Using the MS documents listed below I have tried repeatedly to authenticate against AAD as an idp and I cannot get it to work. Every time I get the following error:
AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application:
I read the documents on this error, and cannot find anything that does not match. My question today has anyone actually been able to connect to AAD using B2C as indicated in the documents below without doing any custom coding? If you have actually done this, I would like to know how you did it. And I would like to know what I am doing wrong.
I'm trying to connect to AAD in the base subscription. In this same subscription also resides the B2C tenant. Is that possible, or must it be an external AAD?
Please only respond if you have actually done this.
Documents that I have followed:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-oidc-idp
https://blogs.msdn.microsoft.com/jpsanders/2018/01/30/azure-app-service-error-aadsts50011-the-reply-address-http-azurewebsites-netsignin-oidc-does-not-match-the-reply-addresses-configured-for-the-application/
AADSTS50011: The reply URL specified in the request does not match the reply urls configured for the application
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-tutorials-web-app#run-the-sample-web-app
https://blogs.msdn.microsoft.com/azuredev/2017/05/30/azure-ad-b2c-kicking-it-up-a-notch-with-support-for-aad-as-idp/
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview-custom
This is related to the reply URL that is registered for Azure AD B2C in your Azure AD tenant.
If you're using the your-tenant-name.b2clogin.com domain with Azure AD B2C (recommended), then the reply URL must be set to:
https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp
If you're using the login.microsoftonline.com domain with Azure AD B2C, then it must be set to:
https://login.microsoftonline.com/te/your-tenant-name.onmicrosoft.com/oauth2/authresp
Related
We have a Drupal site setup to login with Azure AD via a third party OpenID connect module.
This is linked to an Azure AD app registration in single tenant mode.
When a user visits the site whilst logged-in to an account that isn't in our tenant, they see an error message similar to this:
Message:AADSTS50020: User account 'XXXXX#example.com' from identity provider 'https://sts.windows.net/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/' does not exist in tenant 'TENANT NAME' and cannot access the application 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'(SITE NAME) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
This message is completely incomprehensible to most of our users. I'd like to change it to something more meaningful such as
Please login with an INSTITUTION NAME account to access this site e.g.: username#ourdomain.com
Is this something that can be configured within the Azure AD app registration? Or elsewhere in our tenancy configuration?
In case of azure ad B2C you can create a custom error page using a technical profile based on localization or a custom policy error page. But in case of regular Azure AD (B2B), there is no way to specify custom error messages or error pages.
If there is any case where the error message is passed back to your application. there may be a possibility to deal with it as you can configure through code as required but there isn't any guidance regarding error passed to backend .
I configured a new Azure AD B2C Tenant for testing purposes. I am trying to follow the example to use Azure AD B2C with Android.
https://github.com/Azure-Samples/active-directory-b2c-android-native-appauth
I created beside the B2C Tenant already a User Flow for the login.
During the authentication flow the app wants to read the "well known openid configuration" for my User Flow
https://login.microsoftonline.com/geomobilestage.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_login_signin
but the URL returns a 404 error. But when I try the following URL to read the configuration I receive http status 200
https://geomobilestage.b2clogin.com/geomobilestage.onmicrosoft.com/B2C_1_login_signin/v2.0/.well-known/openid-configuration
The URLs are public so everyone can try to call them in the browser to see the result.
So the configuration itself exists and seems to be ok. I have already another Azure AD B2C tenant and when I try to call the first URL for this tenant everything is fine. It seems to be that I am missing some configuration in the Azure portal but I really have no idea what I am missing and even where to look.
Regards
Michael
For Azure AD, see here:
https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
For Azure AD B2C, see here:
https://{domain-name}.b2clogin.com/{domain-name}.onmicrosoft.com/{policy}/v2.0/.well-known/openid-configuration
The key thing here is to realize that the b2c config endpoint has a reference to a policy in it, otherwise it’s likely AAD.
I am attempting to use Microsoft Graph API to manage Azure AD B2C users from an application, but I have been unable to authenticate using my client id / secret.
First, I followed the steps here to register an application:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=app-reg-ga
At the end of that article, I was directed here to learn how to get an access token: https://learn.microsoft.com/en-us/graph/auth-v2-service#4-get-an-access-token
They suggest using the endpoint https://login.microsoftonline.com/mytenant/oauth2/v2.0/token, but when I use my tenant in that URL, I get the error "Tenant 'mytenant' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator."
Makes sense, that's not the kind of url I've been using anyway. But what the heck endpoint should I use? So I tried a few.
There are some endpoint suggestions in my application overview, in the format of
https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/policy-name/oauth2/v2.0/token
But what is the policy name? There was nothing in the instructions about setting up a policy.
I have some user flows that might be what they're talking about, so I tried a few, like
if I use https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/b2c_1_sign_in/oauth2/v2.0/token,
I get "The supplied grant_type [client_credentials] is not supported."
There are also endpoints suggested in my workflows, in the format
https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_sign_in
This gives the same client_credentials error.
I also tried with a b2c_1_ropc user flow instead of b2c_1_sign_in, with similar results.
What am I doing wrong? Are the instructions incomplete? Have I not guessed the appropriate endpoint?
All of your assumed suggestions are incorrect.
The doc says to use the endpoint https://login.microsoftonline.com/mytenant/oauth2/v2.0/token, this is wholly correct.
If your B2C tenant has tenant name contoso.onmicrosoft.com, or contoso.b2clogin.com, then endpoint is https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/token
In my case, my B2C tenant name (see under Tenant Properties in Azure) was Company Customers, so all my user flow endpoints were showing as:
https://Company Customers.b2clogin.com/mytenantdev.onmicrosoft.com/...
I had to update the tenant name, removing the space and then re-create my application registration and things started working. I didn't have to redo the user flows however.
So the final endpoints looked something like this: https://mytenant.b2clogin.com/mytenantdev.onmicrosoft.com/<policy-name>...
Should also note, I had to logout of Azure and back in to get the tenant name to start appearing correctly in the console.
I have registered a multi-tenant app in my Azure subscription. using this App, I want to create an OAuth flow for my client to be able to give me permissions to create an app in his active directory.
We are using OpenID connect flow to access the Azure AD graph API.
In spite of making our app multi-tenanted via the console, we are getting the following error when the client (xyz#outlook.com) tries to sign in:
User account 'xyz#outlook.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'bf5ca806-xxxx-xxxx-xxx-xxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
I used the following endpoint to get an access token:
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=xxxxxxxx-xxxx-xxxxx-xxxx-xxxxx
&response_mode=form_post
&response_type=code+id_token
&redirect_uri=http://localhost:8080
&prompt=admin_consent
&nonce=1234
&resource=https://graph.windows.net
Please help me to resolve this error
Unfortunately, you cannot use a guest user to login Azure AD Graph Explorer for now.
I came across the same issue as yours long time ago and I understand it's very important for customers. So, you can post your idea in this User Voice Page and the Azure Team will see it. I will also upvote for it.
But there are other solutions if you don't mind:
Solution 1: Try to use an internal account of that directory which upn ends with .onmicrosoft.com
Solution 2: Try to use other tools to get access token with a guest user(this account also need to be an admin of that directory), such as postman. Then you can use Postman to call Azure AD Graph API. You can refer to this blog to use Azure AD Graph API with Postman.
Hope this helps!
I have 3 websites using a single B2C tenant. I have been asked to set it up so that when a user signs out of one website, sign out of them all.
Likewise if their account is deleted.
I thought that I would have to introduce a call to Azure on every request to determine if the user is still logged in, but as far as I can see, there isn't a Graph API endpoint that would allow me to determine the user status.
Am I thinking about this the wrong way? Is there a way to do this easily using B2C, Graph API, the Active Directory client etc.?
Maybe there is an option when setting up the OpenIdConnectAuthenticationOptions for example.
According the description on Azure Document:
While directing the user to the end_session_endpoint will clear some of the user's single sign-on state with Azure AD B2C, it will not sign the user out of the user's social identity provider (IDP) session. If the user selects the same IDP during a subsequent sign-in, they will be reauthenticated, without entering their credentials. If a user wants to sign out of your B2C application, it does not necessarily mean they want to sign out of their Facebook account entirely. However, in the case of local accounts, the user's session will be ended properly.
So you can directly use the end_session_endpoint. You can find it in the metadata document for the b2c_1_sign_in policy endpoint, e.g.:
https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=b2c_1_sign_in
You can refer to Azure Active Directory B2C: Web sign-in with OpenID Connect for more info.
Any further concern, please feel free to let me know.
I might be late. But if that helps. A.c to docs
When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To enable those applications to sign the user out simultaneously, Azure AD B2C sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to.
Applications must respond to this request by clearing any session that identifies the user and returning a 200 response. If you want to support single sign-out in your application, you must implement a LogoutUrl in your application's code.
This is called single sign out .
Please refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-overview#single-sign-out
Microsoft has an API for this by now. I link to the following blog, as the documentation is currently wrong.
microsoft developer blog: revokeSignInSessions & invalidateAllRefreshTokens
Request
POST https://graph.microsoft.com/beta/users/{id}/revokeSignInSessions
Response
HTTP/1.1 204 No Content