I am trying to set up OIDC authentication with the oidc-client-js in a React web application and authenticate against Azure B2C.

After completing the sign-in I get this error: Problem with authentication endpoint: Error: Invalid issuer in token: https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/v2.0.

The issuer in the metadata from B2C looks like this: "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0". The link I'm using to get the metadata is https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

I looked at the validation code in oidc-client-js and I think they are just doing a string compare between the two values.

Has anyone used oidc-client-js with a B2C IDP?

Is there something I need to configure on the client to make this work?

Is there way to get metadata from B2C that has the tenantid in it?

Eli Pulsifer
  • https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration is not a B2C endpoint. That's regular Azure AD. I can't right now off the top of my head remember the URL for B2C, but it must contain the policy/user flow id. – juunas Dec 13 '19 at 20:49
  • That is the endpoint listed under "Endpoints" in the "Azure AD B2C - App registrations (Preview)" blade [here](https://portal.azure.com/#blade/Microsoft_AAD_B2CAdmin/TenantManagementMenuBlade/registeredApps). – Eli Pulsifer Dec 13 '19 at 23:31

1 Answer

The problem was using the common endpoint rather than the tenant specific endpoint.

Tenant specific: https://login.microsoftonline.com/12345678-1234-1234-1234-123456789012/v2.0/.well-known/openid-configuration

Common: https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

-juunas was correct that the URL was wrong, although not for the stated reason.

Eli Pulsifer
  • Ahh so it seems. But did you know that login.msol.com is being deprecated for B2C in favor of b2clogin.com? This is the metadata document for one of my B2C test tenant's password reset policy: https://joonasb2c.b2clogin.com/tfp/joonasb2c.onmicrosoft.com/B2C_1_forgot_pw/v2.0/.well-known/openid-configuration Note the URL contains the policy/user flow id. – juunas Dec 14 '19 at 09:11
  • https://azure.microsoft.com/en-us/updates/b2c-deprecate-msol/ – juunas Dec 14 '19 at 09:13
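The following is an added example (not code from the question, the answer, or oidc-client-js itself) that models the strict issuer check the question describes and shows why the "common" discovery document fails it while the tenant-specific one passes. It also builds the oidc-client-js settings object for the working configuration. The tenant id, client id, redirect URI and the unsigned token are constructed placeholders; `authority`, `metadataUrl`, `client_id`, `redirect_uri`, `response_type` and `scope` are oidc-client-js settings names, but the library is not loaded here.

```javascript
// Added example: strict OIDC issuer validation against Azure AD discovery metadata.
// Not part of the original question or answer; all identifiers below are constructed.

// base64url helpers (no padding, URL-safe alphabet) so the example runs on any Node version.
function base64urlEncode(str) {
  return Buffer.from(str, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64urlDecode(s) {
  const pad = s.length % 4 === 0 ? "" : "=".repeat(4 - (s.length % 4));
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/") + pad, "base64").toString("utf8");
}

// Builds an UNSIGNED JWT-shaped string purely to carry an `iss` claim for the demo.
// A real client must verify the signature with the keys from `jwks_uri` before
// trusting any claim; that step is intentionally out of scope here.
function makeUnsignedToken(payload) {
  const header = base64urlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${base64urlEncode(JSON.stringify(payload))}.`;
}

function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  return JSON.parse(base64urlDecode(parts[1]));
}

// Discovery metadata as returned by each endpoint, constructed to mirror the
// values quoted in the question: the common document carries a literal
// "{tenantid}" placeholder, the tenant-specific one carries the real id.
const COMMON_METADATA = { issuer: "https://login.microsoftonline.com/{tenantid}/v2.0" };

function tenantMetadata(tenantId) {
  return { issuer: `https://login.microsoftonline.com/${tenantId}/v2.0` };
}

function discoveryUrl(tenantId) {
  return `https://login.microsoftonline.com/${tenantId}/v2.0/.well-known/openid-configuration`;
}

// Exact string comparison, as the question observes oidc-client-js does.
// This is the correct behaviour: a token minted for another tenant must not be
// accepted just because its issuer "looks like" a Microsoft URL.
function validateIssuer(metadata, jwt) {
  const { iss } = decodePayload(jwt);
  if (iss !== metadata.issuer) {
    throw new Error(`Invalid issuer in token: ${iss}`);
  }
  return true;
}

// oidc-client-js UserManager settings for the working (tenant-specific) setup.
// clientId and redirectUri are hypothetical values supplied by the caller.
function userManagerSettings(tenantId, clientId, redirectUri) {
  return {
    authority: `https://login.microsoftonline.com/${tenantId}/v2.0`,
    metadataUrl: discoveryUrl(tenantId), // pin discovery to the tenant document
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "id_token",
    scope: "openid profile",
  };
}

// Demo run with a constructed tenant id.
const DEMO_TENANT = "12345678-1234-1234-1234-123456789012";
const demoToken = makeUnsignedToken({
  iss: `https://login.microsoftonline.com/${DEMO_TENANT}/v2.0`,
  sub: "constructed-subject",
});

try {
  validateIssuer(COMMON_METADATA, demoToken);
} catch (e) {
  console.log("common metadata:", e.message); // the error from the question
}
console.log("tenant metadata:", validateIssuer(tenantMetadata(DEMO_TENANT), demoToken));
console.log(userManagerSettings(DEMO_TENANT, "constructed-client-id", "https://localhost:3000/callback"));
```

The placeholder issuer in the common document can never equal the `iss` claim of a real token, so the strict comparison fails exactly as the question reports; pointing `metadataUrl` at the tenant-specific document makes the two strings identical. Keep the comparison strict rather than loosening it to a pattern match, since it is what stops a token issued by a different tenant from being accepted by your client.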