This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 79%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
We use Azure AD B2C as identity provider in one of our applications. We want users to login using their organizational account (Any Azure AD – Multitenant) and personal Microsoft accounts.
Also, we use Custom Policies and relevant ClaimsProvider is configured as below (in TrustFrameworkExtensions.xml):
<ClaimsProvider>
<Domain>workandpersonalaccounts</Domain>
<DisplayName>Microsoft Account</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="MSA-OAuth2-work-and-personal-account">
<DisplayName>Microsoft Work Account with OAuth2</DisplayName>
<Protocol Name="OAuth2"/>
<OutputTokenFormat>JWT</OutputTokenFormat>
<Metadata>
<Item Key="AccessTokenEndpoint">https://login.microsoftonline.com/common/oauth2/v2.0/token</Item>
<Item Key="authorization_endpoint">https://login.microsoftonline.com/common/oauth2/v2.0/authorize</Item>
<Item Key="ClaimsEndpoint">https://graph.microsoft.com/v1.0/me</Item>
<Item Key="ClaimsEndpointAccessTokenName">access_token</Item>
<Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
<Item Key="client_id">XXXXXXXXX</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="scope">openid email offline_access files.read user.read</Item>
<Item Key="UsePolicyInRedirectUri">0</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_SecretKey"/>
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="AAD" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="id"/>
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="userPrincipalName"/>
<OutputClaim ClaimTypeReferenceId="ms_access_token" PartnerClaimType="{oauth2:access_token}"/>
<OutputClaim ClaimTypeReferenceId="ms_refresh_token" PartnerClaimType="{oauth2:refresh_token}"/>
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
<OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
(Please note that above ClaimsProvider uses OAuth2 instead of OIDC as we need to get the refresh_token from the user’s account.)
Our application use OIDC authorization code flow, to authenticate user with AAD B2C. That work perfectly till we exchange the code for token.
We use following POST method to invoke the token endpoint.
https://{{tenant}}.b2clogin.com/{{tenant}}.onmicrosoft.com/{{policy}}/oauth2/v2.0/token?client_id={{client_id}}&client_secret={{client_secret}}&code={{code}}&grant_type=authorization_code&redirect_uri={{redirect_uri}}&scope={{scope}}
But for that we get HTTP 404 error. However that user account successfully get created in the AAD B2C tenant.
Interesting thing is, this works without an issue, when we change the AccessTokenEndpoint and authorization_endpoint, in the above mentioned ClaimsProvider, as below:(note that instead of common we have used consumers):
<Item Key="AccessTokenEndpoint">https://login.microsoftonline.com/consumers/oauth2/v2.0/token</Item>
<Item Key="authorization_endpoint">https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize</Item>
But with that change, Organizational users can’t login. Only the personal MS account users can login.
Any suggestion to get this work?
For this, are you attaching the params in the body but not as query params?
https://{ {tenant}}.b2clogin.com/{ {tenant}}.onmicrosoft.com/{ {policy}}/oauth2/v2.0/token?client_id={ {client_id}}&client_secret={ {client_secret}}&code={ {code}}&grant_type=authorization_code&redirect_uri={ {redirect_uri}}&scope={ {scope}}
Does the 404 error includes more detail? Is it happening during the POST to the aformentioned URL?
All params are in query params. Also that works when I change those AccessTokenEndpoint and authorization_endpoint nodes as I mentioned in the description.
No, 404 error doesn't show any additional details.
Yes it is happening during the POST to that URL. In other words when we try to get the id_token and other tokens by exchanging the code which we received from IDP.
hi @alfredo-revilla-msft , do you see any invalid configuration which I have done? Thank you for your support.
@SampathDilhan-7447 I will reach within the B2C team and come back to you. In the meantime I suggest to avoid posting to the token endpoint using query params and instead include them as x-www-form-urlencoded body params.
@sampathdilhan-7447 i'm reaching within the product team and will get back to you.
Thank you Alfredo! This works with that change.