5 votes

We're using Azure AD B2C to authenticate users, via our API. Both Client (Angular 2) and API have the same Client ID.

This all works fine. As scopes I've defined openid.

However, when calling AcquireTokenAsync after being logged in for more than the expiration time, I'm now getting this error:

"AADB2C90055: The scope 'openid profile' provided in request must specify a resource, such as 'https://example.com/calendar.read'."

I'm calling this method from our Angular application; we're using MSAL.JS. So, it's working fine within the token expiration time (default 60 minutes), but after 60 minutes I'm starting to get this error.

Exactly the same issue as error 1 here: Azure AD B2C Token Issue

Is this a bug in MSAL JS or is our set up incorrect? I'm aware I could have created a separate client ID for our API, but this is working fine for logging in, so I have not bothered. Our API just needs to know the user name, email, etc.

Can you please clarify from where you are invoking AcquireTokenAsync? – Chris Padgett
Sure! I'm doing that from our Angular application, every time I call our API. This works fine, until the initial token acquired by logging in has expired. Added this to my question as well, thanks. – Boland
What is the complete list of scopes you are requesting? – Marc LaFleur
@MarcLaFleur just openid. Believe MSAL.JS is adding profile. We're only using it to authenticate a user and get e.g. object ID. I'm still unsure why it works fine for logging in, but not for refreshing tokens. – Boland
Can you provide an example token? I believe MSAL should be adding the offline_access scope when using OpenID but I may be mistaken. Regardless, the JWT should include the offline_access scope, otherwise AAD won't provide a refresh_token. If that happens, it would explain why it fails to refresh properly. – Marc LaFleur

1 Answer

5 votes

The reason you're unable to refresh the token is that the Microsoft Authentication Library for JavaScript (MSAL.js) only supports the OAuth Implicit Grant.

OAuth Implicit Grants, by design, do not support/return a Refresh Token:

The implicit grant type is used to obtain access tokens (it does not support the issuance of refresh tokens) and is optimized for public clients known to operate a particular redirection URI. These clients are typically implemented in a browser using a scripting language such as JavaScript.

In order to get a Refresh Token, you'll need to authenticate using the Authorization Code Grant. This will require some work on your backend to capture the Authorization Code and convert it into the Access and Refresh Tokens.
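Added example, not code from the question, the answer or MSAL.js: the two grants the answer contrasts, side by side, against Azure AD B2C's v2.0 endpoints. The tenant name, user-flow (policy) name, client ID and redirect URI are placeholders, and the token endpoint is a constructed stub so the file runs offline in plain Node.js.

```javascript
// Added example, not code from the question or answer. Tenant, policy, client id
// and redirect URI are placeholders; the token endpoint is a constructed stub.
const TENANT = 'contoso';                                  // placeholder
const POLICY = 'B2C_1_signupsignin';                       // placeholder user flow
const CLIENT_ID = '00000000-0000-0000-0000-000000000000';  // placeholder
const REDIRECT_URI = 'https://localhost/auth/callback';    // placeholder
const B2C = `https://${TENANT}.b2clogin.com/${TENANT}.onmicrosoft.com/${POLICY}/oauth2/v2.0`;

// /authorize URL for either grant. 'implicit' returns tokens in the URL fragment and,
// per RFC 6749 section 4.2, never a refresh token; 'code' returns a one-time code.
function buildAuthorizeUrl(grant, scopes) {
  const implicit = grant === 'implicit';
  const params = new URLSearchParams({
    client_id: CLIENT_ID,
    response_type: implicit ? 'id_token token' : 'code',
    response_mode: implicit ? 'fragment' : 'query',
    redirect_uri: REDIRECT_URI,
    scope: scopes.join(' '),
    nonce: 'constructed-nonce', // constructed; use a fresh random value per request
  });
  return `${B2C}/authorize?${params}`;
}

// Implicit grant: what the browser gets back. No refresh_token exists to parse,
// so renewing after expiry means repeating the whole redirect flow.
function parseImplicitFragment(fragment) {
  const p = new URLSearchParams(fragment.replace(/^#/, ''));
  return { idToken: p.get('id_token'), accessToken: p.get('access_token'),
           refreshToken: p.get('refresh_token') }; // always null here
}

// Authorization Code Grant, backend step: swap the code for tokens. `post` is injected
// so this runs offline; in production it is a form-encoded HTTPS POST to `${B2C}/token`.
function exchangeCode(post, code, scopes) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code', client_id: CLIENT_ID, code,
    redirect_uri: REDIRECT_URI, scope: scopes.join(' '),
  });
  const tokens = post(`${B2C}/token`, body);
  // A refresh token is issued only when offline_access was among the scopes.
  if (!tokens.refresh_token) throw new Error('no refresh_token; request offline_access');
  return tokens;
}

// Constructed stand-in for the token endpoint, encoding just the rule above.
function fakeTokenEndpoint(_url, body) {
  const tokens = { id_token: 'constructed.id.token', token_type: 'Bearer', expires_in: 3600 };
  if (body.get('scope').split(' ').includes('offline_access')) tokens.refresh_token = 'constructed-rt';
  return tokens;
}
```

Running `exchangeCode(fakeTokenEndpoint, code, ['openid', 'offline_access'])` yields a refresh token, while the same call with only `openid profile` does not, which is the condition behind the renewal failure in the question.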