Skip to content

[Bug] 403 response from backend only after Azure B2C signup or password reset using MSAL in .NET MAUI #5323

Description

@agustinbishel

Library version used

4.72.1

.NET version

Client: .NET 9 (.NET MAUI) - V
Backend: .NET Framework 4.5

Scenario

PublicClient - mobile app

Is this a new or an existing app?

The app is in production, I haven't upgraded MSAL, but started seeing this issue

Issue description and reproduction steps

We’re experiencing a consistent issue when using MSAL for authentication in a .NET MAUI 9 application (migrated from Xamarin). Users sign up or reset their password successfully through Azure AD B2C policies, the token is acquired correctly, but upon sending the request to our backend (which runs on .NET Framework 4.5), a 403 Forbidden response is returned.

Notably:
• The token appears valid (well-formed JWT, no signature or expiration issues).
• This happens only after signup or password reset flows.
Once the user logs in again (via regular signin policy), the backend accepts the token and responds normally.
• We’ve verified the audience and scopes are correct.
• We suspect some issue with claim propagation, token readiness, or cache status right after the initial acquisition.

Relevant code snippets

try
        {
            var signupResult = await _authenticationClient
                .AcquireTokenInteractive(_authenticationClientScopes)
                .WithExtraQueryParameters(GetExtraQueryParameters(isSignUp: true))
                .WithPrompt(Prompt.SelectAccount)
                .WithUseEmbeddedWebView(true)
#if ANDROID
                    .WithParentActivityOrWindow(Platform.CurrentActivity)
#endif
                .WithB2CAuthority(_authenticationClientAuthoritySignUp)
                .ExecuteAsync();

            if (signupResult != null)
            {
                userObjectId = GetObjectIdFromAccessToken(signupResult.AccessToken);
            }
        }
        catch (MsalUiRequiredException ex)
        {
            if (ex.ErrorCode != "authentication_canceled")
            {
                ErrorTrackingHelper.TrackError(ex);
            }
        }
        catch (MsalServiceException msalClientException) when
            (msalClientException.ErrorCode is MsalError.AuthenticationCanceledError ||
             msalClientException.ErrorCode is MsalError.AccessDenied)
        {
            ErrorTrackingHelper.TrackError(msalClientException);
        }
        catch (MsalClientException msalClientException) when
            (msalClientException.ErrorCode is MsalError.AuthenticationCanceledError ||
             msalClientException.ErrorCode is MsalError.AccessDenied)
        {
            ErrorTrackingHelper.TrackError(msalClientException);
        }

Expected behavior

After completing the sign-up or password reset flow via Azure AD B2C using MSAL in a .NET MAUI mobile app, the acquired access token should be immediately valid and usable for authenticated requests to our backend (in .NET Framework 4.5), without receiving a 403 Forbidden response.

The backend should accept the token the same way it does after a regular sign-in, without requiring a manual re-authentication or token refresh.

Identity provider

Azure B2C Custom Policy

Regression

No response

Solution and workarounds

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions