This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 42%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
I have an Azure AD B2C Custom Policy defined with OpenId Connect. I ahve four custom claims added in the policy and they correctly appear in the response (id_token) of the policy when tested using the B2C Custom Policy 'Run Now' menu in Azure portal.
I want to integrate this custom policy as a Federated Identity Provider in AWS Cognito User Pool. I have followed the standard process to integrate the same. When tried to test this integration through 'Hosted UI' alternative in AWS, I get an error like below - 'No access token in IdP response'. I have verified with AWS Support and various logs in AWS. In this case, AWS Cognito does receive the auth code from B2C Custom Policy, however token request does not seem to go correctly. AWS Support mentioned that this could be due to incorrect scope values defined.
For the custom policy, I am using the identity experience framework.
As part of the same, have registered 'IdentityExperienceFrameworkApp', 'ProxyIdentityExperienceFrameworkApp' and a main app 'myapp' in B2C tenant app registrations.
For 'IdentityExperienceFrameworkApp', a user_impersonation scope has been added and admin consent given. The scope value is in the format https://{mytenant}.onmicrosoft.com/{client_id for IdentityExperienceFrameworkApp}/user_impersonation. This app also has openid and offline_access api permissions.
For 'ProxyIdentityExperienceFrameworkApp', under api permissions, openid, offline_access and 'IdentityExperienceFrameworkApp's user_impersonation scope has been added. Also given admin consent for the same.
For the main app 'myapp', under api permissions, openid, offline_access and 'IdentityExperienceFrameworkApp's user_impersonation scope have been added.
Currently, I am using the below scopes when requesting from Cognito - openid profile email offline_access {myapp_client_id}
In the above scope, {myapp_client_id} is the client id for the application registered in Azure AD B2C and which is used to configure the app client in AWS Cognito.
If we look at this documentation for OpenId Connect Scopes, there are three scopes quoted -
openid - To request id_token
offline_access - To request refresh token
00000000-0000-0000-0000-000000000000 - Client Id as the scope
Can you clarify what will be this client id value to be added in the scope? Will it be same as {myapp_client_id} described above.
In the request example here, the scope parameter has a value of <application-ID-URI>/<scope-name>
Kindly help to address this issue as I am stuck with it from almost couple of weeks and need to resolve it urgently.
I am using the correct web app client id registered in B2C. Added that as the scope along with - openid email profile offline_access.
I am still ending up with the below error -
Bad+id_token+issuer+https%3A%2F%2F{mytenantname}.b2clogin.com%2F{tenant-id}%2Fv2.0&error=invalid_request
Kindly share your inputs in this regard.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Could you please share the whole request you are sending to get token.
@Shweta Mathur Unfortunately, I am unable to log the token request when its being triggered from AWS Cognito. I can share the details of configurations I have done in AWS. Here are the details of the same -
Configurations of B2C Custom Policy as a Federated Identity Provider in AWS Cognito -
Attribute mapping in Cognito -
Authorized Scopes for federated identity provider -
The clientid in the above image is the client-id for the new app registered in B2C tenant, which is also being used (along with its secret) for configuring the app client in AWS Cognito.
Attribute request method - GET
All other endpoint URL's - Issuer, Authorization, Token, UserInfo & Jwks_Uri are same as I get in the .well-known-openid-configuration for the B2C Custom Policy.
The issuer URL is of the format - https://{tenantname}.b2clogin.com/{tenantname}.onmicrosoft.com/{custom-policy-name}/v2.0
The 'Hosted UI' in AWS Cognito is being used to test this federation. In here, I am using https://jwt.ms as the 'Allowed Callback URL'.
OAuth 2.0 grant types - Authorization code grant
I have manually tried testing this flow using the endpoint URL's and trigerring them individually from Postman. All the endpoint do give me correct results.
Does the error 'Bad+id_token+issuer+https%3A%2F%2F{mytenantname}.b2clogin.com%2F{tenant-id}%2Fv2.0&error=invalid_request' have something to do with the issuer defined in the custom policy ? In my case, the custom policy has the issuer defined in the format - https://{tenantname}.b2clogin.com/{tenantid}/v2.0
This is different from the issuer url in AWS Cognito.
If you need any more inputs, do let me know.
The issuer URL is of https://{tenantname}.b2clogin.com/{tenantname}.onmicrosoft.com/{custom-policy-name}/v2.0
The above point is not correct and not the issuer URL. This needs to append with /.well-known/openid-configuration to get all the endpoints.
The issue URL of B2C tenant would be "issuer": "https://<tenant-name>.b2clogin.com/<tenant-id/v2.0/"
Could you please check from where the request has been picking wrong issuer https://{tenantname}.b2clogin.com/{tenantname}.onmicrosoft.com/{custom-policy-name}/v2.0
When I configured the issuer URL in AWS Cognito, I have used the URL - https://{tenantname}.b2clogin.com/{tenantname}.onmicrosoft.com/{custom-policy-name}/v2.0
When I use the above URL as issuer url, AWS Cognito automatically uses .well-known/openid-configuration endpoint to get all endpoints.
When I use the above custom policy .well-known/openid-configuration endpoint in browser, I get all the endpoints.
In these endpoints, the issuer is in the format - "issuer": "https://<tenant-name>.b2clogin.com/<tenant-id>/v2.0/"
Does it mean that the issuer URL should be of the format - "https://<tenant-name>.b2clogin.com/<tenant-id>/v2.0/" ? And remaining endpoints that I get from the well-known openid-configuration should be manually entered while configuring Cognito, so as to ensure Cognito uses the B2C Custom Policy that I have in B2C ?
@Anand Patil Yes your understanding is right. I have not much idea about AWS Cognito regarding how it is reading B2C endpoints. However, you can validate all your endpoints of your B2C tenant from well-known openid-configuration and provide those endpoints explicitly in configuration file to point to issuer and other URLs accordingly.
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know. Thanks,
@Shweta Mathur Thanks a lot for providing valuable inputs and suggestions. This entire discussion trail did help me in resolving this issue. Correct Scope, Issuer URLs helped me do so. Also, had to turn off the Cognito's 'automated retrieval' of all endpoints from well-known-openid-configuration endpoint. Instead, provided all the URL's manually.
Thanks again.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 24%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHD%3C/text%3E%3C/svg%3E)
Hi @Anand Patil , may I know what is the url pattern you were putting on the aws Cognito? Thanks
Hi @Anand Patil ,
Thanks for reaching out.
The applications you registered IdentityExperienceFrameworkApp and ProxyIdentityExperienceFrameworkApp are the basic setup for any custom policy.
To use Azure AD B2C as IDp for Amazon Congnito, you need to register one new B2C application by passing Amazon Cognito hosted UI domain name in redirect URL.
Now to add this application as open id connect IDP in user pool,
Take the client id of the above registered application with scope openid , profile.
Reference - https://dev.to/danielbayerlein/how-to-use-azure-ad-b2c-as-idp-for-amazon-cognito-28nj
Hope this will help.
Thanks,
Shweta
The client ID value that needs to be added in the scope for Azure AD B2C custom policy is the client ID of the IdentityExperienceFrameworkApp. This is the same client ID that was recorded in the earlier step. The scope value should be in the format https://{mytenant}.onmicrosoft.com/{client_id for IdentityExperienceFrameworkApp}/{scope-name}. In this case, the scope name is user_impersonation.
It is also important to ensure that the correct scope values are defined in the AWS Cognito User Pool. The scope values should include openid, profile, email, offline_access, and the user_impersonation scope.
If the issue persists, it may be helpful to check the logs in both Azure AD B2C and AWS Cognito to identify any errors or issues with the token request.
References: