I have an SPA that uses MSAL (msal-browser@2.7.0) to authenticate against Azure AD B2C. I call loginRedirect() and everything works as expected. Once the redirect comes back, I save the account information in handleRedirectPromise() and then use acquireTokenSilent() to get an access token to use to call my backend API. This access token, however, is signed by a key that is not one of the keys listed in the JWK key document. I suspect, from research, that maybe I have been given an access token that is supposed to be used to call the MS Graph API, but I do not intend to call that API; I need an access token that can be used to call my backend API. I assume that something is simply misconfigured somewhere, but I've followed every bit of documentation that I can find (most of it is out of date, references MSAL 1.x), and nothing works.
My MSAL configuration is as follows:
import * as msal from "@azure/msal-browser";

const msalConfig: msal.Configuration = {
  auth: {
    clientId: '96582630-b045-4a92-b798-c1b7448335ad', // (not my real client id)
    // B2C authority for the sign-up/sign-in user flow (policy)
    authority: 'https://mytenant.b2clogin.com/tfp/mytenant.onmicrosoft.com/B2C_1_signupsignin1',
    // authorities MSAL should trust (required for B2C)
    knownAuthorities: ['https://mytenant.b2clogin.com/tfp/mytenant.onmicrosoft.com/B2C_1_signupsignin1'],
    redirectUri: 'http://localhost:3000'
  }
};

const msalInstance = new msal.PublicClientApplication(msalConfig);
Login is done as follows:
// scopes requested at login; the API scope is only listed for consent here
const loginRequest: msal.RedirectRequest = {
  scopes: ["openid", "profile", "offline_access"],
  extraScopesToConsent: ["https://mytenant.onmicrosoft.com/backend-api/normal-things"]
};
msalInstance.loginRedirect(loginRequest);
Access token is obtained as follows:
let accessToken: string | undefined;

const request: msal.SilentRequest = {
  scopes: ["openid", "https://mytenant.onmicrosoft.com/backend-api/normal-things"],
  account: accountInfo // (or null?) -- account saved from handleRedirectPromise()
};

msalInstance.acquireTokenSilent(request).then(tokenResponse => {
  accessToken = tokenResponse.accessToken;
}).catch(error => {
  if (error instanceof msal.InteractionRequiredAuthError) {
    // fallback to interaction when silent call fails
    return msalInstance.acquireTokenRedirect(request);
  } else {
    console.log(error);
  }
});
I filed an issue over at the MSAL GitHub repository (https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/2645), and they suppose it's an issue with B2C.
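A small diagnostic for the symptom described in the question (a token whose signing key is not in the expected JWK document), added here as an example and not part of the question or of MSAL: it decodes the token's header and claims without verifying the signature and reports whether its `kid` is present in a given JWKS document, alongside the `iss`, `aud` and `scp` claims that show which issuer and API the token was minted for. The JWKS and token values below are constructed placeholders; the real JWKS comes from the `jwks_uri` in the B2C policy's OpenID configuration.

```javascript
// Added diagnostic helper, not code from the question: decodes a JWT's header and
// claims without verifying the signature and reports whether its `kid` is in a
// JWKS document (e.g. the one at the B2C policy's jwks_uri). Troubleshooting only.
// base64url-encode a JSON object (only used to build the constructed samples).
function encodeSegment(obj) {
  const json = JSON.stringify(obj);
  const b64 = typeof btoa === "function" ? btoa(json) : Buffer.from(json, "utf8").toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// base64url-decode a JWT segment into a JSON object.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const json = typeof atob === "function" ? atob(padded) : Buffer.from(padded, "base64").toString("utf8");
  return JSON.parse(json);
}

// Returns { kid, kidKnown, iss, aud, scp } for a compact JWS and a JWKS
// document of the form { keys: [{ kid, ... }, ...] }.
function inspectAccessToken(token, jwks) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected a 3-segment compact JWS");
  const header = decodeSegment(parts[0]);
  const claims = decodeSegment(parts[1]);
  const knownKids = new Set((jwks.keys || []).map(k => k.kid));
  return {
    kid: header.kid,
    kidKnown: knownKids.has(header.kid),
    iss: claims.iss,
    aud: claims.aud,
    scp: claims.scp,
  };
}

// Constructed samples with placeholder values (not real tokens or keys).
const SAMPLE_JWKS = { keys: [{ kid: "B2C-POLICY-KEY-1", kty: "RSA" }] };
const SIG = "c2lnbmF0dXJl"; // placeholder signature segment, never checked
const tokenForBackendApi = [
  encodeSegment({ alg: "RS256", typ: "JWT", kid: "B2C-POLICY-KEY-1" }),
  encodeSegment({ iss: "https://mytenant.b2clogin.com/<tenant-id>/v2.0/",
                  aud: "<backend-api-app-id>", scp: "normal-things" }),
  SIG,
].join(".");
const tokenFromUnknownKey = [
  encodeSegment({ alg: "RS256", typ: "JWT", kid: "NOT-IN-POLICY-JWKS" }),
  encodeSegment({ iss: "<other-issuer>", aud: "<other-audience>" }),
  SIG,
].join(".");
```

If `kidKnown` is false for the token MSAL returned and `aud` is not your backend API's app id, the token was issued for a different audience, which is what the question suspects; the backend should keep rejecting it until the request yields a token whose `kid` is in the policy's JWKS and whose `aud` is the API.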