This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 76%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
We are trying to get an OIDC provider to return an 'access denied' error back to an Azure AD B2C user flow when the user cancels / fails the sign in.
The Azure AD B2C documentation states that we should be able to send an error back to AADB2C during the authentication flow using the https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/authresp?error={error_code}&state={state sent in the original auth request} format.
In calling back to oauth2/authresp endpoint with an access_denied error code, AADB2C seems to choke and redirect back to the original client we're trying to sign into with the error:
AADB2C90273: An invalid response was received : 'Error: access_denied' Correlation ID: 3529ded9-1045-423b-9f0b-293b6ecf3b38 Timestamp: 2024-06-25 13:38:15Z
How should sign in fails from OIDC providers be returned to AADB2C to state the provider doesn't accept the sign in?
The documentation implies an error can be sent with a fragment: https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect, where as the OIDC standards imply returning errors with query parameters. Both don't seem to work when talking to /oauth2/authresp.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Hello @AlanStafford,
Thank you for posting your query on Microsoft Q&A.
Please refer the below doc and configure it in Redirect URI of that application.
https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp
I would like to check this up offline with you to understand the scenario. Please let me know your thoughts on this. If you are available for a call kindly share me your available time, so that will create teams invite accordingly. Also, please send us an email on azcommunity@microsoft.com referencing this issue with a subject line "ATTN:pothurajur" include a link to the current thread.
Looking forward for your reply and I hope you have a great week ahead.
Thanks,
Raja Pothuraju.
Hello @AlanStafford,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.