
I am trying to integrate Xero to let users authenticate with our SPA app and REST API using Azure B2C. The scenario I am looking for is sign-in only for local accounts and Xero users, whose accounts will be created before the first sign-up using the C# Microsoft.Graph library, with the user configured as follows:

using System.Collections.Generic;
using Microsoft.Graph;   // Graph SDK v4 types; on SDK v5 User/ObjectIdentity live in Microsoft.Graph.Models

// Pre-created B2C user whose only identity is the federated Xero account
var user = new User
{
    Identities = new List<ObjectIdentity>
    {
        new() { // Xero user idp config
            SignInType = "federated",
            Issuer = "https://identity.xero.com",
            IssuerAssignedId = "xero-userid"   // placeholder for the user's id at Xero
        }
    }
};

I was following the Microsoft guide (https://learn.microsoft.com/en-us/power-pages/security/authentication/openid-provider) on adding a custom identity provider, using https://login.xero.com/identity/.well-known/openid-configuration as the metadata URL, and also provided the client_id and client_secret as described in the Xero docs for the authorization code flow (https://developer.xero.com/documentation/guides/oauth2/auth-flow/), along with response_type=code and scopes set to openid profile email. The flow I use is the sign-in flow with that custom IdP enabled. Unfortunately, after a successful sign-in on the Xero side (username and password provided) and being redirected back to the SPA app, I can see that the code from Xero is passed to a token endpoint, but the redirect to the redirect_uri (the same one specified in the requests) receives

http://localhost:3000/#error=server_error&error_description=AADB2C%3a+An+exception+has+occurred.%0d%0aCorrelation+ID%3a+90657cd5-4025-4c55-aebf-ab5ee545fbd9%0d%0aTimestamp%3a+2023-08-09+17%3a58%3a26Z%0d%0a&state=eyJpZCI6ImY4NmVmYWNhLWZlNDYtNGMxZS05NmNkLTU1OTUzMmJlMWIzYiIsInRzIjoxNjkxNjAzOTAxLCJtZXRob2QiOiJyZWRpcmVjdEludGVyYWN0aW9uIn0%3d

I tried to follow the endpoints listed in the Xero docs, which resulted in success. Unfortunately, as per the docs, the only way to authenticate a request to https://login.xero.com/identity/connect/token (proxied by https://<tenantid>.b2clogin.com/<tenantid>.onmicrosoft.com/oauth2/authresp) to exchange the code for tokens is using an Authorization header with a Basic b64(client_id:client_secret) value instead of the client_id and client_secret body params. The question is: how can I integrate Xero as an IdP using Azure B2C? It seems I'm missing some kind of transformation for the sign-in flow, but is this a scenario covered by a standard flow? If it requires custom policies, what would one look like for Xero, as it seems to be a non-standard implementation of OIDC?

Thank you and have a good one!

user1013607
  • Have you tried with Postman - https://developer.xero.com/documentation/sdks-and-tools/tools/postman/ – rbrayb Aug 10 '23 at 06:57
  • Thanks @rbrayb for the reply! Yes, I have tried the Postman collection. It works fine; the problem is that when B2C tries to exchange the code for a token at `https://.b2clogin.com/.onmicrosoft.com/oauth2/authresp` (it's calling https://login.xero.com/identity/connect/token), I get Error 400, but without any details, even with App Insights enabled. This unfortunately stops me, as I can't even tell which part is wrong. So it seems like an Azure B2C and custom policy thing. – user1013607 Aug 11 '23 at 08:52
