B2C Custom Policy error with client certificates

Marina Gurevich 56 Reputation points
2021-10-22T15:21:50.517+00:00

I am using B2C custom policies to federate to the external Azure AD Identity Provider. I was successful before when federating with client secrets, but trying to switch to certificates now, and getting an error "No url encoding for asymmetric keys". Here is what I did as a Proof Of Concept:

  • Generated a new self-signed certificate in Azure keyvault
  • Exported it into the .pfx and .cer files.
  • In B2C created a Policy key and uploaded the .pfx certificate there
  • In custom policy referenced that policy key

<CryptographicKeys>
  <Key Id="client_secret" StorageReferenceId="B2C_1A_MyB2CPolicy" />
</CryptographicKeys>

  • In Azure AD app registration under Certificates and Secrets uploaded the .cer file (with public key)
  • Tried to connect using MSAL.js
  • Received a "server error" with correlation id, which in appinsights shows up as

{
  "Key": "SendErrorTechnicalProfile",
  "Value": "OpenIdConnectProtocolProvider"
},
{
  "Key": "Exception",
  "Value": {
    "Kind": "Handled",
    "HResult": "80131500",
    "Message": "An invalid OAuth response was received: \"{0}\".",
    "Data": {
      "IsPolicySpecificError": false
    },
    "Exception": {
      "Kind": "Handled",
      "HResult": "80131515",
      "Message": "No url encoding for asymmetric keys",
      "Data": {}
    }
  }
}

What am I doing wrong?

Also, is there any documentation on how to do it?


1 answer

  1. Henry Mao 21 Reputation points
    2022-09-13T06:15:01.333+00:00

    You need to upload the private key with the password.

    Policy keys => Upload =>
    [image: 240316-image.png]

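As an added check that is not part of the question or the answer above, the following PowerShell script inspects the two exported files before they are uploaded: the .pfx that becomes the B2C policy key must actually carry the private key, and the .cer uploaded to the app registration should be the public half of that same certificate. The file paths and password are placeholders for your own export.

```powershell
# Added example, not from the question or answer. Verifies that the exported
# .pfx (for the B2C policy key) contains a private key and that the .cer
# (for the Azure AD app registration) is the public half of the same cert.
param(
    [string]$PfxPath     = '.\b2c-client.pfx',  # placeholder: Key Vault export with private key
    [string]$CerPath     = '.\b2c-client.cer',  # placeholder: public-key-only export
    [string]$PfxPassword = '<pfx-password>'     # placeholder: password chosen at export time
)

function Test-CertificateFile {
    param([string]$Path, [string]$Password)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # The (byte[], string) constructor unlocks a password-protected PKCS#12 file;
    # a DER/PEM .cer loads without a password and never carries a private key.
    $cert = if ($Password) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes, $Password)
    } else {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    }
    [pscustomobject]@{
        File          = $Path
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
    }
}

$pfx = Test-CertificateFile -Path $PfxPath -Password $PfxPassword
$cer = Test-CertificateFile -Path $CerPath
$pfx, $cer | Format-Table -AutoSize

# A policy key without the private key cannot be used as an asymmetric client credential.
if (-not $pfx.HasPrivateKey) {
    Write-Warning "$PfxPath contains no private key; export the certificate from Key Vault with its private key and a password."
}
# The app registration only trusts the certificate whose public key it holds.
if ($pfx.Thumbprint -ne $cer.Thumbprint) {
    Write-Warning "$PfxPath and $CerPath are different certificates; the app registration will not accept this policy key."
}
if ($pfx.NotAfter -lt (Get-Date)) {
    Write-Warning "The certificate expired on $($pfx.NotAfter)."
}
```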