This repository has been archived by the owner on Aug 28, 2023. It is now read-only.

p parameter is not being passed in each flow through the passport.js library #187

Closed
brandwe opened this issue Sep 1, 2016 · 4 comments
Closed
Assignees
Milestone

Comments

@brandwe
Contributor

brandwe commented Sep 1, 2016

As hinted at by the developer in this code comment: https://github.com/AzureAD/passport-azure-ad/blob/master/lib/oidcstrategy.js#L1135, we have to pass the p parameter in each flow so that the right code (https://github.com/AzureAD/passport-azure-ad/blob/master/lib/oidcstrategy.js#L375) gets invoked at every auth flow. Right now it is not being passed after the first call to the library, and so the metadata endpoint reverts to the old (non-policy) metadata URL.

You can see this by using a B2C tenant and setting the logging level to info:

```
[2016-09-01T16:43:01.717Z]  INFO: AzureAD: OIDC Passport Strategy/8046 on brandons-mbp.guest.corp.microsoft.com: B2C: Found a policy inside of the login request. This is a B2C tenant!
[2016-09-01T16:43:01.718Z]  INFO: AzureAD: OIDC Passport Strategy/8046 on brandons-mbp.guest.corp.microsoft.com: B2C: New Metadata url provided to Strategy was:  https://login.microsoftonline.com/isasample.site/v2.0/.well-known/openid-configuration?p=B2C_1_node_signin&x-client-SKU=passport-azure-ad&x-client-Ver=2.0.1
[2016-09-01T16:43:01.718Z]  INFO: AzureAD: OIDC Passport Strategy/8046 on brandons-mbp.guest.corp.microsoft.com: Parsing Metadata:  https://login.microsoftonline.com/isasample.site/v2.0/.well-known/openid-configuration?p=B2C_1_node_signin&x-client-SKU=passport-azure-ad&x-client-Ver=2.0.1
```

But then later in the same session:

```
::1 - - [01/Sep/2016:16:43:02 +0000] "GET /login/?p=B2C_1_node_signin HTTP/1.1" 302 0 "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50"
[2016-09-01T16:43:06.718Z]  INFO: AzureAD: OIDC Passport Strategy/8046 on brandons-mbp.guest.corp.microsoft.com: Parsing Metadata:  https://login.microsoftonline.com/isasample.site/v2.0/.well-known/openid-configuration?x-client-SKU=passport-azure-ad&x-client-Ver=2.0.1
```
@polita polita added this to the 3.0.0 milestone Sep 1, 2016
@polita polita removed their assignment Sep 1, 2016
@polita polita added the P1 label Sep 1, 2016
@lovemaths
Contributor

This is not the cause. I debugged the oidc b2c sample for the implicit flow, and we indeed have the 'p' in the 302 response. The req.query itself has the 'p' parameter, so we don't add one (https://github.com/AzureAD/passport-azure-ad/blob/master/lib/oidcstrategy.js#L1151).

```javascript
if (req.query.p) {
  // authorizationURL already carries '?p=xxx', so append with '&'
  location = `${config.authorizationURL}&${querystring.stringify(params)}`;
} else {
  location = `${config.authorizationURL}?${querystring.stringify(params)}`;
}
```

My experiments show that the kid in the metadata with 'p' is the same regardless of the policy, but it is different from the kid in the metadata without 'p'. The real problem is that the incoming request with the token from AAD (POST with id_token in the body) doesn't have the 'p' param (even if we provided 'p' in the previous authentication request, and the token is for some specific policy 'p'), so oidcstrategy fetches the metadata without 'p', and therefore the kid in the metadata and the kid in the id_token don't match.

@lovemaths
Contributor

It seems the 'acr' in id_token payload is the policy name.

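The two comments above describe the failure mode (the POST leg carries no `p`, so the strategy loads the policy-less metadata and the `kid` does not match) and the hint that the policy name is in the token's `acr` claim. The following is an added illustration, not passport-azure-ad's code or its 3.0.0 fix: it resolves the policy from `req.query.p` or, failing that, from the `acr` claim of a posted `id_token`, and builds the discovery URL with `p` set. `req`, `resolvePolicy`, `metadataUrl` and `sampleToken` are assumed names; the Express-style `req.query`/`req.body` shape is an assumption.

```javascript
// Added example (not from the passport-azure-ad project). Assumes an
// Express-like request with .query and .body, and that a B2C id_token
// carries the policy name in its 'acr' claim as reported in this thread.

function b64urlDecode(s) {
  // Node's base64 decoder tolerates missing '=' padding
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Read the JWT payload WITHOUT verifying the signature. This is acceptable
// only because the value chooses which metadata document to load; the token
// must still be verified against the key that metadata publishes.
function unverifiedPayload(idToken) {
  const parts = String(idToken).split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(b64urlDecode(parts[1]));
  } catch (e) {
    return null; // malformed token: no policy can be derived from it
  }
}

// Lookup order: explicit ?p= on the request (authorization leg), otherwise the
// 'acr' claim of a posted id_token (the AAD POST back carries no 'p' param).
function resolvePolicy(req) {
  if (req.query && req.query.p) return req.query.p;
  const token = req.body && req.body.id_token;
  const claims = token ? unverifiedPayload(token) : null;
  return claims && typeof claims.acr === 'string' ? claims.acr : null;
}

// Build the discovery URL, adding p= only when a policy is known. URL handles
// the '?' vs '&' choice that the hand-built template string in this thread
// had to special-case.
function metadataUrl(base, policy) {
  const u = new URL(base);
  if (policy) u.searchParams.set('p', policy);
  return u.toString();
}

// Constructed sample token (fake signature) whose payload carries 'acr'.
function sampleToken(acr) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', kid: 'example-kid' })}.${enc({ acr, sub: 'user' })}.sig`;
}
```

Once the policy-specific metadata is loaded, the `kid` in the token header can be matched against that document's keys before any claim in the token is trusted.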
@ghost

ghost commented Sep 25, 2016

Has this issue been resolved? If yes, please point me to the solution.
Also, I get the error 'No email found' when I don't get any of the other errors. I tried to decode the token and saw that the claims do not include an email field, despite the account in the AD having one. There is no mention of the policy name in the token as well. Is there any solution to this issue I am facing?

@polita polita added the done label Sep 27, 2016
@lovemaths
Contributor

@TejaK1 We fixed the issue in 3.0.0, please check it out. The updated B2C sample is here: https://github.com/AzureADQuickStarts/B2C-WebApp-OpenIDConnect-NodeJS
