HC 12.16 #/oauth includes fragment which is not an allowable redirect uri for Azure AD B2C

[eginwong]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

The effect: the access token is not able to be fetched from BCP because the redirect uri is not in the allowable list of uris as configured by Azure AD B2C.

We are using Azure AD B2C and it does not allow having the # symbol in the allowed redirect uris, specifically when the signinaudience is AzureADandPersonalMicrosoftAccount for the oauth2 implicit flow.

And if we can't put the #/oauth uri in the allowed redirect uri list, Azure AD will not allow BCP to receive the token.

Image of the Azure AD B2C error

Affects HC 12.16, but not 12.15.* due to new major version of BCP.

Steps to reproduce

1. Boot up a C# project running 12.16 of HotChocolate.
2. Navigate to the graphql endpoint and try to authenticate by clicking the gear icon.
3. Under authentication, select OAuth2 -> Implicit.
4. Note that the Redirect URL is hardcoded and not allowed to be changed.

Using Azure AD B2C App Registration, the redirect uri cannot contain a fragment uri if the signinaudience value is AzureADandPersonalMicrosoftAccount. If it is AzureADMyOrg, then the fragment uri is acceptable.

Allowed settings for signinaudience: AzureADMultipleOrgs, AzureADMyOrg, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount

Relevant log output

No response

Additional Context?

As per discussion in #announcements on Jan 6, 2023.

Product

Hot Chocolate

Version

12.16.*

[zyofeng]

This affects Authorization Code flow as well due to redirectUrl being the same

Is there any way to config the redirect?

[PascalSenn]

we plan to also allow /graphql/oauth which would help. But the redirect urls must be on the same endpoint. otherwise BCP cannot capture it. At the moment we use the # routing because it is the most flexible.

[zyofeng]

Is there an interim solution while we wait for the change? Any ETA?

[onionhammer]

Hmm yeah I was wondering why this suddenly stopped working.

@PascalSenn This does not feel like an enhancement, it's a regression.

[PascalSenn]

@onionhammer One thing that I don't quite understand is how this worked for you previously on the web. I mean, we opened up a popup for authroization, then we redirected you to the IDP. After the redirection, the reference to the window should have lost control because of a change in origin. This is a standard security measure implemented by browsers. I am confused as to how you were able to observe the window of another origin.

[onionhammer]

@PascalSenn I'm not sure exactly what you're asking.. Not sure where the Banana Cake Pop source is (if it's open source), but I assume at some point the "#/oauth" was added to the redirect URL for OAuth, and in the B2C settings if you leave the authorized redirect URLs as "youraddress/graphl/" without the "#/oauth", the 'fetching' will just spin forever after you successfully log in, never actually retrieving the bearer token from the auth window.

Adding "#/oauth" as an authorized redirect URL is not permitted in B2C.

What we used to do is open BCP at localhost/graphql/, and the redirect url used to just be localhost/graphql/, which worked just fine with B2C, then at version 12.16+, BCP's expected redirect url was changed to localhost/graphql/#/oauth and that broke things.

[onionhammer]

Was hoping that the desktop version didnt have this issue, but it looks like there's no redirect path at all? is there a workaround for this other than using postman?

[PascalSenn]

@onionhammer See this

What we used to do is open BCP at localhost/graphql/, and the redirect url used to just be localhost/graphql/, which worked just fine with B2C, then at version 12.16+, BCP's expected redirect url was changed to localhost/graphql/#/oauth and that broke things.

surpises me. This must be a special case for the local host origin. After using  window.open , the reference to window.href should no longer be accessible.

Was hoping that the desktop version didnt have this issue, but it looks like there's no redirect path at all? is there a workaround for this other than using postman?

The redirect URL is not specified in the desktop app because there we have more options. In other words, you can pick any redirect URL and it will work.


We are currently testing a fix for the web version. If everything goes well, it will be available in the next BCP version next week.

[bartdebever]

Is there any update on this issue? I assume not everything went well and the release is delayed but not being able to work with BCP when using Azure AD is a shame, the OAuth integration was great and sets BCP apart from other Playgrounds.

[mdddev]

I'm also having problems with OAUTH2 and the Implicit mode using Microsoft Entra External ID (sucessor to B2C). On trying to fetch a token, a new BCP window opens, which has the access_token stuck in the URL, like https://localhost:7029/graphql/#access_token=eyJ0eXAiOiJKV1Q....... If inspected with https://jwt.ms te token is valid and it is also accepted by my backend. Still, the functionality seems not working, as I would expect that I woud NOT need to manually copy the token from the URL, switch to Bearer auth mode and paste the token there....