Azure AD B2C Custom Policy with external identity provider Error AADB2C90289 - azure-ad-b2c

I have successfully configured an external identity provider using Azure AD B2C Custom policy. The authorize endpoint is passed correct acr_values too. As I launch the authorize endpoint, I am taken to the login screen from identity provider. As soon as I enter my credentials and hit 'Login',I expect the authentication response to be redirected to my B2C /auth/resp URL (https://<>.b2clogin.com/<>.onmicrosoft.com/oauth2/authresp), configured with the identity provider.
However, I end up getting an exception as below -
AADB2C90289: We encountered an error connecting to the identity provider. Please try again later.
Correlation ID: ef54294f-2a9d-4e18-bc03-511bcc713cde
Timestamp: 2022-10-10 04:04:09Z
AADB2C90289: We encountered an error connecting to the identity provider. Please try again later.
Correlation ID: 42dc0316-16d5-4f5b-9552-6cc4d2f3e233
Timestamp: 2022-10-10 09:38:51Z
I have also tried verifying the client_id and client_secret being used and that seems to be fine. Moreover, logs on the identity provider side mention that the request was successful.
Awaiting quick responses, as this blocks my application completely.
Application Insights details -
Exception Message:An internal error has occurred., CorrelationID:145303ec-b8e8-4fc1-bd5d-6649bd1fb77f

I tried to reproduce the same in my environment:
This error , AADB2C90289: We encountered an error “” connecting to the identity provider. Please try again later. occurred ,
when I haven’t given the clientSecret of the app correctly in the azure ad b2c.
I kept it to generate.
Later I manually changed the policy keys and gave the application client secret in the key value.
In your external Identity provider technical profile, make sure to -provide the clientId of that particular Identity provider
Ex:
<TechnicalProfile Id="Facebook-OAUTH">
<Metadata>
<!Below replace clientId with the externalIdentity provider App/ClientId "-->
<Item Key="client_id">XXX0000XXX</Item>
....

Related

Azure AD B2C with OpenID Connect getting error AADB2C90238: The provided token does not contain a valid issuer

I added and configured an OpenID Connect Identity Provider.
I set the return URL in the provider correctly.
I'm using the "Sign up and Sign in" user flow -- not a custom policy.
Running through the user flow, I ultimately get redirected to my application .../MicrosoftIdentity/Account/Error (or if I set return url to jwt.ms, I get the same error) with the page indicating the error
AADB2C90238: The provided token does not contain a valid issuer
How can I even see the issuer in the token? (It's all handled inside AD B2C service).
I can see what's listed in the provider's .../.well-known/openid-configuration endpoint. I guess that's what's not matching in the token. I've seen suggestions of using Application Insights Logs to view the token -- but, apparently, that can only be done with custom policies.
Is there another way to tell AD B2C not to validate the issuer? Or is another way to handle this issue?
I tried to reproduce the same in my environment.
Open Id configuration is like below:
Where the metadata url is https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration
Authorization request looks like below:
https://kavyasarabojub2c.b2clogin.com/kavyasarabojub2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_newSignupSignin&client_id=xxxxx5&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=id_token&prompt=login
I received the same error :
With redirect uri: https://jwt.ms
Error: invalid_request
AADB2C90238: The provided token does not contain a valid issuer. Please provide another token and try again.
With redirect uri: https://kavyasarabojub2c.b2clogin.com/kavyasarabojub2c.onmicrosoft.com/oauth2/authresp
So here the redirect Uris are correct and need to correct the metadata url :
Created an OpenId provider with meta data url having tenantId instead of organizations .
https://login.microsoftonline.com/<tenantId>/v2.0/.well-known/openid-configuration
Run the user flow with this Identity provider
Could login successfully and get the access token with endpoint
Note: make sure it has the policy included:
I have p=B2C_1_newSignupSignin
https://kavyasarabojub2c.b2clogin.com/kavyasarabojub2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_newSignupSignin&client_id=1xxxxe2a5&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=id_token&prompt=login
Here the issuer is of V2 endpoint "iss": "https://kavyasarabojub2c.b2clogin.com/<tenantId>/v2.0/"
Reference : Web sign in with OpenID Connect - Azure Active Directory B2C | Microsoft Learn
Edit:

Azure B2C login issue

When I run signupsignin user flow in Azure B2C portal to test Open ID Connect (external Azure Tenant login), received below error.
Sorry, but we're having trouble signing you in.
We track these errors automatically, but if the problem persists feel free to contact us. In the meantime, please try again.
Correlation ID: 6744ccb7-eb8d-47f6-bb0a-bcd2f84f5771
Timestamp: 2021-08-04 04:10:53Z
ConnectionTimeOut: An exception has occurred.
This article describes a similar error that occurs when you try to sign in to an app that's set up for Azure AD B2C
Cause: The client ID may be missing or incorrect in the Web.config file for the app.
Resolution
To fix this issue, follow these steps:
Open the Web.config file for the app.
In the Web.config file, find the app key ida:ClientId.
Replace the value of the app key with the client ID that is provided for your app in the Azure AD B2C admin portal.
The changed part of the file resembles the following:
<appSettings>
<add key="ida:ClientId" value="**xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx**">
</appSettings>
References:
troubleshooting-with-application-insights
azure-ad-b2c-importing-in-users
Could be the case:
Make sure you are using the API Key and API Key Secret.
Not the ClientId and Client Secret
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-twitter?pivots=b2c-user-flow

Azure AD B2C Authentication using root and client certificate

I have a client API which implements MSAL to fetch access token from Azure AD B2C. This API authenticates with AD B2C tenant using certificate and not secret. The issue is when I try to authenticate using root certificate which is uploaded in AD B2C and client certificate which is pass from the client API it fails with an exception.-
A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: 'FE5D9FEF5D0D528B8ED641727E903E50953D44CE', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'f3bfc1b2-f1b2-4552-9145-7019c8683a41'. Review the documentation at https://learn.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://learn.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/f3bfc1b2-f1b2-4552-9145-7019c8683a41']
Trace ID: 59cf24e3-96bb-48ca-8d4b-f8cf0e5d0e00
Correlation ID: 496261ed-31c3-46c1-9fdb-a59c966ddf3d
Timestamp: 2020-12-28 08:16:12Z
As far as I know, this error is usually caused by the fact that you did not encode the thumbprint correctly. After you obtain the thumbprint, please check your code to ensure that it is properly Base64 encoded.

unable to get SAML metadata for Azure AD B2C custom policy

Setting up a custom policy in Azure AD B2C to connect to a SAML Identity Provider. This requires a SAML metadata endpoint to get the SSO URL and other information.
As per Microsoft documentation the End point link is :
https://[my-tenant].b2clogin.com/te/[my-tenant].onmicrosoft.com/[my-policy]/samlp/metadata?idptp=[my-technical-profile]
I tried this way but I am constantly getting the same error :
Unable to return metadata for the policy 'B2C_1A_TrustFrameworkExtention' in tenant 'Mytenant.onmicrosoft.com'.
Is this error due to some fault in my policies ?
Typo?
The usual name is:
TrustFrameworkExtensions
You have:
TrustFrameworkExtention

Need Help on ROPC flow with Azure AD B2c Custom Policies

we are trying to implement ROPC flow in Azure AD B2C.
I have gone through the B2C Advanced policies and the instructions provided as per below links to configure with B2C Custom Policies and facing some issues.
https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/scenarios/source/aadb2c-ief-ropc
https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/B2CROPC/yourtenant.onmicrosoft.com_B2C_1A_ResourceOwnerv2%20SINGLE%20FILE%20-%20Copy.xml
Though we have provided correct username and password, we are getting
{
"error": "access_denied",
"error_description": "AADB2C90225: The username or password provided in the request are invalid.\r\nCorrelation ID:
8c15d7ab-ba5b-4baf-be5a-8bfdb9939164\r\nTimestamp: 2019-01-23
06:18:19Z\r\n" }
I could resolve this problem. In my case, I followed this link:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/ropc-custom
But had the same error message.
In step 4 I had to add values for "client_id" and "resource_id". I used the values that I had in another profile ("login-NonInteractive").
And the flow worked successfully.
Have you registered your ProxyIdentityExperienceFramework application as Native?
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom
Registering the ProxyIdentityExperienceFramework application as WebApp/WebAPI might result in this error.

Resources