Azure AD B2C does not pass an identity provider refresh token to my application

mihael.safaric 1 Reputation point


I'm trying to set up Azure Active Directory B2C to use an existing external identity provider. For that purpose, I configured a custom identity provider through a custom policy which uses a hybrid authentication flow (code id_token).

Additionally, I want to pass an OIDC identity provider access token and refresh token to my application. My technical profile in the custom policy looks like:

<TechnicalProfile Id="Custom-OpenIdConnect">
  <Protocol Name="OpenIdConnect" />
  <Metadata>
    <Item Key="METADATA">URL</Item>
    <Item Key="response_types">code id_token</Item>
    <Item Key="response_mode">form_post</Item>
    <Item Key="scope">openid profile</Item>
    <Item Key="HttpBinding">POST</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
    <Item Key="client_id">CLIENT_ID</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="client_secret" StorageReferenceId="CLIENT_SECRET" />
  </CryptographicKeys>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
    <OutputClaim ClaimTypeReferenceId="identityProviderRefreshToken" PartnerClaimType="{oauth2:refresh_token}" />
  </OutputClaims>
</TechnicalProfile>

The JWT passed to the application contains an access token but does not contain a refresh token. The external identity provider returns both tokens (access_token and refresh_token), but for some reason it appears that {oauth2:refresh_token} is not set.

Can someone point me in the right direction as I cannot figure out why the refresh token is not set?


Microsoft Entra External ID

2 answers

  1. AmanpreetSingh-MSFT 56,506 Reputation points

    Hi @mihael.safaric · Thank you for reaching out.

    The {oauth2:refresh_token} parameter requires the technical profile to be using Protocol Name="OAuth2" instead of Protocol Name="OpenIdConnect" that you have specified in your technical profile.

    For more information, please refer to the answers on the threads below:


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

  2. mihael.safaric 1 Reputation point

    Hi @mihael.safaric · Yes, OAuth2 Technical Profile supports setting the response_types attribute. I have working examples with code and token but not id_token. Although, it should work but please give it a try and let me know if it works. I will then raise a PR to update the doc: with this information.

    @AmanpreetSingh-MSFT thank you for the response.

    I switched the technical profile from OIDC to OAuth2 as you suggested.
    Everything works as expected when passing response_types=code and I'm able to retrieve the refresh token as well.

    But once I change response_types to response_types=code id_token, I get 404 when my external idp redirects back to the Azure web app.

    The redirect URI which throws 404 looks like https://{tenant-name}{tenant-name}

    The technical profile:

    <TechnicalProfile Id="External-oauth2">
      <Protocol Name="OAuth2" />
      <Metadata>
        <Item Key="response_types">code id_token</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="scope">openid profile</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
        <Item Key="authorization_endpoint">AUTH_ENDPOINT</Item>
        <Item Key="AccessTokenEndpoint">ACCESS_TOKEN_ENDPOINT</Item>
        <Item Key="ClaimsEndpoint">CLAIMS_ENDPOINT</Item>
        <Item Key="client_id">CLIENT_ID</Item>
      </Metadata>
    </TechnicalProfile>
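The thread's pieces wired end to end, as an added example that is not code from the original posts or from Microsoft's starter pack: an OAuth2 technical profile (the protocol the first answer recommends) using `response_types=code` (the case the second answer reports as working), the `ClaimsSchema` entries the two token claims need, and a relying-party profile that emits both claims in the B2C id_token. Everything concrete is an assumption: the `idp.example.com` endpoints, the policy key name `B2C_1A_ExternalIdpSecret`, the `offline_access` scope (whether an IdP issues a refresh token at all, and which scope or parameter it wants for that, is the IdP's decision), the output claim names `idp_access_token`/`idp_refresh_token`, and the orchestration step that adds the `External-OAuth2` claims exchange to the `SignUpOrSignIn` journey, which is not shown. Building blocks, claims provider and relying party are combined in one policy file for brevity.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the thread. Endpoints, key names and claim names
     are placeholders/assumptions; see the lead-in. -->
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
                      PolicySchemaVersion="0.3.0.0"
                      TenantId="yourtenant.onmicrosoft.com"
                      PolicyId="B2C_1A_ExternalIdpTokens"
                      PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_ExternalIdpTokens">
  <BasePolicy>
    <TenantId>yourtenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>

  <BuildingBlocks>
    <ClaimsSchema>
      <!-- Claims that carry the IdP tokens through the user journey. -->
      <ClaimType Id="identityProviderAccessToken">
        <DisplayName>Identity provider access token</DisplayName>
        <DataType>string</DataType>
      </ClaimType>
      <ClaimType Id="identityProviderRefreshToken">
        <DisplayName>Identity provider refresh token</DisplayName>
        <DataType>string</DataType>
      </ClaimType>
    </ClaimsSchema>
  </BuildingBlocks>

  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>External IdP (OAuth2)</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="External-OAuth2">
          <DisplayName>External IdP</DisplayName>
          <Protocol Name="OAuth2" />
          <Metadata>
            <!-- Plain authorization-code flow: the case reported as working. -->
            <Item Key="response_types">code</Item>
            <Item Key="response_mode">form_post</Item>
            <!-- offline_access is an assumption; adjust to what your IdP
                 requires before it will return a refresh_token. -->
            <Item Key="scope">openid profile offline_access</Item>
            <Item Key="HttpBinding">POST</Item>
            <Item Key="UsePolicyInRedirectUri">false</Item>
            <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
            <Item Key="authorization_endpoint">https://idp.example.com/oauth2/authorize</Item>
            <Item Key="AccessTokenEndpoint">https://idp.example.com/oauth2/token</Item>
            <Item Key="ClaimsEndpoint">https://idp.example.com/oauth2/userinfo</Item>
            <Item Key="client_id">CLIENT_ID</Item>
          </Metadata>
          <CryptographicKeys>
            <!-- B2C policy key holding the IdP client secret (name assumed). -->
            <Key Id="client_secret" StorageReferenceId="B2C_1A_ExternalIdpSecret" />
          </CryptographicKeys>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
            <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
            <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="idp.example.com" />
            <!-- The two placeholders the thread is about. -->
            <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
            <OutputClaim ClaimTypeReferenceId="identityProviderRefreshToken" PartnerClaimType="{oauth2:refresh_token}" />
          </OutputClaims>
          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
            <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
            <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
          </OutputClaimsTransformations>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>

  <RelyingParty>
    <!-- Assumes SignUpOrSignIn has an orchestration step that exchanges
         claims with External-OAuth2 (not shown). -->
    <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
        <!-- Both IdP tokens become claims in the B2C id_token. -->
        <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="idp_access_token" />
        <OutputClaim ClaimTypeReferenceId="identityProviderRefreshToken" PartnerClaimType="idp_refresh_token" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
```

To check the result, decode the id_token B2C issues to the application and look for `idp_access_token` and `idp_refresh_token`. If the access token is present and the refresh token is not, inspect the IdP's token-endpoint response (Application Insights tracing on the policy shows it): an IdP that was not asked for offline access, or that only issues a refresh token on first consent, simply does not return `refresh_token`, and then there is nothing for `{oauth2:refresh_token}` to carry. Be deliberate about shipping the refresh token at all: it is a long-lived credential for the external IdP, and once it is a claim in the B2C token, anyone who can read that token (browser storage, logs, a public client) can mint fresh IdP access tokens. Pass it only to a confidential client that stores it server-side, and keep the B2C token lifetime short.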