MSAL4J Setup validation and "WARNING: Unsupported authority type. Please use B2C authority"

Alex 1 Reputation point
2022-07-19T13:15:56.76+00:00

I'm trying to use MSAL4J in a non-maven java web application running on tomcat.

I'm pretty sure I have my Azure AD B2C "App Registration" setup with the correct settings for "User Flow".
[screenshot: App Registration settings]

I've been following the tutorials at:

  1. https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga
  2. https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-user-flow

I did the "Azure AD B2C > User flows > Run User Flow" to test the flow. It shows a 'generic' login page. Then I type the email and password of a user in my AD B2C User list. Then it redirects to my application home page with a url like:
http://localhost/index?id_token=[biglongtoken]
So that all seems to be working properly (I think).

So, back to my application. In the MSAL4J Config.java file there are a few properties to define:
a) "aad.authority" = "https://login.microsoftonline.com/[tenantID]";
I've also tried:
"https://login.microsoftonline.com/common/"
"https://[tenantsubdomain].b2clogin.com/[tenantsubdomain].onmicrosoft.com/oauth2/v2.0/authorize"
I can't find clear documentation as to what this is supposed to be
In "Azure AD B2C > App Registrations > myapp > EndPoints" it says:
https://[tenantsubdomain].b2clogin.com/[tenantsubdomain].onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize
But that doesn't seem to work either
b) "aad.clientId" = "[myappid]"
This is from "Azure AD B2C > App Registrations > myapp > Essentials > Application (client) ID"
c) "aad.secret" = "[secret]"
This is from "Azure AD B2C > myapp > Certificates & secrets > Value". This shows the "sZ6..." which is the hidden value.

d) "aad.scopes" = "openid"
Again, I can't find clear documentation as to what this value is supposed to be.

To run the process, I access the auth page in my application:
https://localhost/[app]/auth_sign_in
This goes to the SignInServlet.java that is provided in MSAL4J example that I downloaded.

Pretty much regardless of what I try, I get the following output:
Jul 19, 2022 9:09:58 AM com.builderlynx.authentication.ms.azure.AuthHelper signIn
INFO: sign-in sign-up flow init
Jul 19, 2022 9:09:58 AM com.builderlynx.authentication.ms.azure.AuthHelper authorize
INFO: preparing to authorize
Jul 19, 2022 9:09:58 AM com.builderlynx.authentication.ms.azure.AuthHelper authorize
INFO: did not find auth result in session. trying to interactively acquire token...
Jul 19, 2022 9:09:58 AM com.builderlynx.authentication.ms.azure.AuthHelper getConfidentialClientInstance
INFO: Getting confidential client instance
Jul 19, 2022 9:09:58 AM com.builderlynx.authentication.ms.azure.AuthHelper getConfidentialClientInstance
SEVERE: Failed to create Confidential Client Application.
Jul 19, 2022 9:09:58 AM com.builderlynx.authentication.ms.azure.SignInServlet doGet
WARNING: Unable to redirect browser to sign in endpoint
Jul 19, 2022 9:09:58 AM com.builderlynx.authentication.ms.azure.SignInServlet doGet
WARNING: Unsupported authority type. Please use B2C authority

The first few lines seem ok. The last 6 lines are the error messages.
I don't know what else to try. Searching for these error messages has not been helpful.
I would greatly appreciate any help you can provide.

Thank you very much.
Alex.

Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.

1 answer

  1. Shweta Mathur 25,296 Reputation points Microsoft Employee
    2022-07-20T07:36:49.823+00:00

    Hi @Alex ,

    Thanks for reaching out.

    I understand you are trying to set up sign-in for a Java application using Azure AD B2C and are getting an error due to an invalid authority value configured in your application.

    The authority value indicates a directory that MSAL can request tokens from, and its URL differs between Azure AD and Azure AD B2C.

    The values you have configured so far in the authority are used to get tokens from Azure AD:

    https://login.microsoftonline.com/common/ allows users with work and school accounts and personal Microsoft accounts to access applications, or, in the case of multi-tenant applications where users from different organizations can sign in to the application, tokens are requested with this URL.

    To restrict sign-in to users from your organization (directory), you need to restrict the authority URL to your tenant only: https://login.microsoftonline.com/<tenantID>

    The other URLs you are using are authorize endpoints used to get the tokens, which are not valid authority values.

    A B2C tenant, which allows users to sign in with social identities, needs to be built around a policy (user flow or custom policy) for all users. B2C's authority URL in MSAL also has a policy name parameter which specifies the policy Azure AD B2C should use:

    https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>

    Here <policy-name> is the name of the user flow or custom policy to apply, for example a sign-up/sign-in policy like b2c_1_signIn, and <tenant-name> is the name of the B2C tenant.

    These authorities need to be added to the knownAuthorities config parameter so that the B2C authority is trusted.

    Reference: https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/blob/main/1-Authentication/2-sign-in-b2c/SPA/src/app/auth-config.ts

    Hope this will help.

    Thanks,
    Shweta

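Added example (not code from the question, the answer, or the MSAL4J sample Alex downloaded): how the B2C authority described in the answer is wired into MSAL4J. Two points the thread does not spell out: the B2C sample's AuthHelper configures the builder with b2cAuthority(), not authority(), and MSAL4J recognizes a B2C authority by the "tfp" path segment, so the expected form is https://<tenant-name>.b2clogin.com/tfp/<tenant-name>.onmicrosoft.com/<policy-name>/. A login.microsoftonline.com URL, a b2clogin.com URL without "tfp", or an authorize endpoint URL is rejected with the exact "Unsupported authority type. Please use B2C authority" message in the question. The knownAuthorities parameter the answer links to belongs to the MSAL.js Angular sample; in MSAL4J the equivalent step is passing the URL through b2cAuthority(). The tenant name "contoso", policy "B2C_1_signupsignin", client ID, redirect URI and environment variable name are placeholders, and the helper names are mine.

```java
// Added example, not code from the question, the answer, or the MSAL4J sample.
// Tenant name, policy name, client ID, redirect URI and secret are placeholders.
import com.microsoft.aad.msal4j.AuthorizationRequestUrlParameters;
import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IClientSecret;
import com.microsoft.aad.msal4j.ResponseMode;

import java.net.MalformedURLException;
import java.net.URL;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;

public class B2cAuthorityExample {

    private static final SecureRandom RANDOM = new SecureRandom();

    /**
     * Authority in the form MSAL4J expects for Azure AD B2C:
     *   https://<tenant-name>.b2clogin.com/tfp/<tenant-name>.onmicrosoft.com/<policy-name>/
     * MSAL4J detects a B2C authority by the "tfp" path segment. A login.microsoftonline.com
     * URL, a b2clogin.com URL without "tfp", or an authorize endpoint
     * (".../oauth2/v2.0/authorize") is rejected by b2cAuthority() with
     * "Unsupported authority type. Please use B2C authority".
     */
    static String b2cAuthority(String tenantName, String policyName) {
        return "https://" + tenantName + ".b2clogin.com/tfp/"
                + tenantName + ".onmicrosoft.com/" + policyName + "/";
    }

    /** Use b2cAuthority() for B2C; authority() is for Azure AD and ADFS authorities. */
    static ConfidentialClientApplication buildClient(String clientId, String clientSecret,
                                                     String tenantName, String policyName)
            throws MalformedURLException {
        IClientSecret credential = ClientCredentialFactory.createFromSecret(clientSecret);
        return ConfidentialClientApplication.builder(clientId, credential)
                .b2cAuthority(b2cAuthority(tenantName, policyName))
                .build();
    }

    /** 128-bit URL-safe random value for the OAuth state (CSRF) and OIDC nonce (replay). */
    static String randomToken() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /**
     * Builds the sign-in redirect. "openid" is the minimum scope for an ID token; the
     * redirect URI must exactly match one registered on the B2C app registration.
     * The caller stores state and nonce in the session and checks them on the callback.
     */
    static URL signInUrl(ConfidentialClientApplication app, String redirectUri,
                         String state, String nonce) {
        AuthorizationRequestUrlParameters params = AuthorizationRequestUrlParameters
                .builder(redirectUri, Collections.singleton("openid"))
                .responseMode(ResponseMode.QUERY)
                .state(state)
                .nonce(nonce)
                .build();
        return app.getAuthorizationRequestUrl(params);
    }

    public static void main(String[] args) throws MalformedURLException {
        String tenant = "contoso";                                  // placeholder <tenant-name>
        String policy = "B2C_1_signupsignin";                       // placeholder user flow name
        String clientId = "00000000-0000-0000-0000-000000000000";   // placeholder client ID
        // Read the secret from the environment; never commit it to Config.java.
        String secret = System.getenv().getOrDefault("B2C_CLIENT_SECRET", "placeholder-secret");

        ConfidentialClientApplication app = buildClient(clientId, secret, tenant, policy);
        System.out.println("authority: " + app.authority());

        String state = randomToken();
        String nonce = randomToken();
        URL url = signInUrl(app, "https://localhost/myapp/auth_redirect", state, nonce);
        System.out.println("redirect browser to: " + url);
    }
}
```

Building the client and the authorization URL does not contact Azure, so this can be checked offline; a wrong authority fails at build time with the message from the question rather than at the redirect. In the servlet, store the state and nonce in the HttpSession before redirecting and reject any callback whose state does not match, then verify the nonce claim in the returned ID token.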