Invalid issuer in discovery document expected: angular-oauth2-oidc with Azure B2C

AleksBla · Oct 30, 2017 · Viewed 7.8k times

Currently I'm developing an Angular2 App and want to use a B2C Tenant for authentication. It does not work because I get an error:

Invalid issuer in discovery document expected:

The setup and configuration is exact as in https://github.com/manfredsteyer/angular-oauth2-oidc described.

In the given example following function is used:

private configureWithNewConfigApi() {
  this.oauthService.configure(authConfig);
  this.oauthService.tokenValidationHandler = new JwksValidationHandler();
  this.oauthService.loadDiscoveryDocumentAndTryLogin();
}

Unfortunately, loadDiscoveryDocumentAndTryLogin does not work for me because for Azure B2C I need to add another URI with an additional parameter (policy). So I tried the "old" function loadDiscoveryDocument.

The new Code looks like:

private configureWithNewConfigApi() {
  this.oauthService.configure(authConfig);
  this.oauthService.tokenValidationHandler = new JwksValidationHandler();
  //this.oauthService.loadDiscoveryDocumentAndTryLogin();

  const result = this.oauthService.loadDiscoveryDocument(
    'https://login.microsoftonline.com/myportalb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signin_signup')
    .then(() => {
      console.log('b2c discovery loaded');
      this.oauthService.tryLogin({});
    }).catch(() => {
      console.error('b2c discovery load error');
    });
}

Here is the first part of the function:

public loadDiscoveryDocument(fullUrl: string = null): Promise<object> {

    return new Promise((resolve, reject) => {

        if (!fullUrl) {
            fullUrl = this.issuer || '';
            if (!fullUrl.endsWith('/')) {
                fullUrl += '/';
            }               
            fullUrl += '.well-known/openid-configuration';
        }

Here is the function from the github example:

public loadDiscoveryDocumentAndTryLogin() {
    return this.loadDiscoveryDocument().then((doc) => {
        return this.tryLogin();
    });
}

loadDiscoveryDocument validates the document:

if (!this.validateDiscoveryDocument(doc)) {
    this.eventsSubject.next(new OAuthErrorEvent('discovery_document_validation_error', null));
    reject('discovery_document_validation_error');
    return;
}

The issue is within the validateDiscoveryDocument and B2C

The reason is first part of the function:

if (doc['issuer'] !== this.issuer) {
    console.error(
        'invalid issuer in discovery document',
        'expected: ' + this.issuer,
        'current: ' + doc['issuer']
    );
    return false;
}

B2C issuer is:

  issuer: 'https://login.microsoftonline.com/myportalb2c.onmicrosoft.com/v2.0/',

Hint: myportalb2c is not the real portal. If I call the standard URI or the one with my policy (fullUrl), the issuer in the response document is different from the one in the URI. It seems a part of the URI is replaced by a GUID.

  "issuer": "https://login.microsoftonline.com/GUID/v2.0/",
  "authorization_endpoint": "https://login.microsoftonline.com/myportalb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1_signin_signup",
  "token_endpoint": "https://login.microsoftonline.com/myportalb2c.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_signin_signup"

**https://login.microsoftonline.com/myportalb2c.onmicrosoft.com/v2.0/
!=
https://login.microsoftonline.com/GUID/v2.0/**

Does someone have the same situation and found a workaround? What is the reason that the issuer in the document is different?

I tried also following package:

https://github.com/vip32/angular-oauth2-oidc-b2c

It works in general, but sometimes I need to log in several times in the application before I'm finally logged in.

Thanks in advance for your support!

Answer

Akshay Sharma · Jan 21, 2020


I was facing the same issue, but when I passed strictDiscoveryDocumentValidation as false it solved my problem.

In the AuthConfig, please set

strictDiscoveryDocumentValidation: false
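The added example below is not code from the question, the answer, or angular-oauth2-oidc; it is a small TypeScript model of the check the question quotes, run against a constructed copy of the B2C discovery document shown above. Two points it makes concrete. First, the issuer check in the quoted snippet is a plain string compare of `doc['issuer']` against the configured `issuer`, so the tenant-name form the question configured can never match the GUID form B2C returns; the OpenID Connect Discovery spec requires the document's `issuer` to be identical to the `iss` claim of the ID tokens, so the GUID form is the value the client should be expecting (the `fullUrl` argument of `loadDiscoveryDocument`, shown in the question, already lets the document be fetched from the policy-specific URL independently of that value). Second, switching strict validation off means the client takes whatever endpoints the document names; the model shows a constructed document with the right issuer but endpoints on another host being accepted once strict mode is off, and a narrower origin-based policy that still accepts the real B2C document. Only the issuer equality check is on the page: tying an endpoint-prefix rule to `strictDiscoveryDocumentValidation` is an assumption about what strict mode covers, `validateEndpointOrigins` is this example's own policy rather than a library option, `GUID` is the placeholder from the question, and both documents are constructed samples.

```typescript
// Added example, not from the question, the answer, or angular-oauth2-oidc.
// Models the discovery-document check the question quotes and runs it with and
// without strictDiscoveryDocumentValidation. Assumptions: the endpoint-prefix rule
// under the strict flag, and validateEndpointOrigins as an alternative policy.

interface DiscoveryDoc {
  issuer: string;
  authorization_endpoint: string;
  token_endpoint: string;
  jwks_uri?: string;
}

interface ValidationConfig {
  issuer: string; // the value configured as `issuer` in AuthConfig
  strictDiscoveryDocumentValidation: boolean;
}

const ENDPOINT_KEYS: Array<'authorization_endpoint' | 'token_endpoint' | 'jwks_uri'> = [
  'authorization_endpoint', 'token_endpoint', 'jwks_uri',
];

const TENANT_ISSUER = 'https://login.microsoftonline.com/myportalb2c.onmicrosoft.com/v2.0/';
const GUID_ISSUER = 'https://login.microsoftonline.com/GUID/v2.0/'; // GUID = placeholder from the question

// Constructed sample mirroring the document shown in the question.
const b2cDoc: DiscoveryDoc = {
  issuer: GUID_ISSUER,
  authorization_endpoint: 'https://login.microsoftonline.com/myportalb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1_signin_signup',
  token_endpoint: 'https://login.microsoftonline.com/myportalb2c.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_signin_signup',
};

// Constructed hostile sample: correct issuer string, endpoints on a host the app never chose.
const rogueDoc: DiscoveryDoc = {
  issuer: GUID_ISSUER,
  authorization_endpoint: 'https://login.example.net/oauth2/v2.0/authorize',
  token_endpoint: 'https://login.example.net/oauth2/v2.0/token',
};

// scheme + host(:port) of an https URL, lower-cased; null if the URL is not https.
function originOf(url: string): string | null {
  const lower = url.toLowerCase();
  if (!lower.startsWith('https://')) return null;
  const rest = lower.slice('https://'.length);
  const end = rest.search(/[\/?#]/);
  return 'https://' + (end === -1 ? rest : rest.slice(0, end));
}

// Model of the check quoted in the question. Returns the error list; empty means accepted.
function validateDiscoveryDocument(doc: DiscoveryDoc, cfg: ValidationConfig): string[] {
  const errors: string[] = [];
  // 1. Issuer equality, as in the snippet from the question: a plain string compare, so the
  //    tenant-name form and the GUID form never match, whatever the strict flag says.
  if (doc.issuer !== cfg.issuer) {
    errors.push(`invalid issuer in discovery document expected: ${cfg.issuer} current: ${doc.issuer}`);
    return errors;
  }
  // 2. Endpoint checks. https is always required; the "must start with the issuer" rule is
  //    the part this model switches off when strictDiscoveryDocumentValidation is false (assumption).
  for (const key of ENDPOINT_KEYS) {
    const url = doc[key];
    if (!url) continue;
    if (!url.toLowerCase().startsWith('https://')) errors.push(`${key} is not https: ${url}`);
    if (cfg.strictDiscoveryDocumentValidation && !url.toLowerCase().startsWith(cfg.issuer.toLowerCase())) {
      errors.push(`${key} does not start with the issuer url: ${url}`);
    }
  }
  return errors;
}

// Narrower policy of this example instead of turning strict validation off: keep the issuer
// equality check (configured issuer = the GUID form B2C emits) and require every endpoint to
// share the issuer's origin. B2C's policy-specific endpoints are on login.microsoftonline.com,
// so they pass; a document pointing the client at another host is still rejected.
function validateEndpointOrigins(doc: DiscoveryDoc, expectedIssuer: string): string[] {
  const errors: string[] = [];
  if (doc.issuer !== expectedIssuer) {
    errors.push(`invalid issuer in discovery document expected: ${expectedIssuer} current: ${doc.issuer}`);
    return errors;
  }
  const issuerOrigin = originOf(expectedIssuer);
  for (const key of ENDPOINT_KEYS) {
    const url = doc[key];
    if (!url) continue;
    const origin = originOf(url);
    if (origin === null || origin !== issuerOrigin) {
      errors.push(`${key} origin ${origin} differs from issuer origin ${issuerOrigin}`);
    }
  }
  return errors;
}

// Usage: the combinations the question and the answer are about.
console.log(validateDiscoveryDocument(b2cDoc, { issuer: TENANT_ISSUER, strictDiscoveryDocumentValidation: true }));
console.log(validateDiscoveryDocument(b2cDoc, { issuer: GUID_ISSUER, strictDiscoveryDocumentValidation: false }));
console.log(validateDiscoveryDocument(rogueDoc, { issuer: GUID_ISSUER, strictDiscoveryDocumentValidation: false }));
console.log(validateEndpointOrigins(b2cDoc, GUID_ISSUER));
console.log(validateEndpointOrigins(rogueDoc, GUID_ISSUER));
```

With the tenant-name issuer configured, the document is rejected in both modes because the issuer compare runs before anything the strict flag controls. With the GUID issuer configured and strict mode off, both the genuine B2C document and the rogue one are accepted, which is the cost of the answer's setting; the origin-based policy accepts only the genuine one.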