
I have an SPA and authenticate users into Azure AD B2C via msal-browser.js.

The flow has two sequential calls:

  1. msalInstance.loginPopup(loginObj)
  2. msalInstance.acquireTokenSilent(tokenObject)

According to the document below, loginPopup should return an idToken and acquireTokenSilent an access_token.

https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/acquire-token.md.

No matter what I do, the accessToken field is always empty.

I have tried both the default and explicitly set permissions of an application in B2C, but it does not make any difference: accessToken is always empty.

const loginObj = {scopes: ["openid", "profile", "offline_access"]};

const tokenObject = {scopes:["openid","https://graph.microsoft.com/User.Read.All"]};

Can someone explain the reason?

PS: msal-browser.js v. 2.33

max3d

2 Answers

1

First, you need to request a scope that points to some resource app registered in the directory. Second, that resource app must be something you own, so it won't work with User.Read.All, since that's a resource owned by Microsoft.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-authentication-sample-spa-app

Jas Suri - MSFT
Thank you Jas Suri for pointing to the reason: there must be an exposed API, with permission to read, and the SPA app needs to be granted consent to use it. Step 2 in the manual describes the process of registering BOTH the SPA and the API. I have got a working accessToken now, thank you very much! – max3d Mar 04 '23 at 12:11
0

There are a few things that you should ensure:

  1. Verify that your app is set up for the PKCE flow. To ensure this, go to App registration --> Authentication and check that you are using SPA as your platform. Since you are using MSAL.js you need to have SPA as your platform.
  2. Scope: Make sure you are passing the scope when requesting the auth code. I noticed that for loginObj you are passing openid, profile, offline_access as scopes, whereas tokenObject has a different scope. Try to make them consistent.
  3. This is very important: I see that one of your scopes is https://graph.microsoft.com/User.Read.All. This scope requires admin consent, and I am not sure whether admin consent is granted or not. If admin consent is not granted and you are requesting an access token with this scope, then it won't work either.


If this did not solve it, then if possible share the app registration manifest content. It can help us troubleshoot.

Hope this helps!
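The following is an added example, not code from the question or either answer. It turns the rule in the first answer (B2C only mints an access token for a scope on an API registered and exposed in your own B2C tenant, never for a Microsoft-owned resource such as Microsoft Graph, and never for OIDC-only scopes) and the scope-consistency point in the second answer into checks you can run before and after calling msal-browser. The tenant name, App ID URI, client ID and the sample JWT are constructed for the example; the token inspection only decodes claims and does not verify the signature, which is the API's job against the B2C JWKS.

```javascript
// Added example (not from the question or answers). Tenant name, App ID
// URI, client IDs and the sample token below are constructed.

// Scopes that only shape the ID token; they never yield an access token.
const OIDC_SCOPES = new Set(["openid", "profile", "email", "offline_access"]);

// Split a requested scope list into: OIDC scopes, scopes on an API you
// registered in the B2C tenant (these produce an access token), and
// "foreign" scopes on resources B2C cannot issue tokens for, e.g.
// https://graph.microsoft.com/User.Read.All from the question.
function classifyScopes(scopes, ownedApiUris) {
  const out = { oidc: [], ownedApi: [], foreign: [] };
  for (const s of scopes) {
    if (OIDC_SCOPES.has(s)) out.oidc.push(s);
    else if (ownedApiUris.some((u) => s.startsWith(u.replace(/\/$/, "") + "/"))) out.ownedApi.push(s);
    else out.foreign.push(s);
  }
  out.willGetAccessToken = out.ownedApi.length > 0;
  return out;
}

// Build matching loginPopup / acquireTokenSilent requests. Asking for the
// API scope at login too means consent is gathered once and the silent
// call can be served from the MSAL cache (the second answer's point 2).
function buildRequests(apiUri, scopeNames) {
  const apiScopes = scopeNames.map((n) => `${apiUri}/${n}`);
  return {
    loginRequest: { scopes: ["openid", "offline_access", ...apiScopes] },
    tokenRequest: { scopes: apiScopes },
  };
}

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return typeof Buffer !== "undefined" ? Buffer.from(b64, "base64").toString("utf8") : atob(b64);
}
function base64UrlEncode(str) {
  const b64 = typeof Buffer !== "undefined" ? Buffer.from(str, "utf8").toString("base64") : btoa(str);
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Client-side sanity check of the access token MSAL returns: audience must
// be YOUR API's client id and scp must carry the requested scope names.
// This DECODES only; signature validation belongs in the API, not the SPA.
function inspectAccessToken(jwt, expectedAud, expectedScopeNames, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split(".");
  if (parts.length !== 3) return { ok: false, reason: "not a compact JWS" };
  let payload;
  try { payload = JSON.parse(base64UrlDecode(parts[1])); } catch { return { ok: false, reason: "payload is not JSON" }; }
  const scp = typeof payload.scp === "string" ? payload.scp.split(" ") : [];
  const missing = expectedScopeNames.filter((n) => !scp.includes(n));
  if (payload.aud !== expectedAud) return { ok: false, reason: `aud ${payload.aud} is not the API client id` };
  if (missing.length) return { ok: false, reason: `scp missing ${missing.join(",")}` };
  if (typeof payload.exp !== "number" || payload.exp <= nowSeconds) return { ok: false, reason: "expired" };
  return { ok: true, aud: payload.aud, scp };
}

// Constructed identifiers for a B2C tenant "contoso" exposing "tasks-api".
const TENANT = "contoso";
const API_CLIENT_ID = "22222222-2222-2222-2222-222222222222";
const API_URI = `https://${TENANT}.onmicrosoft.com/tasks-api`;

// Constructed stand-in for the token B2C would issue for tasks.read.
// The signature segment is a placeholder, so this is not a valid token.
function sampleAccessToken(nowSeconds = Math.floor(Date.now() / 1000)) {
  const header = { alg: "RS256", typ: "JWT", kid: "constructed" };
  const payload = {
    iss: `https://${TENANT}.b2clogin.com/11111111-1111-1111-1111-111111111111/v2.0/`,
    aud: API_CLIENT_ID,
    scp: "tasks.read",
    exp: nowSeconds + 3600,
  };
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.c2lnbmF0dXJl`;
}

// The question's original request: OIDC plus a Graph scope, so nothing
// B2C can mint an access token for.
const asked = classifyScopes(["openid", "https://graph.microsoft.com/User.Read.All"], [API_URI]);
console.log(asked.willGetAccessToken, asked.foreign); // false [ 'https://graph.microsoft.com/User.Read.All' ]

// The fixed request against an API you own.
const { loginRequest, tokenRequest } = buildRequests(API_URI, ["tasks.read"]);
console.log(classifyScopes(tokenRequest.scopes, [API_URI]).willGetAccessToken); // true
console.log(inspectAccessToken(sampleAccessToken(), API_CLIENT_ID, ["tasks.read"]).ok); // true
```

In the real flow, `loginRequest` goes to `msalInstance.loginPopup()` and `tokenRequest` to `msalInstance.acquireTokenSilent()` (falling back to `acquireTokenPopup()` on `InteractionRequiredAuthError`); run `classifyScopes` on the request first and `inspectAccessToken` on the result, and treat a token whose `aud` is not your API's client id as a misconfiguration, not something to send to the API anyway.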