Blazor WASM AADB2C template fetchdata failed due to The issuer '(null)' is invalid

[Alienroid]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

Blazor WASM AADB2C template's fetchdata will fail after enter credentials. The error shows 401 Unauthorized in the console. Look at the requests. ID token and Access token were received with correct scp. The response header shows www-authenticate: Bearer error="invalid_token", error_description="The issuer '(null)' is invalid". However the issuer is present in the request and not null.

One thing I did observe, in the documentation
it shows: "iss": "https://mysiteb2c.b2clogin.com/5cc15ea8-a296-4aa3-97e4-226dcc9ad298/v2.0/",

however, the one I received in the id token is like:
"iss": "https://mysiteb2c.b2clogin.com/tfp/[guid]/b2c_1_signin_signup/v2.0/",

Expected Behavior

Able to access the data requested

Steps To Reproduce

1. follow instructions from https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-azure-active-directory-b2c?view=aspnetcore-6.0
2. run the app
3. click on Fetch Data
4. enter credentials
5. call will fail. inspect to see that it received 401 unauthorized. on network tab, it shows received both id token and access token. look at the request it shows response header: www-authenticate: Bearer error="invalid_token", error_description="The issuer '(null)' is invalid"

Exceptions (if any)

No response

.NET Version

6.0.0

Anything else?

No response

[ghost]

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.

[guardrex]

The docs have been updated for ASP.NET Core 6.0 but not necessarily for Microsoft Identity Platform changes that would only call for doc updates to address. Walking the guidance with 6.0 test apps is scheduled for 22H1. @javiercn, let me know if you'd like me to see if I can repro @Alienroid's report. 👂 If so, I'll get back to you within a day or two.

[Alienroid]

Thanks Luke. I am suspecting it is due to access token version is set to 2 in the manifest and the sample in the doc is probably access token version 1 (in terms of iss format). I’ll look into it more. Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows

…

________________________________ From: Luke Latham ***@***.***> Sent: Monday, January 10, 2022 6:09:56 AM To: dotnet/aspnetcore ***@***.***> Cc: Alienroid ***@***.***>; Mention ***@***.***> Subject: Re: [dotnet/aspnetcore] Blazor WASM AADB2C template fetchdata failed due to The issuer '(null)' is invalid (Issue #39401) The docs have been updated for ASP.NET Core 6.0 but not necessarily for Microsoft Identity Platform changes that would only call for doc updates to address. Walking the guidance with 6.0 test apps is scheduled for 22H1. @javiercn<https://github.com/javiercn>, let me know if you'd like me to see if I can repro @Alienroid<https://github.com/Alienroid>'s report. 👂 If so, I'll get back to you within a day or two. — Reply to this email directly, view it on GitHub<#39401 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AH3FBMRO4YPB2PFHKHYCQJTUVLSDJANCNFSM5LTBWAZA>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[guardrex]

I don't think that's it. I checked my last working config (5.0-era), and it's ...

"accessTokenAcceptedVersion": 2,

[Alienroid]

ok. I am just suspecting it because it's an iss issue and looks like in the document is at https://.b2clogin.com/775527ff-9a37-4307-8b3d-cc311f58d925/v2.0/ and what I got was "https://.b2clogin.com/tfp/[guid]/b2c_1_signin_signup/v2.0/",

[guardrex]

Just the .b2clogin.com alone looks like a botched app generation. Nevermind ... I see that you cited earlier mysiteb2c. .... Anyway ... Did you use the CLI (as the topic shows) or did you use VS's built-in New Project gesture with ✨ magical Azure config ✨? ... and/or did you compare the server and client config from the topic to your app ... are you saying the config (the two appsettings.json files) is exactly the same?

[Alienroid]

Cli dotnet new blazorwasm -au IndividualB2C --aad-b2c-instance "{AAD B2C INSTANCE}" --api-client-id "{SERVER API APP CLIENT ID}" --app-id-uri "{SERVER API APP ID URI}" --client-id "{CLIENT APP CLIENT ID}" --default-scope "{DEFAULT SCOPE}" --domain "{TENANT DOMAIN}" -ho -o {APP NAME} -ssp "{SIGN UP OR SIGN IN POLICY}" I also tried from vs new project. I can try that again. I am comparing vs my older (working) projects and the new project’s access token’s iss does look different. Also oid is there. My old ones doesn’t have that. I’ll do more research on my side. Thanks again. Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows From: Luke ***@***.***> Sent: Monday, January 10, 2022 10:37 AM To: ***@***.***> Cc: ***@***.***>; ***@***.***> Subject: Re: [dotnet/aspnetcore] Blazor WASM AADB2C template fetchdata failed due to The issuer '(null)' is invalid (Issue #39401) Just the .b2clogin.com alone looks like a botched app generation. Did you use the CLI (as the topic shows) or did you use VS's built-in New Project gesture? — Reply to this email directly, view it on GitHub<#39401 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AH3FBMVNJZ2T7L3VX24477TUVMROVANCNFSM5LTBWAZA>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[guardrex]

Ok. I'll stand-by to hear from Javier if he thinks that I should walk the topic and try to repro what you're seeing. There was a problem with VS 2017 generating the right config, and I haven't confirmed yet if VS 2022 works correctly. That's part of the planned updates to the guidance, if we continue to maintain it given that Azure docs now have versions of some of these scenarios.

[Alienroid]

I don’t think it’s something wrong with the code now. I just replaced the aadb2c config numbers from my old projects and it generated the iss properly. Somehow the iss passed back in the tokens is in different format. Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows

…

________________________________ From: Luke Latham ***@***.***> Sent: Monday, January 10, 2022 11:04:37 AM To: dotnet/aspnetcore ***@***.***> Cc: Alienroid ***@***.***>; Mention ***@***.***> Subject: Re: [dotnet/aspnetcore] Blazor WASM AADB2C template fetchdata failed due to The issuer '(null)' is invalid (Issue #39401) Ok. I'll stand-by to hear from Javier if he thinks that I should walk the topic and try to repro what you're seeing. There was a problem with VS 2017 generating the right config, and I haven't confirmed yet if VS 2022 works correctly. That's part of the planned updates to the guidance, if we continue to maintain it given that Azure docs now have versions of some of these scenarios. — Reply to this email directly, view it on GitHub<#39401 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AH3FBMXQTUP5N6GB6JXNALTUVMUULANCNFSM5LTBWAZA>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[Alienroid]

Please close this issue. I used my existing directory/aadb2c data and it works. I've created a new directory and it looks like by default the user flow iss claim is set to be the incorrect one. What I found out: In user flow, the Sign up Sign in flow's properties: Token compatibility settings' issuer (iss) claim drop down is incorrectly selected to be: https://<domain>/tfp/[guid]/[sign up sign in policy/v2.0. Correct one should be: https://<domain>/[guid]/v2.0/

…

-changing this will generate correct token however the site would still fail to load. I've cleared cache and everything. -create another sign up sign in flow will now have correct iss claim drop selected by default. -using this newly created user flow will yield correct results. Thanks for the response. Hopefully others won't run into similar issues and waste hours on this. Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows

________________________________ From: Jason Chen ***@***.***> Sent: Monday, January 10, 2022 2:56:19 PM To: dotnet/aspnetcore ***@***.***>; dotnet/aspnetcore ***@***.***> Cc: Mention ***@***.***> Subject: RE: [dotnet/aspnetcore] Blazor WASM AADB2C template fetchdata failed due to The issuer '(null)' is invalid (Issue #39401) I don’t think it’s something wrong with the code now. I just replaced the aadb2c config numbers from my old projects and it generated the iss properly. Somehow the iss passed back in the tokens is in different format. Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows

________________________________ From: Luke Latham ***@***.***> Sent: Monday, January 10, 2022 11:04:37 AM To: dotnet/aspnetcore ***@***.***> Cc: Alienroid ***@***.***>; Mention ***@***.***> Subject: Re: [dotnet/aspnetcore] Blazor WASM AADB2C template fetchdata failed due to The issuer '(null)' is invalid (Issue #39401) Ok. I'll stand-by to hear from Javier if he thinks that I should walk the topic and try to repro what you're seeing. There was a problem with VS 2017 generating the right config, and I haven't confirmed yet if VS 2022 works correctly. That's part of the planned updates to the guidance, if we continue to maintain it given that Azure docs now have versions of some of these scenarios. — Reply to this email directly, view it on GitHub<#39401 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AH3FBMXQTUP5N6GB6JXNALTUVMUULANCNFSM5LTBWAZA>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[MackinnonBuck]

Closing this out. Glad you were able to solve the problem!