This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 42%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
I have an Azure AD B2C Custom Policy defined with OpenId Connect. I ahve four custom claims added in the policy and they correctly appear in the response (id_token) of the policy when tested using the B2C Custom Policy 'Run Now' menu in Azure portal.
I want to integrate this custom policy as a Federated Identity Provider in AWS Cognito User Pool. I have followed the standard process to integrate the same. When tried to test this integration through 'Hosted UI' alternative in AWS, I get an error like below - 'No access token in IdP response'. I have verified with AWS Support and various logs in AWS. In this case, AWS Cognito does receive the auth code from B2C Custom Policy, however token request does not seem to go correctly. AWS Support mentioned that this could be due to incorrect scope values defined.
For the custom policy, I am using the identity experience framework.
As part of the same, have registered 'IdentityExperienceFrameworkApp', 'ProxyIdentityExperienceFrameworkApp' and a main app 'myapp' in B2C tenant app registrations.
For 'IdentityExperienceFrameworkApp', a user_impersonation scope has been added and admin consent given. The scope value is in the format https://{mytenant}.onmicrosoft.com/{client_id for IdentityExperienceFrameworkApp}/user_impersonation. This app also has openid and offline_access api permissions.
For 'ProxyIdentityExperienceFrameworkApp', under api permissions, openid, offline_access and 'IdentityExperienceFrameworkApp's user_impersonation scope has been added. Also given admin consent for the same.
For the main app 'myapp', under api permissions, openid, offline_access and 'IdentityExperienceFrameworkApp's user_impersonation scope have been added.
Currently, I am using the below scopes when requesting from Cognito - openid profile email offline_access {myapp_client_id}
In the above scope, {myapp_client_id} is the client id for the application registered in Azure AD B2C and which is used to configure the app client in AWS Cognito.
If we look at this documentation for OpenId Connect Scopes, there are three scopes quoted -
openid - To request id_token
offline_access - To request refresh token
00000000-0000-0000-0000-000000000000 - Client Id as the scope
Can you clarify what will be this client id value to be added in the scope? Will it be same as {myapp_client_id} described above.
In the request example here, the scope parameter has a value of <application-ID-URI>/<scope-name>
Kindly help to address this issue as I am stuck with it from almost couple of weeks and need to resolve it urgently.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi @Anand Patil ,
Thanks for reaching out.
The applications you registered IdentityExperienceFrameworkApp and ProxyIdentityExperienceFrameworkApp are the basic setup for any custom policy.
To use Azure AD B2C as IDp for Amazon Congnito, you need to register one new B2C application by passing Amazon Cognito hosted UI domain name in redirect URL.
Now to add this application as open id connect IDP in user pool,
Take the client id of the above registered application with scope openid , profile.
Reference - https://dev.to/danielbayerlein/how-to-use-azure-ad-b2c-as-idp-for-amazon-cognito-28nj
Hope this will help.
Thanks,
Shweta
I am using the correct web app client id registered in B2C. Added that as the scope along with - openid email profile offline_access.
I am still ending up with the below error -
Bad+id_token+issuer+https%3A%2F%2F{mytenantname}.b2clogin.com%2F{tenant-id}%2Fv2.0&error=invalid_request
Kindly share your inputs in this regard.
Could you please share the whole request you are sending to get token.
@Shweta Mathur Unfortunately, I am unable to log the token request when its being triggered from AWS Cognito. I can share the details of configurations I have done in AWS. Here are the details of the same -
Configurations of B2C Custom Policy as a Federated Identity Provider in AWS Cognito -
Attribute mapping in Cognito -
Authorized Scopes for federated identity provider -
The clientid in the above image is the client-id for the new app registered in B2C tenant, which is also being used (along with its secret) for configuring the app client in AWS Cognito.
Attribute request method - GET
All other endpoint URL's - Issuer, Authorization, Token, UserInfo & Jwks_Uri are same as I get in the .well-known-openid-configuration for the B2C Custom Policy.
The issuer URL is of the format - https://{tenantname}.b2clogin.com/{tenantname}.onmicrosoft.com/{custom-policy-name}/v2.0
The 'Hosted UI' in AWS Cognito is being used to test this federation. In here, I am using https://jwt.ms as the 'Allowed Callback URL'.
OAuth 2.0 grant types - Authorization code grant
I have manually tried testing this flow using the endpoint URL's and trigerring them individually from Postman. All the endpoint do give me correct results.
Does the error 'Bad+id_token+issuer+https%3A%2F%2F{mytenantname}.b2clogin.com%2F{tenant-id}%2Fv2.0&error=invalid_request' have something to do with the issuer defined in the custom policy ? In my case, the custom policy has the issuer defined in the format - https://{tenantname}.b2clogin.com/{tenantid}/v2.0
This is different from the issuer url in AWS Cognito.
If you need any more inputs, do let me know.
The client ID value that needs to be added in the scope for Azure AD B2C custom policy is the client ID of the IdentityExperienceFrameworkApp. This is the same client ID that was recorded in the earlier step. The scope value should be in the format https://{mytenant}.onmicrosoft.com/{client_id for IdentityExperienceFrameworkApp}/{scope-name}. In this case, the scope name is user_impersonation.
It is also important to ensure that the correct scope values are defined in the AWS Cognito User Pool. The scope values should include openid, profile, email, offline_access, and the user_impersonation scope.
If the issue persists, it may be helpful to check the logs in both Azure AD B2C and AWS Cognito to identify any errors or issues with the token request.
References: