2
votes

I am experiencing an issue trying to obtain a new access token from my AD B2C. From my SPA I use the MSAL.js library (v0.1.3) to authenticate to my AD B2C. After an hour, the access token expires, so I do a silent token renew procedure, but it fails. I use the following link to get a new access token:

https://login.microsoftonline.com/te/myApp.onmicrosoft.com/b2c_1_signin/oauth2/v2.0/authorize?response_type=token&scope=https%3A%2F%2FmyApp.onmicrosoft.com%2Fapi%2Faccount.read%20openid%20profile&client_id=XXX&redirect_uri=https%3A%2F%2FmyApp.azurewebsites.net%2F&state=XXX&nonce=XXX&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=0.1.3&client-request-id=XXX&prompt=none&domain_req=XXX&login_req=XXX-b2c_1_signin&domain_hint=organizations

I receive the following error from the B2C:

AADB2C90077: User does not have an existing session and request prompt parameter has a value of 'None'. Correlation ID: YYY

I could not find any information concerning the cause of the error AADB2C90077.

Thanks

2
Well, the error means the session cookie for the B2C tenant was not found. Do you get automatically redirected back to the app if you log in again while the access token is active? - juunas
Do you have an active session with Azure AD on some other account? - juunas
You might be passing wrong scope values. Refer: StackOverflow Link. - Ajay Kadam
When I get the error, my SPA calls the redirect function from MSAL.js, I can then log in to the B2C and I am redirected to my SPA with a new access token valid for the next hour. - DavidH
I am also connected to the AD via the Azure Portal, but I don't know if it counts. - DavidH

2 Answers

1
votes

For the record, after multiple back and forths with Microsoft technical support and developer teams we finally identified the cause of my AADB2C90077 error code. There was an issue in the Azure B2C backend where the default values were not handled properly by the system. My workaround was to modify the four token lifetime values: ‘Access & ID token lifetime’, ‘Refresh token lifetime’, ‘Refresh token sliding window lifetime’ and the ‘Web app session lifetime’, in order for them to appear in the policy XML.

As of February 22nd 2018, Microsoft confirmed they issued a fix to solve this issue. So if someone has the issue, it is most likely for a different reason.

0
votes

One thing that could cause the AADB2C90077 error is a disabled value of the Single sign-on configuration setting of a user flow or a custom policy.

Say you are on an SPA app requesting a token for your Web API app, like it is done in this MSAL sample. The SPA app and the Web API app each have their own app registrations. From the SPA app you are accessing a scope of the Web API app. The interactive login returns an id_token, but the subsequent request for an access token fails with the above message.

Here is the setting to change for user flows (custom policies require editing the XML): User flow setting that causes AADB2C90077
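The question's silent renew is an implicit-flow `prompt=none` request, and B2C answers it by redirecting to `redirect_uri` with either a token or an error in the URL fragment; the comments describe falling back to an interactive redirect when the AADB2C90077 error comes back. The following is an added example (not code from the question, the answers, or MSAL.js) of how an SPA can parse that fragment, reject a response whose `state` does not match, and decide whether the failure is the "no session" case that justifies an interactive login rather than a retry loop. It assumes B2C reports AADB2C90077 as `error=interaction_required`; the sample fragments are constructed, not captured from a real tenant.

```javascript
// Constructed sample fragments, modelled on the question's error text (not real captures).
const SAMPLE_TOKEN_FRAGMENT =
  '#access_token=constructed.access.token&token_type=Bearer&expires_in=3600&state=abc123';
const SAMPLE_ERROR_FRAGMENT =
  '#error=interaction_required&error_description=AADB2C90077%3A+User+does+not+have+an+' +
  'existing+session+and+request+prompt+parameter+has+a+value+of+%27None%27.+' +
  'Correlation+ID%3A+YYY&state=abc123';

// Errors for which the OIDC spec says "the user must interact"; anything else is a
// configuration problem (bad scope, bad client) and must not trigger a login loop.
const INTERACTION_ERRORS = ['interaction_required', 'login_required', 'consent_required'];

// Parse the fragment B2C appended to redirect_uri after a prompt=none authorize request.
// expectedState is the state value the SPA generated for this request; nowSeconds is the
// current time (injected so the result is deterministic).
function parseAuthResponse(fragment, expectedState, nowSeconds) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  // state binds the response to the request we issued; a mismatch is a replay/CSRF signal,
  // so the response is discarded before any token or error in it is trusted.
  if (params.get('state') !== expectedState) {
    return { kind: 'invalid', reason: 'state mismatch' };
  }
  const error = params.get('error');
  if (error) {
    const description = params.get('error_description') || '';
    const codeMatch = description.match(/AADB2C\d{5}/); // e.g. AADB2C90077
    return {
      kind: 'error',
      error,
      code: codeMatch ? codeMatch[0] : null,
      description,
      needsInteraction: INTERACTION_ERRORS.includes(error),
    };
  }
  const accessToken = params.get('access_token');
  if (!accessToken) {
    return { kind: 'invalid', reason: 'neither token nor error in response' };
  }
  const expiresIn = Number(params.get('expires_in') || 0);
  return { kind: 'token', accessToken, expiresAt: nowSeconds + expiresIn };
}

// Map a parsed response to what the SPA should do next.
function nextAction(result) {
  if (result.kind === 'token') return 'use-token';
  if (result.kind === 'error' && result.needsInteraction) return 'acquireTokenRedirect';
  if (result.kind === 'error') return 'report-config-error';
  return 'discard';
}
```

The `needsInteraction` branch is where the SPA would call MSAL's interactive redirect, as the commenter does; a `state` mismatch or an unexpected error code should be logged rather than retried.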