Azure B2C Orchestration Error AADB2C90108 - azure

I am trying to get an access token using the password grant type in a POST request from Azure AD B2C. Once sent, it gets the below error:
"error": "server_error",
"error_description": "AADB2C90108: The orchestration step '1' does not specify a CpimIssuerTechnicalProfileReferenceId when one was expected.\r\nCorrelation ID: .............\r\n"
I have tried other authentication types like client credentials, which are not working in Azure AD B2C, but get the below error:
"error": "unsupported_grant_type",
"error_description": "AADB2C90086: The supplied grant_type [client_credentials] is not supported.\r\nCorrelation ID:
How can I resolve this?

The usual reason you get this is that it's missing, e.g.
<OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
Are you using a custom policy? What type of policy are you using?
As the error message says, "client credentials" is not yet supported in B2C.

Related

Azure Custom Policy B2C - Getting a picture URL claim for AAD and Microsoft

I have an AAD B2C custom policy that has AAD and Microsoft as claims providers, I have tried adding "picture" as an output claim, but that doesn't work.
<OutputClaim ClaimTypeReferenceId="picture" PartnerClaimType="picture" />
Simply doing this for Google as the claims provider does work. What can I do to have a claim that will output the picture url in the token for AAD and Microsoft?

Azure B2C SAML response missing email address attribute

I've registered a SAML application using the MS reference: https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy
My SignUpOrSignin.xml has the OutputClaim tags to return the email attribute value in the SAML response, but I'm getting the rest of the attribute values except the user account email in the SAML response. I've confirmed that the user account has a valid email value in Azure B2C AD. Not sure what I am missing here? Do I need to configure any other setting to get the email attribute value in the SAML response, please?
Add the outputClaim in AAD-UserReadUsingObjectId.
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="ATTRIBUTE_NAME" />
Usually the email is stored in the attribute: signInNames.emailAddress.

Azure B2C Group-based access control does not show userMessage

I've been working on implementing group-based access control for a B2C Tenant.
I've set up an API hook (POST) which accepts the user's ObjectId, validates whether the user is in the permitted groups through Graph API and returns:
200 OK when successful
409 Conflict when not successful
Below is the object returned with a 409:
{
  "version": "1.0.0",
  "status": 409,
  "userMessage": "User is not authorized for this application"
}
For some reason, this message is not shown to the user, but rather a redirect occurs to
{{B2cUrl}}/#error=server_error&error_description=AADB2C%3a+User+is+not+authorized+for+this+application%0d%0aCorrelation+ID%3a+...8%0d%0aTimestamp%3a+...%3a03%3a39Z%0d%0a&state=...
In my user journey, I have included the following orchestration step:
<OrchestrationStep Order="3" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="RESTValidateProfile" TechnicalProfileReferenceId="REST-ValidateProfile" />
  </ClaimsExchanges>
</OrchestrationStep>
How can I get the user error message shown on the login page for the user?
You need to call your REST API technical profile from a validation technical profile. The validation technical profile should be configured against the self-asserted technical profile (login page) so that it can then return an error to it.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-rest-api-claims-validation#validate-the-user-input
In its current form, the REST API is called after the page is submitted and a redirect starts. Therefore any error is just sent back to the app, as there is no page rendered at that time.
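The wiring described in the answer above, as an added example that is not from the original post: the REST call is moved out of the Order="3" ClaimsExchange step (which is deleted from the user journey) and into the validation list of the starter-pack sign-in profile, so the 409 body's userMessage is rendered on the page. The service URL, the profile name SelfAsserted-LocalAccountSignin-Email and the policy key names B2C_1A_RestApiUsername / B2C_1A_RestApiPassword are assumptions.

```xml
<!-- TrustFrameworkExtensions.xml: both fragments go inside <ClaimsProviders>. -->
<ClaimsProvider>
  <DisplayName>REST APIs</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="REST-ValidateProfile">
      <DisplayName>Check group membership</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <!-- placeholder endpoint; HTTPS is mandatory and the API answers
             {"version":"1.0.0","status":409,"userMessage":"..."} on failure -->
        <Item Key="ServiceUrl">https://your-api.example.com/validate</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <Item Key="AuthenticationType">Basic</Item>
        <Item Key="AllowInsecureAuthInProduction">false</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- assumed policy key names holding the API's basic-auth credentials -->
        <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_RestApiUsername" />
        <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_RestApiPassword" />
      </CryptographicKeys>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" />
      </InputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- Override of the starter-pack sign-in page profile. Because the REST call
     now runs as a validation technical profile, a 409 "userMessage" is shown
     on the sign-in page instead of redirecting to the app with server_error.
     Assumes the base file's login-NonInteractive and AAD-UserReadUsingObjectId
     validation profiles run first and supply objectId. -->
<ClaimsProvider>
  <DisplayName>Local Account</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="REST-ValidateProfile" />
      </ValidationTechnicalProfiles>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```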

Azure API Management: authorization with Oauth2 401 gives "Unauthorized. Access token is missing or invalid."

I have a few APIs (Logic Apps, Functions) that I want to expose through Azure API Management.
They work fine, so I decided to add OAuth2 authorization.
I followed step by step https://learn.microsoft.com/fr-fr/azure/api-management/api-management-howto-protect-backend-with-aad:
Register an application (backend-app) in Azure AD to represent the API.
Register another application (client-app) in Azure AD to represent a client application that needs to call the API.
In Azure AD, grant permissions to allow the client-app to call the backend-app.
Configure the Developer Console to call the API using OAuth 2.0 user authorization.
Add the validate-jwt policy to validate the OAuth token for every incoming request.
I also use Postman to test.
Everything works until the "validate-jwt" policy step.
When I add it, I get a "401 - Unauthorized. Access token is missing or invalid."
I can get the token, in Developer Console and Postman, but as soon as I do the API call... 401!
When I used jwt.ms to check the content of the token, I noticed that the aud param has nothing to do with the backend Application ID.
The value in the token is "00000003-0000-0000-c000-000000000000", whereas the backend app ID is like "16caXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXc0".
I'm running out of ideas and need the help of some Azure gurus out there!
Help would be very much appreciated...
Here below is the inbound policy as per the MS doc:
<policies>
  <inbound>
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
      <openid-config url="https://login.microsoftonline.com/MY_AD_TENANT_ID/.well-known/openid-configuration" />
      <required-claims>
        <claim name="aud">
          <value>MY8BACKEND_APP_ID_GUID</value>
        </claim>
      </required-claims>
    </validate-jwt>
  </inbound>
  <backend>
    <forward-request />
  </backend>
  <outbound />
  <on-error />
</policies>
Screen cap of the Postman screen where I get the token (this works, but then when I send the request --> 401)
Screen cap of aud param in jwt.ms
I had some problems with validating Azure AD tokens a couple of years back - see my write up.
I suspect the problem is the nonce in the JWT header.
You're not really required to check the value of the aud parameter. You could remove required-claims altogether; this way token presence and signature would still be validated. If you want to make sure that the token was issued for your app, just find the claim that contains the app id and use it in name="..." to match against your app id value.
If using the v2 endpoint, go to Azure AD -> App registrations -> select backend-app -> Manifest -> update the property "accessTokenAcceptedVersion": 2

JWT validation failure error in azure apim

I am currently trying to implement OAuth 2.0 to protect an API using the below documentation:
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
I am currently using the DEMO CONFERENCE API provided by Azure APIM to test the implementation.
I am currently receiving this error during testing in the developer portal:
"message": "JWT Validation Failed: Claim value mismatch: aud=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx.."
I compared the token passed with the claim value by decoding it and it's matching.
I have the JWT token validation policy as below:
<inbound>
  <base />
  <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid." require-expiration-time="false" require-signed-tokens="false">
    <openid-config url="https://login.microsoftonline.com/xxxxxxxxx-07c8-xxxxx-xxxx-xxxxxxxxx/.well-known/openid-configuration" />
    <required-claims>
      <claim name="aud" match="all" separator="-">
        <value>xxxxxxxx-xxxxx-489e-a26e-xxxxxxxx</value>
      </claim>
    </required-claims>
  </validate-jwt>
</inbound>
First, you need to validate your JWT token. Then, when we register an application, it gets registered with version v1 and the access token issuer comes with the sts URL, and if we try to pass a v2 access token it fails; the v2 issuer is login.microsoft.com.
So the fix is to set "accessTokenAcceptedVersion": 2 in the manifest file for the registered applications in AD. Refer to this issue.
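A weak validate-jwt configuration beside a hardened one, as an added example covering both APIM questions above (not from either post or from Microsoft's docs). TENANT_ID and BACKEND_APP_ID are placeholders, and the hardened form assumes the backend app registration has been switched to "accessTokenAcceptedVersion": 2 as the answers suggest.

```xml
<!-- BEFORE (shape of the second question's policy): unsigned and non-expiring
     tokens are accepted, and separator="-" splits the GUID-valued aud claim
     on hyphens before comparison, so the configured value can never match. -->
<validate-jwt header-name="Authorization" failed-validation-httpcode="401"
              failed-validation-error-message="Unauthorized. Access token is missing or invalid."
              require-expiration-time="false" require-signed-tokens="false">
  <openid-config url="https://login.microsoftonline.com/TENANT_ID/.well-known/openid-configuration" />
  <required-claims>
    <claim name="aud" match="all" separator="-">
      <value>BACKEND_APP_ID</value>
    </claim>
  </required-claims>
</validate-jwt>

<!-- AFTER: signature, expiry, scheme, issuer and audience are all enforced.
     With accessTokenAcceptedVersion = 2 the token carries
     iss = https://login.microsoftonline.com/TENANT_ID/v2.0 and
     aud = the bare application (client) ID of the backend app.
     A token whose aud is 00000003-0000-0000-c000-000000000000 was issued for
     Microsoft Graph, not for this API, and is rejected here; the client must
     request a token for the backend app's own scope instead. -->
<validate-jwt header-name="Authorization" require-scheme="Bearer"
              failed-validation-httpcode="401"
              failed-validation-error-message="Unauthorized. Access token is missing or invalid."
              require-expiration-time="true" require-signed-tokens="true">
  <openid-config url="https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration" />
  <issuers>
    <issuer>https://login.microsoftonline.com/TENANT_ID/v2.0</issuer>
    <!-- if the app stays on v1 tokens, the issuer is https://sts.windows.net/TENANT_ID/
         and aud is the App ID URI (api://BACKEND_APP_ID) rather than the bare GUID -->
  </issuers>
  <audiences>
    <audience>BACKEND_APP_ID</audience>
  </audiences>
</validate-jwt>
```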
