Azure AD B2C token endpoint returns 404
We use Azure AD B2C as the identity provider in one of our applications. We want users to log in using their organizational account (any Azure AD – multitenant) and personal Microsoft accounts.
Also, we use Custom Policies and relevant ClaimsProvider is configured as below (in TrustFrameworkExtensions.xml):
<ClaimsProvider>
  <Domain>workandpersonalaccounts</Domain>
  <DisplayName>Microsoft Account</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="MSA-OAuth2-work-and-personal-account">
      <DisplayName>Microsoft Work Account with OAuth2</DisplayName>
      <Protocol Name="OAuth2"/>
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <Metadata>
        <!-- "common" authority: both work (multitenant) and personal accounts -->
        <Item Key="AccessTokenEndpoint">https://login.microsoftonline.com/common/oauth2/v2.0/token</Item>
        <Item Key="authorization_endpoint">https://login.microsoftonline.com/common/oauth2/v2.0/authorize</Item>
        <Item Key="ClaimsEndpoint">https://graph.microsoft.com/v1.0/me</Item>
        <Item Key="ClaimsEndpointAccessTokenName">access_token</Item>
        <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
        <Item Key="client_id">XXXXXXXXX</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="scope">openid email offline_access files.read user.read</Item>
        <Item Key="UsePolicyInRedirectUri">0</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_SecretKey"/>
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="AAD" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="id"/>
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="userPrincipalName"/>
        <!-- raw OAuth2 tokens from the IdP, carried as B2C claims -->
        <OutputClaim ClaimTypeReferenceId="ms_access_token" PartnerClaimType="{oauth2:access_token}"/>
        <OutputClaim ClaimTypeReferenceId="ms_refresh_token" PartnerClaimType="{oauth2:refresh_token}"/>
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
(Please note that the above ClaimsProvider uses OAuth2 instead of OIDC, as we need to get the refresh_token from the user’s account.)
Our application uses the OIDC authorization code flow to authenticate users with AAD B2C. That works perfectly until we exchange the code for a token.
We use the following POST request to invoke the token endpoint:
https://{{tenant}}.b2clogin.com/{{tenant}}.onmicrosoft.com/{{policy}}/oauth2/v2.0/token?client_id={{client_id}}&client_secret={{client_secret}}&code={{code}}&grant_type=authorization_code&redirect_uri={{redirect_uri}}&scope={{scope}}
But for that we get an HTTP 404 error. However, the user account is successfully created in the AAD B2C tenant.
Interestingly, this works without any issue when we change the AccessTokenEndpoint and authorization_endpoint in the above-mentioned ClaimsProvider as below (note that instead of common we have used consumers):
        <Item Key="AccessTokenEndpoint">https://login.microsoftonline.com/consumers/oauth2/v2.0/token</Item>
        <Item Key="authorization_endpoint">https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize</Item>
But with that change, organizational users can’t log in. Only personal MS account users can log in.
Any suggestions to get this working?
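Added example, not from the question or from Azure AD B2C: the same code-for-token exchange against the b2clogin.com endpoint used in the question, written in Python with every parameter in the form-encoded POST body instead of the query string, so the client secret and the authorization code stay out of proxy and web-server access logs. The tenant, policy and credential values in the helper are placeholders, and the payload decoder only inspects the returned id_token; it does not verify the signature.

```python
import base64
import json
import urllib.parse
import urllib.request


def build_token_request(tenant, policy, client_id, client_secret, code,
                        redirect_uri, scope):
    """Build the B2C authorization-code exchange as a form-encoded POST.

    The URL carries only the tenant and policy; client_secret, code and the
    other parameters travel in the body, where access logs do not record them.
    """
    url = (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
           f"{policy}/oauth2/v2.0/token")
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": scope,
    }).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, body


def decode_jwt_payload(token):
    """Return the claims segment of a JWT for inspection only.

    No signature check is done here; validate the token against the
    policy's JWKS before trusting any claim it carries.
    """
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)   # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def exchange_code(tenant, policy, client_id, client_secret, code,
                  redirect_uri, scope):
    """Send the exchange request and return the parsed token response."""
    url, headers, body = build_token_request(
        tenant, policy, client_id, client_secret, code, redirect_uri, scope)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:   # raises HTTPError on 4xx/5xx
        return json.load(resp)
```

On a 404 like the one described above, urlopen raises urllib.error.HTTPError, and the error object's read() returns the response body, which is the first thing worth logging when diagnosing the failure.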