
I am facing the below error in my Razor pages web application using Azure AD B2C during SignUp. "AADB2C90088: The provided grant has not been issued for this endpoint. Actual Value : B2C_1A_SIGNIN and Expected Value : B2C_1A_SIGNUP"

I am using separate B2C custom policies for SignIn and SignUp. I have also created a separate AccountController that sets the PolicyName in AuthenticationProperties and calls the Challenge method.

        public IActionResult SignIn(
            [FromRoute] string scheme,
            [FromQuery] string redirectUri)
        {
            scheme ??= OpenIdConnectDefaults.AuthenticationScheme;
            string redirect;
            if (!string.IsNullOrEmpty(redirectUri) && Url.IsLocalUrl(redirectUri))
            {
                redirect = redirectUri;
            }
            else
            {
                redirect = Url.Content("~/")!;
            }

            var properties = new AuthenticationProperties { RedirectUri = redirect };
            properties.Items[Constants.Policy] = _configuration.GetValue<string>($"AzureAdB2C:SignInPolicyId");
            return Challenge(properties, scheme);
        }

The policy contains simple signup & signin TechnicalProfiles. There is nothing fancy inside it. The SignUp flow works fine, but when it redirects from B2C to web app, it throws the Invalid grant error.

AppSettings.json

"AzureAdB2C": {
    "CallbackPath": "/signin-oidc",
    "Instance": "https://xxx.b2clogin.com/",
    "ClientId": "xxx",
    "TenantId": "xxx",
    "Domain": "xxx.onmicrosoft.com",
    "SignedOutCallbackPath": "/signout/B2C_1A_SIGNIN",
    "SignUpSignInPolicyId": "B2C_1A_SIGNIN",
    "SignInPolicyId": "B2C_1A_SIGNIN",
    "SignUpPolicyId": "B2C_1A_SIGNUP",
    "SignInUrl": "/CustomIdentity/Account/SignIn?redirectUri={0}",
    "SignOutUrl": "/CustomIdentity/Account/SignOut?redirectUri={0}",
    "SignUpUrl": "/CustomIdentity/Account/SignUp?redirectUri={0}"
  }

where CustomIdentity/Account is the AccountController.

Can anyone please help on this issue? I am not sure where it is going wrong. I debugged the IdToken that is obtained in the Web App by listening to the OpenIdConnectOptions.Events.OnAuthorizationCodeReceived event. On decoding the IdToken in jwt.ms, it had the acr claim as B2C_1A_SIGNUP. I am not sure where this Actual Value of B2C_1A_SIGNIN is being returned from.

Any help on this is appreciated.

Thanks!

Jeevan
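The question's debugging step decodes the ID token by hand and reads its acr claim. As an added example (not code from the question or the answer), the handler below does that comparison inside the app at OnTokenValidated: it reads the policy the token was issued under (the tfp or acr claim) and fails the sign-in when it differs from the policy stored in AuthenticationProperties.Items[Constants.Policy] when the challenge was issued. It assumes Microsoft.Identity.Web's Constants class, as used in the question, and that the handler is chained after the library's own OnTokenValidated rather than replacing it.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

public static class B2CPolicyCheck
{
    // Claim type that "acr" is mapped to when inbound claim mapping is enabled.
    private const string MappedAcr = "http://schemas.microsoft.com/claims/authnclassreference";

    // Policy name carried in the token: B2C emits it as "tfp" or "acr" depending
    // on the policy configuration, so all three spellings are checked.
    public static string? PolicyFromToken(ClaimsPrincipal principal)
    {
        return principal.FindFirst("tfp")?.Value
            ?? principal.FindFirst("acr")?.Value
            ?? principal.FindFirst(MappedAcr)?.Value;
    }

    // True when the token's policy matches the one requested in the challenge.
    // A missing requested policy is not a mismatch: there is nothing to compare.
    public static bool PolicyMatches(string? requested, string? issued)
    {
        if (string.IsNullOrEmpty(requested)) return true;
        return string.Equals(requested, issued, StringComparison.OrdinalIgnoreCase);
    }

    public static Task OnTokenValidated(TokenValidatedContext context)
    {
        string? requested = null;
        context.Properties?.Items.TryGetValue(Constants.Policy, out requested);
        var issued = context.Principal is null ? null : PolicyFromToken(context.Principal);

        if (!PolicyMatches(requested, issued))
        {
            // Reject rather than sign the user in under a policy the app did not ask for.
            context.Fail($"Token issued under '{issued}' but policy '{requested}' was requested.");
        }
        return Task.CompletedTask;
    }

    // Chain after the library's handler (assumed registration, e.g. from
    // builder.Services.Configure<OpenIdConnectOptions>(scheme, Register)).
    public static void Register(OpenIdConnectOptions options)
    {
        options.Events ??= new OpenIdConnectEvents();
        var prior = options.Events.OnTokenValidated;
        options.Events.OnTokenValidated = async ctx =>
        {
            await prior(ctx);
            if (ctx.Result?.Failure is null) await OnTokenValidated(ctx);
        };
    }
}
```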

1 Answer


The solution was to merge the signup and signin policies into a single policy which can handle both. All issues resolved after merging policies.

Jeevan