
AcquireTokenInteractive for AD B2C on .NET Core 3.0 WPF desktop client does not work #1213

Closed
1 of 7 tasks
skanvk15 opened this issue Jun 12, 2019 · 16 comments

@skanvk15

skanvk15 commented Jun 12, 2019

Which version of MSAL are you using?
MSAL 4.0.0

Platform
.NET Core 3.0

What authentication flow has the issue?

  • Desktop / Mobile
    • Interactive
    • Integrated Windows Auth
    • Username Password
    • Device code flow (browserless)
  • Web App
    • Authorization code
    • OBO
  • Web API
    • OBO

Is this a new or existing app?
This is a new app

Repro

```csharp
// Creation of PublicClientApp
// Call to WithRedirectUri is commented out because that redirect URI cannot
// be added during app registration.
public static IPublicClientApplication PublicClientApp { get; } = PublicClientApplicationBuilder.
    Create(ClientId).
    WithB2CAuthority(Authority).
    // WithRedirectUri("http://localhost").
    Build();
```

// ...

```csharp
// Sign-in method logic
await App.PublicClientApp.AcquireTokenInteractive(App.ApiScopes).
    WithB2CAuthority(App.Authority).
    WithPrompt(Prompt.SelectAccount).
    ExecuteAsync();
```

Expected behavior
Call to AcquireTokenInteractive should open default browser and prompt user for login credentials. After login should return focus to app.

Actual behavior
AcquireTokenInteractive is throwing an exception:
"Only loopback redirect uri is supported, but urn:ietf:wg:oauth:2.0:oob was found. Configure http://localhost or http://localhost:port both during app registration and when you create the PublicClientApplication object. See https://aka.ms/msal-net-os-browser for details".

Additional context/ Logs / Screenshots
Here is the Azure portal AD B2C tenant app registration screen for native client:
link

On the AD B2C app registration I cannot add custom URI "http://localhost".

So how can a .NET Core Desktop WPF app use interactive login with B2C? Are there any other options and examples?

@jmprieur
Contributor

@skanvk15 is it possible to add http://localhost:* as redirect URIs in the B2C application?
@valnav can you please answer?

@jmprieur
Contributor

@skanvk15: @bgavrilMS just told me that he has been engaging with the B2C team, and they don't support it today.
Would you know if .NET Core 3.0 comes with a web browser control?

@skanvk15
Author

@jmprieur using http://localhost:* causes a parsing exception "Invalid RedirectURI was received (http://localhost:*) Not parseable into System.Uri class."
For the second question, yes, I am able to add a WebBrowser control in my WPF .NET Core 3.0 app. Can this be used to complete the interactive login? Are there any examples?

@jmprieur
Contributor

@bgavrilMS has a sample: https://github.com/bgavrilMS/msal-interactive-netcore
it would probably need to be adapted, but that could help you.

@skanvk15
Author

I was able to use the code from the sample, with a few minor changes, where it is now working up to the point of launching the browser and getting user name and password. For this to work I had to register the app on the AD B2C tenant with a custom redirect URI (e.g. myappname://auth) which I then use in the creation of PublicClientApplication:

```csharp
public static IPublicClientApplication PublicClientApp { get; } = PublicClientApplicationBuilder.
    Create(ClientId).
    WithRedirectUri("myappname://auth").
    Build();
```

The problem now is how to set up the TCP listener for the auth code? In the sample it is using http://localhost:port (where port is a free local port). But I cannot use that since the B2C app registration will not take such a redirect URI?

@bgavrilMS
Member

@skanvk15 - indeed, B2C does not allow this redirect uri to be used. We are discussing with them to remove the limitation.

Until then unfortunately, I do not see any other workarounds except:

a. Do not use .Net Core, use .Net Classic
b. Implement your own ICustomWebUI using the UI controls available in .Net Core (@jmprieur - we might want to add this to the backlog, we should provide an implementation in an extension library).

@skanvk15
Author

@bgavrilMS thanks for the update. Option (a) will not work for my solution, I have many other dependencies with .NET Core. Option (b) seems like the only choice for me. If an implementation in an extension lib can be provided that would be great.

@bgavrilMS
Member

CC @jennyf19 who may be able to get an update from the B2C team on allowing http://localhost redirect uri

@jmprieur @henrik-me - as an alternative, we could investigate MSAL for .Net Core 3 with WinForms support. This will require a bit of fiddling around:

I am mindful however that we may not want to take a dependency on WinForms from .Net Core 3 and so we might want to provide this functionality as an extension, using ICustomWebUi functionality.

@henrik-me
Contributor

@bgavrilMS : Thanks for the suggestions. I would like to be mindful of the time we have available for this investigation and ideally not bring something on this until netcore 3 has shipped. Will be happy to take contributions from people on this thread as well as others.

@jennyf19
Collaborator

@bgavrilMS there is no ETA yet, but this work is planned for Q1. Once I get a work item link, I'll forward it to you.

@groyal

groyal commented Aug 5, 2019

Hi, I would like to register our interest in this problem too. We are developing on dotnet core 3 preview 7 and a WPF application.
We have the same issue, that the only way to authenticate is local loopback to the default browser.
Our preference is to have the same behavior as .NET Framework and UWP, i.e. a pop-up login.

dot net core <3.0.0-preview7-27912-14>
Identity Client <4.2.1>
Thanks
greg

@bgavrilMS
Member

This work item is not scheduled for now, and we will probably not tackle it until .NET Core 3 is released with a non-preview tag.

You can however implement your own, MSAL has an extensibility point that allows you to bring your own browser:

https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/CustomWebUi
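An added example, not code from this thread, the linked wiki, or the MSAL repository, of the "bring your own browser" ICustomWebUi approach that @bgavrilMS suggests above and in his earlier comment. It assumes MSAL.NET's Microsoft.Identity.Client.Extensibility.ICustomWebUi interface and a WPF WebBrowser control; the class name WpfEmbeddedWebUi and the IsRedirect helper are hypothetical. The control hosts the B2C sign-in page and hands back only a navigation to the registered redirect URI, so MSAL can then extract and validate the authorization code and state as usual.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using System.Windows;
using System.Windows.Controls;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Extensibility;

// Hypothetical ICustomWebUi that hosts the sign-in page in a WPF WebBrowser
// and returns the redirect (carrying code + state) to MSAL for validation.
public sealed class WpfEmbeddedWebUi : ICustomWebUi
{
    public async Task<Uri> AcquireAuthorizationCodeAsync(
        Uri authorizationUri, Uri redirectUri, CancellationToken cancellationToken)
    {
        var tcs = new TaskCompletionSource<Uri>();
        var browser = new WebBrowser();
        var window = new Window { Title = "Sign in", Width = 500, Height = 700, Content = browser };

        browser.Navigating += (s, e) =>
        {
            // Only the redirect URI MSAL was configured with may complete the flow;
            // any other navigation (including a look-alike host) is ordinary browsing.
            if (e.Uri != null && IsRedirect(e.Uri, redirectUri))
            {
                e.Cancel = true;          // never actually load the redirect target
                tcs.TrySetResult(e.Uri);  // MSAL parses and checks code and state
                window.Close();
            }
        };
        window.Closed += (s, e) => tcs.TrySetCanceled();  // user dismissed the dialog

        using (cancellationToken.Register(() => window.Dispatcher.Invoke(window.Close)))
        {
            browser.Navigate(authorizationUri);
            window.Show();  // must run on the WPF UI (STA) thread
            return await tcs.Task.ConfigureAwait(false);
        }
    }

    // Exact scheme, host, port and path match against the registered redirect URI;
    // the query string (code, state, error) is deliberately not compared.
    internal static bool IsRedirect(Uri candidate, Uri redirectUri) =>
        Uri.Compare(candidate, redirectUri,
            UriComponents.SchemeAndServer | UriComponents.Path,
            UriFormat.Unescaped, StringComparison.OrdinalIgnoreCase) == 0;
}

// Usage (assumed): PublicClientApp.AcquireTokenInteractive(scopes)
//     .WithCustomWebUi(new WpfEmbeddedWebUi()).ExecuteAsync();
```

The redirect URI passed in is the one given to WithRedirectUri when building the PublicClientApplication (for example the myappname://auth value registered above), so it must match the B2C app registration exactly.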

@cswierczynski-diam

Hello,
Is there any update on when the work for this issue will be scheduled/released?
Thanks

@henrik-me
Contributor

henrik-me commented Jan 14, 2020

@cswierczynski-diam
Before supporting embedded browsers in the netcore target we have to make some structural changes to the library ensuring we can ship a netcore target which doesn't have a dependency on WPF or Winforms. This work is currently in progress.

We have so far down-prioritized providing the solution in the extensibility library as we want to make this feature part of the core library. The best option so far is to use the CustomWebUI approach as outlined by @bgavrilMS.

@jennyf19 any updates on the B2C timeline?

CC: @jmprieur @jennyf19

@bgavrilMS
Member

Just an update on this - B2C have now implemented support for http://localhost: so AcquireTokenInteractive will work for the Identity Providers that allow this kind of redirect uri. They will support http://localhost (no port) soon.

@bgavrilMS
Member

I believe this is now in production. Closing. Please reopen if necessary.
