Authorization Code Flow

[rajeevchib]

We need to use Authorization Code Flow for existing ASP.Net Web Forms Application. We were trying to follow this sample.

This sample is using ResponseType - OpenIdConnectResponseType.CodeIdToken.

We were assuming that for using Authorization Code Flow, we need to use ResponseType Code, not CodeIdToken.

But if we change ResponseType to Code in UseOpenIdConnectAuthentication, we get following error:

AADSTS9002313: Invalid request. Request is malformed or invalid.
Trace ID: 9bdf8e16-5395-4358-a21f-890631a05b00
Correlation ID: 7938070f-2b7b-4a17-898e-96184c770153
Timestamp: 2021-03-23 20:22:05Z

Also, In App Registration screen on Azure Portal, We have to select Access Tokens. I think that is not recommended for ASP.Net Web applications.

But If we deselect Access Tokens Option (as we don't want to use Implicit Flow), we get following error:

OpenIdConnectMessage.Error was not null, indicating an error. Error: 'unauthorized_client'. Error_Description (may be empty): 'AADB2C90057: The provided application is not configured to allow the 'OAuth' Implicit flow.
Correlation ID: c9279b25-8857-414f-bf61-6e6ffcb10f5d
Timestamp: 2021-03-24 07:39:29Z
'. Error_Uri (may be empty): 'error_uri is null'.

Please suggest if we are missing some settings or configurations.

[Shama-K]

Current sample is web application that authenticates users and ResponseType = OpenIdConnectResponseType.CodeIdToken is hybrid flow. With hybrid flow response will contain code as well as an ID token. You can get more information here: Request an ID token as well (hybrid flow).
For hybrid flow to work, you need to select ID token in Authentication blade from Azure portal.

If you want to use ResponseType = OpenIdConnectResponseType.Code then you need to invoke AuthorizationCodeReceived and you can redeem the token using MSAL.NET.
More information about authorization code flow can be found here: Microsoft identity platform and OAuth 2.0 authorization code flow.

[rajeevchib]

Hi @Shama-K

Apologies for the late reply. We got engaged into some other work.

Thanks for giving link for hybrid flow.
Just wanted to confirm with you that hybrid flow does not involve any security risk with ASP.Net Web Forms application.

If we choose to use hybrid flow, then ResponseType to be set to CodeIdToken and both "Access tokens" and "ID tokens" check-boxes to be checked.
Is that assumption correct?

I understand that we need to select "ID tokens" checkbox, as we are using hybrid flow.
But still i am not understanding that why do we need to select "Access tokens" checkbox, when its explicitly specified that its for implicit flow.

Since, Hybrid flow is combination of Implicit and Authorization Code Flow. Is it the reason that we need to select "Access tokens" checkbox? If so, then the text should be including the hybrid flow.
We don't have any problem in selecting "Access Token" checkbox unless it introduces a security hole in our application.

Please suggest.

[jmprieur]

@rajeevchib : I don't think you need to check access tokens for AAD web apps that sign-in users (you do for B2C ones)

[rajeevchib]

Hi @jmprieur

Thanks for instant reply.
When I don't select Access tokens option on App Registration Page, I get following error in OnAuthenticationFailed callback:

Error Message
"OpenIdConnectMessage.Error was not null, indicating an error. Error: 'unauthorized_client'. Error_Description (may be empty): 'AADB2C90057: The provided application is not configured to allow the 'OAuth' Implicit flow.
Correlation ID: eb08127e-c40e-4ea3-a468-5ce32eef638f
Timestamp: 2021-05-17 12:19:36Z
'. Error_Uri (may be empty): 'error_uri is null'."

StackTrace
at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.d__11.MoveNext()

Authorize Endpoint Request
https://geologixtechnosoftpvtltd.b2clogin.com/geologixtechnosoftpvtltd.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/authorize?client_id=51423b29-80b0-47ba-99b2-943b20d492ff&redirect_uri=https%3A%2F%2Flocalhost%3A44357%2F&response_type=code%20id_token&scope=openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DPWlRs1Cl52kUxTkIqoAx6ilsm21E_XZuBHoOZ1erBOuEZYK-geEoKbflEeKEhOW9EUVJxEkxYLp7jjY9FJCd77WGjBgZ6TdkG83AG0_92iGTHrttYbhJB9q3SmGF_QY_qpYPPO4FfcBwdB8wteWOv02iqkyUOKPjY_HC-deWd2wOR0IU6fM-AwHkSJQNkg06Ot7pWAivi3b21fNafBeRjQ&response_mode=form_post&nonce=637568507706246387.ZjY1N2U4MTQtODZkMi00NGI0LThjYzctMDliYjdhZTQ0MjVjMzE0MDMyYmEtNWIxYy00ZDNmLTg5ODctOWU1ZTk4NzY2YTNj&x-client-SKU=ID_NET472&x-client-ver=6.9.0.0

Please let me know if you need more details.

[rajeevchib]

Also, I realized that If I change Authorize Endpoint Request manually from response_type code%20id_token to code, then it works:

https://geologixtechnosoftpvtltd.b2clogin.com/geologixtechnosoftpvtltd.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/authorize?client_id=51423b29-80b0-47ba-99b2-943b20d492ff&redirect_uri=https%3A%2F%2Flocalhost%3A44357%2F&response_type=code&scope=openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DPWlRs1Cl52kUxTkIqoAx6ilsm21E_XZuBHoOZ1erBOuEZYK-geEoKbflEeKEhOW9EUVJxEkxYLp7jjY9FJCd77WGjBgZ6TdkG83AG0_92iGTHrttYbhJB9q3SmGF_QY_qpYPPO4FfcBwdB8wteWOv02iqkyUOKPjY_HC-deWd2wOR0IU6fM-AwHkSJQNkg06Ot7pWAivi3b21fNafBeRjQ&response_mode=form_post&nonce=637568507706246387.ZjY1N2U4MTQtODZkMi00NGI0LThjYzctMDliYjdhZTQ0MjVjMzE0MDMyYmEtNWIxYy00ZDNmLTg5ODctOWU1ZTk4NzY2YTNj&x-client-SKU=ID_NET472&x-client-ver=6.9.0.0

Application State on Azure Portal