[Bug] New version of the library does not support Azure B2C 2.0 Authority

[andkorsh]

Library version used

4.56

.NET version

net8-windows

Scenario

PublicClient - desktop app

Is this a new or an existing app?

The app is in production, and I have upgraded to a new version of MSAL

Issue description and reproduction steps

We are using MSAL.net in windows app connected to Azure B2C authority.

Before 4.56 it worked either by using .WithB2CAuthority(authority), or .WithExperimentalFeatures().WithOidcAuthority(authority) - both worked correctly with Azure B2C authority with format https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/v2.0/.

Please notice that our B2C authority has 'v2.0' in it, which corresponds to requestedAccessTokenVersion configuration in B2C app reg manifest:

After version 4.56, neither of the options work, because:

1. WithB2CAuthority doesn't work for us, since it expect the authority in the format of https://{tenant}.b2clogin.com/tfp/{tenant}.onmicrosoft.com/{policy} which, as I understand, is the old format. The .well-known/openid-configuration from that authority publishes the issuer as https://{tenant}.b2clogin.com/{tenant-guid}/ however when the token is issued, it will have iss claim of https://{tenant}.b2clogin.com/{tenant-guid}/v2.0/ since requestedAccessTokenVersion is set to 2 in app manifest, effectively making the token invalid altogether. Downgrading the manifest value is not possible either:

If attempted to use WithB2CAuthority() and pass the 2.0 authority URL https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/v2.0/, MSAL would navigate to /v2.0/oauth/v2.0/ which is incorrect URL and will therefore yield error 404. This has been reported multiple times, with users being advised to use the older /tfp/ URL:

• Need ability to have more than 3 path segments in B2C authority URI #3842
• [Bug] Url for getting token from B2C is wrong, causes 404 #4392

2. WithExperimentalFeatures().WithOidcAuthority doesn't work either since the new issuer validation doesn't allow it:

Microsoft.Identity.Client.MsalServiceException: 'Issuer validation failed for authority: https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/v2.0/ . Issuer from OIDC endpoint does not match any expected pattern: https://{tenant}.b2clogin.com/{tenant-guid}/v2.0/ . '

Therefore, currently there is no configuration under which Azure B2C 2.0 would be supported by MSAL.NET.

Relevant code snippets

Expected behavior

The new (non-tfp) b2c authority URL should be properly supported.

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

[bgavrilMS]

tfp is just a placeholder for MSAL to know this is a B2C authority. You don't have to change anything on your end.
@Avery-Dunn - maybe it's better to fix this for B2C as well?

[andkorsh]

@bgavrilMS Thank you for the clarification! What I have tried before was:

• https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/v2.0/
• https://{tenant}.b2clogin.com/tfp/{tenant}.onmicrosoft.com/{policy}/

But what I haven't tried, and what apparently works, is:

• https://{tenant}.b2clogin.com/tfp/{tenant}.onmicrosoft.com/{policy}/v2.0/

Having both tfp and v2.0 in the authority URI seems to have done the trick, WithB2CAuthority now accepts this URI and the issued token has the correct v2.0 issuer scope.

I believe this solves my problem, thanks again! Not sure if there is anything to fix, except for maybe some documentation/comments.

[bgavrilMS]

Thanks for confirming @andkorsh