Azure AD B2C - MSAL JS - Refreshing token yields AADB2C90055

We're using Azure AD B2C to authenticate users, via our API. Both Client (Angular 2) and API have the same Client ID.

This all works fine. As scopes I've defined openid.

However, when calling AcquireTokenAsync after being logged in for more than the expiration time, I'm now getting this error:

"AADB2C90055: The scope 'openid profile' provided in request must specify a resource, such as 'https://example.com/calendar.read'."

I'm calling this method from our Angular application; we're using MSAL.JS. So, it's working fine within the token expiration time (default 60 minutes), but after 60 minutes I'm starting to get this error.

Exactly the same issue as error 1 here: Azure AD B2C Token Issue

Is this a bug in MSAL JS or is our setup incorrect? I'm aware I could have created a separate client ID for our API, but this is working fine for logging in, so I have not bothered. Our API just needs to know the user name, email, etc.

Boland Avatar asked Mar 25 '18 07:03

1 Answer

The reason you're unable to refresh the token is that the Microsoft Authentication Library for JavaScript (MSAL.js) only supports the OAuth Implicit Grant.

OAuth Implicit Grants, by design, do not support/return a Refresh Token:

The implicit grant type is used to obtain access tokens (it does not support the issuance of refresh tokens) and is optimized for public clients known to operate a particular redirection URI. These clients are typically implemented in a browser using a scripting language such as JavaScript.

In order to get a Refresh Token, you'll need to authenticate using the Authorization Code Grant. This will require some work on your backend to capture the Authorization Code and convert it into the Access and Refresh Tokens.

Marc LaFleur Avatar answered Oct 11 '22 01:10
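The answer recommends moving the token exchange to a backend that uses the Authorization Code Grant. The following Node.js module is an added example, not MSAL.js and not code from the question or answer: it builds the two requests such a backend sends to the B2C token endpoint (redeeming the authorization code, then later redeeming the refresh token), checks up front that the requested scope names a resource so the AADB2C90055 error from the question cannot occur, and parses the endpoint's JSON response. The tenant name, policy name, client ID, secret, scope URI and code values are constructed placeholders; the token endpoint path shape (`https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token`) and the `offline_access` requirement are assumptions taken from general Azure AD B2C usage rather than from this page.

```javascript
// Added example: backend-side Authorization Code exchange against Azure AD B2C.
// Not MSAL.js or any Microsoft library code. All names below are constructed.

// Token endpoint for a B2C tenant and user flow (policy). Path shape is assumed.
function tokenEndpoint(tenant, policy) {
  return `https://${tenant}.b2clogin.com/${tenant}.onmicrosoft.com/${policy}/oauth2/v2.0/token`;
}

// OpenID Connect scopes that name no resource. A request consisting only of
// these is exactly what triggers AADB2C90055 ("must specify a resource").
const NON_RESOURCE_SCOPES = new Set(["openid", "profile", "email", "offline_access"]);

// Check a space-separated scope string before sending it:
//  - at least one scope must be a resource (an API scope, e.g. https://.../read)
//  - offline_access must be present, or no refresh_token is issued (assumed B2C behaviour)
function validateScope(scope) {
  const parts = scope.trim().split(/\s+/).filter(Boolean);
  const hasResource = parts.some((s) => !NON_RESOURCE_SCOPES.has(s));
  if (!hasResource) {
    return { ok: false, reason: "scope names no resource; only OIDC scopes given" };
  }
  if (!parts.includes("offline_access")) {
    return { ok: false, reason: "offline_access missing; no refresh token would be issued" };
  }
  return { ok: true, reason: "" };
}

// Form-encoded body for redeeming the authorization code the browser handed
// to the backend redirect URI. The client secret stays on the server.
function codeExchangeBody({ clientId, clientSecret, code, redirectUri, scope }) {
  return new URLSearchParams({
    grant_type: "authorization_code",
    client_id: clientId,
    client_secret: clientSecret,
    code,
    redirect_uri: redirectUri,
    scope,
  }).toString();
}

// Form-encoded body for the later refresh, once the access token has expired.
function refreshBody({ clientId, clientSecret, refreshToken, scope }) {
  return new URLSearchParams({
    grant_type: "refresh_token",
    client_id: clientId,
    client_secret: clientSecret,
    refresh_token: refreshToken,
    scope,
  }).toString();
}

// Parse the token endpoint's JSON reply. On an OAuth error object (such as an
// AADB2C90055 description) throw, so callers never store a half-populated session.
function parseTokenResponse(status, bodyText) {
  const json = JSON.parse(bodyText);
  if (status !== 200 || json.error) {
    throw new Error(`${json.error || "http_" + status}: ${json.error_description || ""}`);
  }
  return {
    accessToken: json.access_token,
    refreshToken: json.refresh_token, // undefined if offline_access was not requested
    idToken: json.id_token,
    expiresIn: Number(json.expires_in),
  };
}

// Stand-alone walk-through using a constructed successful response (no network).
function demo() {
  const cfg = {
    clientId: "00000000-0000-0000-0000-000000000000", // constructed
    clientSecret: "constructed-secret",
    redirectUri: "https://app.example.test/auth/callback",
    scope: "openid offline_access https://contoso.onmicrosoft.com/api/read",
  };
  const check = validateScope(cfg.scope);
  if (!check.ok) throw new Error(check.reason);
  const endpoint = tokenEndpoint("contoso", "B2C_1_signin");
  const firstBody = codeExchangeBody({ ...cfg, code: "constructed-auth-code" });
  // Pretend the endpoint answered; in a real backend this is the POST response.
  const constructedReply = JSON.stringify({
    token_type: "Bearer", expires_in: "3600", access_token: "at",
    id_token: "idt", refresh_token: "rt",
  });
  const session = parseTokenResponse(200, constructedReply);
  const laterBody = refreshBody({ ...cfg, refreshToken: session.refreshToken });
  return { endpoint, firstBody, laterBody, session };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The point the answer makes shows up in `parseTokenResponse`: `refresh_token` is a field of the code-grant response, which is why a backend performing this exchange can renew the session after the 60-minute expiry, while a browser-only implicit flow never receives it.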