Library version used
4.72.1
.NET version
Client: .NET 9 (.NET MAUI) - V
Backend: .NET Framework 4.5
Scenario
PublicClient - mobile app
Is this a new or an existing app?
The app is in production, I haven't upgraded MSAL, but started seeing this issue
Issue description and reproduction steps
We’re experiencing a consistent issue when using MSAL for authentication in a .NET MAUI 9 application (migrated from Xamarin). Users sign up or reset their password successfully through Azure AD B2C policies, the token is acquired correctly, but upon sending the request to our backend (which runs on .NET Framework 4.5), a 403 Forbidden response is returned.
Notably:
• The token appears valid (well-formed JWT, no signature or expiration issues).
• This happens only after signup or password reset flows.
• Once the user logs in again (via regular signin policy), the backend accepts the token and responds normally.
• We’ve verified the audience and scopes are correct.
• We suspect some issue with claim propagation, token readiness, or cache status right after the initial acquisition.
Relevant code snippets
try
{
var signupResult = await _authenticationClient
.AcquireTokenInteractive(_authenticationClientScopes)
.WithExtraQueryParameters(GetExtraQueryParameters(isSignUp: true))
.WithPrompt(Prompt.SelectAccount)
.WithUseEmbeddedWebView(true)
#if ANDROID
.WithParentActivityOrWindow(Platform.CurrentActivity)
#endif
.WithB2CAuthority(_authenticationClientAuthoritySignUp)
.ExecuteAsync();
if (signupResult != null)
{
userObjectId = GetObjectIdFromAccessToken(signupResult.AccessToken);
}
}
catch (MsalUiRequiredException ex)
{
if (ex.ErrorCode != "authentication_canceled")
{
ErrorTrackingHelper.TrackError(ex);
}
}
catch (MsalServiceException msalClientException) when
(msalClientException.ErrorCode is MsalError.AuthenticationCanceledError ||
msalClientException.ErrorCode is MsalError.AccessDenied)
{
ErrorTrackingHelper.TrackError(msalClientException);
}
catch (MsalClientException msalClientException) when
(msalClientException.ErrorCode is MsalError.AuthenticationCanceledError ||
msalClientException.ErrorCode is MsalError.AccessDenied)
{
ErrorTrackingHelper.TrackError(msalClientException);
}
Expected behavior
After completing the sign-up or password reset flow via Azure AD B2C using MSAL in a .NET MAUI mobile app, the acquired access token should be immediately valid and usable for authenticated requests to our backend (in .NET Framework 4.5), without receiving a 403 Forbidden response.
The backend should accept the token the same way it does after a regular sign-in, without requiring a manual re-authentication or token refresh.
Identity provider
Azure B2C Custom Policy
Regression
No response
Solution and workarounds
No response
Library version used
4.72.1
.NET version
Client: .NET 9 (.NET MAUI) - V
Backend: .NET Framework 4.5
Scenario
PublicClient - mobile app
Is this a new or an existing app?
The app is in production, I haven't upgraded MSAL, but started seeing this issue
Issue description and reproduction steps
We’re experiencing a consistent issue when using MSAL for authentication in a .NET MAUI 9 application (migrated from Xamarin). Users sign up or reset their password successfully through Azure AD B2C policies, the token is acquired correctly, but upon sending the request to our backend (which runs on .NET Framework 4.5), a 403 Forbidden response is returned.
Notably:
• The token appears valid (well-formed JWT, no signature or expiration issues).
• This happens only after signup or password reset flows.
• Once the user logs in again (via regular signin policy), the backend accepts the token and responds normally.
• We’ve verified the audience and scopes are correct.
• We suspect some issue with claim propagation, token readiness, or cache status right after the initial acquisition.
Relevant code snippets
Expected behavior
After completing the sign-up or password reset flow via Azure AD B2C using MSAL in a .NET MAUI mobile app, the acquired access token should be immediately valid and usable for authenticated requests to our backend (in .NET Framework 4.5), without receiving a 403 Forbidden response.
The backend should accept the token the same way it does after a regular sign-in, without requiring a manual re-authentication or token refresh.
Identity provider
Azure B2C Custom Policy
Regression
No response
Solution and workarounds
No response