Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
Azure AD B2C and OpenID Connect for native application
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 98%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBN%3C/text%3E%3C/svg%3E)
Ben Napper
0
Reputation points
Hi,
I am trying to add authentication to my native mobile application using OpenID Connect protocol and my Azure AD B2C identity provider. I have followed the guide to create custom policies and added a Userinfo endpoint such that it appears in my discovery URL https://learn.microsoft.com/en-us/azure/active-directory-b2c/userinfo-endpoint?pivots=b2c-custom-policy
I have also read the information on https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect
I need the login to redirect to localhost:4000 where my app will finish the process. I have added localhost:4000 to the redirect URIs for my Azure application.
My issue is when I login using the oauth2 authorize endpoint to test the process using a URL with a format:
https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/oauth2/v2.0/authorize?client_id=<client_id>&nonce=defaultNonce&redirect_uri=http%3A%2F%2Flocalhost%3A4000%2F&scope=openid&response_type=id_token&prompt=login
After login I don't receive a code - in the address bar the URL has changed to localhost:4000 (which is correct) but there is a "server_error AADB2C: An exception has occurred." message with a correlation ID of e05d852f-03a1-4ae5-ac86-d3d7bef1ac2e
What exception has occurred? Could you please assist?
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 45%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAV%3C/text%3E%3C/svg%3E)
Akhilesh Vallamkonda 15,350 Reputation points Moderator2024-06-19T08:15:13.97+00:00 Hi @Ben Napper
Could you please check the logs in Application Insights to get detail of error and share with us.
Also, this error might occur the client ID may be missing or incorrect in the Web.config file for the app for more info read https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/b2c/error-sign-into-appIt also, indicates that there is a mismatch between the claim type which is configured and the claim value that you are sending. You can check the claim type in the policy and confirm if they are mentioned correctly.
-
Ben Napper 0 Reputation points
2024-06-20T06:30:03.5833333+00:00 Thank you for your reply. I resolved the issue by reconfiguring two applications (one web and one for mobile) by following the guide more closely at https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#register-the-identityexperienceframework-application
Then I made sure my custom policies had a technical profile for OpenIDConnect and a UserInfoIssuer with the correct "issuer" and "audience" values.
Once I retrieved an
access_tokenfrom/oauth2/v2.0/tokenI used this in a header to make a GET request to/openid/v2.0/userinfoand this responds withobjectIdanddisplayNamekey values, but is missingemailof the user in the payload.Do you have any hints as to why email doesn't appear in the output claim of the userinfo endpoint? I have the following in my custom policy: (redacted issuer and audience)
<TechnicalProfile Id="UserInfoAuthorization"> <DisplayName>UserInfo authorization</DisplayName> <Protocol Name="None" /> <InputTokenFormat>JWT</InputTokenFormat> <Metadata> <!-- Update the Issuer and Audience below --> <!-- Audience is optional, Issuer is required--> <Item Key="issuer">https://issuer</Item> <Item Key="audience">[ "<my_client_id>" ]</Item> <Item Key="client_assertion_type">urn:ietf:params:oauth:client-assertion-type:jwt-bearer</Item> </Metadata> <CryptographicKeys> <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" /> </CryptographicKeys> <OutputClaims> <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/> <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email"/> </OutputClaims> </TechnicalProfile>And specified email output claim in RelyingParty in my Signup_Signin.xml custom policy
<RelyingParty> <DefaultUserJourney ReferenceId="LogIn" /> <Endpoints> <Endpoint Id="UserInfo" UserJourneyReferenceId="UserInfoJourney" /> </Endpoints> <TechnicalProfile Id="PolicyProfile"> <DisplayName>Log In</DisplayName> <Description>Allows users to log into a client application using their password</Description> <Protocol Name="OpenIdConnect" /> <InputClaims> <InputClaim ClaimTypeReferenceId="signInName" /> </InputClaims> <OutputClaims> <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" /> <OutputClaim ClaimTypeReferenceId="email" /> <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" /> </OutputClaims> <SubjectNamingInfo ClaimType="sub" /> </TechnicalProfile> </RelyingParty>
Sign in to comment
Sign in to answer