Invalid_Grant AADB2C90085 error while using B2C Custom Policy with Google, FB and Azure AD as IdP

Question

Invalid_Grant AADB2C90085 error while using B2C Custom Policy with Google, FB and Azure AD as IdP

Anand Patil 95

I have an Azure AD B2C Custom Policy defined in my B2C tenant. There are three identity providers configured in the same - Google, Facebook and Azure AD. The custom policy also has four custom attributes which are populated using a rest api endpoint configured in the policy itself. Verified that this setup works fine using jwt.ms.

My main web application is hosted in AWS and has a cloudfront url. This application uses Cognito user pool, and cognito is configured to make use of the above B2C Custom Policy as a federated identity provider. The 'Allowed callback URL' setting for the cognito user pool is the cloudfront url my web application. (https://mycloudfronturl.cloudfront.net/redirectapp)

Redirect uri configured in Azure AD B2C is the AWS Cognito domain url appended with /oauth2/idpresponse. (https://myuserpool.auth.ap-south-1.amazoncognito.com/oauth2/idpresponse)

When I try to do an end-to-end test for this setup, it seems the authentication goes fine, however when the user is redirected to my web application's cloudfront url, I see errors in console which says -
{Federated Identity provider name in AWS Cognito user pool}+Error+-+400+invalid_grant+AADB2C90085:+The+service+has+encountered+an+internal+error.+Please+reauthenticate+and+try+again.

The redirect url's have been double checked and they are correct.

What will be the root cause of this issue and how do I get it resolved quickly ?

Any quick pointers are highly appreciated.

Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2024-10-10T08:22:26.4533333+00:00

@Anand Patil Did you get a chance to validate your application configuration?
Anand Patil 95 Reputation points

2024-10-11T14:20:07.6933333+00:00

@Shweta Mathur I did verify the configurations. Both at Azure end as well as in AWS. No changes observed. Tried testing with jwt.ms and that seems to work. However, when I redirect to my application's cloudfront url, back to same invalid_grant error. :(
Anand Patil 95 Reputation points

2024-10-11T15:09:02.45+00:00
@Shweta Mathur Here is a brief of what I am trying to achieve. I have direct SSO integration for one of my apps - 'App A'. Now I have to integrate another 'App B' in my ecosystem. Link to this 'App B' will be from 'App A'. So I am trying to have SSO in place for 'App B'. My 'App B' is hosted in AWS.

I have two types of users - Admin & Custom. Admin users are using Azure AD as the identity provider, while Custom users make use of Google and Facebook as the identity provider.

So, I have created an Azure AD B2C Custom Policy with configurations for all the three identity providers. And tested the same with jwt.ms as redirect url and seems it is working fine.

In Azure AD B2C, I have registered my app and redirect URI's for the same are - jwt.ms & AWS Cognito domain url + '/oauth2/idpresponse'

In AWS Cognito user pool, I have added the B2C Custom Policy as the federated identity provider. The allowed callback url for the registered cognito pool app is the cloudfront url for 'App B'.

I need to have a redirect url to be put in 'App A' so that user after logging in to 'App A' can be seamlessly redirected to 'App B'. I have used this redirect url in 'App A' - Cognito user pool domain URL +'oauth2/authorize?response_type=code&client_id={AWS-Cognito-App-Id}&redirect_uri={App B Cloudfront url}&scope=openid&identity_provider={FederatedIdP name in AWS Cognito}'

Kindly let me know if I am doing any incorrect configurations here.
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2024-10-14T06:02:37.0166667+00:00

@Anand Patil

The scenario seems to be valid. As per your validation, it seems to be URL issue only rather than other configuration issue.

Also, could you please confirm that B2C policy has exact same URL configured as in AWS Cognito user pool.

Additionally, you should check that the CloudFront URL for 'App B' is correctly configured in your AWS Cognito user pool as the allowed callback URL for the registered Cognito pool app.

In case the above does not work for you, please send us an email on azcommunity [at] microsoft [dot] com referencing this issue with a subject line "ATTN:shweta" and I will help you with alternative support options to troubleshoot this further.

Thanks,

Shweta

2 answers

Your answer

Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2024-10-10T08:22:26.4533333+00:00

@Anand Patil Did you get a chance to validate your application configuration?
Anand Patil 95 Reputation points

2024-10-11T14:20:07.6933333+00:00

@Shweta Mathur I did verify the configurations. Both at Azure end as well as in AWS. No changes observed. Tried testing with jwt.ms and that seems to work. However, when I redirect to my application's cloudfront url, back to same invalid_grant error. :(
Anand Patil 95 Reputation points

2024-10-11T15:09:02.45+00:00

@Shweta Mathur Here is a brief of what I am trying to achieve. I have direct SSO integration for one of my apps - 'App A'. Now I have to integrate another 'App B' in my ecosystem. Link to this 'App B' will be from 'App A'. So I am trying to have SSO in place for 'App B'. My 'App B' is hosted in AWS.

I have two types of users - Admin & Custom. Admin users are using Azure AD as the identity provider, while Custom users make use of Google and Facebook as the identity provider.

So, I have created an Azure AD B2C Custom Policy with configurations for all the three identity providers. And tested the same with jwt.ms as redirect url and seems it is working fine.

In Azure AD B2C, I have registered my app and redirect URI's for the same are - jwt.ms & AWS Cognito domain url + '/oauth2/idpresponse'

In AWS Cognito user pool, I have added the B2C Custom Policy as the federated identity provider. The allowed callback url for the registered cognito pool app is the cloudfront url for 'App B'.

I need to have a redirect url to be put in 'App A' so that user after logging in to 'App A' can be seamlessly redirected to 'App B'. I have used this redirect url in 'App A' - Cognito user pool domain URL +'oauth2/authorize?response_type=code&client_id={AWS-Cognito-App-Id}&redirect_uri={App B Cloudfront url}&scope=openid&identity_provider={FederatedIdP name in AWS Cognito}'

Kindly let me know if I am doing any incorrect configurations here.
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2024-10-14T06:02:37.0166667+00:00

@Anand Patil

The scenario seems to be valid. As per your validation, it seems to be URL issue only rather than other configuration issue.

Also, could you please confirm that B2C policy has exact same URL configured as in AWS Cognito user pool.

Additionally, you should check that the CloudFront URL for 'App B' is correctly configured in your AWS Cognito user pool as the allowed callback URL for the registered Cognito pool app.

In case the above does not work for you, please send us an email on azcommunity [at] microsoft [dot] com referencing this issue with a subject line "ATTN:shweta" and I will help you with alternative support options to troubleshoot this further.

Thanks,

Shweta

Answer 1

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Answer 2

Shweta Mathur 30,296 Microsoft Employee Moderator

Hi @Anand Patil ,

Thank you for reaching out.

In reference to our previous discussion (https://learn.microsoft.com/en-us/answers/questions/1792571/azure-ad-b2c-custom-policy-as-a-federated-identity), you were able to resolve the 400 Bad Request error by making the necessary configuration adjustments.

At that time, the only variation in the configuration was that you were using https://jwt.ms as the Allowed Callback URL.

The new callback URL should not impact the authentication process. However

1.Ensure that the Redirect URI in Azure AD B2C (configured in your custom policy) exactly matches the Cognito callback URL: https://myuserpool.auth.ap-south-1.amazoncognito.com/oauth2/idpresponse.

Ensure that the Allowed Callback URL in AWS Cognito matches the URL of your CloudFront distribution where the app is hosted: https://mycloudfronturl.cloudfront.net/redirectapp.

Sometimes, even small differences in case, trailing slashes, or URL encoding can lead to mismatches. Double-check that they match exactly.

Could you also confirm if the setup is still working with jwt.ms and only encountering errors with the CloudFront URL?

Hope this will help.

Thanks,

Shweta

Anand Patil 95 Reputation points

2024-10-08T13:52:02.1566667+00:00

Hi @Shweta Mathur ,

I have verified redirect uri's in B2C as well as the allowed redirect url's in Cognito too.

There is no change in them, apart from changing the jwt.ms to my cloud front url.

Still fails.

Unfortunately, when I am now trying using the jwt.ms url, even then I get a failure. :(

Error is same - {Federated Identity provider name in AWS Cognito user pool}+Error+-+400+invalid_grant+AADB2C90085:+The+service+has+encountered+an+internal+error.+Please+reauthenticate+and+try+again.

Regards,

Anand Patil
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2024-10-09T04:48:01.6933333+00:00

Anand Patil Please review all the configurations again based on our previous discussion. There may have been changes in other settings that could be causing the issue.

Share via

Invalid_Grant AADB2C90085 error while using B2C Custom Policy with Google, FB and Azure AD as IdP

2 answers

Your answer