
[Bug] Template IndividualAuth B2C Password reset uses default policy #467

Closed
jennyf19 opened this issue Aug 18, 2020 · 2 comments

@jennyf19
Collaborator

Repro:

  • Create an app with the IndividualAuth and B2C template.
  • Use the same settings in our dev app for B2C.
  • Run the app.
  • On the sign-in screen, hit "I forgot my password"
  • Do the billion steps on the screen.
  • Once complete and the password is reset, you'll get an error; in the console you'll see this:

fail: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[12]
Message contains error: 'access_denied', error_description: 'AADB2C90118: The user has forgotten their password.
Correlation ID: e561adb9-d909-498c-8b1b-4da8d5174f4f
Timestamp: 2020-08-18 01:47:01Z
', error_uri: 'error_uri is null'.
fail: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[52]
Message contains error: 'invalid_grant', error_description: 'AADB2C90088: The provided grant has not been issued for this endpoint.
Actual Value : B2C_1_SUSI and Expected Value : B2C_1_reset
Correlation ID: aa3a12fd-2ca4-46f4-b9d7-648236f5a83c
Timestamp: 2020-08-18 01:48:26Z
', error_uri: 'error_uri is null', status code '400'.
fail: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[17]
Exception occurred while processing message.
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_grant', error_description: 'AADB2C90088: The provided grant has not been issued for this endpoint.
Actual Value : B2C_1_SUSI and Expected Value : B2C_1_reset
Correlation ID: aa3a12fd-2ca4-46f4-b9d7-648236f5a83c
Timestamp: 2020-08-18 01:48:26Z
', error_uri: 'error_uri is null'.
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()

Note that the policy is the default, and not the password reset, so we are hitting the wrong authorization server.

Workaround:

Add the token cache implementation in startup.cs:

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
        .AddMicrosoftWebApp(Configuration, "AzureAdB2C")
        .AddMicrosoftWebAppCallsWebApi(Configuration, "AzureAdB2C")
        .AddInMemoryTokenCaches();

and then in appsettings.json, include a client secret.

@jmprieur
Collaborator

Analysis

What happens is that in AzureADB2COpenIDConnectEventHandlers.OnRedirectToIdentityProvider we request an IdTokenCode even in the OIDC case (when the app does not call a Web API):

    context.ProtocolMessage.ResponseType = OpenIdConnectResponseType.CodeIdToken;

When the code is received, Microsoft.Identity.Web does not try to redeem it (because Startup.cs does not contain EnableTokenAcquisitionToCallDownstreamApi), but ASP.NET Core tries to redeem it, and it fails as it's not as clever as Microsoft.Identity.Web to understand the context.

Suggestion to fix it

In:

    context.ProtocolMessage.ResponseType = OpenIdConnectResponseType.CodeIdToken;

I suggest we request CodeIdToken only if there is either a non-null options.ClientSecret, or options.ClientCertificates is not null and not empty; otherwise, just request IdToken. This will distinguish the case sign-in-users-and-calls-web-api (where we want a code) from the case sign-in-users-only (where we don't want the code).

@jennyf19: raising it to P1 and assigning it to the next milestone, as this also affects the Edit Profile scenario in a B2C web app that just signs in users.
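The response-type selection described in the analysis above, as an added example that is not Microsoft.Identity.Web's own code: `B2CResponseTypeSelector` and its methods are hypothetical names, and the code assumes `MicrosoftIdentityOptions` derives from `OpenIdConnectOptions` (so it carries `ClientSecret` and `Events`) and exposes a `ClientCertificates` collection.

```csharp
using System.Linq;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

// Added example, not Microsoft.Identity.Web's code. Assumes MicrosoftIdentityOptions
// exposes ClientSecret (from OpenIdConnectOptions) and ClientCertificates.
public static class B2CResponseTypeSelector
{
    // An authorization code is only worth requesting when the app holds a credential
    // it could redeem the code with. A sign-in-only app has neither, so after a B2C
    // password reset there is no code for ASP.NET Core to redeem against the token
    // endpoint of the wrong policy (B2C_1_SUSI vs B2C_1_reset in the log above).
    public static bool CanRedeemAuthorizationCode(MicrosoftIdentityOptions options) =>
        !string.IsNullOrEmpty(options.ClientSecret)
        || (options.ClientCertificates != null && options.ClientCertificates.Any());

    public static string ChooseResponseType(MicrosoftIdentityOptions options) =>
        CanRedeemAuthorizationCode(options)
            ? OpenIdConnectResponseType.CodeIdToken   // sign in users and call a web API
            : OpenIdConnectResponseType.IdToken;      // sign in users only

    // Replaces the unconditional CodeIdToken assignment: wraps whatever
    // OnRedirectToIdentityProvider handler is already registered and sets the
    // response type from the credentials actually configured.
    public static void Apply(MicrosoftIdentityOptions options)
    {
        var previous = options.Events.OnRedirectToIdentityProvider;
        options.Events.OnRedirectToIdentityProvider = async context =>
        {
            context.ProtocolMessage.ResponseType = ChooseResponseType(options);
            await previous(context);
        };
    }
}
```

Because the decision reads `ClientSecret` and `ClientCertificates` at redirect time, a sign-in-only B2C app that later adds a client secret (as in the workaround above) automatically switches back to requesting a code.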

@jennyf19
Collaborator Author

Included in the 0.3.1-preview release.
