This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 30%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Hi,
I'm trying to set up Azure Active Directory B2C to use an existing external identity provider. For that purpose, I configured a custom identity provider through a custom policy which uses a hybrid authentication flow (code id_token).
Additionaly, I want to pass an OIDC identity provider access token and refresh token to my application. My technical profile in the custom policy looks like:
<TechnicalProfile Id="Custom-OpenIdConnect">
<DisplayName>Custom</DisplayName>
<Protocol Name="OpenIdConnect" />
<Metadata>
<Item Key="METADATA">URL</Item>
<Item Key="response_types">code id_token</Item>
<Item Key="response_mode">form_post</Item>
<Item Key="scope">openid profile</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
<Item Key="client_id">CLIENT_ID</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="CLIENT_SECRET" />
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
<OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
<OutputClaim ClaimTypeReferenceId="identityProviderRefreshToken" PartnerClaimType="{oauth2:refresh_token}" />
</OutputClaims>
</TechnicalProfile>
A JWT token passed to the application contains an access token but does not contain a refresh token. The external identity provider returns both tokens (access token and refresh_token) but for some reason it appears that {oauth2:refresh_token} is not set.
Can someone point me in the right direction as I cannot figure out why the refresh token is not set?
Thanks,
Mihael
Hi @mihael.safaric · Thank you for reaching out.
The {oauth2:refresh_token} parameter requires the technical profile to be using Protocol Name="OAuth2" instead of Protocol Name="OpenIdConnect" that you have specified in your technical profile.
For more information, please refer to the answers on below threads:
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
@AmanpreetSingh-MSFT thank you for the answer.
My external identity provider uses a hybrid authentication flow so I have to set the response_types attribute to code id_token.
Does OAuth2 support setting the response_types attribute?
I don't see that option in the docs: https://learn.microsoft.com/en-us/azure/active-directory-b2c/oauth2-technical-profile
Hi @mihael.safaric · Yes, OAuth2 Technical Profile supports setting the response_types attribute. I have working examples with code and token but not id_token. Although, it should work but please give it a try and let me know if it works. I will then raise a PR to update the doc: https://learn.microsoft.com/en-us/azure/active-directory-b2c/oauth2-technical-profile with this information.
Hi @mihael.safaric · Yes, OAuth2 Technical Profile supports setting the response_types attribute. I have working examples with code and token but not id_token. Although, it should work but please give it a try and let me know if it works. I will then raise a PR to update the doc: https://learn.microsoft.com/en-us/azure/active-directory-b2c/oauth2-technical-profile with this information.
@AmanpreetSingh-MSFT thank you for the response.
I switched the technical profile from OIDC to OAuth2 as you suggested.
Everything works as expected when passing response_types=code and I'm able to retrieve the refresh token as well.
But once I change response_types to response_types=code id_token, I get 404 when my external idp redirects back to the Azure web app.
The redirect uri which throws 404 looks like https://{tenant-name}.b2clogin.com/{tenant-name}.onmicrosoft.com/oauth2/authresp#code=XXX&id_token=YYY
The technical profile:
<TechnicalProfile Id="External-oauth2">
<Protocol Name="OAuth2" />
<Metadata>
<Item Key="response_types">code id_token</Item>
<Item Key="response_mode">form_post</Item>
<Item Key="scope">openid profile</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
<Item Key="authorization_endpoint">AUTH_ENDPOINT</Item>
<Item Key="AccessTokenEndpoint">ACCESS_TOKEN_ENDPOINT</Item>
<Item Key="ClaimsEndpoint">CLAIMS_ENDPOINT</Item>
<Item Key="client_id">CLIENT_ID</Item>
</Metadata>
...