How to diagnose "'AADB2C90289: We encountered an 'invalid_client' error connecting to the identity provider."

Adam Collings 20 Reputation points
2024-05-06T05:27:15.5766667+00:00

We have a Blazor application hosted in Azure which uses Microsoft Identity to authenticate the user.

This has worked without incident for several years.

As of last Friday night, any user trying to log into the system receives the following error after entering their login details.

“Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[12] Message contains error: 'server_error', error_description: 'AADB2C90289: We encountered an 'invalid_client' error connecting to the identity provider. Please try again later.”

This is happening consistently every time.

No changes to any Azure configuration have occurred.

No code changes in our application were deployed on Friday (or since).

We are using a custom Azure AD B2C policy to support multiple Azure ADs (multi-tenant).

I have been looking through Azure portal, researching online, and speaking to a former colleague, for 7 hours but really don't know where to begin diagnosing or resolving this problem.

My best guess is that some kind of configuration (perhaps a "client secret") has expired but I'm not sure how to figure out which secret, and what to do about it.

Is anyone able to give me some guidance as to how to proceed?


Accepted answer
  1. Sina Salam 4,296 Reputation points
    2024-05-06T11:03:24.0466667+00:00

    Hello Adam Collings,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    Problem

    Sequel to your questions, I understand that users of a Blazor application hosted in Azure are unable to log in due to an "invalid_client" error, which started occurring suddenly without any recent changes in code or Azure configuration. The issue persists despite several hours of troubleshooting, including examination of Azure configurations and research online.

    Scenario

    In Azure, there's a Blazor application that relies on Microsoft Identity for user authentication. However, recently users trying to log in have been faced with an "invalid_client" error. Strangely, this issue surfaced out of the blue, with no recent updates made to either the application or Azure configuration.

    Solution

    It is good to know your Blazor App has been running successfully for many years, assuming up to five years, right? You can bear me witness that technology changes, especially on security patches and critical updates for better technology consumption. It might not directly come from Azure or the application; it might be from client system updates. Although there are no changes in the code, there must have been changes on the hosting platform or at the client side.

    This prescribed solution was based on the scenario given and your questions, while focusing on the problem statement.

    First thing to do is to identify the cause by:

    • Review the Azure AD B2C configuration to check for any expired or invalid credentials, such as client secrets or certificates.

    • Examine logs and error details to understand the specific nature of the "invalid_client" error.

    Use this code snippet to retrieve logs from Azure AD B2C:

    az monitor log-analytics query -w <workspace-name> --analytics-query "AzureDiagnostics | where Category == 'AuthenticationLogs' | where OperationName == 'Authentication' | where Status == 'Failed'"
    

    Secondly, examine logs and:

    • Navigate to Azure portal > Azure AD B2C > Diagnostic settings > Logs to access detailed logs.
    • Look for entries related to authentication attempts and any associated errors or warnings both on client and hosting sides.
    • Code Review: Pay particular attention to any code related to authentication and interaction with Azure AD B2C in your code. There might be a dependency that requires an update or upgrade.

    Finally

    You will need to check Client Secrets and Certificates by navigating to Azure portal > Azure AD B2C > App registrations. Check the expiration status of any client secrets or certificates associated with the application. If expired, generate new client secrets or certificates as needed and update the application configuration accordingly.

    How you can update the client secret in a Blazor application:

    // Uses the legacy Microsoft.AspNetCore.Authentication.AzureAD.UI package; needs:
    // using Microsoft.AspNetCore.Authentication.AzureAD.UI;
    // using Microsoft.AspNetCore.Authentication.OpenIdConnect;
    services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
        .AddAzureAD(options => Configuration.Bind("AzureAd", options));
    // Override the ClientSecret bound from the "AzureAd" configuration section with the
    // newly generated value (prefer reading it from configuration or Key Vault over hard-coding).
    services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
    {
        options.ClientSecret = "your-new-client-secret";
    });
    


    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam NR.


1 additional answer

  1. James Hamil 22,431 Reputation points Microsoft Employee
    2024-05-06T19:38:33.8266667+00:00

    Hi @Adam Collings, the error message "invalid_client" usually indicates that the client ID or client secret is incorrect or has expired.

    To diagnose and resolve this issue, you can try the following steps:

    1. Check the client ID and client secret in your Azure AD B2C policy. Make sure that they are correct and have not expired. You can find the client ID and client secret in the "Keys" section of your Azure AD B2C application registration.
    2. Check the expiration date of the client secret. If the client secret has expired, you will need to generate a new one and update your Azure AD B2C policy with the new value.
    3. Check the Azure AD B2C logs for more information about the error. You can find the logs in the Azure portal under "Azure AD B2C" > "Logs". Look for any errors related to the authentication process or the client ID/secret.
    4. If you are still unable to resolve the issue, you can try creating a new Azure AD B2C application registration and updating your policy to use the new client ID and secret. This will help you determine if the issue is related to the application registration or the policy configuration.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James
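Both answers come down to the same check: which app registration credential expired. As an added example (not code from either answer, nor a Microsoft tool), here is a Python script that audits the JSON printed by `az ad app list` and flags expired or soon-expiring client secrets and certificates on every registration; the sample data, the placeholder appIds and the `audit_secrets.py` filename are constructed for illustration.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape `az ad app list` returns (not real tenant data;
# appIds are placeholders). passwordCredentials = client secrets, keyCredentials = certificates.
SAMPLE_APPS_JSON = """[
  {"displayName": "blazor-b2c-app", "appId": "00000000-0000-0000-0000-000000000001",
   "passwordCredentials": [
     {"displayName": "prod-secret", "keyId": "k1", "endDateTime": "2024-05-03T18:00:00Z"},
     {"displayName": "rotated-2024", "keyId": "k2", "endDateTime": "2025-01-01T00:00:00Z"}],
   "keyCredentials": [
     {"displayName": "signing-cert", "keyId": "c1", "endDateTime": "2024-05-20T00:00:00Z"}]},
  {"displayName": "other-app", "appId": "00000000-0000-0000-0000-000000000002",
   "passwordCredentials": [], "keyCredentials": []}
]"""


def parse_ts(ts):
    """az emits ISO-8601 with a trailing 'Z'; return a timezone-aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_credentials(apps, now, warn_days=30):
    """Return one dict per expired or soon-expiring secret/certificate across all apps."""
    findings = []
    for app in apps:
        for kind, field in (("secret", "passwordCredentials"), ("certificate", "keyCredentials")):
            for cred in app.get(field) or []:
                end = parse_ts(cred["endDateTime"])
                if end <= now:
                    status = "EXPIRED"
                elif end - now <= timedelta(days=warn_days):
                    status = "EXPIRING"
                else:
                    continue  # healthy credential, nothing to report
                findings.append({
                    "app": app["displayName"], "appId": app["appId"], "kind": kind,
                    "credential": cred.get("displayName") or cred["keyId"],
                    "status": status, "endDateTime": cred["endDateTime"],
                })
    return findings


def audit_json(text, now_iso=None, warn_days=30):
    """Audit `az ad app list` JSON; now_iso pins the clock (defaults to current UTC)."""
    now = parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    return audit_credentials(json.loads(text), now, warn_days)


if __name__ == "__main__":
    # Pipe real output in with `az ad app list | python audit_secrets.py`; otherwise use the sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_APPS_JSON
    for f in audit_json(source):
        print(f"{f['status']:8} {f['app']} ({f['appId']}) {f['kind']} '{f['credential']}' ends {f['endDateTime']}")
```

Against the sample, with the clock set to the time of the question, it reports `prod-secret` as EXPIRED and `signing-cert` as EXPIRING, which is exactly the pair of findings the two answers ask you to hunt for in the portal.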