Azure B2C + ROPC: User password reset and refresh tokens


I'm working on a Web API (ASP.Net, C#, Entity Framework) and I can't get user password reset and refresh tokens working. I have tried so many things and my boss is getting a bit nervous since I don't have any progress to show.

The important bit is that I have to use the ROPC flow because it is the only flow I can use without any browser-interaction. The goal is to have everything in my own client application, registration, sign-in/out and password reset.

At the moment a registered user can sign in via an endpoint of my API. The sign-in code looks like the following:

using Microsoft.Identity.Client;

// MSAL.NET public client configured for the B2C ROPC user flow
IPublicClientApplication app = PublicClientApplicationBuilder.Create(_clientId)
    .WithB2CAuthority(_authority)
    .Build();

// Resource Owner Password Credentials: exchange the user's email and password for tokens
AuthenticationResult result = await app.AcquireTokenByUsernamePassword(_scopesRequiredByAPI,
                                                                        credentials.Email,
                                                                        credentials.Pwd).ExecuteAsync();

The result object I get in return does not include a refresh token and I don't understand where I can get one.

The other problem I have is password reset. How can a user reset their own password without any browser interaction? Is that not possible with the ROPC flow?

I'm very thankful for tips, suggestions and ideas.

rbrayb On

As per this:

When using the ROPC flow, consider the following:

ROPC doesn’t work when there's any interruption to the authentication flow that needs user interaction. For example, when a password has expired or needs to be changed, multifactor authentication is required, or when more information needs to be collected during sign-in (for example, user consent).

ROPC supports local accounts only. Users can’t sign in with federated identity providers like Microsoft, Google+, Twitter, AD-FS, or Facebook.

Session Management, including keep me signed-in (KMSI), isn't applicable.

It does support refresh tokens. Are you using the offline_access scope?
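The following is an added example, not code from the question or the answer, showing how the refresh token is used with MSAL.NET: "offline_access" is the scope that asks Azure AD B2C for a refresh token, and MSAL keeps that token in its cache instead of exposing it on AuthenticationResult, so later tokens are obtained with AcquireTokenSilent. The client id, authority and API scope are placeholders to be replaced with your own configuration.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public class RopcTokenService
{
    // Placeholder values (assumed for illustration); take them from your own configuration.
    private const string ClientId = "<your-b2c-app-client-id>";
    private const string Authority =
        "https://<tenant>.b2clogin.com/tfp/<tenant>.onmicrosoft.com/<your-ROPC-user-flow>";
    private static readonly string[] ApiScopes = { "https://<tenant>.onmicrosoft.com/<api>/<scope>" };

    private readonly IPublicClientApplication _app = PublicClientApplicationBuilder.Create(ClientId)
        .WithB2CAuthority(Authority)
        .Build();

    // Initial sign-in via ROPC. Requesting "offline_access" alongside the API scopes asks
    // B2C for a refresh token; MSAL stores it in its token cache rather than returning it.
    // The returned HomeAccountId identifier is what you keep (per user) to refresh later.
    public async Task<(AuthenticationResult Result, string AccountId)> SignInAsync(string email, string password)
    {
        var scopes = ApiScopes.Concat(new[] { "offline_access" }).ToArray();
        AuthenticationResult result = await _app
            .AcquireTokenByUsernamePassword(scopes, email, password)
            .ExecuteAsync();
        return (result, result.Account.HomeAccountId.Identifier);
    }

    // Later calls: MSAL redeems the cached refresh token for a new access token.
    // The user's password is never needed (or stored) again. If the refresh token is
    // missing, expired or revoked, MSAL throws MsalUiRequiredException; with ROPC the
    // only remedy is a fresh sign-in with the user's credentials.
    public async Task<AuthenticationResult> GetTokenSilentlyAsync(string accountId)
    {
        IAccount account = await _app.GetAccountAsync(accountId);
        if (account == null)
            throw new InvalidOperationException("No cached account for this user; sign in again.");

        return await _app.AcquireTokenSilent(ApiScopes, account).ExecuteAsync();
    }
}
```

A PublicClientApplication's default token cache is in memory and per instance, so an ASP.NET API that builds a new instance per request loses the refresh token; persist the cache with MSAL's token cache serialization, keyed to the user, for silent renewal to work across requests.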