Azure AD B2C does not pass an identity provider refresh token to my application

mihael.safaric 1 Reputation point
2021-02-20T23:56:12.133+00:00

Hi,

I'm trying to set up Azure Active Directory B2C to use an existing external identity provider. For that purpose, I configured a custom identity provider through a custom policy which uses a hybrid authentication flow (code id_token).

Additionally, I want to pass an OIDC identity provider access token and refresh token to my application. My technical profile in the custom policy looks like:

<TechnicalProfile Id="Custom-OpenIdConnect">
  <DisplayName>Custom</DisplayName>
  <Protocol Name="OpenIdConnect" />
  <Metadata>
    <Item Key="METADATA">URL</Item>
    <Item Key="response_types">code id_token</Item>
    <Item Key="response_mode">form_post</Item>
    <Item Key="scope">openid profile</Item>
    <Item Key="HttpBinding">POST</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
    <Item Key="client_id">CLIENT_ID</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="client_secret" StorageReferenceId="CLIENT_SECRET" />
  </CryptographicKeys>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
    <OutputClaim ClaimTypeReferenceId="identityProviderRefreshToken" PartnerClaimType="{oauth2:refresh_token}" />
  </OutputClaims>
</TechnicalProfile>

A JWT token passed to the application contains an access token but does not contain a refresh token. The external identity provider returns both tokens (access token and refresh_token) but for some reason it appears that {oauth2:refresh_token} is not set.

Can someone point me in the right direction as I cannot figure out why the refresh token is not set?

Thanks,
Mihael


2 answers

  1. AmanpreetSingh-MSFT 56,506 Reputation points
    2021-02-22T08:26:59.233+00:00

    Hi @mihael.safaric · Thank you for reaching out.

    The {oauth2:refresh_token} parameter requires the technical profile to be using Protocol Name="OAuth2" instead of Protocol Name="OpenIdConnect" that you have specified in your technical profile.

    For more information, please refer to the answers on below threads:

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. mihael.safaric 1 Reputation point
    2021-02-23T18:16:51.507+00:00

    Hi @mihael.safaric · Yes, OAuth2 Technical Profile supports setting the response_types attribute. I have working examples with code and token but not id_token. Although it should work, please give it a try and let me know if it works. I will then raise a PR to update the doc: https://learn.microsoft.com/en-us/azure/active-directory-b2c/oauth2-technical-profile with this information.

    @AmanpreetSingh-MSFT thank you for the response.

    I switched the technical profile from OIDC to OAuth2 as you suggested.
    Everything works as expected when passing response_types=code and I'm able to retrieve the refresh token as well.

    But once I change response_types to response_types=code id_token, I get a 404 when my external IdP redirects back to the Azure web app.

    The redirect uri which throws 404 looks like https://{tenant-name}.b2clogin.com/{tenant-name}.onmicrosoft.com/oauth2/authresp#code=XXX&id_token=YYY

    The technical profile:

    <TechnicalProfile Id="External-oauth2">
      <Protocol Name="OAuth2" />
      <Metadata>
        <Item Key="response_types">code id_token</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="scope">openid profile</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
        <Item Key="authorization_endpoint">AUTH_ENDPOINT</Item>
        <Item Key="AccessTokenEndpoint">ACCESS_TOKEN_ENDPOINT</Item>
        <Item Key="ClaimsEndpoint">CLAIMS_ENDPOINT</Item>
        <Item Key="client_id">CLIENT_ID</Item>
      </Metadata>
      ...
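The following is an added example that is not from either participant in the thread. It puts the two findings together: `{oauth2:refresh_token}` is only populated by a technical profile with `Protocol Name="OAuth2"`, and that profile is run with `response_types` set to `code`, the combination the reply reports as working (`code id_token` produced a 404 on the `/oauth2/authresp` endpoint). The endpoint URLs, `CLIENT_ID`, the key container name `B2C_1A_ExternalClientSecret`, the technical profile Id `External-OAuth2`, and the relying-party claim names `idp_access_token` and `idp_refresh_token` are placeholders chosen for this example; `SM-SocialLogin` and `SignUpOrSignIn` are assumed to come from the standard starter pack.

```xml
<!-- Added example, not code from the thread. Three fragments that belong in the
     places noted in the comments; placeholder values are in UPPER_CASE. -->

<!-- 1. BuildingBlocks/ClaimsSchema (TrustFrameworkExtensions.xml): claim types that
        will carry the external IdP's tokens through the user journey. -->
<ClaimsSchema>
  <ClaimType Id="identityProviderAccessToken">
    <DisplayName>Identity provider access token</DisplayName>
    <DataType>string</DataType>
    <AdminHelpText>Access token issued by the external identity provider.</AdminHelpText>
  </ClaimType>
  <ClaimType Id="identityProviderRefreshToken">
    <DisplayName>Identity provider refresh token</DisplayName>
    <DataType>string</DataType>
    <AdminHelpText>Refresh token issued by the external identity provider.</AdminHelpText>
  </ClaimType>
</ClaimsSchema>

<!-- 2. ClaimsProviders (TrustFrameworkExtensions.xml): the OAuth2 technical profile.
        The {oauth2:...} partner claim types are resolved only for Protocol Name="OAuth2";
        the same OutputClaims under Protocol Name="OpenIdConnect" leave the refresh token unset. -->
<ClaimsProvider>
  <DisplayName>External OAuth2 provider</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="External-OAuth2">
      <DisplayName>External OAuth2 provider</DisplayName>
      <Protocol Name="OAuth2" />
      <Metadata>
        <Item Key="authorization_endpoint">AUTH_ENDPOINT</Item>
        <Item Key="AccessTokenEndpoint">ACCESS_TOKEN_ENDPOINT</Item>
        <Item Key="ClaimsEndpoint">CLAIMS_ENDPOINT</Item>
        <Item Key="client_id">CLIENT_ID</Item>
        <!-- Request only the scopes the application needs; the refresh token that
             comes back is as powerful as these scopes allow. -->
        <Item Key="scope">openid profile</Item>
        <!-- "code" is the response type the thread reports as working; "code id_token"
             produced a 404 on the authresp endpoint. -->
        <Item Key="response_types">code</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Client secret stored as a policy key, never inline in the policy XML -->
        <Key Id="client_secret" StorageReferenceId="B2C_1A_ExternalClientSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="external" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
        <!-- Token pass-through: both tokens from the IdP's token endpoint response -->
        <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
        <OutputClaim ClaimTypeReferenceId="identityProviderRefreshToken" PartnerClaimType="{oauth2:refresh_token}" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- 3. RelyingParty (SignUpOrSignin.xml): surface the claims in the token issued
        to the application under the names the application expects. -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="idp_access_token" />
      <OutputClaim ClaimTypeReferenceId="identityProviderRefreshToken" PartnerClaimType="idp_refresh_token" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
```

The user journey's ClaimsExchange for this provider must reference `External-OAuth2`, otherwise the claims are never collected. Once the fragments are in place, the quickest check is to decode the token the application receives (for example with the "Run now" flow in the portal) and confirm that both `idp_access_token` and `idp_refresh_token` are present; if `idp_access_token` appears but `idp_refresh_token` does not, the technical profile is still on the OpenIdConnect protocol. Because the refresh token grants long-lived access at the external provider, the B2C-issued token that carries it should be handled with the same care as the refresh token itself.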