
I'm working on a Web API (ASP.Net, C#, Entity Framework) and I can't get user password reset and refresh tokens working. I have tried so many things and my boss is getting a bit nervous since I don't have any progress to show.

The important bit is that I have to use the ROPC flow because it is the only flow I can use without any browser-interaction. The goal is to have everything in my own client application, registration, sign-in/out and password reset.

Atm a registered user can sign in via an endpoint of my API. The sign-in code looks like the following:

using Microsoft.Identity.Client;

// MSAL public client pointed at the B2C authority of the ROPC user flow
IPublicClientApplication app = PublicClientApplicationBuilder.Create(_clientId)
                        .WithB2CAuthority(_authority)
                        .Build();

// ROPC: the user's e-mail and password are exchanged directly for tokens
AuthenticationResult result = await app.AcquireTokenByUsernamePassword(_scopesRequiredByAPI,
                                   credentials.Email,
                                   credentials.Pwd).ExecuteAsync();

The result object I get in return does not include a refresh token and I don't understand where I can get one.

The other problem I have is password reset. How can a user reset their own password without any browser interaction? Is that not possible with the ROPC flow?

I'm very thankful for tips, suggestions and ideas.

ManuBera

1 Answer


As per this:

When using the ROPC flow, consider the following:

ROPC doesn’t work when there's any interruption to the authentication flow that needs user interaction. For example, when a password has expired or needs to be changed, multifactor authentication is required, or when more information needs to be collected during sign-in (for example, user consent).

ROPC supports local accounts only. Users can’t sign in with federated identity providers like Microsoft, Google+, Twitter, AD-FS, or Facebook.

Session Management, including keep me signed-in (KMSI), isn't applicable.

It does support refresh tokens. Are you using the offline_access scope?

rbrayb
  • Thank you so much for your quick reply! I suppose that means I have to set up another flow for password resetting that requires browser interaction, right? And concerning the refresh tokens, I use the following scopes (but I'm not sure if openid and profile make any sense in this context): "openid", "profile", "offline_access". I guess I need to construct the correct URL to an endpoint to retrieve the refresh token? Or can I do this with the SDK like for the access token? – ManuBera Jul 25 '23 at 08:34
  • As per that link "The tokens returned are an ID token, access token, and a refresh token." So the SDK should work. – rbrayb Jul 25 '23 at 08:54
  • Yes - for reset, use another flow. – rbrayb Jul 25 '23 at 08:55
  • Thanks again! The thing is, the result object of type AuthenticationResult does not have a refresh token property and thus I wouldn't know how to get the refresh token. It seems like it won't be that easy with ROPC :( https://stackoverflow.com/questions/62560052/azure-ad-login-using-c-acquiring-refresh-token-and-access-token – ManuBera Jul 25 '23 at 12:21
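As an added example (not code from the question or the answer) of the SDK path the answer refers to: with offline_access in the scope list, MSAL.NET stores the refresh token in its token cache rather than exposing it on AuthenticationResult, and AcquireTokenSilent redeems it later without the password. Client id, tenant, policy name and API scope below are placeholders; the account id returned by the first sign-in is what the caller keeps to find the cached account again.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public class B2CRopcClient
{
    // Placeholder values; replace with the real B2C app registration and ROPC policy.
    private const string ClientId = "<client-id>";
    private const string Authority =
        "https://<tenant>.b2clogin.com/tfp/<tenant>.onmicrosoft.com/B2C_1_ROPC";

    // offline_access is the scope that makes B2C issue a refresh token at all.
    private static readonly string[] Scopes =
        { "openid", "offline_access", "https://<tenant>.onmicrosoft.com/api/read" };

    private readonly IPublicClientApplication _app = PublicClientApplicationBuilder
        .Create(ClientId)
        .WithB2CAuthority(Authority)
        .Build();

    // First sign-in: ROPC exchanges the credentials for tokens. MSAL keeps the
    // refresh token in its cache; the returned object only carries the account id
    // the caller needs to come back to that cache entry later.
    public async Task<(string AccountId, AuthenticationResult Result)> SignInAsync(
        string email, string password)
    {
        AuthenticationResult result = await _app
            .AcquireTokenByUsernamePassword(Scopes, email, password)
            .ExecuteAsync();
        return (result.Account.HomeAccountId.Identifier, result);
    }

    // Later calls: AcquireTokenSilent returns the cached access token while it is
    // valid and otherwise redeems the cached refresh token, so the password is
    // never needed again. MsalUiRequiredException means the refresh token is gone
    // or expired and the user must sign in (ROPC) again.
    public async Task<AuthenticationResult> GetTokenSilentlyAsync(string accountId)
    {
        IAccount account = await _app.GetAccountAsync(accountId);
        if (account == null)
            throw new InvalidOperationException("No cached account; call SignInAsync first.");
        try
        {
            return await _app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            throw new InvalidOperationException("Refresh token expired; sign in again.");
        }
    }
}
```

The default MSAL.NET cache for a public client is in-memory, so in a Web API the cached refresh tokens vanish on restart unless a persistent token cache is attached.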