalProfile",
            "Value": "OpenIdConnectProtocolProvider"
          },
          {
            "Key": "Exception",
            "Value": {
              "Kind": "Handled",
              "HResult": "80131500",
              "Message": "User does not have an existing session and request prompt parameter has a value of 'None'.",
              "Data": {
                "IsPolicySpecificError": false
              }
            }
          }
        ]
      },
      "Statebag": {
        "SE": {
          "c": "2023-10-18T11:43:20.7993777Z",
          "k": "SE",
          "v": "",
          "p": true
        }
      }
    }
  },
  {
    "Kind": "Action",
    "Content": "Web.TPEngine.StateMachineHandlers.TransactionEndHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true
    }
  }
]

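As an added example (not part of the question above), a small Python helper that reads a B2C journey-recorder log of the shape posted above and pulls out the failing predicate, the step name from the `SE` statebag entry, the parsed initiating request from the `MSG(...)` entry (whose value is itself a JSON string) and the exception message. The sample log is a constructed excerpt modelled on the question's entries; on that input it shows the validated request was an authorize request with `PromptQueryStringValue` "none", not a token redemption.

```python
import json

# Constructed excerpt of an Azure AD B2C policy (journey recorder) log, shaped
# like the one in the question: the InitiatingMessageValidationHandler fails and
# the MSG(...) statebag entry carries the request the policy actually validated.
SAMPLE_LOG = json.dumps([
    {"Kind": "Transition", "Content": {"EventName": "AUTH", "StateName": "Initial"}},
    {"Kind": "Predicate",
     "Content": "Web.TPEngine.StateMachineHandlers.InitiatingMessageValidationHandler"},
    {"Kind": "HandlerResult", "Content": {
        "Result": False,
        "Statebag": {
            "SE": {"k": "SE", "v": "Authorize", "p": True},
            "MSG(6da8e3c7-edfb-4617-a448-14e479af2f4e)": {
                "k": "MSG(6da8e3c7-edfb-4617-a448-14e479af2f4e)",
                "v": json.dumps({"PromptQueryStringValue": "none",
                                 "ResponseType": "code",
                                 "Scope": "<myscope> openid profile offline_access"}),
                "p": True, "t": "OAuth2"}},
        "Exception": {"Kind": "Handled", "HResult": "80131500",
                      "Message": "User does not have an existing session and "
                                 "request prompt parameter has a value of 'None'."}}},
])


def summarize_policy_log(log_text):
    """Return the first failing predicate, the step (statebag SE), the parsed
    initiating request (statebag MSG(...)) and the first exception message."""
    summary = {"failed_predicate": None, "step": None, "request": None, "error": None}
    last_predicate = None
    for entry in json.loads(log_text):
        kind, content = entry.get("Kind"), entry.get("Content")
        if kind == "Predicate":
            last_predicate = content  # remembered so a failing result can name it
        elif kind == "HandlerResult" and isinstance(content, dict):
            if content.get("Result") is False and summary["failed_predicate"] is None:
                summary["failed_predicate"] = last_predicate
            bag = content.get("Statebag", {})
            if bag.get("SE", {}).get("v"):
                summary["step"] = bag["SE"]["v"]
            for key, item in bag.items():
                if key.startswith("MSG(") and summary["request"] is None:
                    summary["request"] = json.loads(item["v"])  # nested JSON string
            exc = content.get("Exception")
            if exc and summary["error"] is None:
                summary["error"] = exc.get("Message")
    return summary
```

Run it against the full log pasted in the question by loading that file's text instead of `SAMPLE_LOG`.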