1
votes

I downloaded here from GitHub an Azure Sample for using Azure Active Directory B2C (ADB2C) in Angular. Please consider that ADB2C on Azure Portal has been successfully configured by me and is able to interact with my Angular application. In fact, I'm happily able to sign up a new user without problem.
But, once I sign in, it always returns the following message:

Password has been reset successfully. Please sign-in with your new password

I tried to reset the password, but I always receive the same. I inspected the Microsoft code and I discovered this line:

  if (success.idToken.claims['acr'] !== b2cPolicies.names.signUpSignIn) {
    window.alert("Password has been reset successfully. \nPlease sign-in with your new password");
    return this.authService.logout()
  }

I investigated a little bit further and I realized that the generated ADB2C JWTToken is missing the "acr" claim. And here, on Microsoft Official Documentation, they wrote:

Used only with older policies.

So I'm wondering:

  1. Is "acr" claim mandatory?
  2. Can I comment out the line without affecting the stability? The application seems to work and the returned JWT is well formed
  3. Why is the GitHub code using this weird condition? I will open an issue then..

Thanks


1 Answers

0
votes

Got it sorted out. I quote the answer that Derisen (the author) replied to me here on GitHub:

  1. acr claim is only required if you need to use password reset flow. For newer policies, its equivalent is tfp (let me know if you don't have that claim in your token).
  2. you can certainly do that, if you don't need password reset flow.

And I realized that on Azure Portal, in the ADB2C section, you can change the setting:

enter image description here
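The check from the question, reworked as an added example (not the sample's or the author's code): it reads `tfp`, falls back to `acr`, and treats a token carrying neither claim as unknown instead of as a completed password reset. The policy names, the function names and the case-insensitive comparison are assumptions made for illustration.

```javascript
// Constructed placeholder policy names; replace with the names from your tenant.
const b2cPolicies = {
  names: { signUpSignIn: "B2C_1_susi", resetPassword: "B2C_1_reset" },
};

// Return the policy name carried by the ID token claims, or null if absent.
// Newer policies emit "tfp"; older ones emit "acr" (per the answer above).
function policyFromClaims(claims) {
  const value = claims.tfp ?? claims.acr;
  return typeof value === "string" && value.length > 0
    ? value.toLowerCase()
    : null;
}

// Classify which user flow issued the token.
// "unknown" means the token has neither claim, which is exactly the case
// the original `!==` comparison misread as a password reset.
function classifyFlow(claims, names = b2cPolicies.names) {
  const policy = policyFromClaims(claims);
  if (policy === null) return "unknown";
  if (policy === names.signUpSignIn.toLowerCase()) return "signUpSignIn";
  if (policy === names.resetPassword.toLowerCase()) return "resetPassword";
  return "other";
}

// Decide what the login callback should do with the classified flow.
function nextAction(claims) {
  switch (classifyFlow(claims)) {
    case "signUpSignIn":
      return "continue"; // normal sign-in, keep the session
    case "resetPassword":
      return "logout-and-sign-in-again"; // token came from the reset flow
    case "unknown":
      return "continue-and-log-missing-claim"; // do not force a logout
    default:
      return "continue"; // some other policy, e.g. profile edit
  }
}

// Constructed sample claim sets.
console.log(nextAction({ tfp: "b2c_1_susi" }));
console.log(nextAction({ acr: "b2c_1_reset" }));
console.log(nextAction({ sub: "constructed-user-id" }));
```

These claims only drive client-side routing here; the decision is about which screen to show, not about whether the token is trusted.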