
I'm trying to authorize Azure AD guest users for my web application through the MSAL library. Since it is an SPA, I'm using the implicit grant flow. For "standard" users, the flow is OK. But for "guest" users (with personal addresses like "gmail"), it fails on getting the OBO token as described here:

https://github.com/Azure/azure-sdk-for-java/tree/2.3.5/sdk/spring/azure-spring-boot-starter-active-directory#authenticate-in-frontend

The message is:

{ "error": "invalid_grant",
  "error_description": "AADSTS500341: The user account <user_account> has been deleted from the <tenantId> directory. To sign into this application, the account must be added to the directory.
}

I isolated the HTTP request to bypass the MSAL magic (it fails on the /oauth2/token request).


I just wonder if guest users can be authorized with this flow or if there is another way to authorize them.


2 Answers


Thank you for sharing the query. An Azure AD B2B user (gmail user) can go ahead and successfully fetch an access token from AAD using the implicit flow. You can use the following request to achieve the same:

https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize?client_id={client-id}&response_type=token&redirect_uri={redirect-uri}&scope=openid%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&response_mode=form_post&state=12345&nonce=678910

Now what I am confused with is the following statement "it fails on web api token validation as described here." and also the screenshot you attached is using OBO flow and not implicit flow.

So, is it like this:

  1. You get a token using the implicit flow for a user
  2. After that, you send that token to, let's say, API-1
  3. Then API-1 does the OBO flow and tries to get another token for another API, let's say API-2

and while doing step 3 it fails?

If this is the scenario, then please check the following section "As of May 2018, some implicit-flow derived id_token can't be used for OBO flow. Single-page apps (SPAs) should pass an access token to a middle-tier confidential client to perform OBO flows instead. For more info about which clients can perform OBO calls, see limitations."

More details can be found here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow

If this is not the case, then please do share some more details around this so that we can understand the setup better.

  • Thanks for your comment. Yes, I'm exactly in the case you described: https://github.com/Azure/azure-sdk-for-java/tree/2.3.5/sdk/spring/azure-spring-boot-starter-active-directory#authenticate-in-frontend. I read the limitations: there is no wildcard in my reply URL. – mat Feb 16 '21 at 08:37
  • Hello @mat, if the case described above is accurate, and if both the APIs support OAuth, then what you can do is: Step 1: Get an access token for API-1; for that you can use the Auth-Code Grant flow/Implicit Grant flow in the case of an SPA. Step 2: Once you have the access token for API-1, API-1 would make a call to the second API, i.e. API-2, and in the assertion field of the request you add the access token you received in Step 1. That should get you the access token for the second API, i.e. API-2. – SouravMishra-MSFT Feb 16 '21 at 09:48
  • You can read more on the On-Behalf-Of flow here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow – SouravMishra-MSFT Feb 16 '21 at 09:49

When using the On-Behalf-Of flow, please follow the steps here. If you request the /token endpoint with an id_token, it will return this error. The assertion should be set with an access token.

You are using the On-Behalf-Of flow, not the implicit grant flow, in your issue.

Try to follow these steps with an invited user using the implicit flow:

  1. Add a guest user in Azure AD

https://learn.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal#add-a-new-guest-user-in-azure-ad

  2. Navigate to Enterprise applications -> your application -> Users and groups

  3. Request /authorize for a token

You could log the user in at the browser using the implicit flow.

https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize?
client_id={client_id}
&response_type=id_token token
&redirect_uri={redirect_uri}
&scope=https://graph.microsoft.com/user.read
&response_mode=fragment
&state=12345
&nonce=678910

My test result: (screenshot not reproduced)

  • Thanks Pamela. Actually the "/authorize" request you mention is OK. It is retrieved successfully by my SPA when signing in. The process fails when my backend API tries to access AD Graph with this token. – mat Feb 16 '21 at 08:26
  • FYI I'm on this use case: https://github.com/Azure/azure-sdk-for-java/tree/2.3.5/sdk/spring/azure-spring-boot-starter-active-directory#authenticate-in-frontend – mat Feb 16 '21 at 08:33
  • You use the OBO flow. Please see my answer [here](https://stackoverflow.com/a/65608406/13308381). You may be requesting the `/token` endpoint with an id_token, so it will return this error. – unknown Feb 16 '21 at 08:45
  • Indeed my frontend sent the id_token instead of the access_token to my backend API. My stack is based on Angular on the frontend part. It was due to a bad configuration of the Angular MSAL module (specifically the protectedResourceMap property). The MSALInterceptor sets a JWT token on each HTTP request, which is either the id_token or the access_token. The access_token is chosen if the intercepted request matches one of the protectedResourceMap URLs. There was a mismatch on some of my URLs (the match is handled with the minimatch lib, so be careful with wildcards!). Thank you so much! – mat Feb 17 '21 at 09:49
  • Hi, @mat. If my reply is helpful, please accept it as the answer (click on the mark option beside the reply to toggle it from greyed out to filled in), see https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work – unknown Feb 24 '21 at 09:30
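Both answers come down to the same point: the OBO `assertion` must be the access token issued for the middle-tier API, never the SPA's id_token. The following is an added example (not code from the question, the answers, or the Spring Boot starter) of a backend-side guard that classifies the incoming JWT by its claims and refuses to build the OBO request with an id_token. The sample tokens, the `api://...` audience and the client id/secret values are constructed placeholders; the claim rules follow the Microsoft identity platform token reference (v2 access tokens carry `scp` or `roles`, id_tokens carry `nonce` and neither), and signature validation is assumed to happen elsewhere before this check is trusted.

```javascript
'use strict';

// Decode one base64url JWT segment (re-adds the padding that JWTs strip).
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const pad = '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected 3 segments)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Access tokens for our API: `aud` names the API and `scp`/`roles` is present.
// id_tokens: no `scp`/`roles`, but a `nonce` from the implicit-flow request.
function classifyAadToken(token, apiAudience) {
  const c = decodeJwtPayload(token);
  const aud = [].concat(c.aud || []);
  const hasScope = c.scp !== undefined || c.roles !== undefined;
  if (aud.includes(apiAudience) && hasScope) return 'access_token';
  if (!hasScope && c.nonce !== undefined) return 'id_token';
  return 'unknown';
}

// Form body for POST {tenant}/oauth2/v2.0/token in the OBO flow. Throws with a
// clear message instead of letting AAD answer with invalid_grant later.
function buildOboRequestBody(incomingToken, { clientId, clientSecret, scope, apiAudience }) {
  const kind = classifyAadToken(incomingToken, apiAudience);
  if (kind !== 'access_token') {
    throw new Error(`OBO assertion must be an access token for ${apiAudience}, got ${kind}`);
  }
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    client_id: clientId,
    client_secret: clientSecret,
    assertion: incomingToken,
    scope,
    requested_token_use: 'on_behalf_of',
  }).toString();
}

// Constructed, unsigned sample tokens (alg "none") for demonstration only.
function makeUnsignedJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}
```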