ERROR Account username: Missing from the token response environment login.microsoftonline.com home account id: AccountId: XXXX about active-directory-b2c-dotnetcore-webapp HOT 8 CLOSED

@mamood What you found is correct.
This is a known issue w/B2C. The reason is because B2C does not return a value in the IdToken for preferred username because of the limitations with the social accounts. For example, AAD does return a value here because it knows who the user is, but for b2c, because the user can sign in with a local account, FB, Github, etc...there is not a consistent value for them to use for preferred username. Also, some social accounts (like Github) don't require email. So...to unblock MSAL from rolling out cache compatibility with ADAL, we decided to use "Missing from the token response" on our end when dealing with the B2C accounts.
You can, however, use the "name" claim as the preferred username. I believe you can add that in the policy. If you need more information on this, let me know and I'll sync w/B2C. It's generally mentioned in this B2C doc -> "In the Return claim column, choose claims you want returned in the authorization tokens sent back to your application after a successful profile editing experience. For example, select Display Name, Postal Code.”

closing, as this is by design currently, but please tag me if you need more guidance on this.

from active-directory-b2c-dotnetcore-webapp.

@jennyf19 Can you please explain the steps to fix the issue. somehow I am not able to do the above-mentioned step to fix the issue.

from active-directory-b2c-dotnetcore-webapp.

@tarun00197 what are you trying to do?

from active-directory-b2c-dotnetcore-webapp.

Hi jennyf19, I am also trying to get this message not to display. I've been through the articles and I must be missing something. Please could you point me in the direction of a step by step process to get the 'user' or simply clear the message. I've been though the "articleB2C doc" and cant find the solution.

from active-directory-b2c-dotnetcore-webapp.

@ryanglenn79 @tarun00197
Not sure if this will help.
In the portal, under the policy you want to target, go to Application Claims blade and make sure Display Name is enabled:

When i have this enabled, in the AuthResult, in the idToken, you'll see the name value:

If not, you won't see it:

You can parse the idToken to get the claims. You can do something like this:

private void DisplayUserInfo(AuthenticationResult authResult)
{
            TokenInfoText.Text = "";
            if (authResult != null)
            {
                JObject user = ParseIdToken(authResult.IdToken);

                TokenInfoText.Text += $"Name: {user["name"]?.ToString()}" + Environment.NewLine;
                TokenInfoText.Text += $"User Identifier: {user["oid"]?.ToString()}" + Environment.NewLine;
                TokenInfoText.Text += $"Street Address: {user["streetAddress"]?.ToString()}" + Environment.NewLine;
                TokenInfoText.Text += $"City: {user["city"]?.ToString()}" + Environment.NewLine;
                TokenInfoText.Text += $"State: {user["state"]?.ToString()}" + Environment.NewLine;
                TokenInfoText.Text += $"Country: {user["country"]?.ToString()}" + Environment.NewLine;
                TokenInfoText.Text += $"Job Title: {user["jobTitle"]?.ToString()}" + Environment.NewLine;

                if (user["emails"] is JArray emails)
                {
                    TokenInfoText.Text += $"Emails: {emails[0].ToString()}" + Environment.NewLine;
                }
                TokenInfoText.Text += $"Identity Provider: {user["iss"]?.ToString()}" + Environment.NewLine;
            }
}

from active-directory-b2c-dotnetcore-webapp.

Hi Jenny
Thank you for answering. I have everything already setup as you suggest, and I am receiving "Display Name", however I am still receiving "Account username: Missing from the token response environment"

When executing

IEnumerable<IAccount> accounts = await PCA.GetAccountsAsync();

The this displays in the email field for logging in.

from active-directory-b2c-dotnetcore-webapp.

@jennyf19

I am getting the same behavior when calling PCA.GetAccountsAsync() from MSAL .net library. I see in the token that the name property is coming down properly from azure when decoding the token but it doesn't appear to get set on the Account object for the token cache. According to https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-aad-b2c-considerations

I believe you mentioned this in above post..

Mitigation for "Missing from the token response"
One option is to use the "name" claim as the preferred username. The process is mentioned in this B2C doc -> "In the Return claim column, choose the claims you want returned in the authorization tokens sent back to your application after a successful profile editing experience. For example, select Display Name, Postal Code.”

I tried following the reference mentioned above to https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview but I don't see any mention of the process mentioned above.

I have tried to adding all the application claims that you have shown in your screenshot and still am not getting the username field to populate on the Account object when calling PCA.GetAccountsAsync().

You aren't using that in your example and instead are parsing the token for the claims which is working but that doesn't seem like it would work with the token cache in the MSAL library without getting a username when using local accounts.

I could be misunderstanding something but above are the steps I have taken to try and resolve. I can see a work around by maybe using the oid or sub claim and after acquiring the token and sending to client the first time it can get sent back up in the token and parsed to filter the MSAL Accounts object by oid for token cache account filtering. It would be nice to be able to use the name claim but MSAL doesn't seem to properly work with it. Does that sound correct?

from active-directory-b2c-dotnetcore-webapp.

@ryanglenn79 @chris-skuvault Including "name" back in the claims has no impact on the MSAL cache. It will be included in the id_token, so you can filter there and display the user name if you want. You won't be able to get the name from the Account object. Sorry that was not clear.

There is only one cache per user, but each user will have multiple accounts or tokens in the cache, as each B2C policy is a separate IdP, so that's why you have to filter by policy.

from active-directory-b2c-dotnetcore-webapp.