
B2C _issuer URL is incorrect - perhaps an old reference #19

Open
jimma72 opened this issue Aug 14, 2023 · 3 comments

Comments


jimma72 commented Aug 14, 2023

Hi.

@cmatskas, thanks for the great work on fastapi_microsoft_identity and your associated training on TalkPython. I have managed to get access tokens working with B2C and FastAPI but was stumped for a while with 401 errors. Having worked through it and got the module to work correctly, I thought I would mention it to you for an update or comment.

This is the original code in auth_service.py:

```python
import jwt  # PyJWT

# Excerpt from auth_service.py: token_version, b2c_domain_name, tenant_id,
# b2c_policy_name, token, rsa_key and client_id come from the enclosing function.
if token_version == "1.0":
    _issuer = f'https://{b2c_domain_name}.b2clogin.com/tfp/{tenant_id}/{b2c_policy_name}/v2.0/'.lower()
else:
    _issuer = f'https://{b2c_domain_name}.b2clogin.com/{tenant_id}/v2.0/'.lower()
try:
    payload = jwt.decode(
        token,
        rsa_key,
        algorithms=["RS256"],
        audience=client_id,
        issuer=_issuer
    )
except jwt.PyJWTError:
    raise  # the function's own error handling is not included in this excerpt
```

However, when checking the access token presented by a valid call, I noticed that the version 1.0 token does not match the code above and is being presented with the second URL. By replacing the first URL with the second URL, the token is accepted and operates as expected. Adjusted code below:

```python
import jwt  # PyJWT

# Adjusted excerpt from auth_service.py: token_version, b2c_domain_name, tenant_id,
# b2c_policy_name, token, rsa_key and client_id come from the enclosing function.
if token_version == "1.0":
    _issuer = f'https://{b2c_domain_name}.b2clogin.com/{tenant_id}/v2.0/'.lower()
    #_issuer = f'https://{b2c_domain_name}.b2clogin.com/tfp/{tenant_id}/{b2c_policy_name}/v2.0/'.lower()
else:
    _issuer = f'https://{b2c_domain_name}.b2clogin.com/{tenant_id}/v2.0/'.lower()
try:
    payload = jwt.decode(
        token,
        rsa_key,
        algorithms=["RS256"],
        audience=client_id,
        issuer=_issuer
    )
except jwt.PyJWTError:
    raise  # the function's own error handling is not included in this excerpt
```


jimma72 commented Aug 14, 2023

Add to this: the trailing '/' at the end of the `_issuer` lines did not exist, and that causes the request to fail. This is fixed in the code above.

@lsmith77 (Contributor) commented

I have noticed the same thing, i.e. the 1.0 URLs for the issuer are incorrect.

@sslivins commented

As an alternative (after spending waaaay too much time tracking down the issue): there is a setting in your Azure portal to change the format of the `iss` claim in your token.

Go to: Azure AD B2C -> User Flows -> [pick your flow] -> Properties -> Token compatibility settings -> Issuer (iss) claim, and switch it to the one that contains your flow.
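Both fixes in this thread (editing the hard-coded URL, or flipping the tenant's "Issuer (iss) claim" compatibility setting) work around the same fact: a B2C tenant can emit either the `/{tenant_id}/v2.0/` issuer or the `/tfp/{tenant_id}/{policy}/v2.0/` issuer, and PyJWT compares `issuer=` by exact string equality, so a missing trailing slash or a different case is enough for a 401. The block below is an added example, not code from this issue or from fastapi_microsoft_identity, showing how I would handle that on the validating side: read the token's `iss` claim without verifying the signature, allow-list both formats for the configured tenant (normalising case and the trailing slash for the comparison only), pin the user flow through the `tfp`/`acr` claim so that a token from another flow of the same tenant is rejected even with the tenant-style issuer, and hand the token's own `iss` string to `jwt.decode(..., issuer=...)`. The tenant name, tenant ID, policy name and sample tokens are constructed for the example; `make_unsigned_test_token` exists only to build those samples and must never be used to accept real tokens.

```python
import base64
import json

# Constructed tenant values for this example (not taken from the issue).
B2C_DOMAIN_NAME = "contoso"
TENANT_ID = "11111111-2222-3333-4444-555555555555"
B2C_POLICY_NAME = "B2C_1_signupsignin"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unverified_claims(token: str) -> dict:
    """Return the payload of a compact JWS WITHOUT checking its signature.

    Use this only to choose the issuer string to pass to jwt.decode(); the
    claims are attacker-controlled until the signature has been verified.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def _normalize_issuer(iss: str) -> str:
    # B2C emits a lower-case URL ending in a slash; normalise both sides so the
    # allow-list comparison is not defeated by case or a missing trailing "/".
    return iss.strip().lower().rstrip("/") + "/"


def expected_issuers(b2c_domain_name: str, tenant_id: str, b2c_policy_name: str) -> set:
    """Both issuer formats a B2C tenant can be configured to emit."""
    base = f"https://{b2c_domain_name}.b2clogin.com"
    return {
        # "Issuer (iss) claim" setting = tenant URL (policy not in the issuer)
        _normalize_issuer(f"{base}/{tenant_id}/v2.0/"),
        # "Issuer (iss) claim" setting = user-flow URL (the /tfp/ form)
        _normalize_issuer(f"{base}/tfp/{tenant_id}/{b2c_policy_name}/v2.0/"),
    }


def resolve_issuer(token: str, b2c_domain_name: str, tenant_id: str, b2c_policy_name: str) -> str:
    """Pick the value to pass as jwt.decode(issuer=...).

    Returns the token's own iss string (PyJWT checks issuers with exact
    equality) once it matches one of the tenant's allowed formats, and rejects
    tokens minted by another tenant or another user flow.
    """
    claims = unverified_claims(token)
    iss = claims.get("iss")
    if not isinstance(iss, str):
        raise ValueError("token carries no iss claim")
    if _normalize_issuer(iss) not in expected_issuers(b2c_domain_name, tenant_id, b2c_policy_name):
        raise ValueError(f"issuer {iss!r} is not this tenant in either B2C issuer format")
    # With the tenant-style issuer the policy is only visible in the tfp (or
    # acr) claim, so pin it there too; otherwise a token from a different user
    # flow of the same tenant would pass the issuer check.
    policy = claims.get("tfp", claims.get("acr"))
    if not isinstance(policy, str) or policy.lower() != b2c_policy_name.lower():
        raise ValueError(f"token policy {policy!r} is not {b2c_policy_name!r}")
    return iss


def make_unsigned_test_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED JWT for this demonstration only.

    Real B2C tokens are RS256-signed; a validator must never accept alg=none.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    sample = make_unsigned_test_token({
        "iss": f"https://{B2C_DOMAIN_NAME}.b2clogin.com/{TENANT_ID}/v2.0/",
        "aud": "00000000-0000-0000-0000-000000000000",
        "tfp": B2C_POLICY_NAME,
    })
    # The resolved string is what replaces _issuer in the jwt.decode(...) call above.
    print(resolve_issuer(sample, B2C_DOMAIN_NAME, TENANT_ID, B2C_POLICY_NAME))
```

The normalisation is used only for the allow-list membership test; the value returned is the token's own `iss`, so that PyJWT's exact comparison inside `jwt.decode` (which is still what verifies the RS256 signature against the tenant's keys) passes regardless of which compatibility setting the tenant uses. Whatever the issuer format, the `tfp`/`acr` check is what ties the token to the intended user flow.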
