Error retrieving the current token in a Blazor application after successful authentication with Oidc client

[kbeaugrand]

Change response_type in signinSilent when getting the access_token

• You've read the Contributor Guide and Code of Conduct.
• You've included unit or integration tests for your change, where applicable.
• You've included inline docs for your change, where applicable.
• There's an open issue for the PR that you are making. If you'd like to propose a new feature or change, please open an issue to discuss the change or find an existing issue.

Summary of the changes (Less than 80 chars)

Description

{Detail}

Fixes #39311

[javiercn]

why is the response type id_token in the first place?

[kbeaugrand]

I don't know if this is really needed at this place.
I'll test it.

[kbeaugrand]

After trying, if I remove the id_token from the signIn It will remove the id_token from the session's stored user...
I think this could be an issue...

To not create a side effect, I guess it is better to keep both id_token and access_token in the request ;)

[javiercn]

@kbeaugrand is there a reason why your response type is not code?

[kbeaugrand]

@javiercn , because this method should request for an access token, not an authorization code ...

[javiercn]

@kbeaugrand this method should request whatever is configured in the settings, it's not up to the library to change the response, changing the response type affects the security characteristics of the app.

id_token, access_token, what they do, is request for the tokens to be delivered by the authorization endpoint (implicit flows).

What tokens you get back is based on the scopes you request. At a minimum an access token to talk to your API, and optionally, in addition to that, an ID token to identify the user.

[kbeaugrand]

@javiercn, the issue mentioned, relates that by using the standard documentation, the Authentication is requesting the id_token;

The Blazor WebAssembly template automatically configures default scopes for openid and profile.

The Blazor WebAssembly template doesn't automatically configure the app to request an access token for a secure API. To provision an access token as part of the sign-in flow, add the scope to the default token scopes of the OidcProviderOptions. If adding authentication to an app, manually add the following code and configure the scope URI.

source: https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/standalone-with-authentication-library?view=aspnetcore-6.0&tabs=visual-studio#access-token-scopes.

1. I' would be happy if by setting ProviderOptions.ResponseType to "id_token token" my client goes well to the authentication but this is not the case.

2. By using the BaseAddressAuthorizationMessageHandler, the program calls the getAccessToken method from AuthenticationService.

As I see in the code, there is condition, if the access token is present and has all the required scopes, it returns the access token. otherwise it will sign in silently.
If the access token is not present (because not requested) and we don't force to request the access token, we never will have that ...

I might not understand correctly the philosophy of this library and the solution might not be this one.

In your opinion, what should be the correct approach ?

[kbeaugrand]

@javiercn , nevermind, I got why getting the access token as part of the login doesn't work in my case...
In my case, I'm using OpenID connect with Azure AD B2C as the IdP.

AD B2C doesn't provide the user info endpoint and he oidc client used requires it ;(
It fails to perfom the sign in and validates the login but without any error message...

By changing the settings, I got my flow working (after disabling the loadUserInfo (see: https://github.com/IdentityModel/oidc-client-js/wiki#other-optional-settings)

After, that I can have my access token with the id_token.

[kbeaugrand]

I close this PR since it doesn't provide what I expected.

However, the documentation makes me some troubles, do you think this could be an opportunity to documentation that if the access token is required to authenticate to APIs, the developer should also change the reponse_type to add the token request as part of the sign in process ?