B2C does not always issue access token but TokenResponse assumes there is an access token resulting in a JSON parse error

[alex-mason-by]

Using MSAL4J library with B2C can result in a JSON parse error due to an assumption in TokenResponse that doesn't always hold with B2C and that assumption is that an access token is always returned. The refresh token has the same assumption although perhaps that is fine? In the case where MSAL4J is used for a server-side application login that needs no custom scope then no access token is returned and this code should not blow up on that scenario.

https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/src/main/java/com/microsoft/aad/msal4j/TokenResponse.java#L48
final AccessToken accessToken = AccessToken.parse(jsonObject);
final RefreshToken refreshToken = RefreshToken.parse(jsonObject);

[sangonzal]

@alex-mason-jdas Acknowledged, I am able to reproduce this error. Discussing possible solutions with the team, will update this issue once we have a ETA for a fix.

[sangonzal]

@alex-mason-jdas Can you please share details about the scenario where you are trying to acquire just an Id token and no access token or refresh token? Is there any reason why are not requesting the access/ refresh tokens?

[alex-mason-by]

That is the default behavior of B2C if there is no custom scope requested, so it would be a scenario that is just a sign in scenario (monolithic app perhaps). You can see indication in the provided link. I myself don't really agree with the implementation of B2C and think it ought to always return an access token, but it does not if there is no custom scope meaning that this application does not need to call some other web API resource. As far as refresh token, well that really depends on whether the nature of the application needs a longer life or not, doesn't it? In any case, I think you really need to discuss with the B2C team. I am just reporting the behavior since MSAL4J claims to support B2C and this is kind of a basic error. Perhaps the resolution is on the B2C side but it's one of the two and should not really be put back on the user of MSAL nor B2C.

https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oidc

[sangonzal]

@alex-mason-jdas Thanks for expanding.

I've had a chance to dig in a bit deeper and chat with the B2C team. They should be returning access tokens on all successful token responses. This is a bug on their end which they are now aware of.

We won't make any changes to MSAL. While they fix this problem, you can workaround this issue by including the client id of the application as a scope, which will cause B2C to then return an access token. I will leave this issue open until B2C fixes so if anybody else runs into this they can see the workaround.

[psidnell]

Hi, Thanks for the workaround, it instantly fixed the issue.

However, I'd like to suggest mentioning this issue prominently in the README, I downloaded the sample code days ago and and have been looking for errors in my ADD+B2C instance that didn't exist.

I have a couple of operational questions:

1. Is it known if this fix is a benign in the future - i.e. will it continue to work when the underlying B2C bug is fixed?
2. Does anyone have a reference to the underlying B2C bug so we can track it?

Thanks

[sangonzal]

@psidnell We will add a snippet to the README.

1. Yes I expect using client id will always work, otherwise it would break everyone who is doing so now.
2. I'm not aware of any other places where this is being tracked. I will continue to check up with the B2C team and update this issue accordingly.