OAuth2 implicit grant flow fails for Azure guest users

Question

I try to authorize Azure AD guest users to my web application through the MSAL library. Since it is an SPA, I'm using implicit grant flow. For "standard" users, the flow is OK. But for "guest" users (with personal addresses like "gmail"), it fails on getting obo token as described here :

https://github.com/Azure/azure-sdk-for-java/tree/2.3.5/sdk/spring/azure-spring-boot-starter-active-directory#authenticate-in-frontend

Message is :

{ "error": "invalid_grant",
  "error_description": "AADSTS500341: The user account <user_account> has been deleted from the <tenantId> directory. To sign into this application, the account must be added to the directory.
}

I isolated the http request to bypass MSAL magic (it fails on /oauth2/token request):

I just wonder if guest users could be authorized with this flow or if there is another way to authorize them.

Answer 1

When using On-Behalf-Of flow, please follow the steps here. If requesting /token endpoint with id_token, it will return this error. The assertion should set with access token.

---

You use the On-Behalf-Of flow but not implicit grant flow in your issue.

Try to follow the steps with an invited user using implicit flow:

1. Add guest user in Azure AD

https://learn.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal#add-a-new-guest-user-in-azure-ad

2. Navigate to Enterprise applications-> your application-> Users and groups

3. Request /authorize for token

You could login the user at the browser using the implicit flow.

https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize?
client_id={client_id}
&response_type=id_token token
&redirect_uri={redirect_uri}
&scope=https://graph.microsoft.com/user.read
&response_mode=fragment
&state=12345
&nonce=678910

My test result:

Answer 2

thank you for sharing the query. An Azure AD B2B user (gmail user) can go ahead and successfully fetch an access-token from AAD, using an Implicit Flow. You can use the following request to achieve the same:

https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize?client_id={client-id}&response_type=token&redirect_uri={redirect-uri}&scope=openid%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&response_mode=form_post&state=12345&nonce=678910

Now what I am confused with is the following statement "it fails on web api token validation as described here." and also the screenshot you attached is using OBO flow and not implicit flow.

So, is it like:

1. You get a token using implicit flow for a user
2. After that, you send that token to lets say API-1
3. Then API-1 does OBO flow and tries to get another token for another api lets say API-2

While doing step 3 it fails?

If this is the scenario, then please check the following section "As of May 2018, some implicit-flow derived id_token can't be used for OBO flow. Single-page apps (SPAs) should pass an access token to a middle-tier confidential client to perform OBO flows instead. For more info about which clients can perform OBO calls, see limitations."

More details can be found here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow

If this is not the case, then please do share some more details around this so that we can understand the setup better.