The setup & repro is pretty straightforward:
- Create AD B2C Tenant
- Add Custom Domain and verify & make primary
- Add Google provider (I guess any social provider would do, but I just used Google)
- Create App Registration following all the integration assistant steps for Web App
- Set up https://jwt.ms as redirect target
- Set up a SignupSignin flow
- Leave Claims empty for simplicity
- Create CDN Endpoint to point to <tenant>.b2clogin.com
- Disable Caching through global rules (bypass cache)
- Add Custom domain to it & enable HTTPS
- Wait for CDN to work (An hour or two perhaps?)
- Verify https://login.custom.tld/<B2C-tenant-ID>/B2C_1_<UserFlowName>/v2.0/.well-known/openid-configuration returns correct data
Now you can try using:
https://<B2C-tenant-Name>.b2clogin.com/<B2C-tenant-ID>/oauth2/v2.0/authorize?p=B2C_1_<UserFlowName>&client_id=<AppID>&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=code&prompt=login
This will work as it does not use the CDN.
But using the CDN will not work:
https://login.custom.tld/<B2C-tenant-ID>/oauth2/v2.0/authorize?p=B2C_1_<UserFlowName>&client_id=<AppID>&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=code&prompt=login
Interestingly enough, the user created through the social provider does end up in AD, but the user gets an error like:
Correlation ID: fe631c87-45be-4b67-bbe9-39dd575e4ca4
Timestamp: 2021-07-23 08:58:58Z
AADB2C: An exception has occurred.
The audit log entry for that correlation ID yields:
Date: 7/23/2021, 10:58 AM
Activity Type: Evaluate conditional access policies
Correlation ID: fe631c87-45be-4b67-bbe9-39dd575e4ca4
Category: IdentityProtection
Status: failure
Status reason: N/A
It suggests some Conditional Access policy is involved, but the brand new AD B2C tenant has none.
Any Clues?
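As an added example that is not part of the original post: a small offline Python script for the "verify the openid-configuration" step and for building the authorize URL from what the discovery document actually advertises, instead of hand-typing it. It checks that every endpoint in the metadata served through the CDN hostname stays on that hostname (if the document still points clients at the b2clogin.com origin, a client following it will leave the CDN path mid-flow), and it generates a fresh state and nonce rather than the fixed nonce=defaultNonce used in the repro. The metadata document, hostnames, tenant ID and policy name below are constructed placeholders, not values from a real tenant, and the expectation that a custom-domain discovery document should reference the custom domain is an assumption of this example.

```python
"""Offline checks for fronting an Azure AD B2C user flow with a custom domain.

Nothing here touches the network; the discovery document is a constructed
sample shaped like /<tenant-id>/<policy>/v2.0/.well-known/openid-configuration.
"""
import json
import secrets
from urllib.parse import urlencode, urlparse

# Constructed sample (assumption): tenant ID, hostnames and policy name are
# placeholders, not real values.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
POLICY = "b2c_1_signupsignin"

def sample_metadata(host):
    """Build a B2C-style discovery document whose endpoints live on `host`."""
    base = f"https://{host}/{TENANT_ID}"
    return json.dumps({
        "issuer": f"{base}/v2.0/",
        "authorization_endpoint": f"{base}/oauth2/v2.0/authorize?p={POLICY}",
        "token_endpoint": f"{base}/oauth2/v2.0/token?p={POLICY}",
        "jwks_uri": f"{base}/discovery/v2.0/keys?p={POLICY}",
        "response_types_supported": ["code", "code id_token", "id_token"],
        "scopes_supported": ["openid"],
    })

# What the CDN hostname should return, and what a pass-through of the origin
# hostname would look like (both constructed).
METADATA_CUSTOM = sample_metadata("login.custom.tld")
METADATA_ORIGIN = sample_metadata("contoso.b2clogin.com")

ENDPOINT_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def check_metadata_host(metadata_json, expected_host):
    """Return the metadata keys that do NOT point at expected_host.

    An empty list means every advertised endpoint stays on the custom domain,
    so a client that trusts the discovery document never gets bounced to a
    different host in the middle of the flow. Also flags a document that does
    not advertise the authorization-code response type the repro relies on.
    """
    meta = json.loads(metadata_json)
    mismatched = []
    for key in ENDPOINT_KEYS:
        url = meta.get(key)
        if url is None or urlparse(url).hostname != expected_host:
            mismatched.append(key)
    if "code" not in meta.get("response_types_supported", []):
        mismatched.append("response_types_supported")
    return mismatched

def build_authorize_url(metadata_json, client_id, redirect_uri,
                        state=None, nonce=None):
    """Build the authorize request from the discovered endpoint.

    B2C's authorization_endpoint already carries ?p=<policy>, so the query
    is appended with '&'. state/nonce default to fresh random values; pass
    them explicitly only when reproducing a specific request.
    """
    meta = json.loads(metadata_json)
    endpoint = meta["authorization_endpoint"]
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "response_type": "code",
        "response_mode": "query",
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
        "prompt": "login",
    }
    sep = "&" if "?" in endpoint else "?"
    return endpoint + sep + urlencode(params)

if __name__ == "__main__":
    print("custom-domain doc mismatches:",
          check_metadata_host(METADATA_CUSTOM, "login.custom.tld"))
    print("origin pass-through mismatches:",
          check_metadata_host(METADATA_ORIGIN, "login.custom.tld"))
    print(build_authorize_url(METADATA_CUSTOM, "<AppID>", "https://jwt.ms"))
```

To use it against a live tenant, replace the constructed documents with the body fetched from the custom-domain URL and from the <tenant>.b2clogin.com URL and run check_metadata_host on each; a non-empty list for the custom-domain document is the first thing to fix before looking at the authorize request itself.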