azure adb2c does not handle oauth2 error code "access_denied" correctly

Hector Meneses @ BMG 25 Reputation points
2024-01-17T21:41:48.4133333+00:00

Hi, I'm using Azure AD B2C with IdentityServer4 as the generic OIDC provider and MSAL LoginMode = popup.

When a user tries to log in but hits Cancel in the popup Account/Login page from IdentityServer, the user is returned to a "redirect" version of the same Account/Login page. If the user then clicks the Cancel button again, the user is redirected back to my application with the following error:

There was an error trying to log you in: 'AADB2C90273: An invalid response was received : 'Error: access_denied' CorrelationId: blah blah

Instead of the above, I would have expected the user to be redirected back to my application and shown the /authentication/login-failed message: There was an error trying to log you in: 'User cancelled the flow.'

I can achieve the above by closing the popup login window, but I would also want to see this when the user clicks the Cancel button. Looking at the OAuth2 error codes (https://www.rfc-editor.org/rfc/rfc6749#section-4.2.2.1), it looks like IdentityServer is correctly using "access_denied" as the returned error.


Accepted answer

Marilee Turscak-MSFT 37,141 Reputation points Microsoft Employee
2024-01-19T01:36:57.73+00:00

Hi Hector Meneses @ BMG,

Thanks for your post! To redirect a user back to the application after selecting the Cancel button, you will either need to catch the error message or hide the Cancel button via JavaScript/CSS. You could replace it with a button that sends the user back.

    When you call a sign-in policy, the redirect URI will be included in the URL. After you click the Cancel button, the user will be redirected to the URL you added.

    You need to catch the error and redirect the user where you want. The error is handled by the application based on the code sent back. For example,

    // Inside the OWIN OpenIdConnectAuthenticationNotifications.AuthenticationFailed handler
    notification.HandleResponse(); // stop the middleware from rendering its own error page
    if (notification.Exception.Message == "access_denied")
    {
        notification.Response.Redirect("/");
    }

    There are several code examples shared in this thread, including an msal-react example.

    If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching similar questions.
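The question describes a Blazor WebAssembly client using the MSAL provider (the /authentication/login-failed route and LoginMode = popup), where the OWIN handler in the answer does not apply. The following Authentication.razor is an added example, not code from the question, the answer, or Microsoft; it assumes a Blazor WebAssembly project with Microsoft.AspNetCore.Components.WebAssembly.Authentication, and that the failure text RemoteAuthenticatorView passes to its LogInFailed template (the text shown in the default "There was an error trying to log you in" message) contains the "access_denied" error code or the "User cancelled the flow." wording quoted in the question. The `IsUserCancellation` helper and `ReturnHome` method are hypothetical names.

```razor
@page "/authentication/{action}"
@using Microsoft.AspNetCore.Components.WebAssembly.Authentication
@inject NavigationManager Navigation

@* Hypothetical Authentication.razor for a Blazor WebAssembly app using the MSAL provider.
   RemoteAuthenticatorView serves /authentication/login, /authentication/login-callback,
   /authentication/login-failed and the other authentication routes. The LogInFailed
   template receives the error text that the default UI prints as
   "There was an error trying to log you in: '...'". *@
<RemoteAuthenticatorView Action="@Action">
    <LogInFailed>
        @if (IsUserCancellation(context))
        {
            <p>Sign-in was cancelled.</p>
            <button class="btn btn-primary" @onclick="ReturnHome">Return to the application</button>
        }
        else
        {
            @* Keep the provider's message for genuine failures so they stay diagnosable. *@
            <p>There was an error trying to log you in: '@context'</p>
        }
    </LogInFailed>
</RemoteAuthenticatorView>

@code {
    [Parameter] public string? Action { get; set; }

    // Treat the OAuth 2.0 "access_denied" error code (RFC 6749) and the message MSAL
    // produces when the popup is closed as a user cancellation rather than a fault.
    // Assumption: the error text handed to LogInFailed contains one of these strings.
    internal static bool IsUserCancellation(string? error) =>
        !string.IsNullOrEmpty(error) &&
        (error.Contains("access_denied", StringComparison.OrdinalIgnoreCase) ||
         error.Contains("User cancelled the flow", StringComparison.OrdinalIgnoreCase));

    private void ReturnHome() => Navigation.NavigateTo("/");
}
```

Only the cancellation case is rewritten; any other error string still surfaces the provider's own message (including the AADB2C correlation ID) so that real configuration or token failures remain visible to whoever has to debug them.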
