Invalid issuer in discovery document expected: angular-oauth2-oidc with Azure B2C

Question

Currently I'm developing an Angular2 App and want to use a B2C Tenant for authentification. It does not works because I get an error:

Invalid issuer in discovery document expected:

The setup and configuration is exact as in https://github.com/manfredsteyer/angular-oauth2-oidc described.

In the given example following function is used:

private configureWithNewConfigApi() {
  this.oauthService.configure(authConfig);
  this.oauthService.tokenValidationHandler = new JwksValidationHandler();
  this.oauthService.loadDiscoveryDocumentAndTryLogin();
}

Unfortunately, loadDiscoveryDocumentAndTryLogin does not work for me because for Azure B2C I need to add another URI with additional parameter (policy). So I tried the "old" function loadDiscoveryDocument

The new Code looks like:

private configureWithNewConfigApi() {
  this.oauthService.configure(authConfig);
  this.oauthService.tokenValidationHandler = new JwksValidationHandler();
  //this.oauthService.loadDiscoveryDocumentAndTryLogin();

  const result = this.oauthService.loadDiscoveryDocument(
    'https://login.microsoftonline.com/myportalb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signin_signup')
    .then(() => {
      console.log('b2c discovery loaded');
      this.oauthService.tryLogin({});
    }).catch(() => {
      console.error('b2c discovery load error');
    });
  }

Here is the first part of the function:

public loadDiscoveryDocument(fullUrl: string = null): Promise<object> {

    return new Promise((resolve, reject) => {

        if (!fullUrl) {
            fullUrl = this.issuer || '';
            if (!fullUrl.endsWith('/')) {
                fullUrl += '/';
            }               
            fullUrl += '.well-known/openid-configuration';
        }

Here is the function from the github example:

public loadDiscoveryDocumentAndTryLogin() {
    return this.loadDiscoveryDocument().then((doc) => {
        return this.tryLogin();
    });
}

loadDiscoveryDocument validates the document:

if (!this.validateDiscoveryDocument(doc)) {
                    this.eventsSubject.next(new OAuthErrorEvent('discovery_document_validation_error', null));
                    reject('discovery_document_validation_error');
                    return;
                }

The issue is within the validateDiscoveryDocument and B2C

The reason is first part of the function:

 if (doc['issuer'] !== this.issuer) {
        console.error(
            'invalid issuer in discovery document',
            'expected: ' + this.issuer,
            'current: ' + doc['issuer']
        );
        return false;
    }

B2C issuer is:

  issuer: 'https://login.microsoftonline.com/myportalb2c.onmicrosoft.com/v2.0/',

Hint: myportalb2c is not the real portal. If I call the standard URI or with my policy (fullUrl) the issuer in the response document is different than in URI. Seems a part of the URI is replaced by a GUID

"issuer": "https://login.microsoftonline.com/GUID/v2.0/", "authorization_endpoint": "https://login.microsoftonline.com/myportalb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1_signin_signup", "token_endpoint": "https://login.microsoftonline.com/myportalb2c.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_signin_signup"

**https://login.microsoftonline.com/myportalb2c.onmicrosoft.com/v2.0/
!=
https://login.microsoftonline.com/GUID/v2.0/**

Does someone have the same situation and found a workaround? What is the reason that the issuer in the document is different?

I tried also following package:

https://github.com/vip32/angular-oauth2-oidc-b2c

I works in general, but sometimes I need to Login several times in the application that finally I'm logged in.

Thanks in advance for your support!

Answer 1

I was facing the same issue but when I passed strictDiscoveryDocumentValidation as false then it solved my problem

in the AuthConfig, Please set

strictDiscoveryDocumentValidation: false

Answer 2

I was having simular issue with AzureAD 2.0 and here is what I manage to do.

As far as I know you can't relay on discovery document because AzureAD doesn't allow any domain to access this Json. I manage to authenticate, but I needed to set up all of the configuration manually. Refer to this issue and this issue. And one other relay important thing, if you need provide this token from Azure to your web API don't send access token instead send id token. More information about this is on this link

I don't now if this helps but it do the trick for me.

Answer 3

Unfortunatelly, Azure AD does not support CORS and that's why the lib can not load the discovery document. You can configure the lib manually (see the docs for this; the sample also demonstrates this with an alternative config method) or write an own rest service that supports CORS and delegates to the discovery endpoint of MS. In this case, you need to consider that the discovery document points to further documents esp the JWKS. This needs to be "tunneled" too in this case.