I am using Azure Active Directory B2C in an application(Xamarin.forms). When i try to call the azure login page (which is a sign-in-policy), i am prompted with the following error:
"We track these errors automatically, but if the problem persists feel free to contact us. In the meantime, please try again.
Correlation ID: xxxxxxx-xxxxxx-xxxxxx-xxxxxxx
Timestamp: 2021-01-28 17:08:40Z
AADB2C90011: The client id 'xxxxxxx-xxxxxx-xxxxxx-xxxxxxx' provided in the request does not match client id 'xxxxxxx-xxxxxx-xxxxxx-xxxxxxx' registered in policy"
i dont know what is going on, application id seems correct.
How do i fix it?
The client ID may be missing or incorrect in the Web.config file for the app.
You could have a try with follow these steps:
Open the Web.config file for the app.
In the Web.config file, find the app key ida:ClientId.
Replace the value of the app key with the client ID that is provided for your app in the Azure AD B2C admin portal.
The changed part of the file resembles the following:
<appSettings>
<add key="ida:ClientId" value="**xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx**">
</appSettings>
Related
I have created a custom identity provider in adb2c for my openid connect server but getting error while running it through User Flow -
Setps I did :
Created a new openId Connectprovider.
Created a new user flow for open-id connect provider :
I am not sure how to debug this through adb2c as that's a quite generic error and if I am missing any steps.
This issue may cause if your client ID is incorrect in the web.config file for the app
Try to Open Web.config file for the app
In Web.config file,try to find the app key ida:ClientId.
The client ID provided in the portal for your app should be used as the value of the app key.
The file's modified section looks like
<appSettings>
<add key="ida:ClientId" value="**xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx**">
</appSettings>
Credits to MsDoc
When I run signupsignin user flow in Azure B2C portal to test Open ID Connect (external Azure Tenant login), received below error.
Sorry, but we're having trouble signing you in.
We track these errors automatically, but if the problem persists feel free to contact us. In the meantime, please try again.
Correlation ID: 6744ccb7-eb8d-47f6-bb0a-bcd2f84f5771
Timestamp: 2021-08-04 04:10:53Z
ConnectionTimeOut: An exception has occurred.
This article describes a similar error that occurs when you try to sign in to an app that's set up for Azure AD B2C
Cause: The client ID may be missing or incorrect in the Web.config file for the app.
Resolution
To fix this issue, follow these steps:
Open the Web.config file for the app.
In the Web.config file, find the app key ida:ClientId.
Replace the value of the app key with the client ID that is provided for your app in the Azure AD B2C admin portal.
The changed part of the file resembles the following:
<appSettings>
<add key="ida:ClientId" value="**xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx**">
</appSettings>
References:
troubleshooting-with-application-insights
azure-ad-b2c-importing-in-users
Could be the case:
Make sure you are using the API Key and API Key Secret.
Not the ClientId and Client Secret
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-twitter?pivots=b2c-user-flow
I have already implemented this: https://github.com/Azure-Samples/active-directory-b2c-xamarin-native sample into an external app, but i got errors while login with an openid identity provider.
To reproduce this problem I checked out the latest master of the sample, tried to reproduce this error within the solution and it also occurs there.
I just changed the B2CConstants file values and everything is working for local accounts.
In my Azure B2C I have created 2 identity providers for different AD's in my signin/signup policy.
For Android and iOS everything works fine as expected, also the login with the identity provider.
If I log in with the UWP App via the identity provider i get the following error:
"We can't connect to the service you need right now. Check your network connection or try this again later."
This message shows up in the external Popup Window after Login (normally it should redirect back to the App without error)
In my external app, sometimes its possible to login via the identity provider if I first login with local account ⇒ logout and login again with identity provider credentials. But its not really a workaround because the error comes again on the next login.
I configured the identity provider with following documentation:
https://learn.microsoft.com/de-de/azure/active-directory-b2c/tutorial-add-identity-providers
I tried following things:
add Capabilities:
<Capabilities>
<Capability Name="internetClient" />
<uap:Capability Name="enterpriseAuthentication"/>
<Capability Name="privateNetworkClientServer"/>
<uap:Capability Name="sharedUserCertificates"/>
<uap:Capability Name="userAccountInformation"/>
<Capability Name="internetClientServer"/>
</Capabilities>
found it here:
https://github.com/Azure-Samples/active-directory-b2c-xamarin-native/issues/137
And tried also setting the registry and redirect url which is created from the app during execution:
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/UWP-specifics#properties-of-platformparameter-specific-to-winrt-and-uwp-corporate-network
some additional information, I developed the identity provider login with a signIn/signUp (default) policy, that was working at the beginning, the error occurs only sometimes.
After I changed to a only signin (default) policy, the error occurs nearly every time (only works with the workaround which i described already).
Im not quite sure what im missing or doing wrong, hope someone can help me.
Thank you!
So I'm using postman with the OAuth 2.0 process to try to authenticate against my WebApi over Azure Active Directory. I am still on the default project with the basic ValuesController, just trying to get authentication and authorization to work.
I've followed this video to setup postman, and as far as I can tell, I've configured the new applications in active directory as described.
The token exchange is working. And the Authorization Bearer {token} is being sent correctly. Here is an example token:
{Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlliUkFRUlljRV9tb3RXVkpLSHJ3TEJiZF85cyIsImtpZCI6IlliUkFRUlljRV9tb3RXVkpLSHJ3TEJiZF85cyJ9.eyJhdWQiOiJodHRwczovL2J1Y2tldHMub25taWNyb3NvZnQuY29tL2J1Y2tldHMtcmVzdC1hcGkyMDE2MDkwMzEwNDAzMSIsImlzcyI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzIwYmI2ZmEwLTU0OTItNDk0My05MjkwLWRiMWJkMTU3YjFkMS8iLCJpYXQiOjE0NzM5MTg3MDAsIm5iZiI6MTQ3MzkxODcwMCwiZXhwIjoxNDczOTIyNjAwLCJhY3IiOiIxIiwiYW1yIjpbInB3ZCJdLCJhcHBpZCI6IjlkZWVmMWFlLWU0MmYtNDg4ZC04MmY3LWUwMWRjYzNkMzE5NyIsImFwcGlkYWNyIjoiMSIsImZhbWlseV9uYW1lIjoiSWppZGFraW5ybyIsImdpdmVuX25hbWUiOiJBeW8iLCJpcGFkZHIiOiI3MC4xNzMuNDAuMjIiLCJuYW1lIjoiQWRtaW4iLCJvaWQiOiJmMTljY2Q5ZC1iMDZhLTQ0MGUtYmE3Ni05NWRjNGE4NDY3ZjEiLCJzY3AiOiJ1c2VyX2ltcGVyc29uYXRpb24iLCJzdWIiOiJMMHkzeUVwRGdRMHV2MG0wZWNKcFFIeVpZNHkzYTk3UUpnNGl6WlpzZmNVIiwidGlkIjoiMjBiYjZmYTAtNTQ5Mi00OTQzLTkyOTAtZGIxYmQxNTdiMWQxIiwidW5pcXVlX25hbWUiOiJhZG1pbkBidWNrZXRzLm9ubWljcm9zb2Z0LmNvbSIsInVwbiI6ImFkbWluQGJ1Y2tldHMub25taWNyb3NvZnQuY29tIiwidmVyIjoiMS4wIn0.NXpvslBXOpRNkmWQqj7XqVzloS3KoeSqPIlo-yUPGYkZ4bHPrAH6yD4sxMYz-19VIPFRDUMP-5h5hmaMKmuykjNUltz6wejQT9f4IeV6i7VtP3BlkfASZeAdKAiSjKh6ydV8PuJjV2HHh2WvxIKC3QQXzROwWAdeXLcgMTiKSBMULzFV8BsecgtI86_L2OISgbQZ2LgF137EPJoG7C4L1IO-10T1QIVl-Emy6AS0VKVxdzjCgiT-DFtccxME6n1CruoDy6mTKztcAkiFR1IlgY6Fvj-Y_goMQyxA5sCRebWnOQ5jeUKv4KNyNWOLJU_RiZYe0kj4IT3KDc9jjtHykg}
However, even though I get the token successfully and when I step through the debugger in VS, I see the token coming in, Authorization is failing. I get the following response:
{"Message":"Authorization has been denied for this request."}
The issue seems to be on the server side. When I override IsAuthorized to return true, it works.
In Azure, both applications are in the same directory with delegate permissions on.
Are there any logs I can check to see the exact denial reason? From there I can probably figure out what is going on.
I've turned on tracing, with:
// Web API configuration and services
var traceWriter = config.EnableSystemDiagnosticsTracing();
traceWriter.IsVerbose = true;
traceWriter.MinimumLevel = TraceLevel.Debug;
But it's not really telling me why I get the denial.
So it looks like the Azure AD Directory was somehow corrupted. I think maybe something went wrong with an original concept app that I created. For whatever reason, I cannot delete that app in the Azure portal, and thus can't delete the directory itself.
However, creating a brand new directory, unfortunately, seemed to fix it. I followed all of the same directions.
The only difference, is I added the following to the Web.config: <add key="owin:AppStartup" value="buckets_api.Startup"/>. Whereas, last time I added: <add key="owin:AutomaticAppStartup" value="false"/> to address an api startup issue I encountered with the new template. However, I don't believe that is what resolved the issue.
On a side note, I also noted that Chrome was unable to complete the token exchange in the popup browser without me re-launching the app as admin. I'm not sure if that was also related, as I was getting tokens before, so I don't think so. But I want to document what worked for me in its entirety, in case someone else encounters this in the future.
I have taken over part of a project from a colleague that uses Azure AD B2C.
At the moment we use the list of users in the old Azure portal to get the authentication tokens of users, which we can then tie in with the user entries in our own database. I.e. we copy-and-paste from the columns here:
It would be far more sensible to do this programatically.
The article Azure AD B2C Preview: Use the Graph API includes sample code to download. To get it running I needed these things:
<appSettings>
<add key="b2c:Tenant" value="[Enter tenant name, e.g. contoso.onmicrosoft.com]" />
<add key="b2c:ClientId" value="[Enter the client ID (a.k.a AppPrincipalId) as obtained from the Azure AD Powershell, e.g. 82692da5-a86f-44c9-9d53-2f88d52b478b]" />
<add key="b2c:ClientSecret" value="[Enter the client secret that you generated, e.g. ONHJGaI232VenJIboyg8hmTlyNXh0Ef0brRRRNWBRfc=]" />
</appSettings>
I can get the Tenant and the Application ID from the new Azure Portal portal:
and my colleague has passed me the client secret from when he made the directory.
Following the article I now compile the app and run
B2C Get-User
But instead of the expected list of users from our Azure AD B2C directory I get the error message
AADSTS70001: Application my-app-id is not supported for this API version.
Trace ID: a-guid
Correlation ID: another-guid
Timestamp: 2016-07-15 10:27:15Z
How do I programmatically get the users in my Azure AD B2C directory?
Run the powershell commands from here to register a new service principal:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/
This new service principal has it's own appId, and it's own client secret.
You mixed some of these (the AppId you chose is from an B2C application, not a B2C/AD Service principal)