Problem with Authentication

[hihelloluigi]

Hi :)
I'm new with Azure B2C. I followed the indication on web site (https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant) on how to create a azure b2c. Now I wanna implement it in my iOS and Android applications. I started with iOS and with this MSAL library. I followed the readme and I put my tenant fields in example variables.

I have some doubts:

• What do I have to insert in kGraphURI & kScopes if I haven't any backend REST API?
• When I run the code the first log is:

Unable to create application Error Domain=MSALErrorDomain Code=-50000 "(null)" UserInfo={MSALErrorDescriptionKey=The required query schemes "msauthv2" and "msauthv3" are not registered in the app's info.plist file. Please add "msauthv2" and "msauthv3" into Info.plist under LSApplicationQueriesSchemes without any whitespaces., MSALInternalErrorCodeKey=-42001}

So I added LSApplicationQueriesSchemes.

• In console after added the previous info in info.plist show:

%@ TID=2218501 MSAL 1.0.7 iOS Sim 13.3 [2020-02-05 17:40:28] Default app's access group: "Masked(not-null)". %@ TID=2218501 MSAL 1.0.7 iOS Sim 13.3 [2020-02-05 17:40:28] Using "Masked(not-null)" Team ID. %@ TID=2218501 MSAL 1.0.7 iOS Sim 13.3 [2020-02-05 17:40:28] Init MSIDKeychainTokenCache with keychainGroup: Masked(not-null)

Is that correct?

And finally when I tried to authorize, the app open a web view with the correct page I insert the credentials but return NO token and this error:

Could not acquire token: Error Domain=MSALErrorDomain Code=-50000 "(null)" UserInfo={MSALErrorDescriptionKey=Authentication response received without expected accessToken, MSALInternalErrorCodeKey=-42008, MSALCorrelationIDKey=0561E37D-1D5C-4B12-9862-6D9CC4798CB6}

But I think that is caused from some configurations errors.

PS: Is it possible to implement a custom native UI for signup, login ecc... without open a web view? If the answer is YES, how can I find some tutorial o guide?

Thank you very much!!

[jennyf19]

@mo3bius I know for .NET, developers have to send us a scope value. I'm not sure for Obj-C, but @oldalton can answer that for us. If you don't care about configuring an API, then just use "user.read" as the scope value, I know this works for apps registered with AAD, but not sure for AAD B2C (@valnav do you know if this is the case?).

Because you're not sending in a scope, you're not getting an AccessToken back. In the AAD case, sending in user.read will get you an AT for graph. B2C is slightly different however.

[valnav]

B2C apps need the offline_access and openid scopes. In the new app registrations (preview), this is selected by default during the registration of the app. See highlighted in the image

[hihelloluigi]

user.read

I tried to insert let kScopes: [String] = ["user.read"] // This is a scope that you've configured your backend API to look for. but show me this error message:

Could not acquire token: Error Domain=MSALErrorDomain Code=-50000 "(null)" UserInfo={MSALErrorDescriptionKey=AADB2C90117:+The+scope+'user.read'+provided+in+the+request+is+not+supported. Correlation+ID:+1752abff-5f82-4683-b8c3-11f139a5fb06 Timestamp:+2020-02-07+16:47:46Z , MSALOAuthErrorKey=invalid_request, MSALInternalErrorCodeKey=-42002}

[hihelloluigi]

B2C apps need the offline_access and openid scopes. In the new app registrations (preview), this is selected by default during the registration of the app. See highlighted in the image

I selected this flag on Azure but I don't understand what I have to insert in:
let kScopes: [String] = ["https://fabrikamb2c.onmicrosoft.com/helloapi/demo.read"] // This is a scope that you've configured your backend API to look for. of swift code.

Because in this moment I don't have any API to connect (I just want a token back from B2C) and if I try to insert: "user.read" or "opened" or "offline_access"

let kScopes: [String] = ["user.read"]
let kScopes: [String] = ["opened"]
let kScopes: [String] = ["offline_access"]

Give me an error like I said in previous response.

[agentsim]

Were you able to figure out how to request the user.read scope? I'm having the same problem.

[oldalton]

Unfortunately we don't support cases where no access token is returned right now. I've filed a feature request for this here: AzureAD/microsoft-authentication-library-for-objc#852

1. In the meantime, you can configure your own "dummy" Web API and a scope. Try following:

Select your Web API registration (create one if needed) -> Go to “Published scopes” -> Add user.read scope -> Go to “API access” -> Select “Add” and select your “user.read” scope in the popup

Now go to “Properties” -> Check App ID URI

Copy App ID Uri and append “user.read” to it

So if App ID uri is “https://iosmsalb2c.onmicrosoft.com/test”, scope would be "https://iosmsalb2c.onmicrosoft.com/test/user.read” 

Pass scope to MSAL

2. Another thing you can do, is pass your clientId that you're using to create MSALPublicClientApplication as your scope.

[nguyenhuutinh]

yes, the guideline is very confused to follow.
should make more clearly about some parameter

[nguyenhuutinh]

and what should I fill for kGraphURI ? @oldalton

[oldalton]

If you are actually not calling any Web API from your client, feel free to ignore that section and you can also completely remove this function from your app: https://github.com/Azure-Samples/active-directory-b2c-ios-swift-native-msal/blob/master/MSALiOSB2C/ViewController.swift#L270. This sample is meant to show client calling your own Web API on top of initial sign in.

[oldalton]

Closing this issue as stale. Please reopen if needed.

[mbondoso]

@oldalton I have already a webapp working with msal that currently is returning an id_token;
I tried to replicate the same approach when developing for iOS, which is the same as you suggested it above:
2. Another thing you can do, is pass your clientId that you're using to create MSALPublicClientApplication as your scope.

But the error is still the same, "Could not acquire token: Error Domain=MSALErrorDomain Code=-50000 "(null)" UserInfo={MSALErrorDescriptionKey=Authentication response received without expected accessToken"

can you give a little bit more input on this?

[oldalton]

@mbondoso, you'll need to create a "dummy" API like it is explained above.

Unfortunately we don't support cases where no access token is returned right now. I've filed a feature request for this here: AzureAD/microsoft-authentication-library-for-objc#852

1. In the meantime, you can configure your own "dummy" Web API and a scope. Try following:

Select your Web API registration (create one if needed) -> Go to “Published scopes” -> Add user.read scope -> Go to “API access” -> Select “Add” and select your “user.read” scope in the popup

Now go to “Properties” -> Check App ID URI

Copy App ID Uri and append “user.read” to it

So if App ID uri is “https://iosmsalb2c.onmicrosoft.com/test”, scope would be "https://iosmsalb2c.onmicrosoft.com/test/user.read” 

Pass scope to MSAL

1. Another thing you can do, is pass your clientId that you're using to create MSALPublicClientApplication as your scope.