How do you customize the AD B2C error AADB2C90208 (The provided id_token_hint parameter is expired. Please provide another token and try again.) in a custom user flow?

Luka Gospodnetić 5 Reputation points
2023-02-27T11:03:12.77+00:00

As part of our custom user registration flow in AD B2C we send a registration link to the user. If the registration token expires, we would like to add the user's e-mail address to the redirect link.

User clicks on the following link:

`https://.../`


1 answer

  1. Akshay-MSFT 16,126 Reputation points Microsoft Employee
    2023-03-01T09:45:51.5266667+00:00

    @Luka Gospodnetić

    Thank you for posting your query on Microsoft Q&A. From the above description I am finding it hard to get the objective. Kindly confirm if you are looking for either of these:

    • Customize the error AADB2C90208 in Azure B2C user flow?
    • Customize the error AADB2C90208 in Azure B2C custom policies?
    • To add the user's e-mail address to the redirect link? This could be done only via login hint, as below


    For a custom policy, if you add the "login_hint" query string parameter to the OpenID Connect authentication request, then you can default the login field to this login hint by adding the "DefaultValue" attribute to the "signInName" input claim for the "SelfAsserted-LocalAccountSignin-Email" technical profile as follows:

    ```xml
    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
      <DisplayName>Local Account Signin</DisplayName>
      ...
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" DefaultValue="{OIDC:LoginHint}" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
        ...
      </OutputClaims>
      ...
    </TechnicalProfile>
    ```

    The "DefaultValue" attribute references a claims resolver that sets the "signInName" claim type to the "login_hint" parameter of the OpenID Connect authentication request.

    See the Set up direct sign-in using Azure Active Directory B2C article for more information about passing the "login_hint" query string parameter.

    Currently it is not possible to customize this error or response URI. You may go ahead and let the product team know about your requirement by posting an idea in the Azure Feedback Forums.

    We noticed your feedback that the answer on this thread was not helpful. If the above suggestion does answer your primary query of customization, I would recommend retaking the feedback (Yes/No), as this would help our community members who have a similar issue.

    Please do let me know if you have any further queries in the comments section.

    Thanks,

    Akshay Kaushik
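Added example (not from the thread or from Microsoft): the relying-party side of the flow discussed above, in Python with only the standard library. It checks the invitation token's `exp` before sending the user to B2C, builds the authorization request carrying both `id_token_hint` and the `login_hint` that `{OIDC:LoginHint}` reads, and classifies what B2C returns to `redirect_uri`. The tenant, policy name, client id and callback URL are placeholders; the sample token is unsigned and only serves the demo (a real hint must be signed with the app's key); using `state` to recover the app's own invitation record is this example's design and assumes B2C echoes `state` on error responses as OAuth 2.0 specifies.

```python
import base64
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values for the demo; substitute your tenant, policy, client id and callback.
B2C_AUTHORIZE = "https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1A_signup_invitation/oauth2/v2.0/authorize"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://app.example/auth/callback"


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT without verifying it; B2C verifies the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def hint_is_expired(id_token_hint: str, now: Optional[int] = None) -> bool:
    """True when the invitation's exp has passed, i.e. B2C would answer AADB2C90208."""
    exp = int(jwt_claims(id_token_hint).get("exp", 0))
    return (now if now is not None else int(time.time())) >= exp


def build_registration_link(id_token_hint: str, email: str, state: str) -> str:
    """Authorization request with id_token_hint plus login_hint (consumed by {OIDC:LoginHint})."""
    query = {
        "client_id": CLIENT_ID, "response_type": "code", "scope": "openid",
        "redirect_uri": REDIRECT_URI, "state": state,
        "id_token_hint": id_token_hint, "login_hint": email,
    }
    return f"{B2C_AUTHORIZE}?{urlencode(query)}"


def classify_callback(callback_url: str) -> dict:
    """Parse what B2C sends back to redirect_uri. The error text itself is fixed by B2C; the app
    maps the AADB2C90208 prefix and recovers its own invitation context from the echoed state."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    desc = q.get("error_description", "")
    return {"state": q.get("state"), "error": q.get("error"),
            "expired_hint": desc.startswith("AADB2C90208")}


def sample_hint(exp: int) -> str:
    """Constructed, unsigned token for the demo only; not a valid B2C id_token_hint."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'sub': 'invite', 'exp': exp})}."
```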