We want to use MSAL for Authentication in our Web application with Web API using Authorization Code Flow.
I was using Sample from GitHub (https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-2-B2C). But unfortunately it uses Implicit Code Flow by default.
Note: I disabled both Access Token and Id Token from Implicit Flow option for the application on the Azure Portal.
As I can see in request URL for Authorization EndPoint, the ResponseType was "code id_token". But we just want to use Authorization Code Flow everywhere. So It needs to be "code" only.
Then I found in this StackOverflow Article (https://stackoverflow.com/questions/61554550/azure-ad-b2c-error-aadb2c90057-when-i-am-not-trying-to-use-the-implicit-flow) someone faced the same problem, I commented this line of code in Github sample
//services.AddSignIn(Configuration, "AzureAdB2C");
And added block of code from update section in StackOverflow Article (https://stackoverflow.com/questions/61554550/azure-ad-b2c-error-aadb2c90057-when-i-am-not-trying-to-use-the-implicit-flow).
Then I now get the following error:
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: IDX21336: Both 'id_token' and 'access_token' should be present in OpenIdConnectProtocolValidationContext.ProtocolMessage received from Token Endpoint. Cannot process the
message.
To fix it, I added "client id" scope to OpenIdConnectOptions according to this article (https://github.com/dotnet/aspnetcore/issues/23284#issuecomment-648775392)
Further, AcquireTokenByAuthorizationCode method was throwing a long exception with top line:
at Microsoft.Identity.Client.OAuth2.OAuth2Client.ThrowServerException(HttpResponse response, RequestContext requestContext)
I changed "Instance" in appsetting from https://company.b2clogin.com to https://company.b2clogin.com/tfp/.
Now I am getting Id Token, but AccessToken is returned null by AcquireTokenByAuthorizationCode method.
Am I still missing some configuration OR its some bug in Microsoft.Identity.Web with Authorization Code Flow?
Is it fine to use AddAuthentication with options for AzureADB2C(MSAL) OR We should be using AddSignIn Method only?
