The issue you're encountering with Azure B2C Custom Policy, specifically the Web.TPEngine.Providers.RestfulProvider error, seems to be related to SSL/TLS secure channel trust relationships. The error messages you've encountered, "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel" and "The remote certificate is invalid according to the validation procedure", suggest that there's a problem with the SSL/TLS certificate of your HTTPS MicroService.
Azure Active Directory B2C (Azure AD B2C) supports integrating your own RESTful service by sending data to the RESTful service in an input claims collection and receiving data back in an output claims collection (https://learn.microsoft.com/en-us/azure/active-directory-b2c/restful-technical-profile). The RestfulProvider in Azure AD B2C requires the endpoints to be published to a publicly-accessible HTTPS URI. Before a secure connection is established, the protocol and cipher are negotiated based on the capabilities of Azure AD B2C and the endpoint (https://learn.microsoft.com/EN-US/azure/active-directory-b2c/https-cipher-tls-requirements).
To address the SSL/TLS issue, ensure that your endpoint supports secure communication over TLS version 1.2, as older versions (1.0 and 1.1) are deprecated. Additionally, your endpoint must support at least one of the specified cipher suites, which are sets of cryptographic algorithms essential for secure communication over HTTPS (https://learn.microsoft.com/EN-US/azure/active-directory-b2c/https-cipher-tls-requirements).
You should perform a test using a TLS cipher and scanner tool to verify that your endpoints comply with these requirements. You can use tools like SSL Labs to test your endpoint (https://learn.microsoft.com/EN-US/azure/active-directory-b2c/https-cipher-tls-requirements). This verification is crucial to ensure that Azure AD B2C can establish a trusted connection with your RESTful service.
Additionally, consider the type of authentication your RESTful claims provider is performing. The possible values are None, Basic, Bearer, ClientCertificate, or ApiKeyHeader (https://learn.microsoft.com/en-us/azure/active-directory-b2c/restful-technical-profile). If you are not sending any certificates while calling the REST service, you might want to explore the ClientCertificate option, which indicates that the REST API restricts access using client certificate authentication, allowing only services with the appropriate certificates, such as Azure AD B2C, to access your API.
Remember to also configure error handling appropriately in your custom policy to manage different types of REST API failures effectively (https://learn.microsoft.com/en-us/azure/active-directory-b2c/restful-technical-profile).
Accept the answer if the information helped you. This will help us and others in the community as well.
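As an added example (not part of the answer above and not Microsoft's code), the following Python script performs the pre-flight check the answer recommends from the outside of the endpoint: it handshakes with a client context that only offers what Azure AD B2C would accept (public trust store, hostname verification, TLS 1.2 or later, an allow-listed TLS 1.2 cipher suite), and it maps the certificate-verification failures behind "Could not establish trust relationship" to their usual causes (self-signed certificate, missing intermediate, expired certificate, hostname not in the SAN). Assumptions: the B2C_TLS12_CIPHERS tuple is my transcription of the allow-list on the linked cipher/TLS requirements page and should be confirmed against that page; the target host name is whatever you pass on the command line (api.example.invalid is a placeholder).

```python
"""
Pre-flight check for the HTTPS endpoint behind a B2C RESTful technical
profile: does the chain validate against public roots, is TLS 1.2+ negotiated,
and is the negotiated suite one B2C accepts. Added example, not Microsoft's code.

Assumptions not taken from the original page:
  * B2C_TLS12_CIPHERS is my transcription of the allow-list on the linked
    cipher/TLS requirements page; confirm it against that page.
  * the endpoint listens on 443 and is reachable from where this runs.
"""
import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ACCEPTED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")

# OpenSSL spellings (what ssl.SSLSocket.cipher() reports) of B2C-accepted
# TLS 1.2 suites. Assumption: transcribed from the linked doc, verify there.
B2C_TLS12_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
)

# Fragments of the verification errors OpenSSL/Python actually raise, mapped to
# the cause behind "could not establish trust relationship" and what fixes it.
_VERIFY_CAUSES = (
    ("self-signed certificate", "self-signed",
     "issue the certificate from a public CA; B2C only trusts public roots"),
    ("self signed certificate", "self-signed",  # older OpenSSL spelling
     "issue the certificate from a public CA; B2C only trusts public roots"),
    ("unable to get local issuer certificate", "chain-incomplete",
     "serve the full chain (leaf plus intermediates) from the endpoint"),
    ("certificate has expired", "expired", "renew the certificate"),
    ("hostname mismatch", "hostname-mismatch",
     "the ServiceUrl host must be in the certificate's subjectAltName"),
)


@dataclass
class ProbeReport:
    host: str
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    verify_error: Optional[str] = None
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def classify_verify_error(message: str) -> Tuple[str, str]:
    """Map an ssl.SSLCertVerificationError message to (cause, remediation)."""
    lowered = message.lower()
    for fragment, cause, fix in _VERIFY_CAUSES:
        if fragment in lowered:
            return cause, fix
    return "unknown", "inspect the chain with a TLS scanner such as SSL Labs"


def evaluate(protocol: Optional[str], cipher: Optional[str],
             verify_error: Optional[str] = None, host: str = "endpoint") -> ProbeReport:
    """Decision logic kept free of network I/O so it can be unit-tested."""
    report = ProbeReport(host, protocol, cipher, verify_error)
    if verify_error is not None:
        cause, fix = classify_verify_error(verify_error)
        report.problems.append(f"certificate not trusted ({cause}): {fix}")
    if protocol is not None and protocol not in ACCEPTED_PROTOCOLS:
        report.problems.append(f"negotiated {protocol}; B2C requires TLS 1.2 or later")
    if protocol == "TLSv1.2" and cipher not in B2C_TLS12_CIPHERS:
        report.problems.append(f"cipher {cipher} is not in the B2C allow-list")
    return report


def b2c_like_context() -> ssl.SSLContext:
    """Client context offering only what B2C would accept: platform public
    trust store, hostname checking, TLS >= 1.2, allow-listed TLS 1.2 suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(B2C_TLS12_CIPHERS))  # TLS 1.3 suites are unaffected
    return ctx


def probe(host: str, port: int = 443, timeout: float = 5.0) -> ProbeReport:
    """Handshake with the endpoint once and report what B2C would see."""
    ctx = b2c_like_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cipher_name, protocol, _bits = tls.cipher()
                return evaluate(protocol, cipher_name, host=host)
    except ssl.SSLCertVerificationError as exc:  # subclass of SSLError: catch first
        return evaluate(None, None, verify_error=str(exc), host=host)
    except ssl.SSLError as exc:
        report = ProbeReport(host)
        report.problems.append(
            f"handshake failed ({exc.reason}): no TLS 1.2+ suite B2C accepts was offered")
        return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "api.example.invalid"  # placeholder host
    result = probe(target)
    print(f"{result.host}: {'OK' if result.ok else 'FAIL'} "
          f"protocol={result.protocol} cipher={result.cipher}")
    for problem in result.problems:
        print(" -", problem)
```

Run it as `python probe.py <your-endpoint-host>`. A clean result means a client behaving like B2C could complete the handshake; a "certificate not trusted" line tells you which of the usual chain problems to fix before touching the custom policy, and a "handshake failed" line means the endpoint never offered a TLS 1.2 suite from the allow-list (a TLS 1.3 negotiation passes the suite check, since the allow-list governs TLS 1.2 only).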