Userinfo endpoint test

Carlos Barragan 26 Reputation points
2021-01-19T03:46:09.59+00:00

Hi,

I did the configurations in the document https://learn.microsoft.com/en-us/azure/active-directory-b2c/userinfo-endpoint?pivots=b2c-custom-policy.
When I get to the testing part and I use Postman I get a 401 Unauthorised. So, I cannot test my endpoint. I'm trying to use it with Salesforce as SP. In Salesforce, after entering the username and password I get the error "We can’t log you in because of an authentication error.".

Does anyone know what's happening and how to test the endpoint?

Thanks

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

3 answers

  1. Bhushan Gawale 331 Reputation points
    2022-03-29T10:33:08.927+00:00

    Has anyone managed to resolve this? Facing a similar error in one of the Azure AD B2C environments where the UserInfo endpoint continues to throw a 401 Unauthorized error even after presenting a valid access token to it.

    Must admit that there is a huge scope for improvement when it comes to the overall documentation of Azure AD B2C, specifically around custom policies (which are not a very user-friendly way to customize user journeys and experience) and also a lot of third-party integrations where B2C could act as IDP, e.g. Salesforce. If something can be done to make the UserInfo endpoint available natively in B2C it would resolve half of the issues associated with getting the UserInfo endpoint working for AAD B2C.

    Any input on original issue would be appreciated. Thanks!

    1 person found this answer helpful.

  2. Suresh Babu 1 Reputation point
    2021-04-16T13:39:08.723+00:00

    @Carlos Barragan, did you manage to get this solved? I have been having a very hard time getting this to work with Salesforce as SP and B2C as IDP. Can you please let me know if you managed to get that working?


  3. Sanal Somasundaran 11 Reputation points
    2023-07-07T09:29:51.9566667+00:00

    We were having the same issue with the userinfo endpoint. It turned out that the issuer Item under TechnicalProfile Id="UserInfoAuthorization" was not matching the iss claim in the token due to a case mismatch.

    We figured it out after looking into the Application Insights traces for Azure B2C. The only difference was in the issuer URL, where the case was different. In the token, the iss claim is always in lowercase. So this could be one reason why we could get a 401 error even when the token is valid.
    Another reason could be a mismatch in the Audience (Item Key="audience") value. Since it's optional, we haven't restricted it to a particular clientId. If it is set, then we can use the userinfo endpoint only for those specific endpoints.

    Example:

    The technical profile here has an issuer in mixed case.

    <TechnicalProfile Id="UserInfoAuthorization">
      <DisplayName>UserInfo authorization</DisplayName>
      <Protocol Name="None" />
      <InputTokenFormat>JWT</InputTokenFormat>
      <Metadata>
        <!-- Update the Issuer and Audience below -->
        <!-- Audience is optional, Issuer is required-->
        <Item Key="issuer">https://SampleB2CTenant.b2clogin.com/11111111-1111-1111-1111-111111111111/v2.0/</Item>
        <!-- <Item Key="audience">[ "22222222-2222-2222-2222-222222222222", "33333333-3333-3333-3333-333333333333" ]</Item> -->
        <Item Key="client_assertion_type">urn:ietf:params:oauth:client-assertion-type:jwt-bearer</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
        <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email"/>
        <!-- Optional claims to read from the access token. -->
        <!-- <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name"/>
             <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name"/>
             <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name"/> -->
      </OutputClaims>
    </TechnicalProfile>
    
    

    JWT Token

    In the token, the iss claim value is always lowercase.

    {
      "ver": "1.0",
      "iss": "https://sampleb2ctenant.b2clogin.com/11111111-1111-1111-1111-111111111111/v2.0/",
      "sub": "baee575c-0936-4afa-9fb4-92198c6ab2b2",
      "aud": "4dc1e1f8-e42d-46df-a73f-ddca5616658d",
      "exp": 1688725206,
      "iat": 1688721606,
      "auth_time": 1688721596,
      "email": "******@email.com",
      "name": "test user",
      "given_name": "test",
      "family_name": "user",
      "tid": "11111111-1111-1111-1111-111111111111",
      "buildId": "20230621.1_Release-191",
      "tfp": "B2C_1A_HRDSignIn_v2",
      "nbf": 1688721606
    }
    

    Hence, the token validation fails due to an issuer mismatch:

     "Exception": {
                "Kind": "Handled",
                "HResult": "80131500",
                "Message": "IDX10205: Issuer validation failed. Issuer: 'https://sampleb2ctenant.b2clogin.com/11111111-1111-1111-1111-111111111111/v2.0/'. Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: 'https://SampleB2CTenant.b2clogin.com/11111111-1111-1111-1111-111111111111/v2.0/' or validationParameters.ConfigurationManager.CurrentConfiguration.Issuer: 'Null'. For more details, see https://aka.ms/IdentityModel/issuer-validation. ",
                "Data": {}
              }
    
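The answer above boils down to one check: the issuer (and, if configured, the audience) in the UserInfoAuthorization technical profile must match the token's claims as an exact string, which is why a URL that differs only in case produces IDX10205. The script below is an added example (not code from the thread or from Microsoft) that reads the issuer/audience Items from a policy fragment, decodes a token's payload without verifying its signature (it is a configuration diagnostic, not a token validator), and reports whether a failure is a plain mismatch or only a case mismatch. The policy XML, the claim values and the alg=none demo token are all constructed for the example.

```python
"""Diagnose issuer/audience mismatches between a B2C UserInfoAuthorization
technical profile and the access token presented to the userinfo endpoint.

Added example; not from the original thread. Signature checking is out of
scope here on purpose: the goal is to explain a 401 caused by configuration.
"""
import base64
import json
import xml.etree.ElementTree as ET

# Constructed policy fragment: issuer in mixed case, as in the thread's example.
POLICY_XML = """
<TechnicalProfile Id="UserInfoAuthorization">
  <Protocol Name="None" />
  <InputTokenFormat>JWT</InputTokenFormat>
  <Metadata>
    <Item Key="issuer">https://SampleB2CTenant.b2clogin.com/11111111-1111-1111-1111-111111111111/v2.0/</Item>
    <Item Key="audience">[ "22222222-2222-2222-2222-222222222222" ]</Item>
  </Metadata>
</TechnicalProfile>
"""

# Constructed claims; B2C issues the iss value in lowercase.
SAMPLE_CLAIMS = {
    "iss": "https://sampleb2ctenant.b2clogin.com/11111111-1111-1111-1111-111111111111/v2.0/",
    "aud": "22222222-2222-2222-2222-222222222222",
    "sub": "baee575c-0936-4afa-9fb4-92198c6ab2b2",
}


def read_profile_metadata(policy_xml: str) -> dict:
    """Return {'issuer': str|None, 'audience': list[str]} from the Metadata Items."""
    root = ET.fromstring(policy_xml)
    items = {i.get("Key"): (i.text or "").strip() for i in root.iter("Item")}
    audience = items.get("audience")
    # The audience Item, when present, holds a JSON array of client IDs.
    return {"issuer": items.get("issuer"), "audience": json.loads(audience) if audience else []}


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed alg=none token for the demo only; never accept these in production."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


def decode_claims(jwt: str) -> dict:
    """Decode the payload segment only; the signature is NOT verified here."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three segments)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(policy_xml: str, jwt: str) -> list:
    """List findings; an empty list means issuer and audience line up exactly."""
    meta = read_profile_metadata(policy_xml)
    claims = decode_claims(jwt)
    findings = []
    iss, want = claims.get("iss", ""), meta["issuer"] or ""
    if iss != want:  # ordinal comparison, which is what IDX10205 reports
        kind = "issuer case mismatch" if iss.lower() == want.lower() else "issuer mismatch"
        findings.append(f"{kind}: token '{iss}' vs policy '{want}'")
    if meta["audience"]:  # only enforced when the optional audience Item is set
        auds = claims.get("aud", [])
        auds = [auds] if isinstance(auds, str) else list(auds)
        if not any(a in meta["audience"] for a in auds):
            findings.append(f"audience {auds} not in policy list {meta['audience']}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(POLICY_XML, make_unsigned_jwt(SAMPLE_CLAIMS)):
        print(finding)
```

Run against the constructed inputs it reports a single "issuer case mismatch"; lowercasing the issuer Item in the policy (or copying it verbatim from a decoded token's iss claim) makes the finding disappear, which is the fix the answer describes. For a real tenant, replace the sample policy and token with your own and keep signature verification in the policy engine where it belongs.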
