
I’ve configured a custom policy with AAD B2C IEF per this link and am now trying to integrate it into API Gateway as a JWT authorizer per this link.

However, attempting to configure the authorizer throws an error

error updating API Gateway v2 authorizer
BadRequestException
Caught exception when connecting to https://tenant-domain.b2clogin.com/tenant-id-here/v2.0/.well-known/openid-configuration for issuer https://tenant-domain.b2clogin.com/tenant-id-here/v2.0/.
Please try again later.
Error:
Invalid issuer:
https://tenant-domain.b2clogin.com/tenant-id-here/v2.0/.
Issuer must have a valid discovery endpoint ended with ‘/.well-known/openid-configuration

The actual discovery endpoint is https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/b2c_1a_signup_signin/v2.0/.well-known/openid-configuration; however, it returns the document below, whose issuer differs from the discovery URL.

{
  "issuer": "https://tenant-domain.b2clogin.com/tenant-id-here/v2.0/",
  "authorization_endpoint": "https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/authorize",
  "token_endpoint": "https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/token",
  "end_session_endpoint": "https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/logout",
  "jwks_uri": "https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/b2c_1a_signup_signin/discovery/v2.0/keys",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "response_types_supported": [
    "code",
    "code id_token",
    "code token",
    "code id_token token",
    "id_token",
    "id_token token",
    "token",
    "token id_token"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "claims_supported": [
    "name",
    "given_name",
    "family_name",
    "email",
    "sub",
    "tid",
    "iss",
    "iat",
    "exp",
    "aud",
    "acr",
    "nonce",
    "auth_time"
  ]
}

Looking at this issue and the spec, it looks like AAD is not spec-compliant.

Is there any way to get this to work or do I have to move to a spec-compliant OIDC provider?

2 Answers


  1. Chosen as BEST ANSWER

    In addition to the answer by @kavyasaraboju-MT, if you're using custom policies, you must set the IssuanceClaimPattern to AuthorityWithTfp in the JwtIssuer Technical Profile per these docs.

    e.g. using the LocalAccounts pack in active-directory-b2c-custom-policy-starterpack, add the element <Item Key="IssuanceClaimPattern">AuthorityWithTfp</Item> to the <Metadata> element


  2. Please try to configure the issuer URL including tfp for token compatibility.

    For more details see: Token compatibility
    which says:

    Note: the iss claim, i.e. the issuer, identifies the tenant of Azure AD B2C that
    issued the token. Usually the value is something like this:
    https://<domain>/{B2C tenant GUID}/v2.0/

    But if your application or library needs Azure AD B2C to be
    compliant with the OpenID Connect Discovery 1.0 spec, use
    https://<domain>/tfp/{B2C tenant GUID}/{Policy ID}/v2.0/
    as it includes IDs for both the Azure AD B2C tenant and the user flow that
    was used in the token request.


    For example:

    "issuer" : "https://your-tenant-name.b2clogin.com/tfp/c5b2xxxxxxxxx0-8axxxxxx3d3b/B2C_1A_signin/v2.0/"

    or

    https://{tenantID}.b2clogin.com/tfp/{tenantID}/{policy-name}/v2.0/

    References:

    1. Configure the Azure Active Directory B2C provider manually – Power Apps | Microsoft Docs
    2. AzureAD Authentication with AWS API Gateway v2 JWT Authorizers | rayterrill.com
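The issuer check that both answers are working around, as an added example that is not code from either answer, from Microsoft or from AWS: it reproduces the steps an OIDC relying party such as the API Gateway JWT authorizer takes (derive the discovery URL from the configured issuer, fetch it, require the document's issuer to be identical) against a constructed offline stand-in for the B2C endpoints. The hostname, tenant id and policy name are the placeholders from the question; that the tfp-form discovery URL is served once AuthorityWithTfp is set is an assumption taken from the answers.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed offline stand-in for the B2C tenant. The first document is the one
# quoted in the question (default IssuanceClaimPattern); the second is what the
# same policy is assumed to serve once IssuanceClaimPattern is AuthorityWithTfp.
SERVER = {
    "https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/"
    "b2c_1a_signup_signin/v2.0" + WELL_KNOWN: {
        "issuer": "https://tenant-domain.b2clogin.com/tenant-id-here/v2.0/",
    },
    "https://tenant-domain.b2clogin.com/tfp/tenant-id-here/"
    "b2c_1a_signup_signin/v2.0" + WELL_KNOWN: {
        "issuer": "https://tenant-domain.b2clogin.com/tfp/tenant-id-here/"
                  "b2c_1a_signup_signin/v2.0/",
    },
}

def discovery_url(issuer):
    """OIDC Discovery 1.0 section 4: the well-known path is appended to the
    issuer with exactly one slash between them."""
    return issuer.rstrip("/") + WELL_KNOWN

def fetch(url):
    """Stand-in for an HTTPS GET of the discovery document; None means 404."""
    return SERVER.get(url)

def validate_issuer(issuer, fetch=fetch):
    """Return (ok, reason) for a configured issuer, using the checks a relying
    party performs before it trusts the JWKS the document points to."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        return False, "issuer must be an https URL with no query or fragment"
    url = discovery_url(issuer)
    doc = fetch(url)
    if doc is None:
        return False, f"no discovery document at {url}"
    # Section 4.3: the issuer in the document MUST be identical to the issuer
    # URL used to retrieve it, trailing slash included.
    if doc.get("issuer") != issuer:
        return False, f"document issuer {doc.get('issuer')!r} != {issuer!r}"
    return True, "ok"

if __name__ == "__main__":
    for candidate in (
        "https://tenant-domain.b2clogin.com/tenant-id-here/v2.0/",  # the iss value
        "https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/b2c_1a_signup_signin/v2.0/",
        "https://tenant-domain.b2clogin.com/tfp/tenant-id-here/b2c_1a_signup_signin/v2.0/",
    ):
        print(candidate, "->", validate_issuer(candidate))
```

Only the tfp form passes both steps: the iss value from the question has no document at its well-known path, and the policy-specific prefix serves a document whose issuer does not match it.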