Azure ADB2C callback url is giving bad request of redirect from OpenID connect

Gangarde, Sachin 20 Reputation points
2024-03-01T22:52:51.67+00:00

Hi,

I have a single sign-on solution using Azure ADB2C. I use custom policies.

We have different IDPs and one of them is Auth0. We are connecting to Auth0 using OpenID Connect, but it looks like we are having an issue in redirection after user login.

Below is a technical profile for Auth0 OpenId connect in Azure AD B2C custom policies.

<TechnicalProfile Id="Auth0-OID">
  <DisplayName>Auth0</DisplayName>
  <Protocol Name="OpenIdConnect" />
  <Metadata>
    <!-- Discovery document; endpoints set explicitly below take precedence over it. -->
    <Item Key="METADATA">https://dev-domain.us.auth0.com/.well-known/openid-configuration</Item>
    <Item Key="authorization_endpoint">https://dev-domain.us.auth0.com/authorize</Item>
    <!-- Authorization code flow; the IdP posts code + state back to /oauth2/authresp. -->
    <Item Key="response_types">code</Item>
    <Item Key="response_mode">form_post</Item>
    <Item Key="scope">openid email profile</Item>
    <Item Key="HttpBinding">POST</Item>
    <!-- 0: redirect URI has no policy segment, i.e. https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/authresp -->
    <Item Key="UsePolicyInRedirecturi">0</Item>
    <Item Key="client_id">FqDd**********Yor1hiVlgFk</Item>
  </Metadata>
  <CryptographicKeys>
    <!-- Client secret lives in a policy key, never inline in the XML. -->
    <Key Id="client_secret" StorageReferenceId="B2C_1A_Auth0Secret" />
  </CryptographicKeys>
  <OutputClaims>
    <!--<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="aud" />-->
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
    <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
    <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="Auth0.com" AlwaysUseDefaultValue="true" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
    <!-- The per-user identifier must come from the "sub" claim. "aud" is the audience
         (the client_id) and is the same for every user, so mapping it here would give
         every Auth0 user the same alternativeSecurityId. -->
    <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="sub" />
    <OutputClaim ClaimTypeReferenceId="accountEnabled" DefaultValue="True" AlwaysUseDefaultValue="true"/>
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
    <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
    <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
</TechnicalProfile>

After login, it tries to redirect back to the application, but in browser, it just shows a bad request for the below return URL:

https://devdomainb2c.b2clogin.com/devdomainb2c.onmicrosoft.com/oauth2/authresp

Behind the scenes user gets logged in if I try to visit the login flow again, but it is failing on redirection. We have this callback URL added to the Auth0 application.

Below is the actual error:

[screenshot of the browser error; image not reproduced in this text]

What could be the reason for logging in user behind the scenes but not redirecting to the UI?

Appreciate any help.

Devdomain - is not the actual name of the domain. It is used as a placeholder here to hide actual domain.


1 answer

  1. Akshay-MSFT 16,031 Reputation points Microsoft Employee
    2024-03-04T12:12:56.2266667+00:00

    @Gangarde, Sachin

    Thank you for posting your query on Microsoft Q&A, from above description, I could understand that you are getting "bad request" when trying to access B2C hosted app with Auth0 IDP.

    Please do correct me if this is not the case by responding in the comments section.

    For the Authorized redirect URIs, enter https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp. If you use a custom domain, enter https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp. Replace your-domain-name with your custom domain, and your-tenant-name with the name of your tenant. Use all lowercase letters when entering your tenant name even if the tenant is defined with uppercase letters in Azure AD B2C. In all instances, replace your-tenant-name with the Directory (tenant) subdomain. For example, if your tenant primary domain is contoso.onmicrosoft.com, use contoso. If you don't have your tenant name, learn how to read your tenant details.

    • Your callback URL contains the tenant name "devdomain"; however, as per your domain's well-known OpenID configuration, your domain name looks to be dev-domain. Kindly replace

    https://devdomainb2c.b2clogin.com/devdomainb2c.onmicrosoft.com/oauth2/authresp

    with

    https://dev-domainb2c.b2clogin.com/devdomainb2c.onmicrosoft.com/oauth2/authresp

    • The authorization endpoint in metadata has been defined as
      <Item Key="authorization_endpoint">https://dev-domain.us.auth0.com/authorize</Item>

    However, as per your .well-known/openid-configuration, the authorization endpoint should be

    "https://dev-domain.auth0.com/authorize"

    Kindly try the suggested changes and let me know if any further inputs are needed.

    Please "Accept the answer (Yes)" and "share your feedback ". This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik
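The two checks the answer above recommends (the exact callback URL registered at the IdP, and a hardcoded authorization_endpoint that must agree with the IdP's discovery document) can be scripted so they run before a policy is uploaded. The block below is an added example written for this page; it is not code from the original thread, from Microsoft, or from Auth0. It parses a cut-down copy of the technical profile, compares it with a constructed stand-in for the .well-known/openid-configuration response, derives the redirect URI B2C will send (lowercased tenant, optional custom domain, policy segment only when UsePolicyInRedirecturi is true), and requires that URI verbatim in the IdP's callback allow-list. It also flags a per-user claim mapped from aud, since aud is the client_id and is identical for every user. The tenant "devdomainb2c" and the Auth0 domain "dev-domain.us.auth0.com" are the question's placeholders; the discovery JSON is a constructed sample, and treating an absent UsePolicyInRedirecturi as false is an assumption of this checker.

```python
# Added example, not code from the original post, Microsoft or Auth0: offline
# sanity checks for an Azure AD B2C OpenIdConnect technical profile against the
# IdP's discovery document and the callback allow-list configured at the IdP.
# The profile XML and discovery JSON are constructed samples built from the
# question's placeholders ("devdomainb2c", "dev-domain.us.auth0.com").
import json
import xml.etree.ElementTree as ET

TECHNICAL_PROFILE = """<TechnicalProfile Id="Auth0-OID">
  <Protocol Name="OpenIdConnect" />
  <Metadata>
    <Item Key="METADATA">https://dev-domain.us.auth0.com/.well-known/openid-configuration</Item>
    <Item Key="authorization_endpoint">https://dev-domain.us.auth0.com/authorize</Item>
    <Item Key="response_types">code</Item>
    <Item Key="response_mode">form_post</Item>
    <Item Key="UsePolicyInRedirecturi">0</Item>
  </Metadata>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
    <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="aud" />
  </OutputClaims>
</TechnicalProfile>"""

# Constructed stand-in for GET {METADATA}; only the fields the checks read.
DISCOVERY = json.dumps({
    "issuer": "https://dev-domain.us.auth0.com/",
    "authorization_endpoint": "https://dev-domain.us.auth0.com/authorize",
    "token_endpoint": "https://dev-domain.us.auth0.com/oauth/token",
    "response_types_supported": ["code", "token", "id_token", "code id_token"],
    "response_modes_supported": ["query", "fragment", "form_post"],
})


def _local(tag):
    """Strip an XML namespace prefix ({ns}Item -> Item); real policy files carry one."""
    return tag.rsplit("}", 1)[-1]


def b2c_redirect_uri(tenant, policy=None, custom_domain=None):
    """Redirect URI B2C presents to an external IdP: tenant subdomain lowercased,
    custom domain replacing the b2clogin.com host, policy segment only when
    UsePolicyInRedirecturi is true."""
    tenant = tenant.lower()
    host = custom_domain.lower() if custom_domain else f"{tenant}.b2clogin.com"
    path = f"/{tenant}.onmicrosoft.com" + (f"/{policy}" if policy else "")
    return f"https://{host}{path}/oauth2/authresp"


def metadata_items(profile_xml):
    root = ET.fromstring(profile_xml)
    return {el.get("Key"): (el.text or "").strip()
            for el in root.iter() if _local(el.tag) == "Item"}


def check_profile(profile_xml, discovery_json, tenant, policy, allowed_callbacks):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    meta = metadata_items(profile_xml)
    disc = json.loads(discovery_json)

    # A hardcoded authorization_endpoint overrides discovery, so it must agree with it.
    hard = meta.get("authorization_endpoint")
    if hard and hard != disc["authorization_endpoint"]:
        findings.append(f"authorization_endpoint {hard} differs from discovery {disc['authorization_endpoint']}")
    # The METADATA URL should live under the issuer the IdP advertises.
    if not meta.get("METADATA", "").startswith(disc["issuer"]):
        findings.append(f"METADATA {meta.get('METADATA')} is not under issuer {disc['issuer']}")
    # The IdP must support the requested flow shape (code + form_post here).
    if meta.get("response_types") not in disc["response_types_supported"]:
        findings.append(f"response_types {meta.get('response_types')} not supported by IdP")
    if meta.get("response_mode") not in disc["response_modes_supported"]:
        findings.append(f"response_mode {meta.get('response_mode')} not supported by IdP")
    # Auth0 matches callback URLs exactly, so derive the one B2C will send and
    # require it verbatim. Absent UsePolicyInRedirecturi is treated as false
    # here (assumption of this checker; confirm against the B2C docs).
    use_policy = meta.get("UsePolicyInRedirecturi", "").lower() in ("1", "true")
    expected = b2c_redirect_uri(tenant, policy if use_policy else None)
    if expected not in allowed_callbacks:
        findings.append(f"redirect URI {expected} is not in the IdP callback allow-list")
    # The per-user identifier must come from sub; aud is the client_id and is
    # the same for every user, which would merge all IdP users into one account.
    root = ET.fromstring(profile_xml)
    for el in root.iter():
        if (_local(el.tag) == "OutputClaim"
                and el.get("ClaimTypeReferenceId") == "socialIdpUserId"
                and el.get("PartnerClaimType") != "sub"):
            findings.append(f"socialIdpUserId mapped from {el.get('PartnerClaimType')}; use sub")
    return findings


if __name__ == "__main__":
    callbacks = {b2c_redirect_uri("devdomainb2c")}
    for f in check_profile(TECHNICAL_PROFILE, DISCOVERY, "DevDomainB2C", "B2C_1A_signup_signin", callbacks):
        print("FINDING:", f)
```

To use it against a real tenant, replace DISCOVERY with the body fetched from the METADATA URL and allowed_callbacks with the Allowed Callback URLs list from the Auth0 application; the expected URI must match that list character for character, including case and the absence or presence of the policy segment.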