Azure B2C Custom Policy: Rest Api Error

lokesh kumar 0 Reputation points
2023-11-17T09:27:24.5266667+00:00

Currently, I am using the Web.TPEngine.Providers.RestfulProviderRestfulProvider to call an HTTPS microservice.

I am not sending any certificates while calling the REST service.

```json
"Exception": {
  "Kind": "Handled",
  "HResult": "80131509",
  "Message": "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.",
  "Data": {},
  "Exception": {
    "Kind": "Handled",
    "HResult": "80131501",
    "Message": "The remote certificate is invalid according to the validation procedure.",
    "Data": {}
  }
}
```

Please help with this.


1 answer

  1. Carlos Solís Salazar 17,871 Reputation points
    2023-11-17T12:10:20.7966667+00:00

    The issue you're encountering with the Azure B2C custom policy, specifically the Web.TPEngine.Providers.RestfulProviderRestfulProvider error, seems to be related to SSL/TLS secure channel trust relationships. The error messages you've encountered, "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel" and "The remote certificate is invalid according to the validation procedure", suggest that there's a problem with the SSL/TLS certificate of your HTTPS microservice.

    Azure Active Directory B2C (Azure AD B2C) supports integrating your own RESTful service by sending data to the RESTful service in an input claims collection and receiving data back in an output claims collection (https://learn.microsoft.com/en-us/azure/active-directory-b2c/restful-technical-profile). The RestfulProvider in Azure AD B2C requires the endpoints to be published to a publicly-accessible HTTPS URI. Before a secure connection is established, the protocol and cipher are negotiated based on the capabilities of Azure AD B2C and the endpoint (https://learn.microsoft.com/EN-US/azure/active-directory-b2c/https-cipher-tls-requirements).

    To address the SSL/TLS issue, ensure that your endpoint supports secure communication over TLS version 1.2, as older versions (1.0 and 1.1) are deprecated. Additionally, your endpoint must support at least one of the specified cipher suites, which are sets of cryptographic algorithms essential for secure communication over HTTPS (https://learn.microsoft.com/EN-US/azure/active-directory-b2c/https-cipher-tls-requirements).

    You should perform a test using a TLS cipher and scanner tool to verify that your endpoints comply with these requirements. You can use tools like SSLLABS to test your endpoint (https://learn.microsoft.com/EN-US/azure/active-directory-b2c/https-cipher-tls-requirements). This verification is crucial to ensure that Azure AD B2C can establish a trusted connection with your RESTful service.

    Additionally, consider the type of authentication your RESTful claims provider is performing. The possible values are None, Basic, Bearer, ClientCertificate, or ApiKeyHeader (https://learn.microsoft.com/en-us/azure/active-directory-b2c/restful-technical-profile). If you are not sending any certificates while calling the REST service, you might want to explore the ClientCertificate option, which indicates that the REST API restricts access using client certificate authentication, allowing only services with the appropriate certificates, such as Azure AD B2C, to access your API.

    Remember to also configure error handling appropriately in your custom policy to manage different types of REST API failures effectively (https://learn.microsoft.com/en-us/azure/active-directory-b2c/restful-technical-profile).

    Accept the answer if the information helped you. This will help us and others in the community as well.

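As an added example (not part of the question or the answer above), the following Python probe reproduces the two checks the answer recommends against your own endpoint: whether the server's certificate chain validates against a standard trust store (the condition behind "The remote certificate is invalid according to the validation procedure") and whether TLS 1.2 or later is negotiated. It assumes only the Python standard library; the host name, the `ACCEPTED_PROTOCOLS` tuple and the `TlsProbeResult`/`assess`/`probe` names are this example's own. The cipher name is reported so you can compare it against the cipher suite list on the linked requirements page.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

# Assumption: B2C accepts TLS 1.2 or newer; 1.0 and 1.1 are deprecated, as the answer notes.
ACCEPTED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")


@dataclass
class TlsProbeResult:
    host: str
    protocol: Optional[str]      # as reported by ssl.SSLSocket.version(), e.g. "TLSv1.2"
    cipher: Optional[str]        # OpenSSL cipher name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    verify_error: Optional[str]  # None when the chain validated against the system trust store


def assess(result: TlsProbeResult) -> List[str]:
    """Return findings that would stop B2C trusting the endpoint; an empty list means none found."""
    findings = []
    if result.verify_error is not None:
        # Typical causes: self-signed leaf, missing intermediate, expired cert, hostname mismatch.
        findings.append(f"certificate chain failed validation: {result.verify_error}")
    if result.protocol is not None and result.protocol not in ACCEPTED_PROTOCOLS:
        findings.append(f"negotiated {result.protocol}; TLS 1.2 or later is required")
    return findings


def probe(host: str, port: int = 443, timeout: float = 5.0) -> TlsProbeResult:
    """Handshake with full verification; if the chain fails, retry unverified to report the details."""
    strict = ssl.create_default_context()            # verifies chain and hostname
    strict.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1, as B2C does
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with strict.wrap_socket(sock, server_hostname=host) as tls:
                return TlsProbeResult(host, tls.version(), tls.cipher()[0], None)
    except ssl.SSLCertVerificationError as e:
        verify_error = e.verify_message
    except ssl.SSLError as e:
        return TlsProbeResult(host, None, None, str(e))
    # Chain failed: reconnect without verification only to learn what was negotiated.
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with lax.wrap_socket(sock, server_hostname=host) as tls:
            return TlsProbeResult(host, tls.version(), tls.cipher()[0], verify_error)
```

Run `assess(probe("api.example.com"))` against your microservice's public host name; an empty list means the chain and protocol checks pass, otherwise each finding names the blocker.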
