  • Alexander Wagner (30 posts, 159 karma points)
    Feb 06, 2024 @ 10:04

    Umbraco.Cloud.Identity.Cms 13 doesn't seem to work with MemberAuthenticationBuilder.AddMicrosoftIdentityWebApp

    Hi

    I'm upgrading my client's site from 10 to 13 and they have a B2C login for their members (see code below).

    It seems that the version of Microsoft.Identity.Web (version 1.25.9) that Umbraco.Cloud.Identity.Cms is using doesn't work with MemberAuthenticationBuilder.AddMicrosoftIdentityWebApp. After I've logged in on the B2C-login page I get this error:

    IDX40001: Issuer 'https://[Instance]/[TenantId]/v2.0' does not match any of the valid issuers provided for this application.

    If I remove Umbraco.Cloud.Identity.Cms and only use Microsoft.Identity.Web 1.16.0 (which worked for Umbraco.Cloud.Identity.Cms 10) or 2.7.0 (latest stable), it works.

    I found this post about that error, but upgrading Microsoft.Identity.Web to a version higher than the one that Umbraco.Cloud.Identity.Cms uses only results in crashes when the site is starting up.

    Removing Umbraco.Cloud.Identity.Cms isn't really ideal either, as you can imagine.

    Does anyone have any recommendation on how to move forward?

    using System.Security.Claims;
    using Microsoft.IdentityModel.Protocols.OpenIdConnect;
    using Umbraco.Cms.Web.Common.Security;
    
    // aadInstance, tenant, clientId, clientSecret, signInPolicyId, failedPage and the
    // GetErrorMessage helper are defined elsewhere in the site's startup code.
    builder.AddMemberExternalLogins(logins =>
    {
        logins.AddMemberLogin(
            membersAuthenticationBuilder =>
            {
                membersAuthenticationBuilder.AddMicrosoftIdentityWebApp(
                    options =>
                    {
                        options.ResponseType = OpenIdConnectResponseType.Code;
                        options.Instance = aadInstance;
                        options.Domain = tenant;
                        options.ClientId = clientId;
                        options.ClientSecret = clientSecret;
                        options.SignUpSignInPolicyId = signInPolicyId;
                        options.CallbackPath = "/umbraco-b2c-members-signin";
    
                        options.Events.OnTokenValidated = context =>
                        {
                            var principal = context.Principal;
                            if (principal is null) throw new InvalidOperationException("No claims found.");
    
                            // B2C issues the address in an "emails" claim; if no standard email
                            // claim is present, copy the first "emails" value into one so the
                            // member can be matched on email.
                            if (!principal.HasClaim(x => x.Type == ClaimTypes.Email))
                            {
                                var loggedInEmail = principal.Claims.FirstOrDefault(c => c.Type.Equals("emails"))?.Value;
                                if (!string.IsNullOrEmpty(loggedInEmail)
                                    && principal.Identity is ClaimsIdentity identity)
                                {
                                    identity.AddClaim(new Claim(ClaimTypes.Email, loggedInEmail));
                                }
                            }
    
                            return Task.CompletedTask;
                        };
    
                        options.Events.OnRemoteFailure = context =>
                        {
                            var errorMessage = GetErrorMessage(context.Failure);
                            if (errorMessage.Contains("AADB2C90091"))
                            {
                                // AADB2C90091: the user cancelled entering self-asserted information
                                // (e.g. backed out of a password change). The middleware logs this as
                                // an error, but it is a normal user action, so just go back to the root.
                                context.Response.Redirect("/");
                            }
                            else
                            {
                                //logger.Warn(typeof(AadB2CComponent), errorMessage);
                                context.Response.Redirect(string.Format("{0}?error={1}", failedPage, errorMessage));
                            }
    
                            // Mark the failure as handled so the middleware does not rethrow it.
                            context.HandleResponse();
                            return Task.CompletedTask;
                        };
    
                        // Request a token scoped to this app's own client id.
                        options.Scope.Add(options.ClientId);
                    },
                    openIdConnectScheme: membersAuthenticationBuilder.SchemeForMembers(AzureB2CMembersExternalLoginProviderOptions.SchemeName));
            });
    });
    

    EDIT:

    Adding this snippet seems to solve the problem, but it's not really a good idea from a security perspective so I've also raised a ticket on https://github.com/umbraco/Umbraco.Cloud.Issues/issues/734

    options.TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = false };
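    As an added example (not code from the original post, Umbraco or Microsoft.Identity.Web), this keeps issuer validation switched on and instead pins the issuer the site actually expects, which is the safer alternative to `ValidateIssuer = false`. It assumes `aadInstance` and `tenantId` hold the values that appear in the IDX40001 message, and that the comparison is made against the exact `iss` value in the token.

    ```csharp
    using System;
    using System.Linq;
    using Microsoft.IdentityModel.Tokens;

    // Added example, not from the original post. aadInstance and tenantId are assumed
    // variables; the expected issuer follows the pattern shown in the IDX40001 message
    // ('https://[Instance]/[TenantId]/v2.0'). Azure AD B2C tokens usually carry a
    // trailing slash in 'iss', so both spellings are accepted; anything else is rejected.
    var expectedIssuers = new[]
    {
        $"https://{aadInstance}/{tenantId}/v2.0",
        $"https://{aadInstance}/{tenantId}/v2.0/",
    };

    options.TokenValidationParameters = new TokenValidationParameters
    {
        // Keep validation on: with it off, a token minted by any tenant or issuer
        // that the signing-key lookup accepts would be treated as a valid login.
        ValidateIssuer = true,
        ValidIssuers = expectedIssuers,

        // Explicit validator so the check does not depend on which library-supplied
        // issuer validator (if any) ends up attached to this parameters object.
        IssuerValidator = (issuer, token, parameters) =>
        {
            if (expectedIssuers.Contains(issuer, StringComparer.Ordinal))
            {
                return issuer;
            }

            throw new SecurityTokenInvalidIssuerException(
                $"Issuer '{issuer}' is not one of the configured B2C issuers.")
            {
                InvalidIssuer = issuer,
            };
        },
    };
    ```

    If the rejected issuer still differs from the configured one, log the `InvalidIssuer` value from the exception and adjust the expected string rather than disabling the check.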
