Getting error while testing B2C authentication to customer IDP

Question

Getting error while testing B2C authentication to customer IDP

Admin at PeriGenSolutions 0

AADB2C90273: An invalid response was received : 'Error: invalid_request,Error Description: AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption. Trace ID: 2d80dfc4-e9d4-4f62-a0f8-6c3d91210400 Correlation ID: 230760ed-<removed PII> Timestamp: 2026-03-12 17:36:47Z'

There are no extra logs to diagnose the problem on the B2C side. The customer says they are enforcing PKCE by default.

Can anyone provide any insight?

Sina Salam 28,361 Reputation points Volunteer Moderator

2026-03-15T14:33:02.6933333+00:00
Hello Admin at PeriGenSolutions,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are getting error while testing B2C authentication to customer IDP.

Things you will need to do to eliminate AADSTS9002325 when federating Microsoft Entra ID (external IdP) ↔ Azure AD B2C.

Configure the customer’s Microsoft Entra ID (external IdP)

Register (or update) the app as a Web (confidential) application. Entra portal > App registrations > New registration > Platform = Web. This aligns with B2C’s server‑side code redemption at /oauth2/authresp. - https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant

Add the B2C auth response redirect (lowercase). https://<b2c-tenant>.b2clogin.com/<b2c-tenant>.onmicrosoft.com/oauth2/authresp If you use a B2C custom domain, use: https://<custom-domain>/<b2c-tenant>.onmicrosoft.com/oauth2/authresp (Keep it lowercase per docs.) - https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant, https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-domain

Create credentials for federation in Certificates & secrets > New client secret (or upload a certificate). You’ll paste this in B2C’s IdP config. https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant

Publisher verification is optional but it improve consent UX if users will see a consent screen (especially for multitenant apps). - https://learn.microsoft.com/en-us/entra/identity-platform/publisher-verification-overview

Configure Azure AD B2C (your tenant)

Add the external IdP (OpenID Connect). B2C > Identity providers > New OpenID Connect provider with Metadata URL such as https://login.microsoftonline.com/{customer-tenant}/v2.0/.well-known/openid-configuration

- Client ID / Client secret: from step A. - Scopes: openid profile - Map claims (Identity provider claims mapping): User ID = oid Display name = name Given name = given_name Surname = family_name Email = email

Attach the IdP to your user flow (or custom policy) and test quickly. From User flows > Identity providers > add the new IdP.

Run user flow using a testing reply URL like https://jwt.ms to see the decoded ID token immediately.

To avoid regressions:

Use b2clogin.com (or your custom domain) everywhere for B2C endpoints & redirects—don’t use login.microsoftonline.com for B2C policy endpoints. (It’s the documented migration path.).

Keep the /oauth2/authresp redirect lowercase in the external Entra app.

Do not register B2C’s authresp under a SPA platform in the customer’s Entra app—B2C federation uses a Web/confidential app.

If you use a custom domain, ensure your redirects and policy endpoints use that domain consistently.

Run the B2C user flow > pick the new IdP > complete sign‑in > you should land on jwt.ms with a decoded ID token (no AADSTS9002325). https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant

If you still hit AADB2C90273 with AADSTS9002325, re‑check:

External Entra app

Platform is Web (not SPA).

Redirect includes the exact lowercase .../oauth2/authresp.

A valid client secret (or cert) exists.

Domains and endpoints

b2clogin.com (or your custom domain) is used for all B2C endpoints and the external app’s redirect.

B2C IdP config

Metadata URL points to the correct customer tenant (e.g., .../contoso.com/v2.0/.well-known/openid-configuration).

Then retry the user flow (allow a short interval if you just changed app redirect settings).

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
VEMULA SRISAI 11,330 Reputation points Microsoft External Staff Moderator

2026-03-17T11:53:11.9966667+00:00

Admin at PeriGenSolutions could you please comment and let me know if you need any further assistance on this.

1 answer

Your answer

VEMULA SRISAI 11,330 Reputation points Microsoft External Staff Moderator

2026-03-17T11:53:11.9966667+00:00

Admin at PeriGenSolutions could you please comment and let me know if you need any further assistance on this.

Answer 1

Hello Admin at PeriGenSolutions,

The error is not originating from Azure AD B2C itself. AADB2C90273 is a generic B2C error indicating that the external IdP (customer’s Entra ID tenant) returned an invalid response. In your case, the actual failure is AADSTS9002325, which is enforced by the customer’s Entra ID.

This usually happens when the Entra ID app registration used as the identity provider for B2C is configured as a SPA, while B2C performs the authorization‑code exchange via its server-side /oauth2/authresp endpoint. When marked as SPA, Entra expects PKCE for cross‑origin code redemption, which does not align with how B2C completes the federation flow.

Recommended fix:

In the customer’s Entra ID tenant, update the app registration used for B2C federation to a Web (confidential) application

Add the redirect URI: https://<b2c-tenant>.b2clogin.com/<b2c-tenant>.onmicrosoft.com/oauth2/authresp

Ensure the IdP is configured in B2C using a client secret or certificate

PKCE can remain enforced for the customer’s own SPAs, but B2C federation should use a Web/confidential client configuration. Once this alignment is corrected, the AADSTS9002325 error typically resolves.

Please have the customer validate this configuration on their Entra ID side and retry the user flow.

Share via

Getting error while testing B2C authentication to customer IDP

1 answer

Your answer